Merge branch 'docker-registry' into docker-registry-view

# Conflicts:
#	app/controllers/jwt_controller.rb
#	app/services/jwt/container_registry_authentication_service.rb

app/controllers/jwt_controller.rb

 class JwtController < ApplicationController
   skip_before_action :authenticate_user!
   skip_before_action :verify_authenticity_token
+  before_action :authenticate_project_or_user
 
   SERVICES = {
-    Jwt::ContainerRegistryAuthenticationService::AUDIENCE => Jwt::ContainerRegistryAuthenticationService,
+    ::Gitlab::JWT::ContainerRegistryAuthenticationService::AUDIENCE => ::Gitlab::JWT::ContainerRegistryAuthenticationService,
   }
 
   def auth
-    @authenticated = authenticate_with_http_basic do |login, password|
-      # if it's possible we first try to authenticate project with login and password
-      @project = authenticate_project(login, password)
-      @user = authenticate_user(login, password) unless @project
-    end
-
-    unless @authenticated
-      head :forbidden if ActionController::HttpAuthentication::Basic.has_basic_credentials?(request)
-    end
-
     service = SERVICES[params[:service]]
     head :not_found unless service
 
@@ -28,21 +19,30 @@ class JwtController < ApplicationController
 
   private
 
+  def authenticate_project_or_user
+    authenticate_with_http_basic do |login, password|
+      # if it's possible we first try to authenticate project with login and password
+      @project = authenticate_project(login, password)
+      return if @project
+
+      @user = authenticate_user(login, password)
+      return if @user
+    end
+
+    if ActionController::HttpAuthentication::Basic.has_basic_credentials?(request)
+      head :forbidden
+    end
+  end
+
   def auth_params
     params.permit(:service, :scope, :offline_token, :account, :client_id)
   end
 
   def authenticate_project(login, password)
-    matched_login = /(?<s>^[a-zA-Z]*-ci)-token$/.match(login)
-
-    if matched_login.present?
-      underscored_service = matched_login['s'].underscore
-
-      if underscored_service == 'gitlab_ci'
+    if login == 'gitlab_ci_token'
       Project.find_by(builds_enabled: true, runners_token: password)
     end
   end
-  end
 
   def authenticate_user(login, password)
     user = Gitlab::Auth.new.find(login, password)
@@ -77,6 +77,7 @@ class JwtController < ApplicationController
         if banned
           Rails.logger.info "IP #{request.ip} failed to login " \
               "as #{login} but has been temporarily banned from Git auth"
+          return
         end
       end
     end

app/models/project.rb

@@ -377,7 +377,7 @@ class Project < ActiveRecord::Base
 
   def container_registry_repository
     @container_registry_repository ||= begin
-      token = JWT::ContainerRegistryAuthenticationService.full_access_token(path_with_namespace)
+      token = Gitlab::JWT::ContainerRegistryAuthenticationService.full_access_token(path_with_namespace)
       url = Gitlab.config.registry.api_url
       host_port = Gitlab.config.registry.host_port
       registry = ContainerRegistry::Registry.new(url, token: token, path: host_port)

app/services/jwt/container_registry_authentication_service.rb

-module JWT
+module Gitlab
+  module JWT
     class ContainerRegistryAuthenticationService < BaseService
       AUDIENCE = 'container_registry'
 
@@ -30,7 +31,7 @@ module JWT
       def authorized_token(access)
         token = ::JWT::RSAToken.new(registry.key)
         token.issuer = registry.issuer
-      token.audience = AUDIENCE
+        token.audience = params[:service]
         token.subject = current_user.try(:username)
         token[:access] = access
         token
@@ -66,6 +67,7 @@ module JWT
         { type: type, name: name, actions: actions } if actions.present?
       end
 
+<<<<<<< HEAD
     def can_access?(requested_project, requested_action)
       return false unless requested_project.container_registry_enabled?
 
@@ -76,11 +78,22 @@ module JWT
         requested_project == project || can?(current_user, :create_container_registry, requested_project)
       else
         false
+=======
+      def can_access?(requested_project, requested_action)
+        case requested_action
+        when 'pull'
+          requested_project.public? || requested_project == project || can?(current_user, :read_container_registry, requested_project)
+        when 'push'
+          requested_project == project || can?(current_user, :create_container_registry, requested_project)
+        else
+          false
         end
+>>>>>>> docker-registry
       end
 
       def registry
         Gitlab.config.registry
       end
     end
+  end
 end

lib/jwt/rsa_token.rb

@@ -24,11 +24,13 @@ module JWT
       @key ||= OpenSSL::PKey::RSA.new(key_data)
     end
 
+    def public_key
+      key.public_key
+    end
+
     def kid
-      sha256 = Digest::SHA256.new
-      sha256.update(key.public_key.to_der)
-      payload = StringIO.new(sha256.digest).read(30)
-      Base32.encode(payload).split('').each_slice(4).each_with_object([]) do |slice, mem|
+      fingerprint = Digest::SHA256.digest(public_key.to_der)
+      Base32.encode(fingerprint).split('').each_slice(4).each_with_object([]) do |slice, mem|
         mem << slice.join
       end.join(':')
     end

spec/features/container_registry_spec.rb

@@ -16,7 +16,7 @@ describe "Container Registry" do
     project.team << [@user, :developer]
     stub_container_registry(*tags)
     allow(Gitlab.config.registry).to receive_messages(registry_settings)
-    allow(JWT::ContainerRegistryAuthenticationService).to receive(:full_access_token).and_return('token')
+    allow(Gitlab::JWT::ContainerRegistryAuthenticationService).to receive(:full_access_token).and_return('token')
   end
 
   describe 'GET /:project/container_registry' do

spec/services/jwt/container_registry_authentication_service_spec.rb

 require 'spec_helper'
 
-describe JWT::ContainerRegistryAuthenticationService, services: true do
+describe Gitlab::JWT::ContainerRegistryAuthenticationService, services: true do
   let(:current_project) { nil }
   let(:current_user) { nil }
   let(:current_params) { {} }