
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorKamil Trzcinski <ayufan@ayufan.eu>2016-08-08 13:01:25 +0300
committerKamil Trzcinski <ayufan@ayufan.eu>2016-09-13 14:30:26 +0300
commit505dc808b3c0dc98413506446d368b91b56ff682 (patch)
tree1f6d5c7fe805bf5ff11a4f5696d73e11d71ca3a6 /lib/ci
parent45afdbef0de58f6de207b057e47151611d2ad7e6 (diff)
Use the user's permissions to access all dependent projects from CI jobs (this also includes container images and, in the future, LFS files)
Diffstat (limited to 'lib/ci')
-rw-r--r--lib/ci/api/helpers.rb14
1 files changed, 11 insertions, 3 deletions
diff --git a/lib/ci/api/helpers.rb b/lib/ci/api/helpers.rb
index bcabf7a21b2..411e0dea15e 100644
--- a/lib/ci/api/helpers.rb
+++ b/lib/ci/api/helpers.rb
@@ -14,12 +14,20 @@ module Ci
end
def authenticate_build_token!(build)
- token = (params[BUILD_TOKEN_PARAM] || env[BUILD_TOKEN_HEADER]).to_s
- forbidden! unless token && build.valid_token?(token)
+ forbidden! unless build_token_valid?
end
def runner_registration_token_valid?
- params[:token] == current_application_settings.runners_registration_token
+ ActiveSupport::SecurityUtils.variable_size_secure_compare(
+ params[:token],
+ current_application_settings.runners_registration_token)
+ end
+
+ def build_token_valid?
+ token = (params[BUILD_TOKEN_PARAM] || env[BUILD_TOKEN_HEADER]).to_s
+
+ # We require to also check `runners_token` to maintain compatibility with old version of runners
+ token && (build.valid_token?(token) || build.project.valid_runners_token?(token))
end
def update_runner_last_contact(save: true)
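Review bot: In `build_token_valid?` the `token &&` guard never rejects anything, because `.to_s` always yields a String and an empty string is truthy in Ruby, so a request with no token still reaches `build.valid_token?` and the newly added `build.project.valid_runners_token?`; `token.present? && (...)` would refuse a blank token before any comparison. The method also reads `build` without taking it as a parameter, while `authenticate_build_token!(build)` only has it as a local, so unless a `build` helper exists outside this hunk the call raises NameError; `def build_token_valid?(build)` called as `forbidden! unless build_token_valid?(build)` would fix that. In `runner_registration_token_valid?`, `params[:token]` is handed to `variable_size_secure_compare` unconverted, and a missing parameter would presumably raise rather than return false; passing `params[:token].to_s` keeps the failure a 403. Accepting the project-wide runners token in place of the per-build token widens which credential can act as a build, so the compatibility comment should say which runner versions need it and when the fallback can be removed.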