author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-05-20 14:34:42 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-05-20 14:34:42 +0000 |
commit | 9f46488805e86b1bc341ea1620b866016c2ce5ed (patch) | |
tree | f9748c7e287041e37d6da49e0a29c9511dc34768 /app/services/auth/container_registry_authentication_service.rb | |
parent | dfc92d081ea0332d69c8aca2f0e745cb48ae5e6d (diff) | |
download | gitlab-ce-9f46488805e86b1bc341ea1620b866016c2ce5ed.tar.gz |
Add latest changes from gitlab-org/gitlab@13-0-stable-ee
Diffstat (limited to 'app/services/auth/container_registry_authentication_service.rb')
-rw-r--r-- | app/services/auth/container_registry_authentication_service.rb | 29 |
1 files changed, 24 insertions, 5 deletions
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index 4a699fe3213..44a434f4402 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -52,7 +52,7 @@ module Auth
 end
 def self.token_expire_at
- Time.now + Gitlab::CurrentSettings.container_registry_token_expire_delay.minutes
+ Time.current + Gitlab::CurrentSettings.container_registry_token_expire_delay.minutes
 end
 private
@@ -103,17 +103,19 @@ module Auth
 return unless requested_project
- actions = actions.select do |action|
+ authorized_actions = actions.select do |action|
 can_access?(requested_project, action)
 end
- return unless actions.present?
+ log_if_actions_denied(type, requested_project, actions, authorized_actions)
+
+ return unless authorized_actions.present?
 # At this point user/build is already authenticated.
 #
- ensure_container_repository!(path, actions)
+ ensure_container_repository!(path, authorized_actions)
- { type: type, name: path.to_s, actions: actions }
+ { type: type, name: path.to_s, actions: authorized_actions }
 end
 ##
@@ -222,5 +224,22 @@ module Auth
 REGISTRY_LOGIN_ABILITIES.include?(ability)
 end
 end
+
+ def log_if_actions_denied(type, requested_project, requested_actions, authorized_actions)
+ return if requested_actions == authorized_actions
+
+ log_info = {
+ message: "Denied container registry permissions",
+ scope_type: type,
+ requested_project_path: requested_project.full_path,
+ requested_actions: requested_actions,
+ authorized_actions: authorized_actions,
+ username: current_user&.username,
+ user_id: current_user&.id,
+ project_path: project&.full_path
+ }.compact
+
+ Gitlab::AuthLogger.warn(log_info)
+ end
 end
 end |
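Review bot: In the `@@ -103,17 +103,19 @@` hunk the new `log_if_actions_denied` call sits below `return unless requested_project`, so a scope request whose path resolves to no project returns before anything is written to the auth log. The denial log will therefore cover only existing projects, and anyone using it to spot registry probing will not see requests for unknown paths. If that is deliberate (for example to limit log volume), record it next to the call with a comment such as `# Only denials against an existing project are logged; unknown paths return above.` The enclosing method starts outside the hunk, so earlier returns may have the same effect.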
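Review bot: In `log_if_actions_denied` (the `@@ -222,5 +224,22 @@` hunk) `username` and `user_id` are read through `current_user&.` and then removed by `.compact` when there is no user, so a denial from an anonymous or token-based caller is logged with no actor field at all. For triage it is easier to filter on an explicit value than on a missing key, e.g. add `authenticated: current_user.present?` to the hash. `requested_actions` is presumably derived from the client-supplied scope, so it may be worth bounding what is logged, e.g. `requested_actions: requested_actions.first(10)`. The method also has no comment; I would put `# Warns in the auth log when fewer actions were authorized than were requested.` above the `def`.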