summaryrefslogtreecommitdiff
path: root/app
diff options
context:
space:
mode:
authorAlejandro Rodriguez <alejandro@gitlab.com>2016-11-08 18:37:15 +0000
committerRémy Coutable <remy@rymai.me>2016-11-09 12:28:29 +0100
commit32042ef56adfa24ce5952c6f3b7dc97dea5fd2d4 (patch)
tree92b450e0e40160dd1e73be536e8be87129b882f2 /app
parentb0088b527eacd16773a85ad8f88e49de7c646cf1 (diff)
downloadgitlab-ce-32042ef56adfa24ce5952c6f3b7dc97dea5fd2d4.tar.gz
Merge branch 'unauthenticated-container-registry-access' into 'security'
Restore unauthenticated access to public container registries Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/24284 See merge request !2025 Signed-off-by: Rémy Coutable <remy@rymai.me>
Diffstat (limited to 'app')
-rw-r--r--app/controllers/jwt_controller.rb4
-rw-r--r--app/services/auth/container_registry_authentication_service.rb16
2 files changed, 12 insertions, 8 deletions
diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb
index 7e4da73bc11..c736200a104 100644
--- a/app/controllers/jwt_controller.rb
+++ b/app/controllers/jwt_controller.rb
@@ -12,7 +12,7 @@ class JwtController < ApplicationController
return head :not_found unless service
result = service.new(@authentication_result.project, @authentication_result.actor, auth_params).
- execute(authentication_abilities: @authentication_result.authentication_abilities || [])
+ execute(authentication_abilities: @authentication_result.authentication_abilities)
render json: result, status: result[:http_status]
end
@@ -20,7 +20,7 @@ class JwtController < ApplicationController
private
def authenticate_project_or_user
- @authentication_result = Gitlab::Auth::Result.new
+ @authentication_result = Gitlab::Auth::Result.new(nil, nil, :none, Gitlab::Auth.read_authentication_abilities)
authenticate_with_http_basic do |login, password|
@authentication_result = Gitlab::Auth.find_for_git_client(login, password, project: nil, ip: request.ip)
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index 3fc1c70be75..c00c5aebf57 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -9,8 +9,8 @@ module Auth
return error('UNAVAILABLE', status: 404, message: 'registry not enabled') unless registry.enabled
- unless current_user || project
- return error('DENIED', status: 403, message: 'access forbidden') unless scope
+ unless scope || current_user || project
+ return error('DENIED', status: 403, message: 'access forbidden')
end
{ token: authorized_token(scope).encoded }
@@ -92,23 +92,23 @@ module Auth
# Build can:
# 1. pull from its own project (for ex. a build)
# 2. read images from dependent projects if creator of build is a team member
- @authentication_abilities.include?(:build_read_container_image) &&
+ has_authentication_ability?(:build_read_container_image) &&
(requested_project == project || can?(current_user, :build_read_container_image, requested_project))
end
def user_can_pull?(requested_project)
- @authentication_abilities.include?(:read_container_image) &&
+ has_authentication_ability?(:read_container_image) &&
can?(current_user, :read_container_image, requested_project)
end
def build_can_push?(requested_project)
# Build can push only to the project from which it originates
- @authentication_abilities.include?(:build_create_container_image) &&
+ has_authentication_ability?(:build_create_container_image) &&
requested_project == project
end
def user_can_push?(requested_project)
- @authentication_abilities.include?(:create_container_image) &&
+ has_authentication_ability?(:create_container_image) &&
can?(current_user, :create_container_image, requested_project)
end
@@ -118,5 +118,9 @@ module Auth
http_status: status
}
end
+
+ def has_authentication_ability?(capability)
+ (@authentication_abilities || []).include?(capability)
+ end
end
end