debian-mirror-gitlab/app/models/ci/job_token/scope.rb

# frozen_string_literal: true

# This model represents the scope of access for a CI_JOB_TOKEN.
#
# A scope is initialized with a current project.
#
# Projects can be added to the scope by adding ScopeLinks to
# create an allowlist of projects in either access direction (inbound, outbound).
#
# Projects in the outbound allowlist can be accessed via the current project's job token.
#
# Projects in the inbound allowlist can use their project's job token to
# access the current project.
#
# CI_JOB_TOKEN should be considered untrusted without a scope enabled.
#

module Ci
  module JobToken
    class Scope
      attr_reader :current_project

      def initialize(current_project)
        @current_project = current_project
      end

      def accessible?(accessed_project)
        self_referential?(accessed_project) || (
          outbound_accessible?(accessed_project) &&
          inbound_accessible?(accessed_project)
        )
      end

      def outbound_projects
        outbound_allowlist.projects
      end

      def inbound_projects
        inbound_allowlist.projects
      end

      def add!(added_project, user:, direction:)
        case direction
        when :inbound
          inbound_allowlist.add!(added_project, user: user)
        when :outbound
          outbound_allowlist.add!(added_project, user: user)
        end
      end

      private

      def outbound_accessible?(accessed_project)
        # if the setting is disabled any project is considered to be in scope.
        return true unless current_project.ci_outbound_job_token_scope_enabled?

        outbound_allowlist.includes?(accessed_project)
      end

      def inbound_accessible?(accessed_project)
        # if the setting is disabled any project is considered to be in scope.
        return true unless accessed_project.ci_inbound_job_token_scope_enabled?

        inbound_linked_as_accessible?(accessed_project)
      end

      # We don't check the inbound allowlist here. That is because
      # the access check starts from the current project but the inbound
      # allowlist contains projects that can access the current project.
      def inbound_linked_as_accessible?(accessed_project)
        inbound_accessible_projects(accessed_project).includes?(current_project)
      end

      def inbound_accessible_projects(accessed_project)
        Ci::JobToken::Allowlist.new(accessed_project, direction: :inbound)
      end

      # User created list of projects allowed to access the current project
      def inbound_allowlist
        Ci::JobToken::Allowlist.new(current_project, direction: :inbound)
      end

      # User created list of projects that can be accessed from the current project
      def outbound_allowlist
        Ci::JobToken::Allowlist.new(current_project, direction: :outbound)
      end

      def self_referential?(accessed_project)
        current_project.id == accessed_project.id
      end
    end
  end
end
New upstream version 14.0.10 2021-09-04 01:27:46 +05:30			`# frozen_string_literal: true`

New upstream version 15.7.8+ds1 2023-03-04 22:38:38 +05:30			`# This model represents the scope of access for a CI_JOB_TOKEN.`
New upstream version 14.0.10 2021-09-04 01:27:46 +05:30			`#`
New upstream version 15.9.2+ds1 2023-04-23 21:23:45 +05:30			`# A scope is initialized with a current project.`
New upstream version 15.7.8+ds1 2023-03-04 22:38:38 +05:30			`#`
			`# Projects can be added to the scope by adding ScopeLinks to`
			`# create an allowlist of projects in either access direction (inbound, outbound).`
			`#`
New upstream version 15.9.2+ds1 2023-04-23 21:23:45 +05:30			`# Projects in the outbound allowlist can be accessed via the current project's job token.`
New upstream version 15.7.8+ds1 2023-03-04 22:38:38 +05:30			`#`
New upstream version 15.9.2+ds1 2023-04-23 21:23:45 +05:30			`# Projects in the inbound allowlist can use their project's job token to`
			`# access the current project.`
New upstream version 15.7.8+ds1 2023-03-04 22:38:38 +05:30			`#`
New upstream version 15.9.2+ds1 2023-04-23 21:23:45 +05:30			`# CI_JOB_TOKEN should be considered untrusted without a scope enabled.`
New upstream version 14.0.10 2021-09-04 01:27:46 +05:30			`#`

			`module Ci`
			`module JobToken`
			`class Scope`
New upstream version 15.7.8+ds1 2023-03-04 22:38:38 +05:30			`attr_reader :current_project`
New upstream version 14.0.10 2021-09-04 01:27:46 +05:30
New upstream version 15.7.8+ds1 2023-03-04 22:38:38 +05:30			`def initialize(current_project)`
			`@current_project = current_project`
New upstream version 14.0.10 2021-09-04 01:27:46 +05:30			`end`

New upstream version 15.9.2+ds1 2023-04-23 21:23:45 +05:30			`def accessible?(accessed_project)`
			`self_referential?(accessed_project) \|\| (`
			`outbound_accessible?(accessed_project) &&`
			`inbound_accessible?(accessed_project)`
			`)`
New upstream version 15.7.8+ds1 2023-03-04 22:38:38 +05:30			`end`
New upstream version 14.0.10 2021-09-04 01:27:46 +05:30
New upstream version 15.7.8+ds1 2023-03-04 22:38:38 +05:30			`def outbound_projects`
			`outbound_allowlist.projects`
New upstream version 14.0.10 2021-09-04 01:27:46 +05:30			`end`

New upstream version 15.9.2+ds1 2023-04-23 21:23:45 +05:30			`def inbound_projects`
			`inbound_allowlist.projects`
			`end`

			`def add!(added_project, user:, direction:)`
			`case direction`
			`when :inbound`
			`inbound_allowlist.add!(added_project, user: user)`
			`when :outbound`
			`outbound_allowlist.add!(added_project, user: user)`
			`end`
New upstream version 14.0.10 2021-09-04 01:27:46 +05:30			`end`
New upstream version 14.4.2+ds1 2021-11-18 22:05:49 +05:30
			`private`

New upstream version 15.9.2+ds1 2023-04-23 21:23:45 +05:30			`def outbound_accessible?(accessed_project)`
New upstream version 15.7.8+ds1 2023-03-04 22:38:38 +05:30			`# if the setting is disabled any project is considered to be in scope.`
New upstream version 15.9.2+ds1 2023-04-23 21:23:45 +05:30			`return true unless current_project.ci_outbound_job_token_scope_enabled?`
New upstream version 15.7.8+ds1 2023-03-04 22:38:38 +05:30
			`outbound_allowlist.includes?(accessed_project)`
			`end`

New upstream version 15.9.2+ds1 2023-04-23 21:23:45 +05:30			`def inbound_accessible?(accessed_project)`
New upstream version 15.10.7+ds1 2023-05-27 22:25:52 +05:30			`# if the setting is disabled any project is considered to be in scope.`
New upstream version 15.9.2+ds1 2023-04-23 21:23:45 +05:30			`return true unless accessed_project.ci_inbound_job_token_scope_enabled?`

			`inbound_linked_as_accessible?(accessed_project)`
			`end`

			`# We don't check the inbound allowlist here. That is because`
			`# the access check starts from the current project but the inbound`
			`# allowlist contains projects that can access the current project.`
			`def inbound_linked_as_accessible?(accessed_project)`
			`inbound_accessible_projects(accessed_project).includes?(current_project)`
			`end`

			`def inbound_accessible_projects(accessed_project)`
			`Ci::JobToken::Allowlist.new(accessed_project, direction: :inbound)`
			`end`

			`# User created list of projects allowed to access the current project`
			`def inbound_allowlist`
			`Ci::JobToken::Allowlist.new(current_project, direction: :inbound)`
			`end`

			`# User created list of projects that can be accessed from the current project`
New upstream version 15.7.8+ds1 2023-03-04 22:38:38 +05:30			`def outbound_allowlist`
New upstream version 15.9.2+ds1 2023-04-23 21:23:45 +05:30			`Ci::JobToken::Allowlist.new(current_project, direction: :outbound)`
New upstream version 14.4.2+ds1 2021-11-18 22:05:49 +05:30			`end`
New upstream version 15.4.2+ds1 2022-10-11 01:57:18 +05:30
New upstream version 15.7.8+ds1 2023-03-04 22:38:38 +05:30			`def self_referential?(accessed_project)`
New upstream version 15.9.2+ds1 2023-04-23 21:23:45 +05:30			`current_project.id == accessed_project.id`
New upstream version 15.4.2+ds1 2022-10-11 01:57:18 +05:30			`end`
New upstream version 14.0.10 2021-09-04 01:27:46 +05:30			`end`
			`end`
			`end`