gitlab-foss

Commit 557577fb
Authored Feb 28, 2020 by GitLab Bot

Add latest changes from gitlab-org/security/gitlab@12-8-stable-ee

Parent: e316c474
Changes: 7 files changed, 93 additions and 3 deletions (+93 -3)

app/models/members/group_member.rb (+1 -0)
app/services/auth/container_registry_authentication_service.rb (+18 -0)
changelogs/unreleased/enfoce-group-member-2fa.yml (+5 -0)
changelogs/unreleased/security-deploy-token-registry-access.yml (+6 -0)
spec/models/members/group_member_spec.rb (+18 -3)
spec/services/auth/container_registry_authentication_service_spec.rb (+44 -0)
spec/support/shared_contexts/policies/group_policy_shared_context.rb (+1 -0)
app/models/members/group_member.rb
...
@@ -66,6 +66,7 @@ class GroupMember < Member
...
@@ -66,6 +66,7 @@ class GroupMember < Member
def
after_accept_invite
def
after_accept_invite
notification_service
.
accept_group_invite
(
self
)
notification_service
.
accept_group_invite
(
self
)
update_two_factor_requirement
super
super
end
end
...
...
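Review bot: the new `update_two_factor_requirement` call in `after_accept_invite` carries no comment explaining why it is needed on top of the create/delete callbacks the spec already covers ('is called after creation and deletion'); add a one-line comment stating that an invited member has no `user` when the row is created, so the group's 2FA requirement can only be propagated to the user once the invite is accepted and `user` is assigned. Since this introduces a second call site, also confirm that `update_two_factor_requirement` (not shown in this hunk) returns early when `user` is nil rather than raising.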
app/services/auth/container_registry_authentication_service.rb
...
@@ -3,12 +3,24 @@
...
@@ -3,12 +3,24 @@
module
Auth
module
Auth
class
ContainerRegistryAuthenticationService
<
BaseService
class
ContainerRegistryAuthenticationService
<
BaseService
AUDIENCE
=
'container_registry'
AUDIENCE
=
'container_registry'
REGISTRY_LOGIN_ABILITIES
=
[
:read_container_image
,
:create_container_image
,
:destroy_container_image
,
:update_container_image
,
:admin_container_image
,
:build_read_container_image
,
:build_create_container_image
,
:build_destroy_container_image
].
freeze
def
execute
(
authentication_abilities
:)
def
execute
(
authentication_abilities
:)
@authentication_abilities
=
authentication_abilities
@authentication_abilities
=
authentication_abilities
return
error
(
'UNAVAILABLE'
,
status:
404
,
message:
'registry not enabled'
)
unless
registry
.
enabled
return
error
(
'UNAVAILABLE'
,
status:
404
,
message:
'registry not enabled'
)
unless
registry
.
enabled
return
error
(
'DENIED'
,
status:
403
,
message:
'access forbidden'
)
unless
has_registry_ability?
unless
scopes
.
any?
||
current_user
||
project
unless
scopes
.
any?
||
current_user
||
project
return
error
(
'DENIED'
,
status:
403
,
message:
'access forbidden'
)
return
error
(
'DENIED'
,
status:
403
,
message:
'access forbidden'
)
end
end
...
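Review bot: the new `return error('DENIED', status: 403, message: 'access forbidden') unless has_registry_ability?` uses exactly the same code, status and message as the existing `unless scopes.any? || current_user || project` denial, so a request refused for carrying no registry-related ability is indistinguishable in logs and client output from one refused for having no principal at all; a distinct message (for example 'no registry access') would make the new case diagnosable. Note also that the check is unconditional and runs before the scopes check, so it now applies to scoped pull/push requests as well as the bare login request the changelog title describes; if that wider effect is intended, say so in a comment, otherwise guard it with `unless scopes.any?`.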
@@ -197,5 +209,11 @@ module Auth
...
@@ -197,5 +209,11 @@ module Auth
def
has_authentication_ability?
(
capability
)
def
has_authentication_ability?
(
capability
)
@authentication_abilities
.
to_a
.
include?
(
capability
)
@authentication_abilities
.
to_a
.
include?
(
capability
)
end
end
def
has_registry_ability?
@authentication_abilities
.
any?
do
|
ability
|
REGISTRY_LOGIN_ABILITIES
.
include?
(
ability
)
end
end
end
end
end
end
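Review bot: `has_registry_ability?` calls `@authentication_abilities.any?` directly, whereas the adjacent `has_authentication_ability?` guards with `@authentication_abilities.to_a.include?(capability)`; if `execute` is ever invoked with `authentication_abilities: nil`, the new predicate raises `NoMethodError` instead of denying. Use the same guard, for example `(REGISTRY_LOGIN_ABILITIES & @authentication_abilities.to_a).any?`, so the fail-closed behaviour holds for nil input too.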
changelogs/unreleased/enfoce-group-member-2fa.yml
0 → 100644
---
title
:
Update user 2fa when accepting a group invite
merge_request
:
author
:
type
:
security
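Review bot: the changelog filename is misspelled (`enfoce-group-member-2fa.yml`, presumably `enforce-group-member-2fa.yml`); the filename is not user-visible, but since the file is new in this commit it is cheap to rename now. The empty `merge_request` and `author` fields are consistent with how the other security entry in this commit is written.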
changelogs/unreleased/security-deploy-token-registry-access.yml
0 → 100644
---
title
:
Update container registry authentication to account for login request when
checking permissions
merge_request
:
author
:
type
:
security
spec/models/members/group_member_spec.rb
...
@@ -65,10 +65,10 @@ describe GroupMember do
...
@@ -65,10 +65,10 @@ describe GroupMember do
end
end
describe
'#update_two_factor_requirement'
do
describe
'#update_two_factor_requirement'
do
let
(
:user
)
{
build
:user
}
let
(
:group_member
)
{
build
:group_member
,
user:
user
}
it
'is called after creation and deletion'
do
it
'is called after creation and deletion'
do
user
=
build
:user
group_member
=
build
:group_member
,
user:
user
expect
(
user
).
to
receive
(
:update_two_factor_requirement
)
expect
(
user
).
to
receive
(
:update_two_factor_requirement
)
group_member
.
save
group_member
.
save
...
@@ -79,6 +79,21 @@ describe GroupMember do
...
@@ -79,6 +79,21 @@ describe GroupMember do
end
end
end
end
describe
'#after_accept_invite'
do
it
'calls #update_two_factor_requirement'
do
email
=
'foo@email.com'
user
=
build
(
:user
,
email:
email
)
group
=
create
(
:group
,
require_two_factor_authentication:
true
)
group_member
=
create
(
:group_member
,
group:
group
,
invite_token:
'1234'
,
invite_email:
email
)
expect
(
user
).
to
receive
(
:require_two_factor_authentication_from_group
).
and_call_original
group_member
.
accept_invite!
(
user
)
expect
(
user
.
require_two_factor_authentication_from_group
).
to
be_truthy
end
end
context
'access levels'
do
context
'access levels'
do
context
'with parent group'
do
context
'with parent group'
do
it_behaves_like
'inherited access level as a member of entity'
do
it_behaves_like
'inherited access level as a member of entity'
do
...
...
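Review bot: the example is titled 'calls #update_two_factor_requirement' but the message expectation is on `require_two_factor_authentication_from_group`, so the title does not describe what is asserted; either rename the example to reflect the end state being checked or add `expect(user).to receive(:update_two_factor_requirement).and_call_original` alongside the existing expectation. Keeping the final `expect(user.require_two_factor_authentication_from_group).to be_truthy` is the valuable part, since it proves the requirement actually lands on the user after `accept_invite!`.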
spec/services/auth/container_registry_authentication_service_spec.rb
...
@@ -769,6 +769,15 @@ describe Auth::ContainerRegistryAuthenticationService do
...
@@ -769,6 +769,15 @@ describe Auth::ContainerRegistryAuthenticationService do
context
'when deploy token has read_registry as a scope'
do
context
'when deploy token has read_registry as a scope'
do
let
(
:current_user
)
{
create
(
:deploy_token
,
projects:
[
project
])
}
let
(
:current_user
)
{
create
(
:deploy_token
,
projects:
[
project
])
}
shared_examples
'able to login'
do
context
'registry provides read_container_image authentication_abilities'
do
let
(
:current_params
)
{
{}
}
let
(
:authentication_abilities
)
{
[
:read_container_image
]
}
it_behaves_like
'an authenticated'
end
end
context
'for public project'
do
context
'for public project'
do
let
(
:project
)
{
create
(
:project
,
:public
)
}
let
(
:project
)
{
create
(
:project
,
:public
)
}
...
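Review bot: the 'able to login' shared examples exercise only `[:read_container_image]`, while `REGISTRY_LOGIN_ABILITIES` in the service lists eight abilities; a later change that drops one of them (for example a `build_*` ability used by CI job tokens) would not be caught here. Iterate over `described_class::REGISTRY_LOGIN_ABILITIES` in the shared example so each ability is checked to permit login on its own.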
@@ -783,6 +792,8 @@ describe Auth::ContainerRegistryAuthenticationService do
...
@@ -783,6 +792,8 @@ describe Auth::ContainerRegistryAuthenticationService do
it_behaves_like
'an inaccessible'
it_behaves_like
'an inaccessible'
end
end
it_behaves_like
'able to login'
end
end
context
'for internal project'
do
context
'for internal project'
do
...
@@ -799,6 +810,8 @@ describe Auth::ContainerRegistryAuthenticationService do
...
@@ -799,6 +810,8 @@ describe Auth::ContainerRegistryAuthenticationService do
it_behaves_like
'an inaccessible'
it_behaves_like
'an inaccessible'
end
end
it_behaves_like
'able to login'
end
end
context
'for private project'
do
context
'for private project'
do
...
@@ -815,18 +828,38 @@ describe Auth::ContainerRegistryAuthenticationService do
...
@@ -815,18 +828,38 @@ describe Auth::ContainerRegistryAuthenticationService do
it_behaves_like
'an inaccessible'
it_behaves_like
'an inaccessible'
end
end
it_behaves_like
'able to login'
end
end
end
end
context
'when deploy token does not have read_registry scope'
do
context
'when deploy token does not have read_registry scope'
do
let
(
:current_user
)
{
create
(
:deploy_token
,
projects:
[
project
],
read_registry:
false
)
}
let
(
:current_user
)
{
create
(
:deploy_token
,
projects:
[
project
],
read_registry:
false
)
}
shared_examples
'unable to login'
do
context
'registry provides no container authentication_abilities'
do
let
(
:current_params
)
{
{}
}
let
(
:authentication_abilities
)
{
[]
}
it_behaves_like
'a forbidden'
end
context
'registry provides inapplicable container authentication_abilities'
do
let
(
:current_params
)
{
{}
}
let
(
:authentication_abilities
)
{
[
:download_code
]
}
it_behaves_like
'a forbidden'
end
end
context
'for public project'
do
context
'for public project'
do
let
(
:project
)
{
create
(
:project
,
:public
)
}
let
(
:project
)
{
create
(
:project
,
:public
)
}
context
'when pulling'
do
context
'when pulling'
do
it_behaves_like
'a pullable'
it_behaves_like
'a pullable'
end
end
it_behaves_like
'unable to login'
end
end
context
'for internal project'
do
context
'for internal project'
do
...
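Review bot: the 'unable to login' shared examples pass `[]` and `[:download_code]` as `authentication_abilities`, and with those inputs the service denies login no matter what the deploy token's scopes are, because `has_registry_ability?` looks only at the abilities it is given. The reduction of `read_registry: false` to an ability list without `:read_container_image` happens outside this service, so the `create(:deploy_token, ..., read_registry: false)` in these contexts is not what drives the outcome; either state that in the context description or add a spec at the layer that derives abilities from the token's scopes.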
@@ -835,6 +868,8 @@ describe Auth::ContainerRegistryAuthenticationService do
...
@@ -835,6 +868,8 @@ describe Auth::ContainerRegistryAuthenticationService do
context
'when pulling'
do
context
'when pulling'
do
it_behaves_like
'an inaccessible'
it_behaves_like
'an inaccessible'
end
end
it_behaves_like
'unable to login'
end
end
context
'for private project'
do
context
'for private project'
do
...
@@ -843,6 +878,15 @@ describe Auth::ContainerRegistryAuthenticationService do
...
@@ -843,6 +878,15 @@ describe Auth::ContainerRegistryAuthenticationService do
context
'when pulling'
do
context
'when pulling'
do
it_behaves_like
'an inaccessible'
it_behaves_like
'an inaccessible'
end
end
context
'when logging in'
do
let
(
:current_params
)
{
{}
}
let
(
:authentication_abilities
)
{
[]
}
it_behaves_like
'a forbidden'
end
it_behaves_like
'unable to login'
end
end
end
end
...
...
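Review bot: the explicit 'when logging in' context added here (empty `current_params`, `authentication_abilities` of `[]`, 'a forbidden') duplicates the first case inside the 'unable to login' shared examples ('registry provides no container authentication_abilities'), which is included on the very next line; keep one of the two so the private-project case does not run the same assertion twice.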
spec/support/shared_contexts/policies/group_policy_shared_context.rb
...
@@ -7,6 +7,7 @@ RSpec.shared_context 'GroupPolicy context' do
...
@@ -7,6 +7,7 @@ RSpec.shared_context 'GroupPolicy context' do
let_it_be
(
:maintainer
)
{
create
(
:user
)
}
let_it_be
(
:maintainer
)
{
create
(
:user
)
}
let_it_be
(
:owner
)
{
create
(
:user
)
}
let_it_be
(
:owner
)
{
create
(
:user
)
}
let_it_be
(
:admin
)
{
create
(
:admin
)
}
let_it_be
(
:admin
)
{
create
(
:admin
)
}
let_it_be
(
:non_group_member
)
{
create
(
:user
)
}
let_it_be
(
:group
,
refind:
true
)
{
create
(
:group
,
:private
,
:owner_subgroup_creation_only
)
}
let_it_be
(
:group
,
refind:
true
)
{
create
(
:group
,
:private
,
:owner_subgroup_creation_only
)
}
let
(
:guest_permissions
)
do
let
(
:guest_permissions
)
do
...
...
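Review bot: `let_it_be(:non_group_member) { create(:user) }` is added to the shared context, but none of the other six files in this commit references `non_group_member`; given that the commit is a backport from gitlab-org/security/gitlab@12-8-stable-ee, the consuming spec is presumably EE-only. Either add a comment saying so, or drop the definition here if nothing in this repository uses it, to avoid an unused fixture being created for every spec that includes the context.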