authorKamil Trzciński <ayufan@ayufan.eu>2018-07-13 19:45:07 +0200
committerKamil Trzciński <ayufan@ayufan.eu>2018-07-13 19:45:07 +0200
commitfadd299613b511f45e2136481dde0fa481c8e865 (patch)
tree92fe852ef0bfc2185677c40e28bf7315acc92f47
parent1399eb058bfe22dc3fac5ee464e25ea67dd9e59d (diff)
Support multiple scopes when using authing container registry scopesfix-multiple-scopes
-rw-r--r--app/controllers/jwt_controller.rb12
-rw-r--r--app/services/auth/container_registry_authentication_service.rb12
2 files changed, 19 insertions, 5 deletions
diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb
index 67057b5b126..4d9922e1bb0 100644
--- a/app/controllers/jwt_controller.rb
+++ b/app/controllers/jwt_controller.rb
@@ -55,5 +55,17 @@ class JwtController < ApplicationController
def auth_params
params.permit(:service, :scope, :account, :client_id)
+ .merge(scopes: scopes_param)
+ end
+
+ # We have to parse scope as Docker Clients send.
+ # And we loose second scope when being processed by Rails:
+ # scope=scopeA&scope=scopeB
+ #
+ # This method always returns an array of scopes
+ def scopes_param
+ return unless params[:scope].present?
+
+ [Rack::Utils.parse_query(request.query_string)['scope']].flatten
end
end
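Review bot: `scopes_param` tests presence on `params[:scope]` but reads the value from `request.query_string`, so a `scope` that reaches Rails from anywhere other than the query string gives `[nil]` from `[...].flatten`, and a nil scope is handed to the authentication service. `Array(Rack::Utils.parse_query(request.query_string)['scope'])` returns `[]` in that case instead. The comment above the method also says it always returns an array, while the guard on its first line returns nil. Either return `[]` there or reword the comment to `# Returns an array of scopes, or nil when no scope was sent`.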
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index f28cddb2af3..55d022d2d3a 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -7,11 +7,11 @@ module Auth
return error('UNAVAILABLE', status: 404, message: 'registry not enabled') unless registry.enabled
- unless scope || current_user || project
+ unless scopes || current_user || project
return error('DENIED', status: 403, message: 'access forbidden')
end
- { token: authorized_token(scope).encoded }
+ { token: authorized_token(*scopes).encoded }
end
def self.full_access_token(*names)
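Review bot: The guard `unless scopes || current_user || project` no longer denies an anonymous request whose scopes were all rejected, because `scopes` now returns an array and any array, including `[]` or `[nil]`, is truthy in Ruby. Before this change a nil result from `process_scope` made `scope` nil and produced the 403. Whether `process_scope` returns nil for a rejected scope is not visible here, so that is worth confirming. `unless scopes&.any? || current_user || project` keeps the old behaviour, since `any?` is false for an empty or all-nil array. The enclosing method starts above the hunk.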
@@ -45,10 +45,12 @@ module Auth
end
end
- def scope
- return unless params[:scope]
+ def scopes
+ return unless params[:scopes]
- @scope ||= process_scope(params[:scope])
+ @scopes ||= params[:scopes].map do |scope|
+ process_scope(scope)
+ end
end
def process_scope(scope)
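Review bot: The array built in `scopes` keeps whatever `process_scope` returns for each entry, so a rejected scope (presumably nil; the body of `process_scope` is outside the hunk) is splatted into `authorized_token(*scopes)` as an argument. Dropping those at the source with `end.compact` keeps the token's access list to granted scopes only, without relying on `authorized_token` to filter them. A spec that requests one permitted and one unpermitted scope in the same call would pin the intended result.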