Commit cfe87b93 authored by Shinya Maeda's avatar Shinya Maeda :two:

Prevent Deploy Tokens from accessing resources

This commit denies Deploy Token access to project resources when the project's repository feature is disabled.
parent a9c50d9c
......@@ -132,6 +132,7 @@ def ensure_container_repository!(path, actions)
def can_access?(requested_project, requested_action)
return false unless requested_project.container_registry_enabled?
return false if requested_project.repository_access_level == ::ProjectFeature::DISABLED
case requested_action
when 'pull'
......
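Review bot: The guard added at `return false if requested_project.repository_access_level == ::ProjectFeature::DISABLED` is not scoped to deploy tokens: `can_access?` receives only the project and the requested action, so every caller of the registry authentication service, users included, is denied on a project whose repository feature is disabled, which the commit title ("Prevent Deploy Tokens ...") does not convey. It is also the line that actually enforces the restriction for registry JWT auth, because the companion check in `deploy_token_check` uses `project&.` and is skipped when `project` is nil, as the comment there says it is for registry access. Both facts deserve a comment so the line is not later narrowed or removed, e.g. `# A disabled repository hides the registry from every requester (not only deploy tokens); the registry JWT path has no project in deploy_token_check, so this is the only place it is enforced there.` The body of `can_access?` continues past the end of the hunk.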
---
title: Prevent Deploy Tokens to read project resources when repository is disabled
merge_request:
author:
type: security
......@@ -234,6 +234,8 @@ def deploy_token_check(login, password, project)
# Registry access (with jwt) does not have access to project
return if project && !token.has_access_to?(project)
# When repository is disabled, no resources are accessible via Deploy Token
return if project&.repository_access_level == ::ProjectFeature::DISABLED
scopes = abilities_for_scopes(token.scopes)
......
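Review bot: `return if project&.repository_access_level == ::ProjectFeature::DISABLED` is a no-op whenever `project` is nil, and the comment two lines above states that registry access with a JWT arrives without a project, so for that path this method still hands back the deploy token's abilities and the repository-disabled restriction rests entirely on the separate check in `ContainerRegistryAuthenticationService#can_access?`. The comment should say so, otherwise a reader takes "no resources are accessible via Deploy Token" at face value: `# When repository is disabled, no resources are accessible via Deploy Token. project is nil for registry JWT auth; that path is guarded in ContainerRegistryAuthenticationService#can_access? instead.` Note also that the token is resolved and `has_access_to?` evaluated before this feature check; moving the feature check up would cost nothing, though the outcome is the same. `deploy_token_check` begins at the hunk header and continues past the end of the hunk.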
......@@ -441,7 +441,7 @@ def operation
end
end
shared_examples 'deploy token with disabled registry' do
shared_examples 'deploy token with disabled feature' do
context 'when registry disabled' do
before do
stub_container_registry_config(enabled: false)
......@@ -452,6 +452,15 @@ def operation
.to eq(auth_failure)
end
end
context 'when repository is disabled' do
let(:project) { create(:project, :repository_disabled) }
it 'fails when login and token are valid' do
expect(gl_auth.find_for_git_client(login, deploy_token.token, project: project, ip: 'ip'))
.to eq(auth_failure)
end
end
end
context 'when deploy token and user have the same username' do
......@@ -604,7 +613,7 @@ def operation
it_behaves_like 'registry token scope'
end
it_behaves_like 'deploy token with disabled registry'
it_behaves_like 'deploy token with disabled feature'
end
context 'when the deploy token has write_registry as a scope' do
......@@ -626,7 +635,7 @@ def operation
it_behaves_like 'registry token scope'
end
it_behaves_like 'deploy token with disabled registry'
it_behaves_like 'deploy token with disabled feature'
end
end
end
......
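Review bot: The new `context 'when repository is disabled'` lives in the shared example that is only included from the `read_registry` and `write_registry` scope contexts (the two `it_behaves_like 'deploy token with disabled feature'` lines), so a `read_repository`-scoped deploy token, the case a disabled repository affects most directly, is never exercised against the new check; if a read_repository scope context exists elsewhere in this spec, add `it_behaves_like 'deploy token with disabled feature'` there too. Separately, the override `let(:project) { create(:project, :repository_disabled) }` only tests the intended line if `deploy_token`, defined outside the hunk, is built lazily from `project`; if it belongs to a different project the example passes for the wrong reason via `has_access_to?`. A one-line precondition in the example makes that explicit: `expect(deploy_token.has_access_to?(project)).to be(true)`.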
......@@ -654,6 +654,19 @@
it_behaves_like 'not a container repository factory'
end
end
context 'for project that disables repository' do
let(:project) { create(:project, :public, :repository_disabled) }
context 'disallow when pulling' do
let(:current_params) do
{ scopes: ["repository:#{project.full_path}:pull"] }
end
it_behaves_like 'an inaccessible'
it_behaves_like 'not a container repository factory'
end
end
end
context 'registry catalog browsing authorized as admin' do
......
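Review bot: Only the pull scope is exercised for the repository-disabled project; the guard in `can_access?` sits before `case requested_action`, so push is denied as well, but nothing here pins that, and moving the guard into the `'pull'` branch later would pass this spec unchanged. A mirrored push context (below) closes that gap, using the same shared examples. The requester identity (`current_user`) is defined outside the hunk, so which principal this covers cannot be told from here.
```ruby
context 'for project that disables repository' do
  let(:project) { create(:project, :public, :repository_disabled) }

  # … unchanged: 'disallow when pulling' context …

  context 'disallow when pushing' do
    let(:current_params) do
      { scopes: ["repository:#{project.full_path}:push"] }
    end

    it_behaves_like 'an inaccessible'
    it_behaves_like 'not a container repository factory'
  end
end
```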