From 9f46488805e86b1bc341ea1620b866016c2ce5ed Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Wed, 20 May 2020 14:34:42 +0000
Subject: Add latest changes from gitlab-org/gitlab@13-0-stable-ee
---
 .../container_registry_authentication_service.rb | 29 ++++++++++++++++++----
 1 file changed, 24 insertions(+), 5 deletions(-)
(limited to 'app/services/auth/container_registry_authentication_service.rb')
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index 4a699fe3213..44a434f4402 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -52,7 +52,7 @@ module Auth
 end
 
 def self.token_expire_at
- Time.now + Gitlab::CurrentSettings.container_registry_token_expire_delay.minutes
+ Time.current + Gitlab::CurrentSettings.container_registry_token_expire_delay.minutes
 end
 
 private
@@ -103,17 +103,19 @@ module Auth
 
 return unless requested_project
 
- actions = actions.select do |action|
+ authorized_actions = actions.select do |action|
 can_access?(requested_project, action)
 end
 
- return unless actions.present?
+ log_if_actions_denied(type, requested_project, actions, authorized_actions)
+
+ return unless authorized_actions.present?
 
 # At this point user/build is already authenticated.
 #
- ensure_container_repository!(path, actions)
+ ensure_container_repository!(path, authorized_actions)
 
- { type: type, name: path.to_s, actions: actions }
+ { type: type, name: path.to_s, actions: authorized_actions }
 end
 
 ##
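Review bot: The denial logging added in the second hunk only covers requests that resolved to a project, because `log_if_actions_denied` is called after the existing `return unless requested_project` guard; a scope naming a path that does not resolve returns without an auth-log entry from this method. If such requests are not logged elsewhere (not visible in this hunk), repeated lookups of unknown paths would be invisible to anyone alerting on the "Denied container registry permissions" message. At minimum I would record the limitation next to the guard, e.g. `# NOTE: unresolved paths return here and are not covered by log_if_actions_denied`. The enclosing method starts above the hunk, so how `requested_project` is resolved cannot be checked from here.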
@@ -222,5 +224,22 @@ module Auth
 REGISTRY_LOGIN_ABILITIES.include?(ability)
 end
 end
+
+ def log_if_actions_denied(type, requested_project, requested_actions, authorized_actions)
+ return if requested_actions == authorized_actions
+
+ log_info = {
+ message: "Denied container registry permissions",
+ scope_type: type,
+ requested_project_path: requested_project.full_path,
+ requested_actions: requested_actions,
+ authorized_actions: authorized_actions,
+ username: current_user&.username,
+ user_id: current_user&.id,
+ project_path: project&.full_path
+ }.compact
+
+ Gitlab::AuthLogger.warn(log_info)
+ end
 end
 end
-- cgit v1.2.1
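Review bot: In `log_if_actions_denied`, `username`, `user_id` and `project_path` are all read with `&.` and then stripped by `.compact`, so a denial for a request carrying neither a user nor a project yields an entry with no actor field at all. For triage that makes an anonymous denial hard to tell apart from an entry that lost fields; ending the hash with `}` instead of `}.compact` would keep the three keys present with explicit nulls. `requested_actions` is presumably taken from the client-supplied scope and is logged as received, so a short comment such as `# requested_actions is client-controlled; logged verbatim` would tell log consumers not to trust its contents or length. The method also has no doc comment; one line stating that it warns only when the authorized list differs from the requested list would be enough.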