Commit 4d84ba43 authored by Kamil Trzcinski's avatar Kamil Trzcinski

Merge branch 'docker-registry' into docker-registry-view

parents d05f0030 fc2d985b
module Jwt module JWT
class ContainerRegistryAuthenticationService < BaseService class ContainerRegistryAuthenticationService < BaseService
AUDIENCE = 'container_registry' AUDIENCE = 'container_registry'
...@@ -7,7 +7,7 @@ module Jwt ...@@ -7,7 +7,7 @@ module Jwt
return error('forbidden', 403) unless current_user return error('forbidden', 403) unless current_user
end end
return error('forbidden', 401) if scopes.empty? return error('forbidden', 401) if scopes.blank?
{ token: authorized_token(scopes).encoded } { token: authorized_token(scopes).encoded }
end end
...@@ -26,7 +26,7 @@ module Jwt ...@@ -26,7 +26,7 @@ module Jwt
private private
def authorized_token(access) def authorized_token(access)
token = ::Jwt::RSAToken.new(registry.key) token = ::JWT::RSAToken.new(registry.key)
token.issuer = registry.issuer token.issuer = registry.issuer
token.audience = AUDIENCE token.audience = AUDIENCE
token.subject = current_user.try(:username) token.subject = current_user.try(:username)
......
...@@ -271,7 +271,7 @@ Settings.artifacts['max_size'] ||= 100 # in megabytes ...@@ -271,7 +271,7 @@ Settings.artifacts['max_size'] ||= 100 # in megabytes
# Registry # Registry
# #
Settings['registry'] ||= Settingslogic.new({}) Settings['registry'] ||= Settingslogic.new({})
Settings.registry['registry'] = false if Settings.registry['enabled'].nil? Settings.registry['enabled'] = false if Settings.registry['enabled'].nil?
Settings.registry['host'] ||= "example.com" Settings.registry['host'] ||= "example.com"
Settings.registry['internal_host']||= "localhost" Settings.registry['internal_host']||= "localhost"
Settings.registry['key'] ||= nil Settings.registry['key'] ||= nil
......
module Jwt module JWT
class RSAToken < Token class RSAToken < Token
attr_reader :key_file attr_reader :key_file
......
module Jwt module JWT
class Token class Token
attr_accessor :issuer, :subject, :audience, :id attr_accessor :issuer, :subject, :audience, :id
attr_accessor :issued_at, :not_before, :expire_time attr_accessor :issued_at, :not_before, :expire_time
...@@ -43,4 +43,4 @@ module Jwt ...@@ -43,4 +43,4 @@ module Jwt
}.compact }.compact
end end
end end
end end
\ No newline at end of file
describe Jwt::RSAToken do describe JWT::RSAToken do
let(:rsa_key) { generate_key } let(:rsa_key) { generate_key }
let(:rsa_token) { described_class.new(nil) } let(:rsa_token) { described_class.new(nil) }
let(:rsa_encoded) { rsa_token.encoded } let(:rsa_encoded) { rsa_token.encoded }
......
describe Jwt::Token do describe JWT::Token do
let(:token) { described_class.new } let(:token) { described_class.new }
context 'custom parameters' do context 'custom parameters' do
......
require 'spec_helper' require 'spec_helper'
describe Jwt::ContainerRegistryAuthenticationService, services: true do describe JWT::ContainerRegistryAuthenticationService, services: true do
let(:current_project) { nil } let(:current_project) { nil }
let(:current_user) { nil } let(:current_user) { nil }
let(:current_params) { {} } let(:current_params) { {} }
let(:rsa_key) { OpenSSL::PKey::RSA.generate(512) } let(:rsa_key) { OpenSSL::PKey::RSA.generate(512) }
let(:registry_settings) { let(:registry_settings) do
{ {
issuer: 'rspec', issuer: 'rspec',
key: nil key: nil
} }
} end
let(:payload) { JWT.decode(subject[:token], rsa_key).first } let(:payload) { JWT.decode(subject[:token], rsa_key).first }
subject { described_class.new(current_project, current_user, current_params).execute } subject { described_class.new(current_project, current_user, current_params).execute }
before do before do
allow(Gitlab.config.registry).to receive_messages(registry_settings) allow(Gitlab.config.registry).to receive_messages(registry_settings)
allow_any_instance_of(Jwt::RSAToken).to receive(:key).and_return(rsa_key) allow_any_instance_of(JWT::RSAToken).to receive(:key).and_return(rsa_key)
end end
shared_examples 'an authenticated' do shared_examples 'an authenticated' do
...@@ -26,13 +26,13 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do ...@@ -26,13 +26,13 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do
end end
shared_examples 'a accessible' do shared_examples 'a accessible' do
let(:access) { let(:access) do
[{ [{
'type' => 'repository', 'type' => 'repository',
'name' => project.path_with_namespace, 'name' => project.path_with_namespace,
'actions' => actions, 'actions' => actions,
}] }]
} end
it_behaves_like 'an authenticated' it_behaves_like 'an authenticated'
it { expect(payload).to include('access' => access) } it { expect(payload).to include('access' => access) }
...@@ -68,9 +68,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do ...@@ -68,9 +68,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do
context 'allow developer to push images' do context 'allow developer to push images' do
before { project.team << [current_user, :developer] } before { project.team << [current_user, :developer] }
let(:current_params) { let(:current_params) do
{ scope: "repository:#{project.path_with_namespace}:push" } { scope: "repository:#{project.path_with_namespace}:push" }
} end
it_behaves_like 'a pushable' it_behaves_like 'a pushable'
end end
...@@ -78,9 +78,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do ...@@ -78,9 +78,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do
context 'allow reporter to pull images' do context 'allow reporter to pull images' do
before { project.team << [current_user, :reporter] } before { project.team << [current_user, :reporter] }
let(:current_params) { let(:current_params) do
{ scope: "repository:#{project.path_with_namespace}:pull" } { scope: "repository:#{project.path_with_namespace}:pull" }
} end
it_behaves_like 'a pullable' it_behaves_like 'a pullable'
end end
...@@ -88,9 +88,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do ...@@ -88,9 +88,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do
context 'return a least of privileges' do context 'return a least of privileges' do
before { project.team << [current_user, :reporter] } before { project.team << [current_user, :reporter] }
let(:current_params) { let(:current_params) do
{ scope: "repository:#{project.path_with_namespace}:push,pull" } { scope: "repository:#{project.path_with_namespace}:push,pull" }
} end
it_behaves_like 'a pullable' it_behaves_like 'a pullable'
end end
...@@ -98,9 +98,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do ...@@ -98,9 +98,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do
context 'disallow guest to pull or push images' do context 'disallow guest to pull or push images' do
before { project.team << [current_user, :guest] } before { project.team << [current_user, :guest] }
let(:current_params) { let(:current_params) do
{ scope: "repository:#{project.path_with_namespace}:pull,push" } { scope: "repository:#{project.path_with_namespace}:pull,push" }
} end
it_behaves_like 'a forbidden' it_behaves_like 'a forbidden'
end end
...@@ -110,9 +110,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do ...@@ -110,9 +110,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do
let(:current_project) { create(:empty_project) } let(:current_project) { create(:empty_project) }
context 'allow to pull and push images' do context 'allow to pull and push images' do
let(:current_params) { let(:current_params) do
{ scope: "repository:#{current_project.path_with_namespace}:pull,push" } { scope: "repository:#{current_project.path_with_namespace}:pull,push" }
} end
it_behaves_like 'a pullable and pushable' do it_behaves_like 'a pullable and pushable' do
let(:project) { current_project } let(:project) { current_project }
...@@ -121,9 +121,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do ...@@ -121,9 +121,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do
context 'for other projects' do context 'for other projects' do
context 'when pulling' do context 'when pulling' do
let(:current_params) { let(:current_params) do
{ scope: "repository:#{project.path_with_namespace}:pull" } { scope: "repository:#{project.path_with_namespace}:pull" }
} end
context 'allow for public' do context 'allow for public' do
let(:project) { create(:empty_project, :public) } let(:project) { create(:empty_project, :public) }
...@@ -137,9 +137,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do ...@@ -137,9 +137,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do
end end
context 'when pushing' do context 'when pushing' do
let(:current_params) { let(:current_params) do
{ scope: "repository:#{project.path_with_namespace}:push" } { scope: "repository:#{project.path_with_namespace}:push" }
} end
context 'disallow for all' do context 'disallow for all' do
let(:project) { create(:empty_project, :public) } let(:project) { create(:empty_project, :public) }
...@@ -152,9 +152,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do ...@@ -152,9 +152,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do
context 'unauthorized' do context 'unauthorized' do
context 'for invalid scope' do context 'for invalid scope' do
let(:current_params) { let(:current_params) do
{ scope: 'invalid:aa:bb' } { scope: 'invalid:aa:bb' }
} end
it_behaves_like 'a forbidden' it_behaves_like 'a forbidden'
end end
...@@ -162,9 +162,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do ...@@ -162,9 +162,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do
context 'for private project' do context 'for private project' do
let(:project) { create(:empty_project, :private) } let(:project) { create(:empty_project, :private) }
let(:current_params) { let(:current_params) do
{ scope: "repository:#{project.path_with_namespace}:pull" } { scope: "repository:#{project.path_with_namespace}:pull" }
} end
it_behaves_like 'a forbidden' it_behaves_like 'a forbidden'
end end
...@@ -173,17 +173,17 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do ...@@ -173,17 +173,17 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do
let(:project) { create(:empty_project, :public) } let(:project) { create(:empty_project, :public) }
context 'when pulling and pushing' do context 'when pulling and pushing' do
let(:current_params) { let(:current_params) do
{ scope: "repository:#{project.path_with_namespace}:pull,push" } { scope: "repository:#{project.path_with_namespace}:pull,push" }
} end
it_behaves_like 'a pullable' it_behaves_like 'a pullable'
end end
context 'when pushing' do context 'when pushing' do
let(:current_params) { let(:current_params) do
{ scope: "repository:#{project.path_with_namespace}:push" } { scope: "repository:#{project.path_with_namespace}:push" }
} end
it_behaves_like 'a forbidden' it_behaves_like 'a forbidden'
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment