From 74d37438d5361fd4e77993dbc9590b20f7c32100 Mon Sep 17 00:00:00 2001
From: Vratislav Kalenda
Date: Sun, 8 Oct 2017 20:36:45 +0200
Subject: Issue JWT token with registry:catalog:* scope when requested by GitLab admin
---
 .../container_registry_authentication_service.rb | 5 +++
 .../26763-grant-registry-auth-scope-to-admins.yml | 5 +++
 ...ntainer_registry_authentication_service_spec.rb | 45 ++++++++++++++++++++++
 3 files changed, 55 insertions(+)
 create mode 100644 changelogs/unreleased/26763-grant-registry-auth-scope-to-admins.yml
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index 9a636346899..0de7009e339 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -58,6 +58,11 @@ module Auth
 actions = actions.split(',')
 path = ContainerRegistry::Path.new(name)
+ if type == 'registry' && name == 'catalog' && current_user && current_user.admin?
+ return { type: type, name: name, actions: ['*'] }
+ end
+
+
 return unless type == 'repository'
 process_repository_access(type, path, actions)
diff --git a/changelogs/unreleased/26763-grant-registry-auth-scope-to-admins.yml b/changelogs/unreleased/26763-grant-registry-auth-scope-to-admins.yml
new file mode 100644
index 00000000000..bd9791d6c1c
--- /dev/null
+++ b/changelogs/unreleased/26763-grant-registry-auth-scope-to-admins.yml
@@ -0,0 +1,5 @@
+---
+title: Issue JWT token with registry:catalog:* scope when requested by GitLab admin
+merge_request:
+author:
+type: added
diff --git a/spec/services/auth/container_registry_authentication_service_spec.rb b/spec/services/auth/container_registry_authentication_service_spec.rb
index 1c2d0b3e0dc..6145f72df43 100644
--- a/spec/services/auth/container_registry_authentication_service_spec.rb
+++ b/spec/services/auth/container_registry_authentication_service_spec.rb
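Review bot: The new early return grants the full `registry:catalog:*` scope on `current_user.admin?` alone, so any credential that resolves to an admin user can enumerate every image in the registry, regardless of whatever ability or token-scope checks the `process_repository_access` path presumably applies further down; if narrower-scoped credentials (personal access tokens, CI job credentials) can reach this service with an admin as `current_user`, this branch lets them bypass those checks. Catalog enumeration is an admin-only disclosure surface, so gate it on the same ability check the repository branch uses (or at least confirm the admin is active) rather than on the role flag by itself, and `current_user&.admin?` reads cleaner than `current_user && current_user.admin?`. The two consecutive blank lines added after `end` will also be flagged by Layout/EmptyLines; keep one. The enclosing method starts and ends outside this hunk.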
@@ -42,6 +42,19 @@ describe Auth::ContainerRegistryAuthenticationService do
 end
 end
 end
+
+ shared_examples 'a browsable' do
+ let(:access) do
+ [{ 'type' => 'registry',
+ 'name' => 'catalog',
+ 'actions' => ['*']
+ }]
+ end
+
+ it_behaves_like 'a valid token'
+ it_behaves_like 'not a container repository factory'
+ it { expect(payload).to include('access' => access) }
+ end
 shared_examples 'an accessible' do
 let(:access) do
@@ -117,6 +130,19 @@ describe Auth::ContainerRegistryAuthenticationService do
 context 'user authorization' do
 let(:current_user) { create(:user) }
+ context 'for registry catalog' do
+ let(:current_params) do
+ { scope: "registry:catalog:*" }
+ end
+
+ context 'disallow browsing for users without Gitlab admin rights' do
+ it_behaves_like 'an inaccessible'
+ it_behaves_like 'not a container repository factory'
+ end
+ end
+
+
+
 context 'for private project' do
 let(:project) { create(:project) }
@@ -490,6 +516,16 @@ describe Auth::ContainerRegistryAuthenticationService do
 end
 end
+ context 'registry catalog browsing authorized as admin' do
+ let(:current_user) { create(:user, :admin) }
+ let(:current_params) do
+ { scope: "registry:catalog:*" }
+ end
+
+ it_behaves_like 'a browsable'
+
+ end
+
 context 'unauthorized' do
 context 'disallow to use scope-less authentication' do
 it_behaves_like 'a forbidden'
@@ -536,5 +572,14 @@ describe Auth::ContainerRegistryAuthenticationService do
 it_behaves_like 'not a container repository factory'
 end
 end
+
+ context 'for registry catalog' do
+ let(:current_params) do
+ { scope: "registry:catalog:*" }
+ end
+ it_behaves_like 'a forbidden'
+ it_behaves_like 'not a container repository factory'
+ end
+
 end
 end
--
cgit v1.2.1
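Review bot: The three consecutive blank lines added after the closing `end` of the new 'for registry catalog' context will be flagged by Layout/EmptyLines; a single blank line before `context 'for private project' do` is enough. The context description also spells the product `Gitlab`, whereas the commit subject and changelog entry use `GitLab`; `context 'disallow browsing for users without GitLab admin rights' do` keeps the spec output consistent. The enclosing `context 'user authorization'` block ends outside this hunk.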
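Review bot: None of the added examples exercise the `name == 'catalog'` guard that the service hunk relies on, so a regression that widened the admin branch to every `registry:*` scope would pass this spec; add a sibling of the admin context with `{ scope: "registry:other:*" }` that expects `it_behaves_like 'an inaccessible'`. The blank line between `it_behaves_like 'a browsable'` and the closing `end` of the admin context is also a Layout/EmptyLinesAroundBlockBody offence and should go. The surrounding `describe` block starts and ends outside this hunk.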