2020-07-28 23:09:34 +05:30
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
|
|
module API
|
|
|
|
module Helpers
|
|
|
|
module Packages
|
|
|
|
module BasicAuthHelpers
|
2020-10-24 23:57:45 +05:30
|
|
|
extend ::Gitlab::Utils::Override
|
|
|
|
|
2020-07-28 23:09:34 +05:30
|
|
|
module Constants
|
2021-02-22 17:27:13 +05:30
|
|
|
AUTHENTICATE_REALM_HEADER = 'WWW-Authenticate'
|
|
|
|
AUTHENTICATE_REALM_NAME = 'Basic realm="GitLab Packages Registry"'
|
2020-07-28 23:09:34 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
include Constants
|
2021-03-08 18:12:59 +05:30
|
|
|
include Gitlab::Utils::StrongMemoize
|
2020-07-28 23:09:34 +05:30
|
|
|
|
2022-11-25 23:54:43 +05:30
|
|
|
def authorized_user_project(action: :read_project)
|
|
|
|
strong_memoize("authorized_user_project_#{action}") do
|
|
|
|
authorized_project_find!(action: action)
|
|
|
|
end
|
2020-07-28 23:09:34 +05:30
|
|
|
end
|
|
|
|
|
2022-11-25 23:54:43 +05:30
|
|
|
def authorized_project_find!(action: :read_project)
|
2022-09-01 20:07:04 +05:30
|
|
|
project = find_project(params[:id])
|
2020-07-28 23:09:34 +05:30
|
|
|
|
2022-11-25 23:54:43 +05:30
|
|
|
return unauthorized_or! { not_found! } unless project
|
|
|
|
|
|
|
|
case action
|
|
|
|
when :read_package
|
|
|
|
unless can?(current_user, :read_package, project&.packages_policy_subject)
|
|
|
|
# guest users can have :read_project but not :read_package
|
|
|
|
return forbidden! if can?(current_user, :read_project, project)
|
|
|
|
|
|
|
|
return unauthorized_or! { not_found! }
|
|
|
|
end
|
|
|
|
else
|
|
|
|
return unauthorized_or! { not_found! } unless can?(current_user, action, project)
|
2020-07-28 23:09:34 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
project
|
|
|
|
end
|
|
|
|
|
2021-03-08 18:12:59 +05:30
|
|
|
def find_authorized_group!
|
|
|
|
strong_memoize(:authorized_group) do
|
|
|
|
group = find_group(params[:id])
|
|
|
|
|
|
|
|
unless group && can?(current_user, :read_group, group)
|
|
|
|
next unauthorized_or! { not_found! }
|
|
|
|
end
|
|
|
|
|
|
|
|
group
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2020-07-28 23:09:34 +05:30
|
|
|
def authorize!(action, subject = :global, reason = nil)
|
|
|
|
return if can?(current_user, action, subject)
|
|
|
|
|
|
|
|
unauthorized_or! { forbidden!(reason) }
|
|
|
|
end
|
|
|
|
|
|
|
|
def unauthorized_or!
|
2020-10-24 23:57:45 +05:30
|
|
|
current_user ? yield : unauthorized!
|
2020-07-28 23:09:34 +05:30
|
|
|
end
|
|
|
|
|
2020-10-24 23:57:45 +05:30
|
|
|
override :unauthorized!
|
|
|
|
def unauthorized!
|
2020-07-28 23:09:34 +05:30
|
|
|
header(AUTHENTICATE_REALM_HEADER, AUTHENTICATE_REALM_NAME)
|
2020-10-24 23:57:45 +05:30
|
|
|
super
|
2020-07-28 23:09:34 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|