Diffstat (limited to 'app')
-rw-r--r-- | app/models/deploy_token.rb | 6 | ||||
-rw-r--r-- | app/policies/project_policy.rb | 4 | ||||
-rw-r--r-- | app/services/auth/container_registry_authentication_service.rb | 23 |
3 files changed, 24 insertions, 9 deletions
diff --git a/app/models/deploy_token.rb b/app/models/deploy_token.rb
index b4df44d295a..c70d1457afb 100644
--- a/app/models/deploy_token.rb
+++ b/app/models/deploy_token.rb
@@ -29,6 +29,10 @@ class DeployToken < ActiveRecord::Base
   end
 
   def username
-    User.ghost.username
+    "gitlab+deploy-token-#{id}"
+  end
+
+  def has_access_to?(project)
+    self.project == project
   end
 end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 2f9dd0384bc..21bb0934dee 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -145,7 +145,7 @@ class ProjectPolicy < BasePolicy
   # These abilities are not allowed to admins that are not members of the project,
   # that's why they are defined separately.
   rule { guest & can?(:download_code) }.enable :build_download_code
-  rule { guest & can?(:read_container_image) }.enable :project_read_container_image
+  rule { guest & can?(:read_container_image) }.enable :build_read_container_image
 
   rule { can?(:reporter_access) }.policy do
     enable :download_code
@@ -179,7 +179,7 @@ class ProjectPolicy < BasePolicy
 
     enable :fork_project
     enable :build_download_code
-    enable :project_read_container_image
+    enable :build_read_container_image
     enable :request_access
   end
 
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index d70ac7b1b3d..2ac35f5bd64 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -109,7 +109,7 @@ module Auth
 
       case requested_action
       when 'pull'
-        build_can_pull?(requested_project) || user_can_pull?(requested_project)
+        build_can_pull?(requested_project) || user_can_pull?(requested_project) || deploy_token_can_pull?(requested_project)
       when 'push'
         build_can_push?(requested_project) || user_can_push?(requested_project)
       when '*'
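Review bot: `has_access_to?` in the deploy_token.rb hunk is a plain equality, `self.project == project`, so it answers true when both sides are nil; if a token without an associated project can exist and `requested_project` is nil (an unresolved path), the check would pass. A guard such as `self.project && self.project == project` closes that gap (the explicit `self.` is needed because the parameter shadows the association). Whether a project-less token is reachable is not visible in this hunk. A comment on the method would also help later readers: `# Only project identity is checked here; token scope and expiry are the caller's responsibility.`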
@@ -123,22 +123,33 @@ module Auth
       Gitlab.config.registry
     end
 
+    def can_user?(ability, project)
+      current_user.is_a?(User) &&
+        can?(current_user, ability, project)
+    end
+
     def build_can_pull?(requested_project)
       # Build can:
       # 1. pull from its own project (for ex. a build)
       # 2. read images from dependent projects if creator of build is a team member
-      has_authentication_ability?(:project_read_container_image) &&
-        (requested_project == project || can?(current_user, :project_read_container_image, requested_project))
+      has_authentication_ability?(:build_read_container_image) &&
+        (requested_project == project || can_user?(:build_read_container_image, requested_project))
     end
 
     def user_can_admin?(requested_project)
       has_authentication_ability?(:admin_container_image) &&
-        can?(current_user, :admin_container_image, requested_project)
+        can_user?(:admin_container_image, requested_project)
     end
 
     def user_can_pull?(requested_project)
       has_authentication_ability?(:read_container_image) &&
-        can?(current_user, :read_container_image, requested_project)
+        can_user?(:read_container_image, requested_project)
+    end
+
+    def deploy_token_can_pull?(requested_project)
+      has_authentication_ability?(:read_container_image) &&
+        current_user.is_a?(DeployToken) &&
+        current_user.has_access_to?(requested_project)
     end
 
     ##
@@ -154,7 +165,7 @@ module Auth
 
     def user_can_push?(requested_project)
       has_authentication_ability?(:create_container_image) &&
-        can?(current_user, :create_container_image, requested_project)
+        can_user?(current_user, :create_container_image, requested_project)
     end
 
     def error(code, status:, message: '') |
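Review bot: `deploy_token_can_pull?` in the second hunk of container_registry_authentication_service.rb grants a pull on `has_authentication_ability?(:read_container_image)` plus project identity alone; nothing visible here checks the token's registry scope or whether it is expired or revoked, so those must already be enforced wherever the DeployToken is authenticated and the authentication abilities are built, which is outside this hunk. Suggest recording that assumption above the method: `# Scope (read_registry) and token validity are checked when the DeployToken is authenticated; this only confirms the token belongs to requested_project.` The `current_user.is_a?(User)` guard added in `can_user?` is a good change, since `can?` would otherwise be handed a DeployToken as the subject.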
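Review bot: `user_can_push?` in the last hunk calls `can_user?(current_user, :create_container_image, requested_project)` with three arguments, but `can_user?` as introduced in the previous hunk takes `(ability, project)`; every push attempted by a User will raise ArgumentError instead of being authorized. The line should read `can_user?(:create_container_image, requested_project)`, matching `user_can_pull?` and `user_can_admin?`. A spec covering a user push would catch this.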