Skip to content

Refactor LfsRequest to stop referencing auth::result.actor directly

What does this MR do?

in #328692 there were remarks regarding how we handle find_for_git_client method results. This method is returning Gitlab::Auth::Result instance.

In Gitlab::Auth::Result as an actor we can have DeployToken or User, which is causing confusion and may lead to some problems: https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/1356.

My goal here is to create more resilient and less confusing code.

Goal 1: stop using .actor with checking the type.

Here I implemented changes in LFS facing endpoints: they no longer using user derived from actor from Gitlab::Auth::Result class, but separately DeployToken instance or User instance.

In LfsApiController and LfsStorageController we do not call user directly - authorization goes through LfsRequest module

In LfsLocksApiController we need User instance - looking at what is implemented in the services.

Screenshots or Screencasts (strongly suggested)

How to setup and validate locally (strongly suggested)

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

Does this MR contain changes to processing or storing of credentials or tokens, authorization and authentication methods or other items described in the security review guidelines? If not, then delete this Security section.

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Gosia Ksionek

Merge request reports

Loading