diff options
author | Kamil Trzcinski <ayufan@ayufan.eu> | 2016-05-14 18:23:55 -0500 |
---|---|---|
committer | Kamil Trzcinski <ayufan@ayufan.eu> | 2016-05-14 18:23:55 -0500 |
commit | f63b6fc297b876e26b93c12ca510148d18d58ec2 (patch) | |
tree | 1d1fecab4031baf1fb65cb8176c47c40af8b5c62 /app | |
parent | 5c19476286eb63325cbae7b1a21966e55712f367 (diff) | |
parent | f4f9184a01bc7442411bbcffd9b6a86784fa5f53 (diff) | |
download | gitlab-ce-f63b6fc297b876e26b93c12ca510148d18d58ec2.tar.gz |
Merge branch 'docker-registry' into docker-registry-view
Diffstat (limited to 'app')
-rw-r--r-- | app/models/ability.rb | 12 | ||||
-rw-r--r-- | app/services/auth/container_registry_authentication_service.rb | 27 |
2 files changed, 17 insertions, 22 deletions
diff --git a/app/models/ability.rb b/app/models/ability.rb index 74321240468..f70268d3138 100644 --- a/app/models/ability.rb +++ b/app/models/ability.rb @@ -61,7 +61,7 @@ class Ability :read_merge_request, :read_note, :read_commit_status, - :read_container_registry, + :read_container_image, :download_code ] @@ -204,7 +204,7 @@ class Ability :admin_label, :read_commit_status, :read_build, - :read_container_registry, + :read_container_image, ] end @@ -219,8 +219,8 @@ class Ability :create_merge_request, :create_wiki, :push_code, - :create_container_registry, - :update_container_registry, + :create_container_image, + :update_container_image, ] end @@ -247,7 +247,7 @@ class Ability :admin_project, :admin_commit_status, :admin_build, - :admin_container_registry, + :admin_container_image, ] end @@ -293,7 +293,7 @@ class Ability end unless project.container_registry_enabled - rules += named_abilities('container_registry') + rules += named_abilities('container_image') end rules diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb index 45b163d213e..69ad634c368 100644 --- a/app/services/auth/container_registry_authentication_service.rb +++ b/app/services/auth/container_registry_authentication_service.rb @@ -9,9 +9,9 @@ module Auth return error('forbidden', 403) unless current_user end - return error('forbidden', 401) if scopes.blank? + return error('forbidden', 401) unless scope - { token: authorized_token(scopes).encoded } + { token: authorized_token(scope).encoded } end def self.full_access_token(*names) @@ -27,32 +27,27 @@ module Auth private - def authorized_token(access) - token = ::JWT::RSAToken.new(registry.key) + def authorized_token(*accesses) + token = JSONWebToken::RSAToken.new(registry.key) token.issuer = registry.issuer token.audience = params[:service] token.subject = current_user.try(:username) - token[:access] = access + token[:access] = accesses token end - def scopes + def scope return unless params[:scope] - @scopes ||= begin - scope = process_scope(params[:scope]) - [scope].compact - end + @scope ||= process_scope(params[:scope]) end def process_scope(scope) type, name, actions = scope.split(':', 3) actions = actions.split(',') + return unless type == 'repository' - case type - when 'repository' - process_repository_access(type, name, actions) - end + process_repository_access(type, name, actions) end def process_repository_access(type, name, actions) @@ -71,9 +66,9 @@ module Auth case requested_action when 'pull' - requested_project == project || can?(current_user, :read_container_registry, requested_project) + requested_project == project || can?(current_user, :read_container_image, requested_project) when 'push' - requested_project == project || can?(current_user, :create_container_registry, requested_project) + requested_project == project || can?(current_user, :create_container_image, requested_project) else false end |