debian-mirror-gitlab/app/models/deploy_token.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

167 lines
3.9 KiB
Ruby
Raw Normal View History

2018-11-18 11:00:15 +05:30
# frozen_string_literal: true
2019-07-07 11:18:12 +05:30
class DeployToken < ApplicationRecord
2018-05-09 12:01:36 +05:30
include Expirable
include TokenAuthenticatable
2018-11-18 11:00:15 +05:30
include PolicyActor
2018-12-13 13:39:08 +05:30
include Gitlab::Utils::StrongMemoize
2022-07-16 23:28:13 +05:30
add_authentication_token_field :token, encrypted: :required
2018-05-09 12:01:36 +05:30
2020-05-24 23:13:21 +05:30
AVAILABLE_SCOPES = %i(read_repository read_registry write_registry
read_package_registry write_package_registry).freeze
2019-12-04 20:38:33 +05:30
GITLAB_DEPLOY_TOKEN_NAME = 'gitlab-deploy-token'
2021-10-27 15:23:28 +05:30
REQUIRED_DEPENDENCY_PROXY_SCOPES = %i[read_registry write_registry].freeze
2018-05-09 12:01:36 +05:30
2023-01-13 00:05:48 +05:30
attribute :expires_at, default: -> { Forever.date }
2018-05-09 12:01:36 +05:30
2022-06-21 17:19:12 +05:30
# Do NOT use this `user` for the authentication/authorization of the deploy tokens.
# It's for the auditing purpose on Credential Inventory, only.
# See https://gitlab.com/gitlab-org/gitlab/-/issues/353467#note_859774246 for more information.
belongs_to :user, foreign_key: :creator_id, optional: true
2018-05-09 12:01:36 +05:30
has_many :project_deploy_tokens, inverse_of: :deploy_token
has_many :projects, through: :project_deploy_tokens
2020-03-13 15:44:24 +05:30
has_many :group_deploy_tokens, inverse_of: :deploy_token
has_many :groups, through: :group_deploy_tokens
validate :no_groups, unless: :group_type?
validate :no_projects, unless: :project_type?
2018-05-09 12:01:36 +05:30
validate :ensure_at_least_one_scope
2019-09-30 21:07:59 +05:30
validates :username,
length: { maximum: 255 },
allow_nil: true,
format: {
with: /\A[a-zA-Z0-9\.\+_-]+\z/,
message: "can contain only letters, digits, '_', '-', '+', and '.'"
}
2020-03-13 15:44:24 +05:30
validates :deploy_token_type, presence: true
enum deploy_token_type: {
group_type: 1,
project_type: 2
}
2018-05-09 12:01:36 +05:30
before_save :ensure_token
accepts_nested_attributes_for :project_deploy_tokens
scope :active, -> { where("revoked = false AND expires_at >= NOW()") }
2018-10-15 14:42:47 +05:30
def self.gitlab_deploy_token
active.find_by(name: GITLAB_DEPLOY_TOKEN_NAME)
end
2021-10-27 15:23:28 +05:30
def valid_for_dependency_proxy?
group_type? &&
active? &&
REQUIRED_DEPENDENCY_PROXY_SCOPES.all? { |scope| scope.in?(scopes) }
end
2018-05-09 12:01:36 +05:30
def revoke!
update!(revoked: true)
end
def active?
2018-11-18 11:00:15 +05:30
!revoked && !expired?
2018-05-09 12:01:36 +05:30
end
2021-01-29 00:20:46 +05:30
def deactivated?
!active?
end
2018-05-09 12:01:36 +05:30
def scopes
AVAILABLE_SCOPES.select { |token_scope| read_attribute(token_scope) }
end
def username
2019-09-30 21:07:59 +05:30
super || default_username
2018-05-09 12:01:36 +05:30
end
def has_access_to?(requested_project)
2020-03-13 15:44:24 +05:30
return false unless active?
return false unless holder
holder.has_access_to?(requested_project)
2018-05-09 12:01:36 +05:30
end
2021-10-27 15:23:28 +05:30
def has_access_to_group?(requested_group)
return false unless active?
return false unless group_type?
return false unless holder
holder.has_access_to_group?(requested_group)
end
2018-05-09 12:01:36 +05:30
# This is temporal. Currently we limit DeployToken
2020-03-13 15:44:24 +05:30
# to a single project or group, later we're going to
# extend that to be for multiple projects and namespaces.
2018-05-09 12:01:36 +05:30
def project
2018-12-13 13:39:08 +05:30
strong_memoize(:project) do
projects.first
end
2018-05-09 12:01:36 +05:30
end
2021-01-03 14:25:43 +05:30
def group
strong_memoize(:group) do
groups.first
end
end
def accessible_projects
if project_type?
projects
elsif group_type?
group.all_projects
end
end
2020-03-13 15:44:24 +05:30
def holder
strong_memoize(:holder) do
if project_type?
project_deploy_tokens.first
elsif group_type?
group_deploy_tokens.first
end
end
end
2022-07-16 23:28:13 +05:30
def impersonated?
false
end
2018-05-09 12:01:36 +05:30
def expires_at
expires_at = read_attribute(:expires_at)
expires_at != Forever.date ? expires_at : nil
end
def expires_at=(value)
write_attribute(:expires_at, value.presence || Forever.date)
end
private
2018-11-18 11:00:15 +05:30
def expired?
return false unless expires_at
expires_at < Date.today
end
2018-05-09 12:01:36 +05:30
def ensure_at_least_one_scope
2020-05-24 23:13:21 +05:30
errors.add(:base, _("Scopes can't be blank")) unless scopes.any?
2018-05-09 12:01:36 +05:30
end
2019-09-30 21:07:59 +05:30
def default_username
"gitlab+deploy-token-#{id}" if persisted?
end
2020-03-13 15:44:24 +05:30
def no_groups
errors.add(:deploy_token, 'cannot have groups assigned') if group_deploy_tokens.any?
end
def no_projects
errors.add(:deploy_token, 'cannot have projects assigned') if project_deploy_tokens.any?
end
2018-05-09 12:01:36 +05:30
end