# frozen_string_literal: true

# This model represents the scope of access for a CI_JOB_TOKEN.
#
# A scope is initialized with a project.
#
# Projects can be added to the scope by adding ScopeLinks to
# create an allowlist of projects in either access direction (inbound, outbound).
#
# Currently, projects in the outbound allowlist can be accessed via the token
# in the source project.
#
# TODO(Issue #346298): allow projects in the inbound allowlist to use their own
# token to access the source project. Not implemented yet: allows? only checks
# the outbound direction.
#
# When the outbound scope setting is disabled, allows? accepts any project
# (the allowlist is never consulted), so in that configuration CI_JOB_TOKEN
# should be treated as an unrestricted credential and considered untrusted.
#

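module Ci
  module JobToken
    # Scope of projects that a CI_JOB_TOKEN issued for +current_project+
    # may reach.
    #
    # The scope is the source project itself plus, when the project's
    # outbound job token scope setting is enabled, the projects in its
    # outbound allowlist (see Ci::JobToken::Allowlist).
    class Scope
      # The project the job token belongs to.
      attr_reader :current_project

      # @param current_project [Project] the project whose token is being scoped
      def initialize(current_project)
        @current_project = current_project
      end

      # Whether the token for +current_project+ may access +accessed_project+.
      #
      # A project always allows itself. Any other project is allowed only if
      # +outbound_allows?+ accepts it. A nil +accessed_project+ is never
      # allowed (fail-closed) instead of raising NoMethodError on +nil.id+.
      #
      # @param accessed_project [Project, nil]
      # @return [Boolean]
      def allows?(accessed_project)
        return false if accessed_project.nil?

        self_referential?(accessed_project) || outbound_allows?(accessed_project)
      end

      # Projects in this project's outbound allowlist.
      #
      # @return whatever +projects+ the outbound Ci::JobToken::Allowlist exposes
      def outbound_projects
        outbound_allowlist.projects
      end

      # Deprecated: use outbound_projects.
      # TODO(Issue #346298) remove references to all_projects
      def all_projects
        outbound_projects
      end

      private

      # SECURITY: this check is fail-open by design. When the project's
      # ci_outbound_job_token_scope_enabled? setting is false, *every*
      # project is considered in scope and the allowlist is never consulted.
      # Only with the setting enabled does outbound allowlist membership
      # restrict which projects the token may access.
      #
      # @param accessed_project [Project]
      # @return [Boolean]
      def outbound_allows?(accessed_project)
        return true unless @current_project.ci_outbound_job_token_scope_enabled?

        outbound_allowlist.includes?(accessed_project)
      end

      # Builds a new outbound Allowlist for +current_project+ on every call;
      # nothing is memoized here.
      def outbound_allowlist
        Ci::JobToken::Allowlist.new(@current_project, direction: :outbound)
      end

      # True when +accessed_project+ is the token's own project, compared by id.
      def self_referential?(accessed_project)
        @current_project.id == accessed_project.id
      end
    end
  end
end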