Merge branch 'be-nice-to-docker-client' into 'master'

Be nice to Docker Clients talking to JWT/auth

## What does this MR do?

Makes all errors returned by JWT endpoint to be docker-compatible.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/22465

See merge request !6536

CHANGELOG

 Please view this file on the master branch, on stable branches it's out of date.
 
 v 8.12.2 (unreleased)
+  - Fix Import/Export not recognising correctly the imported services.
+  - Fix snippets pagination
+  - Fix List-Unsubscribe header in emails
+  - Fix an issue with the "Commits" section of the cycle analytics summary. !6513
+  - Fix errors importing project feature and milestone models using GitLab project import
+  - Make JWT messages Docker-compatible
 
 v 8.12.1
   - Fix a memory leak in HTML::Pipeline::SanitizationFilter::WHITELIST

app/controllers/jwt_controller.rb

@@ -25,7 +25,7 @@ class JwtController < ApplicationController
     authenticate_with_http_basic do |login, password|
       @authentication_result = Gitlab::Auth.find_for_git_client(login, password, project: nil, ip: request.ip)
 
-      render_403 unless @authentication_result.success? &&
+      render_unauthorized unless @authentication_result.success? &&
         (@authentication_result.actor.nil? || @authentication_result.actor.is_a?(User))
     end
   rescue Gitlab::Auth::MissingPersonalTokenError
@@ -33,10 +33,21 @@ class JwtController < ApplicationController
   end
 
   def render_missing_personal_token
-    render plain: "HTTP Basic: Access denied\n" \
-                  "You have 2FA enabled, please use a personal access token for Git over HTTP.\n" \
-                  "You can generate one at #{profile_personal_access_tokens_url}",
-           status: 401
+    render json: {
+      errors: [
+        { code: 'UNAUTHORIZED',
+          message: "HTTP Basic: Access denied\n" \
+                   "You have 2FA enabled, please use a personal access token for Git over HTTP.\n" \
+                   "You can generate one at #{profile_personal_access_tokens_url}" }
+      ] }, status: 401
+  end
+
+  def render_unauthorized
+    render json: {
+      errors: [
+        { code: 'UNAUTHORIZED',
+          message: 'HTTP Basic: Access denied' }
+      ] }, status: 401
   end
 
   def auth_params

app/services/auth/container_registry_authentication_service.rb

@@ -7,10 +7,10 @@ module Auth
     def execute(authentication_abilities:)
       @authentication_abilities = authentication_abilities
 
-      return error('not found', 404) unless registry.enabled
+      return error('UNAVAILABLE', status: 404, message: 'registry not enabled') unless registry.enabled
 
       unless current_user || project
-        return error('forbidden', 403) unless scope
+        return error('DENIED', status: 403, message: 'access forbidden') unless scope
       end
 
       { token: authorized_token(scope).encoded }
@@ -111,5 +111,12 @@ module Auth
       @authentication_abilities.include?(:create_container_image) &&
         can?(current_user, :create_container_image, requested_project)
     end
+
+    def error(code, status:, message: '')
+      {
+        errors: [{ code: code, message: message }],
+        http_status: status
+      }
+    end
   end
 end

spec/requests/jwt_controller_spec.rb

@@ -39,7 +39,7 @@ describe JwtController do
 
         subject! { get '/jwt/auth', parameters, headers }
 
-        it { expect(response).to have_http_status(403) }
+        it { expect(response).to have_http_status(401) }
       end
     end
 
@@ -77,7 +77,7 @@ describe JwtController do
 
       subject! { get '/jwt/auth', parameters, headers }
 
-      it { expect(response).to have_http_status(403) }
+      it { expect(response).to have_http_status(401) }
     end
   end