Support Deploy Tokens properly without hacking abilities

author: Kamil Trzciński <ayufan@ayufan.eu> 2018-04-05 16:49:18 +0300
committer: Mayra Cabrera <mcabrera@gitlab.com> 2018-04-07 05:20:16 +0300
commit: 72220a99d1cdbcf8a914f9e765c43e63eaee2548 (patch)
tree: 314df7454174092bee8f1ea83d6bda53d760959e /app/services/auth
parent: 171b2625b128e5954ce0a150a4fc923a22164e4e (diff)
1 files changed, 17 insertions, 6 deletions
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index d70ac7b1b3d..2ac35f5bd64 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -109,7 +109,7 @@ module Auth
 
       case requested_action
       when 'pull'
-        build_can_pull?(requested_project) || user_can_pull?(requested_project)
+        build_can_pull?(requested_project) || user_can_pull?(requested_project) || deploy_token_can_pull?(requested_project)
       when 'push'
         build_can_push?(requested_project) || user_can_push?(requested_project)
       when '*'
@@ -123,22 +123,33 @@ module Auth
       Gitlab.config.registry
     end
 
+    def can_user?(ability, project)
+      current_user.is_a?(User) &&
+        can?(current_user, ability, project)
+    end
+
     def build_can_pull?(requested_project)
       # Build can:
       # 1. pull from its own project (for ex. a build)
       # 2. read images from dependent projects if creator of build is a team member
-      has_authentication_ability?(:project_read_container_image) &&
-        (requested_project == project || can?(current_user, :project_read_container_image, requested_project))
+      has_authentication_ability?(:build_read_container_image) &&
+        (requested_project == project || can_user?(:build_read_container_image, requested_project))
     end
 
     def user_can_admin?(requested_project)
       has_authentication_ability?(:admin_container_image) &&
-        can?(current_user, :admin_container_image, requested_project)
+        can_user?(:admin_container_image, requested_project)
     end
 
     def user_can_pull?(requested_project)
       has_authentication_ability?(:read_container_image) &&
-        can?(current_user, :read_container_image, requested_project)
+        can_user?(:read_container_image, requested_project)
+    end
+    
+    def deploy_token_can_pull?(requested_project)
+      has_authentication_ability?(:read_container_image) &&
+        current_user.is_a?(DeployToken) &&
+        current_user.has_access_to?(requested_project)
     end
 
     ##
@@ -154,7 +165,7 @@ module Auth
 
     def user_can_push?(requested_project)
       has_authentication_ability?(:create_container_image) &&
-        can?(current_user, :create_container_image, requested_project)
+        can_user?(current_user, :create_container_image, requested_project)
     end
 
     def error(code, status:, message: '')
author	Kamil Trzciński <ayufan@ayufan.eu>	2018-04-05 16:49:18 +0300
committer	Mayra Cabrera <mcabrera@gitlab.com>	2018-04-07 05:20:16 +0300
commit	72220a99d1cdbcf8a914f9e765c43e63eaee2548 (patch)
tree	314df7454174092bee8f1ea83d6bda53d760959e /app/services/auth
parent	171b2625b128e5954ce0a150a4fc923a22164e4e (diff)