author | Kamil Trzciński <ayufan@ayufan.eu> | 2018-07-13 19:45:07 +0200 |
---|---|---|
committer | Kamil Trzciński <ayufan@ayufan.eu> | 2018-07-13 19:45:07 +0200 |
commit | fadd299613b511f45e2136481dde0fa481c8e865 (patch) | |
tree | 92fe852ef0bfc2185677c40e28bf7315acc92f47 | |
parent | 1399eb058bfe22dc3fac5ee464e25ea67dd9e59d (diff) | |
download | gitlab-ce-fix-multiple-scopes.tar.gz |
Support multiple scopes when using authing container registry scopesfix-multiple-scopes
-rw-r--r-- | app/controllers/jwt_controller.rb | 12 | ||||
-rw-r--r-- | app/services/auth/container_registry_authentication_service.rb | 12 |
2 files changed, 19 insertions, 5 deletions
diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb
index 67057b5b126..4d9922e1bb0 100644
--- a/app/controllers/jwt_controller.rb
+++ b/app/controllers/jwt_controller.rb
@@ -55,5 +55,17 @@ class JwtController < ApplicationController
 def auth_params
 params.permit(:service, :scope, :account, :client_id)
+ .merge(scopes: scopes_param)
+ end
+
+ # We have to parse scope as Docker Clients send.
+ # And we loose second scope when being processed by Rails:
+ # scope=scopeA&scope=scopeB
+ #
+ # This method always returns an array of scopes
+ def scopes_param
+ return unless params[:scope].present?
+
+ [Rack::Utils.parse_query(request.query_string)['scope']].flatten
 end
 end
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index f28cddb2af3..55d022d2d3a 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -7,11 +7,11 @@ module Auth
 return error('UNAVAILABLE', status: 404, message: 'registry not enabled') unless registry.enabled
- unless scope || current_user || project
+ unless scopes || current_user || project
 return error('DENIED', status: 403, message: 'access forbidden')
 end
- { token: authorized_token(scope).encoded }
+ { token: authorized_token(*scopes).encoded }
 end
 def self.full_access_token(*names)
@@ -45,10 +45,12 @@ module Auth
 end
 end
- def scope
- return unless params[:scope]
+ def scopes
+ return unless params[:scopes]
- @scope ||= process_scope(params[:scope])
+ @scopes ||= params[:scopes].map do |scope|
+ process_scope(scope)
+ end
 end
 def process_scope(scope) |
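Review bot: `scopes_param` in jwt_controller.rb can return `nil` or `[nil]`, which contradicts its "always returns an array" comment and lets a nil element reach the service. The early return tests Rails' `params[:scope]`, but the value is taken from `Rack::Utils.parse_query`, and the two parsers disagree on keys such as `scope[]=x`: Rails reports a `scope` param while the flat parse has no `'scope'` key, so `[nil].flatten` is merged in as `scopes: [nil]`. This appears to be the token-issuing endpoint, so a malformed query should fail closed here rather than raise further down; `Array(Rack::Utils.parse_query(request.query_string)['scope']).select { |s| s.is_a?(String) && s.present? }` would do that, and a cap on the number of scopes accepted per request would bound the per-scope work. The comment's "loose" should read "lose".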
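Review bot: The guard `unless scopes || current_user || project` in the first hunk of container_registry_authentication_service.rb no longer denies when no scope was granted. `scopes` (rewritten in the second hunk of the same file) now returns an Array, and any Array is truthy in Ruby, including `[]` and `[nil]`. If `process_scope` returns nil for a scope it rejects (its body is outside this diff), an anonymous request whose scopes are all rejected used to get 403 DENIED and now falls through to `authorized_token(*scopes)` with nil arguments. Ending the `map` block in `scopes` with `end.compact` and testing `scopes&.any?` in the guard would keep the fail-closed behaviour. The commit touches no spec file; a spec with two scopes where only one is permitted, and one where none is, would pin this.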