authorKamil Trzciński <ayufan@ayufan.eu>2017-10-12 20:59:03 +0000
committerKamil Trzciński <ayufan@ayufan.eu>2017-10-12 20:59:03 +0000
commit3555252d808d7d939e1dd508962abe8d94cbd667 (patch)
tree7e1e83e761534033d01c7b4a32f5fffdc33ec77a
parent8d47e9f8e13c2ca43520b348dde0424fe6460cc9 (diff)
parent3d744009ed3f27daefb5d898f6e8b848a3630928 (diff)
downloadgitlab-ce-3555252d808d7d939e1dd508962abe8d94cbd667.tar.gz
Merge branch '26763-grant-registry-auth-scope-to-admins' into 'master'
Issue JWT token with registry:catalog:* scope when requested by GitLab admin.

Closes #26763 and #18392

See merge request gitlab-org/gitlab-ce!14751
-rw-r--r--app/services/auth/container_registry_authentication_service.rb17
-rw-r--r--changelogs/unreleased/26763-grant-registry-auth-scope-to-admins.yml5
-rw-r--r--spec/services/auth/container_registry_authentication_service_spec.rb50
3 files changed, 68 insertions, 4 deletions
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index 9a636346899..f40cd2b06c8 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -56,11 +56,22 @@ module Auth
def process_scope(scope)
type, name, actions = scope.split(':', 3)
actions = actions.split(',')
- path = ContainerRegistry::Path.new(name)
- return unless type == 'repository'
+ case type
+ when 'registry'
+ process_registry_access(type, name, actions)
+ when 'repository'
+ path = ContainerRegistry::Path.new(name)
+ process_repository_access(type, path, actions)
+ end
+ end
+
+ def process_registry_access(type, name, actions)
+ return unless current_user&.admin?
+ return unless name == 'catalog'
+ return unless actions == ['*']
- process_repository_access(type, path, actions)
+ { type: type, name: name, actions: ['*'] }
end
def process_repository_access(type, path, actions)
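Review bot: `process_registry_access` carries no comment explaining why the catalog scope is gated on `current_user&.admin?`, and that reasoning is the whole point of the guard order: the registry catalog endpoint enumerates repository names across the entire registry rather than a single project, so a later edit that relaxes the `admin?` check or reorders the guards would widen exposure without the reader noticing. Suggest `# registry:catalog:* enumerates every repository in the registry, not one project, so it is only ever issued to admins.` above the method. The three guards return nil on any mismatch, which matches the old `return unless type == 'repository'` behaviour for unsupported scopes. One thing the new `case` does not address: the unchanged `actions = actions.split(',')` runs before either branch, so a user-supplied scope with fewer than three segments raises NoMethodError rather than falling through to nil; a `return unless actions` before the split would keep rejection uniform. `process_repository_access` continues outside the hunk.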
diff --git a/changelogs/unreleased/26763-grant-registry-auth-scope-to-admins.yml b/changelogs/unreleased/26763-grant-registry-auth-scope-to-admins.yml
new file mode 100644
index 00000000000..8918c42e3fb
--- /dev/null
+++ b/changelogs/unreleased/26763-grant-registry-auth-scope-to-admins.yml
@@ -0,0 +1,5 @@
+---
+title: Issue JWT token with registry:catalog:* scope when requested by GitLab admin
+merge_request: 14751
+author: Vratislav Kalenda
+type: added
diff --git a/spec/services/auth/container_registry_authentication_service_spec.rb b/spec/services/auth/container_registry_authentication_service_spec.rb
index 1c2d0b3e0dc..9128280eb5a 100644
--- a/spec/services/auth/container_registry_authentication_service_spec.rb
+++ b/spec/services/auth/container_registry_authentication_service_spec.rb
@@ -43,6 +43,21 @@ describe Auth::ContainerRegistryAuthenticationService do
end
end
+ shared_examples 'a browsable' do
+ let(:access) do
+ [{ 'type' => 'registry',
+ 'name' => 'catalog',
+ 'actions' => ['*'] }]
+ end
+
+ it_behaves_like 'a valid token'
+ it_behaves_like 'not a container repository factory'
+
+ it 'has the correct scope' do
+ expect(payload).to include('access' => access)
+ end
+ end
+
shared_examples 'an accessible' do
let(:access) do
[{ 'type' => 'repository',
@@ -51,7 +66,10 @@ describe Auth::ContainerRegistryAuthenticationService do
end
it_behaves_like 'a valid token'
- it { expect(payload).to include('access' => access) }
+
+ it 'has the correct scope' do
+ expect(payload).to include('access' => access)
+ end
end
shared_examples 'an inaccessible' do
@@ -117,6 +135,17 @@ describe Auth::ContainerRegistryAuthenticationService do
context 'user authorization' do
let(:current_user) { create(:user) }
+ context 'for registry catalog' do
+ let(:current_params) do
+ { scope: "registry:catalog:*" }
+ end
+
+ context 'disallow browsing for users without Gitlab admin rights' do
+ it_behaves_like 'an inaccessible'
+ it_behaves_like 'not a container repository factory'
+ end
+ end
+
context 'for private project' do
let(:project) { create(:project) }
@@ -490,6 +519,16 @@ describe Auth::ContainerRegistryAuthenticationService do
end
end
+ context 'registry catalog browsing authorized as admin' do
+ let(:current_user) { create(:user, :admin) }
+
+ let(:current_params) do
+ { scope: "registry:catalog:*" }
+ end
+
+ it_behaves_like 'a browsable'
+ end
+
context 'unauthorized' do
context 'disallow to use scope-less authentication' do
it_behaves_like 'a forbidden'
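Review bot: The 'registry catalog browsing authorized as admin' context only exercises the happy path `registry:catalog:*`, so two of the three guards in `process_registry_access` (`name == 'catalog'` and `actions == ['*']`) have no covering example and a regression dropping either would still pass. Add sibling contexts under the same admin user, e.g. `let(:current_params) { { scope: "registry:catalog:pull" } }` and `let(:current_params) { { scope: "registry:foo:*" } }`, each with `it_behaves_like 'an inaccessible'` and `it_behaves_like 'not a container repository factory'`. The non-admin and anonymous contexts in the other spec hunks cover the `admin?` guard already, so only the admin side needs these negatives.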
@@ -536,5 +575,14 @@ describe Auth::ContainerRegistryAuthenticationService do
it_behaves_like 'not a container repository factory'
end
end
+
+ context 'for registry catalog' do
+ let(:current_params) do
+ { scope: "registry:catalog:*" }
+ end
+
+ it_behaves_like 'a forbidden'
+ it_behaves_like 'not a container repository factory'
+ end
end
end