Class: DeployToken

Inherits:

ApplicationRecord

• Object
• ActiveRecord::Base
• ApplicationRecord
• DeployToken

Includes:

Expirable, Gitlab::Utils::StrongMemoize, PolicyActor, TokenAuthenticatable

Defined in:

app/models/deploy_token.rb

Constant Summary

AVAILABLE_SCOPES =

i[read_repository read_registry write_registry
read_package_registry write_package_registry
read_virtual_registry write_virtual_registry].freeze

GITLAB_DEPLOY_TOKEN_NAME =

'gitlab-deploy-token'

DEPLOY_TOKEN_PREFIX =

'gldt-'

NOTIFICATION_INTERVALS =

{
  seven_days: 0..7,
  thirty_days: 8..30,
  sixty_days: 31..60
}.freeze

Constants included from Expirable

Expirable::DAYS_TO_EXPIRE

Constants inherited from ApplicationRecord

ApplicationRecord::MAX_PLUCK

Constants included from HasCheckConstraints

HasCheckConstraints::NOT_NULL_CHECK_PATTERN

Constants included from ResetOnColumnErrors

ResetOnColumnErrors::MAX_RESET_PERIOD

Class Method Summary

• .gitlab_deploy_token ⇒ Object
• .notification_interval(interval) ⇒ Object
• .ordered_for_keyset_pagination ⇒ Object
• .prefix_for_deploy_token ⇒ Object
• .scope_for_notification_interval(interval, min_expires_at: nil, max_expires_at: nil) ⇒ Object
• .update_notification_timestamps(token_ids, interval, timestamp = Time.current) ⇒ Object

Instance Method Summary

• #accessible_projects ⇒ Object
• #active? ⇒ Boolean
• #deactivated? ⇒ Boolean
• #expires_at ⇒ Object
• #expires_at=(value) ⇒ Object
• #group ⇒ Object
• #has_access_to?(requested_project) ⇒ Boolean
• #has_access_to_group?(requested_group) ⇒ Boolean
• #holder ⇒ Object
• #impersonated? ⇒ Boolean
• #prefix_for_deploy_token ⇒ Object
• #project ⇒ Object

  This is temporal.

• #revoke! ⇒ Object
• #scopes ⇒ Object
• #username ⇒ Object
• #valid_for_dependency_proxy? ⇒ Boolean

Methods included from PolicyActor

#access_locked?, #admin?, #alert_bot?, #automation_bot?, #blocked?, #can?, #can_access_admin_area?, #can_create_group, #can_read_all_resources?, #confirmation_required_on_sign_in?, #external?, #from_ci_job_token?, #internal?, #password_expired_if_applicable?, #preferred_language, #required_terms_not_accepted?, #requires_ldap_check?, #security_bot?, #support_bot?, #try_obtain_ldap_lease

Methods included from Expirable

#expires?, #expires_soon?

Methods inherited from ApplicationRecord

===, cached_column_list, #create_or_load_association, current_transaction, declarative_enum, default_select_columns, delete_all_returning, #deleted_from_database?, id_in, id_not_in, iid_in, nullable_column?, primary_key_in, #readable_by?, safe_ensure_unique, safe_find_or_create_by, safe_find_or_create_by!, sharding_keys, #to_ability_name, underscore, where_exists, where_not_exists, with_fast_read_statement_timeout, without_order

Methods included from ResetOnColumnErrors

#reset_on_union_error, #reset_on_unknown_attribute_error

Methods included from Gitlab::SensitiveSerializableHash

#serializable_hash

Class Method Details

.gitlab_deploy_token ⇒ Object

# File 'app/models/deploy_token.rb', line 65

def self.gitlab_deploy_token
  active.find_by(name: GITLAB_DEPLOY_TOKEN_NAME)
end

.notification_interval(interval) ⇒ Object

# File 'app/models/deploy_token.rb', line 73

def self.notification_interval(interval)
  NOTIFICATION_INTERVALS.fetch(interval).max
end

.ordered_for_keyset_pagination ⇒ Object

# File 'app/models/deploy_token.rb', line 89

def self.ordered_for_keyset_pagination
  order(:expires_at, :id)
end

.prefix_for_deploy_token ⇒ Object

# File 'app/models/deploy_token.rb', line 69

def self.prefix_for_deploy_token
  ::Authn::TokenField::PrefixHelper.prepend_instance_prefix(DEPLOY_TOKEN_PREFIX)
end

.scope_for_notification_interval(interval, min_expires_at: nil, max_expires_at: nil) ⇒ Object

# File 'app/models/deploy_token.rb', line 77

def self.scope_for_notification_interval(interval, min_expires_at: nil, max_expires_at: nil)
  interval_range = NOTIFICATION_INTERVALS.fetch(interval).minmax
  min_expiry_date, max_expiry_date = interval_range.map { |range| Date.current + range }
  min_expiry_date = min_expires_at if min_expires_at
  max_expiry_date = max_expires_at if max_expires_at
  interval_attr = "#{interval}_notification_sent_at"

  where(revoked: false)
    .where(interval_attr => nil)
    .where(expires_at: min_expiry_date..max_expiry_date)
end

.update_notification_timestamps(token_ids, interval, timestamp = Time.current) ⇒ Object

# File 'app/models/deploy_token.rb', line 93

def self.update_notification_timestamps(token_ids, interval, timestamp = Time.current)
  where(id: token_ids).update_all("#{interval}_notification_sent_at" => timestamp)
end

Instance Method Details

#accessible_projects ⇒ Object

# File 'app/models/deploy_token.rb', line 153

def accessible_projects
  if project_type?
    projects
  elsif group_type?
    group.all_projects
  end
end

#active? ⇒ Boolean

Returns:

• (Boolean)

# File 'app/models/deploy_token.rb', line 107

def active?
  !revoked && !expired?
end

#deactivated? ⇒ Boolean

Returns:

• (Boolean)

# File 'app/models/deploy_token.rb', line 111

def deactivated?
  !active?
end

#expires_at ⇒ Object

# File 'app/models/deploy_token.rb', line 175

def expires_at
  expires_at = read_attribute(:expires_at)
  expires_at != Forever.date ? expires_at : nil
end

#expires_at=(value) ⇒ Object

# File 'app/models/deploy_token.rb', line 180

def expires_at=(value)
  write_attribute(:expires_at, value.presence || Forever.date)
end

#group ⇒ Object

# File 'app/models/deploy_token.rb', line 147

def group
  strong_memoize(:group) do
    groups.first
  end
end

#has_access_to?(requested_project) ⇒ Boolean

Returns:

• (Boolean)

# File 'app/models/deploy_token.rb', line 123

def has_access_to?(requested_project)
  return false unless active?
  return false unless holder

  holder.has_access_to?(requested_project)
end

#has_access_to_group?(requested_group) ⇒ Boolean

Returns:

• (Boolean)

# File 'app/models/deploy_token.rb', line 130

def has_access_to_group?(requested_group)
  return false unless active?
  return false unless group_type?
  return false unless holder

  holder.has_access_to_group?(requested_group)
end

#holder ⇒ Object

# File 'app/models/deploy_token.rb', line 161

def holder
  strong_memoize(:holder) do
    if project_type?
      project_deploy_tokens.first
    elsif group_type?
      group_deploy_tokens.first
    end
  end
end

#impersonated? ⇒ Boolean

Returns:

• (Boolean)

# File 'app/models/deploy_token.rb', line 171

def impersonated?
  false
end

#prefix_for_deploy_token ⇒ Object

# File 'app/models/deploy_token.rb', line 184

def prefix_for_deploy_token
  self.class.prefix_for_deploy_token
end

#project ⇒ Object

This is temporal. Currently we limit DeployToken to a single project or group, later we’re going to extend that to be for multiple projects and namespaces.

# File 'app/models/deploy_token.rb', line 141

def project
  strong_memoize(:project) do
    projects.first
  end
end

#revoke! ⇒ Object

# File 'app/models/deploy_token.rb', line 103

def revoke!
  update!(revoked: true)
end

#scopes ⇒ Object

# File 'app/models/deploy_token.rb', line 115

def scopes
  AVAILABLE_SCOPES.select { |token_scope| read_attribute(token_scope) }
end

#username ⇒ Object

# File 'app/models/deploy_token.rb', line 119

def username
  super || default_username
end

#valid_for_dependency_proxy? ⇒ Boolean

Returns:

• (Boolean)

# File 'app/models/deploy_token.rb', line 97

def valid_for_dependency_proxy?
  group_type? &&
    active? &&
    (has_scopes?(Gitlab::Auth::REGISTRY_SCOPES) || has_scopes?(Gitlab::Auth::VIRTUAL_REGISTRY_SCOPES))
end