Class: DeployToken

Inherits:
ApplicationRecord show all
Includes:
Expirable, Gitlab::Utils::StrongMemoize, PolicyActor, TokenAuthenticatable
Defined in:
app/models/deploy_token.rb

Constant Summary collapse

AVAILABLE_SCOPES =
%i[read_repository read_registry write_registry
read_package_registry write_package_registry
read_virtual_registry].freeze
GITLAB_DEPLOY_TOKEN_NAME =
'gitlab-deploy-token'
DEPLOY_TOKEN_PREFIX =
'gldt-'

Constants included from Expirable

Expirable::DAYS_TO_EXPIRE

Constants inherited from ApplicationRecord

ApplicationRecord::MAX_PLUCK

Constants included from HasCheckConstraints

HasCheckConstraints::NOT_NULL_CHECK_PATTERN

Constants included from ResetOnColumnErrors

ResetOnColumnErrors::MAX_RESET_PERIOD

Class Method Summary collapse

Instance Method Summary collapse

Methods included from PolicyActor

#access_locked?, #admin?, #alert_bot?, #automation_bot?, #blocked?, #can?, #can_create_group, #can_read_all_resources?, #confirmation_required_on_sign_in?, #external?, #from_ci_job_token?, #internal?, #password_expired_if_applicable?, #preferred_language, #required_terms_not_accepted?, #requires_ldap_check?, #security_bot?, #support_bot?, #try_obtain_ldap_lease

Methods included from Expirable

#expires?, #expires_soon?

Methods inherited from ApplicationRecord

===, cached_column_list, #create_or_load_association, declarative_enum, default_select_columns, id_in, id_not_in, iid_in, nullable_column?, pluck_primary_key, primary_key_in, #readable_by?, safe_ensure_unique, safe_find_or_create_by, safe_find_or_create_by!, #to_ability_name, underscore, where_exists, where_not_exists, with_fast_read_statement_timeout, without_order

Methods included from ResetOnColumnErrors

#reset_on_union_error, #reset_on_unknown_attribute_error

Methods included from Gitlab::SensitiveSerializableHash

#serializable_hash

Class Method Details

.gitlab_deploy_tokenObject



54
55
56
# File 'app/models/deploy_token.rb', line 54

def self.gitlab_deploy_token
  active.find_by(name: GITLAB_DEPLOY_TOKEN_NAME)
end

Instance Method Details

#accessible_projectsObject



114
115
116
117
118
119
120
# File 'app/models/deploy_token.rb', line 114

def accessible_projects
  if project_type?
    projects
  elsif group_type?
    group.all_projects
  end
end

#active?Boolean

Returns:

  • (Boolean)


68
69
70
# File 'app/models/deploy_token.rb', line 68

def active?
  !revoked && !expired?
end

#deactivated?Boolean

Returns:

  • (Boolean)


72
73
74
# File 'app/models/deploy_token.rb', line 72

def deactivated?
  !active?
end

#expires_atObject



136
137
138
139
# File 'app/models/deploy_token.rb', line 136

def expires_at
  expires_at = read_attribute(:expires_at)
  expires_at != Forever.date ? expires_at : nil
end

#expires_at=(value) ⇒ Object



141
142
143
# File 'app/models/deploy_token.rb', line 141

def expires_at=(value)
  write_attribute(:expires_at, value.presence || Forever.date)
end

#groupObject



108
109
110
111
112
# File 'app/models/deploy_token.rb', line 108

def group
  strong_memoize(:group) do
    groups.first
  end
end

#has_access_to?(requested_project) ⇒ Boolean

Returns:

  • (Boolean)


84
85
86
87
88
89
# File 'app/models/deploy_token.rb', line 84

def has_access_to?(requested_project)
  return false unless active?
  return false unless holder

  holder.has_access_to?(requested_project)
end

#has_access_to_group?(requested_group) ⇒ Boolean

Returns:

  • (Boolean)


91
92
93
94
95
96
97
# File 'app/models/deploy_token.rb', line 91

def has_access_to_group?(requested_group)
  return false unless active?
  return false unless group_type?
  return false unless holder

  holder.has_access_to_group?(requested_group)
end

#holderObject



122
123
124
125
126
127
128
129
130
# File 'app/models/deploy_token.rb', line 122

def holder
  strong_memoize(:holder) do
    if project_type?
      project_deploy_tokens.first
    elsif group_type?
      group_deploy_tokens.first
    end
  end
end

#impersonated?Boolean

Returns:

  • (Boolean)


132
133
134
# File 'app/models/deploy_token.rb', line 132

def impersonated?
  false
end

#prefix_for_deploy_tokenObject



145
146
147
# File 'app/models/deploy_token.rb', line 145

def prefix_for_deploy_token
  DEPLOY_TOKEN_PREFIX
end

#projectObject

This is temporal. Currently we limit DeployToken to a single project or group, later we’re going to extend that to be for multiple projects and namespaces.



102
103
104
105
106
# File 'app/models/deploy_token.rb', line 102

def project
  strong_memoize(:project) do
    projects.first
  end
end

#revoke!Object



64
65
66
# File 'app/models/deploy_token.rb', line 64

def revoke!
  update!(revoked: true)
end

#scopesObject



76
77
78
# File 'app/models/deploy_token.rb', line 76

def scopes
  AVAILABLE_SCOPES.select { |token_scope| read_attribute(token_scope) }
end

#usernameObject



80
81
82
# File 'app/models/deploy_token.rb', line 80

def username
  super || default_username
end

#valid_for_dependency_proxy?Boolean

Returns:

  • (Boolean)


58
59
60
61
62
# File 'app/models/deploy_token.rb', line 58

def valid_for_dependency_proxy?
  group_type? &&
    active? &&
    (Gitlab::Auth::REGISTRY_SCOPES & scopes).size == Gitlab::Auth::REGISTRY_SCOPES.size
end