authorKamil Trzcinski <ayufan@ayufan.eu>2016-05-14 18:23:55 -0500
committerKamil Trzcinski <ayufan@ayufan.eu>2016-05-14 18:23:55 -0500
commitf63b6fc297b876e26b93c12ca510148d18d58ec2 (patch)
tree1d1fecab4031baf1fb65cb8176c47c40af8b5c62
parent5c19476286eb63325cbae7b1a21966e55712f367 (diff)
parentf4f9184a01bc7442411bbcffd9b6a86784fa5f53 (diff)
downloadgitlab-ce-f63b6fc297b876e26b93c12ca510148d18d58ec2.tar.gz
Merge branch 'docker-registry' into docker-registry-view
-rw-r--r--app/models/ability.rb12
-rw-r--r--app/services/auth/container_registry_authentication_service.rb27
-rw-r--r--lib/json_web_token/rsa_token.rb (renamed from lib/jwt/rsa_token.rb)14
-rw-r--r--lib/json_web_token/token.rb (renamed from lib/jwt/token.rb)2
-rw-r--r--spec/lib/json_web_token/rsa_token_spec.rb (renamed from spec/lib/jwt/rsa_token_spec.rb)2
-rw-r--r--spec/lib/json_web_token/token_spec.rb (renamed from spec/lib/jwt/token_spec.rb)2
-rw-r--r--spec/services/auth/container_registry_authentication_service_spec.rb2
7 files changed, 30 insertions, 31 deletions
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 74321240468..f70268d3138 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -61,7 +61,7 @@ class Ability
:read_merge_request,
:read_note,
:read_commit_status,
- :read_container_registry,
+ :read_container_image,
:download_code
]
@@ -204,7 +204,7 @@ class Ability
:admin_label,
:read_commit_status,
:read_build,
- :read_container_registry,
+ :read_container_image,
]
end
@@ -219,8 +219,8 @@ class Ability
:create_merge_request,
:create_wiki,
:push_code,
- :create_container_registry,
- :update_container_registry,
+ :create_container_image,
+ :update_container_image,
]
end
@@ -247,7 +247,7 @@ class Ability
:admin_project,
:admin_commit_status,
:admin_build,
- :admin_container_registry,
+ :admin_container_image,
]
end
@@ -293,7 +293,7 @@ class Ability
end
unless project.container_registry_enabled
- rules += named_abilities('container_registry')
+ rules += named_abilities('container_image')
end
rules
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index 45b163d213e..69ad634c368 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -9,9 +9,9 @@ module Auth
return error('forbidden', 403) unless current_user
end
- return error('forbidden', 401) if scopes.blank?
+ return error('forbidden', 401) unless scope
- { token: authorized_token(scopes).encoded }
+ { token: authorized_token(scope).encoded }
end
def self.full_access_token(*names)
@@ -27,32 +27,27 @@ module Auth
private
- def authorized_token(access)
- token = ::JWT::RSAToken.new(registry.key)
+ def authorized_token(*accesses)
+ token = JSONWebToken::RSAToken.new(registry.key)
token.issuer = registry.issuer
token.audience = params[:service]
token.subject = current_user.try(:username)
- token[:access] = access
+ token[:access] = accesses
token
end
- def scopes
+ def scope
return unless params[:scope]
- @scopes ||= begin
- scope = process_scope(params[:scope])
- [scope].compact
- end
+ @scope ||= process_scope(params[:scope])
end
def process_scope(scope)
type, name, actions = scope.split(':', 3)
actions = actions.split(',')
+ return unless type == 'repository'
- case type
- when 'repository'
- process_repository_access(type, name, actions)
- end
+ process_repository_access(type, name, actions)
end
def process_repository_access(type, name, actions)
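Review bot: The new `return unless type == 'repository'` guard in `process_scope` sits after `actions = actions.split(',')`, so a scope string with fewer than three colon-separated fields (say `repository:group/app`, with no action list) still reaches `nil.split` and raises NoMethodError; since `params[:scope]` is supplied by the registry client, a malformed request becomes a 500 instead of the 401 the caller already returns for a missing scope. Moving the guard above the split and folding in the nil check fixes both cases: `return unless type == 'repository' && actions` followed by `process_repository_access(type, name, actions.split(','))`. Separately, `@scope ||= process_scope(params[:scope])` re-runs `process_scope` on every call whenever it returns nil, which is harmless here but worth a one-line comment so nobody later relies on it being evaluated once.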
@@ -71,9 +66,9 @@ module Auth
case requested_action
when 'pull'
- requested_project == project || can?(current_user, :read_container_registry, requested_project)
+ requested_project == project || can?(current_user, :read_container_image, requested_project)
when 'push'
- requested_project == project || can?(current_user, :create_container_registry, requested_project)
+ requested_project == project || can?(current_user, :create_container_image, requested_project)
else
false
end
diff --git a/lib/jwt/rsa_token.rb b/lib/json_web_token/rsa_token.rb
index 4de89bf0d37..d6d6af7089c 100644
--- a/lib/jwt/rsa_token.rb
+++ b/lib/json_web_token/rsa_token.rb
@@ -1,4 +1,4 @@
-module JWT
+module JSONWebToken
class RSAToken < Token
attr_reader :key_file
@@ -29,10 +29,14 @@ module JWT
end
def kid
- fingerprint = Digest::SHA256.digest(public_key.to_der)
- Base32.encode(fingerprint).split('').each_slice(4).each_with_object([]) do |slice, mem|
- mem << slice.join
- end.join(':')
+ # calculate sha256 from DER encoded ASN1
+ kid = Digest::SHA256.digest(public_key.to_der)
+
+ # we encode only 30 bytes with base32
+ kid = Base32.encode(kid[0..29])
+
+ # insert colon every 4 characters
+ kid.scan(/.{4}/).join(':')
end
end
end
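Review bot: The new comments in `kid` describe each step but not why the digest is cut to 30 bytes and grouped in fours; this appears to be the libtrust key-ID format the Docker registry uses (SHA-256 over the DER-encoded public key, first 30 bytes, base32, a colon every 4 characters), and the registry compares this `kid` with the ID it derives from its configured certificate, so the shape is a wire contract rather than a local choice — please confirm and state it, e.g. replace the second comment with `# registry (libtrust) key-ID format: first 30 bytes of SHA256(DER pubkey), base32, colon every 4 chars`. It is worth noting in the same comment that the truncation only affects the identifier, not the signature, so it does not weaken the token. `public_key` is defined outside this hunk, so its encoding cannot be checked here.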
diff --git a/lib/jwt/token.rb b/lib/json_web_token/token.rb
index f13abf2b71f..5b67715b0b2 100644
--- a/lib/jwt/token.rb
+++ b/lib/json_web_token/token.rb
@@ -1,4 +1,4 @@
-module JWT
+module JSONWebToken
class Token
attr_accessor :issuer, :subject, :audience, :id
attr_accessor :issued_at, :not_before, :expire_time
diff --git a/spec/lib/jwt/rsa_token_spec.rb b/spec/lib/json_web_token/rsa_token_spec.rb
index a5b1d3a67dc..4462cdde9a3 100644
--- a/spec/lib/jwt/rsa_token_spec.rb
+++ b/spec/lib/json_web_token/rsa_token_spec.rb
@@ -1,4 +1,4 @@
-describe JWT::RSAToken do
+describe JSONWebToken::RSAToken do
let(:rsa_key) { generate_key }
let(:rsa_token) { described_class.new(nil) }
let(:rsa_encoded) { rsa_token.encoded }
diff --git a/spec/lib/jwt/token_spec.rb b/spec/lib/json_web_token/token_spec.rb
index 92fdc3f1b7c..3d955e4d774 100644
--- a/spec/lib/jwt/token_spec.rb
+++ b/spec/lib/json_web_token/token_spec.rb
@@ -1,4 +1,4 @@
-describe JWT::Token do
+describe JSONWebToken::Token do
let(:token) { described_class.new }
context 'custom parameters' do
diff --git a/spec/services/auth/container_registry_authentication_service_spec.rb b/spec/services/auth/container_registry_authentication_service_spec.rb
index a45410f0458..bae576f1670 100644
--- a/spec/services/auth/container_registry_authentication_service_spec.rb
+++ b/spec/services/auth/container_registry_authentication_service_spec.rb
@@ -18,7 +18,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
before do
allow(Gitlab.config.registry).to receive_messages(registry_settings)
- allow_any_instance_of(JWT::RSAToken).to receive(:key).and_return(rsa_key)
+ allow_any_instance_of(JSONWebToken::RSAToken).to receive(:key).and_return(rsa_key)
end
shared_examples 'an authenticated' do