Class: Ci::JobToken::Scope

Inherits:
Object
  • Object
Defined in:
app/models/ci/job_token/scope.rb

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(current_project) ⇒ Scope

Returns a new instance of Scope.



# File 'app/models/ci/job_token/scope.rb', line 23

# Builds a job-token scope bound to a single project.
#
# @param current_project the project this scope is evaluated for; #accessible?
#   passes it to Ci::JobToken::Authorization.capture as the origin project
#   (presumably a Project record; the type is not visible in this listing)
def initialize(current_project)
  @current_project = current_project
end

Instance Attribute Details

#current_project ⇒ Object (readonly)

Returns the value of attribute current_project.



# File 'app/models/ci/job_token/scope.rb', line 21

# Reader for the project this scope was built with.
#
# @return the object handed to the constructor, unchanged
def current_project
  @current_project
end

Instance Method Details

#accessible?(accessed_project) ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/models/ci/job_token/scope.rb', line 27

# Decides whether access from current_project to +accessed_project+ is
# allowed, and records the outcome either way.
#
# The decision itself is delegated to +inbound_accessible?+, which is not part
# of this listing. The two outcomes are recorded differently:
#
# * a grant is stored through Ci::JobToken::Authorization.capture, with
#   current_project as the origin project;
# * a denial only increments a Prometheus counter labelled with
#   +same_root_ancestor+. This method does not record which origin/target pair
#   was refused, so investigating a specific denial needs another log source.
#
# @param accessed_project the project being accessed
# @return [Boolean] true when access is granted, false otherwise
def accessible?(accessed_project)
  unless inbound_accessible?(accessed_project)
    # Refused attempts are observed as an aggregate metric only.
    failures = ::Gitlab::Ci::Pipeline::Metrics.job_token_authorization_failures_counter
    failures.increment(same_root_ancestor: same_root_ancestor?(accessed_project))
    return false
  end

  # Only successful inbound authorizations are captured.
  Ci::JobToken::Authorization.capture(origin_project: current_project, accessed_project: accessed_project)
  true
end

#autopopulated_group_ids ⇒ Object



# File 'app/models/ci/job_token/scope.rb', line 70

# Global IDs of the autopopulated groups on the inbound allowlist.
#
# Pure delegation: the value is whatever the inbound allowlist returns from
# +autopopulated_group_global_ids+ (its element type is not visible here).
#
# @return the allowlist's autopopulated group global IDs
def autopopulated_group_ids
  allowlist = inbound_allowlist
  allowlist.autopopulated_group_global_ids
end

#autopopulated_inbound_project_ids ⇒ Object



# File 'app/models/ci/job_token/scope.rb', line 74

# Global IDs of the autopopulated projects on the inbound allowlist.
#
# Pure delegation: the value is whatever the inbound allowlist returns from
# +autopopulated_project_global_ids+ (its element type is not visible here).
#
# @return the allowlist's autopopulated project global IDs
def autopopulated_inbound_project_ids
  allowlist = inbound_allowlist
  allowlist.autopopulated_project_global_ids
end

#groups ⇒ Object



# File 'app/models/ci/job_token/scope.rb', line 62

# Groups listed on the inbound allowlist.
#
# @return whatever the inbound allowlist exposes as +groups+ (presumably a
#   collection of group records; confirm against the allowlist class)
def groups
  allowlist = inbound_allowlist
  allowlist.groups
end

#groups_count ⇒ Object



# File 'app/models/ci/job_token/scope.rb', line 66

# Number of groups on the inbound allowlist.
#
# @return the result of calling +count+ on #groups
def groups_count
  allowlisted_groups = groups
  allowlisted_groups.count
end

#inbound_projects ⇒ Object



# File 'app/models/ci/job_token/scope.rb', line 54

# Projects listed on the inbound allowlist.
#
# @return whatever the inbound allowlist exposes as +projects+ (presumably a
#   collection of project records; confirm against the allowlist class)
def inbound_projects
  allowlist = inbound_allowlist
  allowlist.projects
end

#inbound_projects_count ⇒ Object



# File 'app/models/ci/job_token/scope.rb', line 58

# Number of projects on the inbound allowlist.
#
# @return the result of calling +count+ on #inbound_projects
def inbound_projects_count
  allowlisted_projects = inbound_projects
  allowlisted_projects.count
end

#outbound_projects ⇒ Object



# File 'app/models/ci/job_token/scope.rb', line 50

# Projects listed on the outbound allowlist.
#
# @return whatever the outbound allowlist exposes as +projects+ (presumably a
#   collection of project records; confirm against the allowlist class)
def outbound_projects
  allowlist = outbound_allowlist
  allowlist.projects
end

#policies_allowed?(accessed_project, policies) ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/models/ci/job_token/scope.rb', line 40

# Checks whether +policies+ may be exercised against +accessed_project+.
#
# Evaluation order, as written below:
#
# 1. Non-blank policies are always reported to
#    Ci::JobToken::Authorization.capture_job_token_policies, whatever the
#    decision turns out to be.
# 2. If the accessed project has its inbound job-token scope disabled, the
#    answer is true without consulting the allowlist or the policies. The check
#    is therefore only as strict as that project-level setting.
# 3. Otherwise the project must pass +inbound_accessible?+, and the final answer
#    comes from +policies_allowed_for_accessed_project?+. Neither helper is part
#    of this listing.
#
# Unlike #accessible?, this method does not itself call
# Ci::JobToken::Authorization.capture or touch the failure counter.
#
# @param accessed_project the project being accessed
# @param policies the requested job-token policies; must respond to +present?+
# @return [Boolean] true when the policies are permitted
def policies_allowed?(accessed_project, policies)
  # Policies are captured even when allowlists are disabled or the project is
  # not allowlisted.
  if policies.present?
    Ci::JobToken::Authorization.capture_job_token_policies(policies)
  end

  return true unless accessed_project.ci_inbound_job_token_scope_enabled?

  if inbound_accessible?(accessed_project)
    policies_allowed_for_accessed_project?(accessed_project, policies)
  else
    false
  end
end

#self_referential?(accessed_project) ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/models/ci/job_token/scope.rb', line 78

# Tells whether +accessed_project+ is the same project as current_project.
#
# The comparison is by +id+ only.
# NOTE(review): two objects whose +id+ is nil would compare equal here;
# presumably callers only pass persisted projects, so confirm at the call sites.
#
# @param accessed_project the project being accessed; must respond to +id+
# @return [Boolean] true when both projects share the same id
def self_referential?(accessed_project)
  own_id = current_project.id
  own_id == accessed_project.id
end