author | Kamil Trzciński <ayufan@ayufan.eu> | 2017-10-12 20:59:03 +0000 |
---|---|---|
committer | Kamil Trzciński <ayufan@ayufan.eu> | 2017-10-12 20:59:03 +0000 |
commit | 3555252d808d7d939e1dd508962abe8d94cbd667 (patch) | |
tree | 7e1e83e761534033d01c7b4a32f5fffdc33ec77a | |
parent | 8d47e9f8e13c2ca43520b348dde0424fe6460cc9 (diff) | |
parent | 3d744009ed3f27daefb5d898f6e8b848a3630928 (diff) | |
download | gitlab-ce-3555252d808d7d939e1dd508962abe8d94cbd667.tar.gz |
Merge branch '26763-grant-registry-auth-scope-to-admins' into 'master'
Issue JWT token with registry:catalog:* scope when requested by GitLab admin
Closes #26763 and #18392
See merge request gitlab-org/gitlab-ce!14751
3 files changed, 68 insertions, 4 deletions
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index 9a636346899..f40cd2b06c8 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -56,11 +56,22 @@ module Auth
     def process_scope(scope)
       type, name, actions = scope.split(':', 3)
       actions = actions.split(',')
-      path = ContainerRegistry::Path.new(name)
 
-      return unless type == 'repository'
+      case type
+      when 'registry'
+        process_registry_access(type, name, actions)
+      when 'repository'
+        path = ContainerRegistry::Path.new(name)
+        process_repository_access(type, path, actions)
+      end
+    end
+
+    def process_registry_access(type, name, actions)
+      return unless current_user&.admin?
+      return unless name == 'catalog'
+      return unless actions == ['*']
 
-      process_repository_access(type, path, actions)
+      { type: type, name: name, actions: ['*'] }
     end
 
     def process_repository_access(type, path, actions)
diff --git a/changelogs/unreleased/26763-grant-registry-auth-scope-to-admins.yml b/changelogs/unreleased/26763-grant-registry-auth-scope-to-admins.yml
new file mode 100644
index 00000000000..8918c42e3fb
--- /dev/null
+++ b/changelogs/unreleased/26763-grant-registry-auth-scope-to-admins.yml
@@ -0,0 +1,5 @@
+---
+title: Issue JWT token with registry:catalog:* scope when requested by GitLab admin
+merge_request: 14751
+author: Vratislav Kalenda
+type: added
diff --git a/spec/services/auth/container_registry_authentication_service_spec.rb b/spec/services/auth/container_registry_authentication_service_spec.rb
index 1c2d0b3e0dc..9128280eb5a 100644
--- a/spec/services/auth/container_registry_authentication_service_spec.rb
+++ b/spec/services/auth/container_registry_authentication_service_spec.rb
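Review bot: `process_registry_access` hands out an instance-wide capability — the `registry:catalog:*` scope is what the registry's repository-listing endpoint requires, and that listing is not filtered by project visibility — on the strength of `current_user&.admin?` alone, yet nothing in the hunk records why the check is admin-only or why the returned actions are pinned to `['*']` instead of echoing the request; a later "simplification" to `actions: actions` would pass the existing specs. I would add above the method: `# The catalog scope lets the bearer enumerate every repository in the registry regardless of project visibility, so it is issued to instance admins only; name and actions are pinned to exactly 'catalog' / ['*'] and never copied from the request.` The `case` in `process_scope` now yields nil for any unrecognised type and `process_registry_access` yields nil for a non-admin, so the caller is presumably still expected to discard nil entries as it did for the old `return unless type == 'repository'` — worth a one-line note since that caller is outside the hunk. The enclosing class continues outside the hunk.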
@@ -43,6 +43,21 @@ describe Auth::ContainerRegistryAuthenticationService do
     end
   end
 
+  shared_examples 'a browsable' do
+    let(:access) do
+      [{ 'type' => 'registry',
+         'name' => 'catalog',
+         'actions' => ['*'] }]
+    end
+
+    it_behaves_like 'a valid token'
+    it_behaves_like 'not a container repository factory'
+
+    it 'has the correct scope' do
+      expect(payload).to include('access' => access)
+    end
+  end
+
   shared_examples 'an accessible' do
     let(:access) do
       [{ 'type' => 'repository',
@@ -51,7 +66,10 @@ describe Auth::ContainerRegistryAuthenticationService do
     end
 
     it_behaves_like 'a valid token'
-    it { expect(payload).to include('access' => access) }
+
+    it 'has the correct scope' do
+      expect(payload).to include('access' => access)
+    end
   end
 
   shared_examples 'an inaccessible' do
@@ -117,6 +135,17 @@ describe Auth::ContainerRegistryAuthenticationService do
   context 'user authorization' do
     let(:current_user) { create(:user) }
 
+    context 'for registry catalog' do
+      let(:current_params) do
+        { scope: "registry:catalog:*" }
+      end
+
+      context 'disallow browsing for users without Gitlab admin rights' do
+        it_behaves_like 'an inaccessible'
+        it_behaves_like 'not a container repository factory'
+      end
+    end
+
     context 'for private project' do
       let(:project) { create(:project) }
 
@@ -490,6 +519,16 @@ describe Auth::ContainerRegistryAuthenticationService do
     end
   end
 
+  context 'registry catalog browsing authorized as admin' do
+    let(:current_user) { create(:user, :admin) }
+
+    let(:current_params) do
+      { scope: "registry:catalog:*" }
+    end
+
+    it_behaves_like 'a browsable'
+  end
+
   context 'unauthorized' do
     context 'disallow to use scope-less authentication' do
       it_behaves_like 'a forbidden'
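Review bot: The admin context added in the @@ -490 hunk covers only the happy path `registry:catalog:*`; neither of the two guards in `process_registry_access` — `name == 'catalog'` and `actions == ['*']` — is exercised, so a regression that echoed the requested actions into the token, or accepted some other registry-level name for admins, would go unnoticed. I would add two sibling contexts inside 'registry catalog browsing authorized as admin' with `let(:current_params) { { scope: "registry:catalog:pull" } }` and `let(:current_params) { { scope: "registry:other:*" } }`, each using the same `it_behaves_like 'an inaccessible'` / `it_behaves_like 'not a container repository factory'` pair the non-admin context already uses (I am assuming 'an inaccessible', defined outside this hunk, asserts an empty access list). The @@ -43, @@ -51 and @@ -117 hunks on this line need no change.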
@@ -536,5 +575,14 @@ describe Auth::ContainerRegistryAuthenticationService do
         it_behaves_like 'not a container repository factory'
       end
     end
+
+    context 'for registry catalog' do
+      let(:current_params) do
+        { scope: "registry:catalog:*" }
+      end
+
+      it_behaves_like 'a forbidden'
+      it_behaves_like 'not a container repository factory'
+    end
   end
 end
|