1. 27 Jul, 2017 1 commit
  2. 30 Jun, 2017 1 commit
  3. 29 Jun, 2017 1 commit
    • Timothy Andrew's avatar
      Extract a `Gitlab::Scope` class. · b8ec1f42
      Timothy Andrew authored
      - To represent an authorization scope, such as `api` or `read_user`
      - This is a better abstraction than the hash we were previously using.
      b8ec1f42
  4. 28 Jun, 2017 4 commits
    • Timothy Andrew's avatar
      Implement review comments from @DouweM for !12300. · c1fcd730
      Timothy Andrew authored
      - Use a struct for scopes, so we can call `scope.if` instead of `scope[:if]`
      
      - Refactor the "remove scopes whose :if condition returns false" logic to use a
        `select` rather than a `reject`.
      c1fcd730
    • Timothy Andrew's avatar
      4dbfa14e
    • Timothy Andrew's avatar
      Fix remaining spec failures for !12300. · 1b8223dd
      Timothy Andrew authored
      1. Get the spec for `lib/gitlab/auth.rb` passing.
      
        - Make the `request` argument to `AccessTokenValidationService` optional -
        `auth.rb` doesn't need to pass in a request.
      
        - Pass in scopes in the format `[{ name: 'api' }]` rather than `['api']`, which
        is what `AccessTokenValidationService` now expects.
      
      2. Get the spec for `API::V3::Users` passing
      
      2. Get the spec for `AccessTokenValidationService` passing
      1b8223dd
    • Timothy Andrew's avatar
      Allow API scope declarations to be applied conditionally. · 80c1ebaa
      Timothy Andrew authored
      - Scope declarations of the form:
      
          allow_access_with_scope :read_user, if: -> (request) { request.get? }
      
        will only apply for `GET` requests
      
      - Add a negative test to a `POST` endpoint in the `users` API to test this. Also
        test for this case in the `AccessTokenValidationService` unit tests.
      80c1ebaa
  5. 16 Dec, 2016 3 commits
    • Timothy Andrew's avatar
      Convert AccessTokenValidationService into a class. · b303948f
      Timothy Andrew authored
      - Previously, AccessTokenValidationService was a module, and all its  public
      methods accepted a token. It makes sense to convert it to a class which accepts
      a token during initialization.
      
      - Also rename the `sufficient_scope?` method to `include_any_scope?`
      
      - Based on feedback from @rymai
      b303948f
    • Timothy Andrew's avatar
      Implement minor changes from @dbalexandre's review. · 4d6da770
      Timothy Andrew authored
      - Mainly whitespace changes.
      
      - Require the migration adding the `scope` column to the
        `personal_access_tokens` table to have downtime, since API calls will
        fail if the new code is in place, but the migration hasn't run.
      
      - Minor refactoring - load `@scopes` in a `before_action`, since we're
        doing it in three different places.
      4d6da770
    • Timothy Andrew's avatar
      Calls to the API are checked for scope. · 7fa06ed5
      Timothy Andrew authored
      - Move the `Oauth2::AccessTokenValidationService` class to
        `AccessTokenValidationService`, since it is now being used for
        personal access token validation as well.
      
      - Each API endpoint declares the scopes it accepts (if any). Currently,
        the top level API module declares the `api` scope, and the `Users` API
        module declares the `read_user` scope (for GET requests).
      
      - Move the `find_user_by_private_token` from the API `Helpers` module to
        the `APIGuard` module, to avoid littering `Helpers` with more
        auth-related methods to support `find_user_by_private_token`
      7fa06ed5