Skip to content

Change Auth::Result to class to stop calling auth::result.actor directly

What does this MR do?

in #328692 there were remarks regarding how we handle find_for_git_client method results. This method is returning Gitlab::Auth::Result instance.

In Gitlab::Auth::Result as an actor we can have DeployToken or User, which is causing confusion and may lead to some problems: https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/1356.

My goal here is to create more resilient and less confusing code.

Goal 1: stop using .actor with checking the type.

In order to achieve that, I have refactored Gitlab::Auth::Result from a struct to the class. This way it will be possible to make actor method private and stop using it.

Main file changed here is a spec file: because we stopped using struct, equality check in specs started to fail. I needed to refactor all of methods based on that.

Screenshots or Screencasts (strongly suggested)

How to setup and validate locally (strongly suggested)

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

Does this MR contain changes to processing or storing of credentials or tokens, authorization and authentication methods or other items described in the security review guidelines? If not, then delete this Security section.

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Gosia Ksionek

Merge request reports

Loading