From 9398d718d92a40a0a917040645a55dea51467a91 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Tue, 14 Apr 2020 00:09:57 +0000
Subject: Add latest changes from gitlab-org/gitlab@master
---
 app/controllers/groups/settings/ci_cd_controller.rb | 2 +-
 app/controllers/projects/settings/ci_cd_controller.rb | 2 +-
 app/models/deploy_token.rb | 4 ++--
 app/services/auth/container_registry_authentication_service.rb | 9 ++++++++-
 app/services/projects/update_repository_storage_service.rb | 7 +++++++
 app/views/projects/settings/ci_cd/show.html.haml | 2 +-
 app/views/shared/deploy_tokens/_form.html.haml | 5 +++++
 app/workers/project_update_repository_storage_worker.rb | 10 ----------
 8 files changed, 25 insertions(+), 16 deletions(-)
(limited to 'app')
diff --git a/app/controllers/groups/settings/ci_cd_controller.rb b/app/controllers/groups/settings/ci_cd_controller.rb
index 989013df8d4..6b842fc9fe1 100644
--- a/app/controllers/groups/settings/ci_cd_controller.rb
+++ b/app/controllers/groups/settings/ci_cd_controller.rb
@@ -114,7 +114,7 @@ module Groups
 end
 def deploy_token_params
- params.require(:deploy_token).permit(:name, :expires_at, :read_repository, :read_registry, :username)
+ params.require(:deploy_token).permit(:name, :expires_at, :read_repository, :read_registry, :write_registry, :username)
 end
 end
 end
diff --git a/app/controllers/projects/settings/ci_cd_controller.rb b/app/controllers/projects/settings/ci_cd_controller.rb
index 5feb3e019c2..a0f98d8f1d2 100644
--- a/app/controllers/projects/settings/ci_cd_controller.rb
+++ b/app/controllers/projects/settings/ci_cd_controller.rb
@@ -93,7 +93,7 @@ module Projects
 end
 def deploy_token_params
- params.require(:deploy_token).permit(:name, :expires_at, :read_repository, :read_registry, :username)
+ params.require(:deploy_token).permit(:name, :expires_at, :read_repository, :read_registry, :write_registry, :username)
 end
 def run_autodevops_pipeline(service)
diff --git a/app/models/deploy_token.rb b/app/models/deploy_token.rb
index a9844f627b7..69245710f01 100644
--- a/app/models/deploy_token.rb
+++ b/app/models/deploy_token.rb
@@ -7,7 +7,7 @@ class DeployToken < ApplicationRecord
 include Gitlab::Utils::StrongMemoize
 add_authentication_token_field :token, encrypted: :optional
- AVAILABLE_SCOPES = %i(read_repository read_registry).freeze
+ AVAILABLE_SCOPES = %i(read_repository read_registry write_registry).freeze
 GITLAB_DEPLOY_TOKEN_NAME = 'gitlab-deploy-token'
 default_value_for(:expires_at) { Forever.date }
@@ -105,7 +105,7 @@ class DeployToken < ApplicationRecord
 end
 def ensure_at_least_one_scope
- errors.add(:base, _("Scopes can't be blank")) unless read_repository || read_registry
+ errors.add(:base, _("Scopes can't be blank")) unless read_repository || read_registry || write_registry
 end
 def default_username
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index 629c1cbdc5c..4a699fe3213 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -135,7 +135,7 @@ module Auth
 when 'pull'
 build_can_pull?(requested_project) || user_can_pull?(requested_project) || deploy_token_can_pull?(requested_project)
 when 'push'
- build_can_push?(requested_project) || user_can_push?(requested_project)
+ build_can_push?(requested_project) || user_can_push?(requested_project) || deploy_token_can_push?(requested_project)
 when 'delete'
 build_can_delete?(requested_project) || user_can_admin?(requested_project)
 when '*'
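Review bot: `ensure_at_least_one_scope` spells out each scope by hand, duplicating `AVAILABLE_SCOPES` from the first hunk of this file, so every new scope has to be added in both places. Deriving the check from the constant keeps them in step: `errors.add(:base, _("Scopes can't be blank")) unless AVAILABLE_SCOPES.any? { |scope| self[scope] }`. This assumes every entry in `AVAILABLE_SCOPES` is a boolean attribute of the record, which the hunk suggests but does not show.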
@@ -185,6 +185,13 @@ module Auth
 current_user.read_registry?
 end
+ def deploy_token_can_push?(requested_project)
+ has_authentication_ability?(:create_container_image) &&
+ current_user.is_a?(DeployToken) &&
+ current_user.has_access_to?(requested_project) &&
+ current_user.write_registry?
+ end
+
 ##
 # We still support legacy pipeline triggers which do not have associated
 # actor. New permissions model and new triggers are always associated with
diff --git a/app/services/projects/update_repository_storage_service.rb b/app/services/projects/update_repository_storage_service.rb
index 0602089a3ab..2e5de9411d1 100644
--- a/app/services/projects/update_repository_storage_service.rb
+++ b/app/services/projects/update_repository_storage_service.rb
@@ -5,12 +5,15 @@ module Projects
 include Gitlab::ShellAdapter
 Error = Class.new(StandardError)
+ SameFilesystemError = Class.new(Error)
 def initialize(project)
 @project = project
 end
 def execute(new_repository_storage_key)
+ raise SameFilesystemError if same_filesystem?(project.repository.storage, new_repository_storage_key)
+
 mirror_repositories(new_repository_storage_key)
 mark_old_paths_for_archive
@@ -33,6 +36,10 @@ module Projects
 private
+ def same_filesystem?(old_storage, new_storage)
+ Gitlab::GitalyClient.filesystem_id(old_storage) == Gitlab::GitalyClient.filesystem_id(new_storage)
+ end
+
 def mirror_repositories(new_repository_storage_key)
 mirror_repository(new_repository_storage_key)
diff --git a/app/views/projects/settings/ci_cd/show.html.haml b/app/views/projects/settings/ci_cd/show.html.haml
index ab2f64cdc21..c0f60b5f3b1 100644
--- a/app/views/projects/settings/ci_cd/show.html.haml
+++ b/app/views/projects/settings/ci_cd/show.html.haml
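Review bot: `deploy_token_can_push?` has no comment saying how far `write_registry` is meant to reach, and that limit is the security-relevant part of the change: only the `when 'push'` branch in the earlier hunk of this file consults it, and the `'delete'` branch is left to builds and `user_can_admin?`. A one-line comment above the method would record that, e.g. `# write_registry covers 'push' only; it must not be consulted for 'delete'.` The method also relies on the deploy-token login path granting `:create_container_image` only to tokens that carry `write_registry`, and on `has_access_to?` limiting the token to its own project or group. Neither is visible in this diff, so a spec with a `read_registry`-only token attempting a push is worth having.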
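Review bot: `SameFilesystemError` is now a subclass of the service's own `Error` and is raised from inside `execute`, where the worker used to raise a plain `StandardError` subclass before calling the service. `execute` continues past the hunk; if it rescues `Error` there, the job stops failing on a same-filesystem move and the condition is only visible wherever that rescue reports it, which should be a deliberate choice. Either way a message makes the report readable: `raise SameFilesystemError, "#{project.repository.storage} and #{new_repository_storage_key} share a filesystem"`.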
@@ -4,7 +4,7 @@
 - expanded = expanded_by_default?
 - general_expanded = @project.errors.empty? ? expanded : true
-- deploy_token_description = s_('DeployTokens|Deploy tokens allow read-only access to your repository and registry images.')
+- deploy_token_description = s_('DeployTokens|Deploy tokens allow access to your repository and registry images.')
 %section.settings#js-general-pipeline-settings.no-animate{ class: ('expanded' if general_expanded) }
 .settings-header
diff --git a/app/views/shared/deploy_tokens/_form.html.haml b/app/views/shared/deploy_tokens/_form.html.haml
index c4e82d8e157..5751ed9cb7a 100644
--- a/app/views/shared/deploy_tokens/_form.html.haml
+++ b/app/views/shared/deploy_tokens/_form.html.haml
@@ -30,5 +30,10 @@
 = label_tag ("deploy_token_read_registry"), 'read_registry', class: 'label-bold form-check-label'
 .text-secondary= s_('DeployTokens|Allows read-only access to the registry images')
+ %fieldset.form-group.form-check
+ = f.check_box :write_registry, class: 'form-check-input'
+ = label_tag ("deploy_token_write_registry"), 'write_registry', class: 'label-bold form-check-label'
+ .text-secondary= s_('DeployTokens|Allows write access to the registry images')
+
 .prepend-top-default
 = f.submit s_('DeployTokens|Create deploy token'), class: 'btn btn-success qa-create-deploy-token'
diff --git a/app/workers/project_update_repository_storage_worker.rb b/app/workers/project_update_repository_storage_worker.rb
index bb40107494b..ecee33e6421 100644
--- a/app/workers/project_update_repository_storage_worker.rb
+++ b/app/workers/project_update_repository_storage_worker.rb
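Review bot: The help text `Allows write access to the registry images` in the `_form.html.haml` hunk is broader than what the scope grants in this commit, where the registry authentication service extends only the `push` action to deploy tokens and leaves `delete` unchanged. Users pick scopes from this form, so the wording should match the permission, for example `s_('DeployTokens|Allows pushing images to the registry')`. The `label_tag ("deploy_token_write_registry")` line also copies the space before the parenthesis from the `read_registry` label above it; `label_tag "deploy_token_write_registry", 'write_registry', class: 'label-bold form-check-label'` avoids that ambiguous-argument form.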
@@ -3,21 +3,11 @@
 class ProjectUpdateRepositoryStorageWorker # rubocop:disable Scalability/IdempotentWorker
 include ApplicationWorker
- SameFilesystemError = Class.new(StandardError)
-
 feature_category :gitaly
 def perform(project_id, new_repository_storage_key)
 project = Project.find(project_id)
- raise SameFilesystemError if same_filesystem?(project.repository.storage, new_repository_storage_key)
-
 ::Projects::UpdateRepositoryStorageService.new(project).execute(new_repository_storage_key)
 end
-
- private
-
- def same_filesystem?(old_storage, new_storage)
- Gitlab::GitalyClient.filesystem_id(old_storage) == Gitlab::GitalyClient.filesystem_id(new_storage)
- end
 end
--
cgit v1.2.3