Commit b4653deb authored by Michael Kozono's avatar Michael Kozono

Merge branch 'ag-block-registry-pushes' into 'master'

Block writes on Docker Registry in maintenance mode

See merge request gitlab-org/gitlab!48689
parents afb907e4 306d4338
...@@ -130,6 +130,7 @@ module Auth ...@@ -130,6 +130,7 @@ module Auth
ContainerRepository.create_from_path!(path) ContainerRepository.create_from_path!(path)
end end
# Overridden in EE
def can_access?(requested_project, requested_action) def can_access?(requested_project, requested_action)
return false unless requested_project.container_registry_enabled? return false unless requested_project.container_registry_enabled?
return false if requested_project.repository_access_level == ::ProjectFeature::DISABLED return false if requested_project.repository_access_level == ::ProjectFeature::DISABLED
...@@ -226,11 +227,16 @@ module Auth ...@@ -226,11 +227,16 @@ module Auth
end end
end end
# Overridden in EE
def extra_info
{}
end
def log_if_actions_denied(type, requested_project, requested_actions, authorized_actions) def log_if_actions_denied(type, requested_project, requested_actions, authorized_actions)
return if requested_actions == authorized_actions return if requested_actions == authorized_actions
log_info = { log_info = {
message: "Denied container registry permissions", message: 'Denied container registry permissions',
scope_type: type, scope_type: type,
requested_project_path: requested_project.full_path, requested_project_path: requested_project.full_path,
requested_actions: requested_actions, requested_actions: requested_actions,
...@@ -238,9 +244,11 @@ module Auth ...@@ -238,9 +244,11 @@ module Auth
username: current_user&.username, username: current_user&.username,
user_id: current_user&.id, user_id: current_user&.id,
project_path: project&.full_path project_path: project&.full_path
}.compact }.merge!(extra_info).compact
Gitlab::AuthLogger.warn(log_info) Gitlab::AuthLogger.warn(log_info)
end end
end end
end end
Auth::ContainerRegistryAuthenticationService.prepend_if_ee('EE::Auth::ContainerRegistryAuthenticationService')
# frozen_string_literal: true
module EE
module Auth
module ContainerRegistryAuthenticationService
extend ::Gitlab::Utils::Override
private
override :can_access?
def can_access?(requested_project, requested_action)
if ::Gitlab.maintenance_mode? && requested_action != 'pull'
@access_denied_in_maintenance_mode = true # rubocop:disable Gitlab/ModuleWithInstanceVariables
return false
end
super
end
override :extra_info
def extra_info
return super unless access_denied_in_maintenance_mode?
super.merge!({
message: 'Write access denied in maintenance mode',
write_access_denied_in_maintenance_mode: true
})
end
def access_denied_in_maintenance_mode?
@access_denied_in_maintenance_mode
end
end
end
end
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe Auth::ContainerRegistryAuthenticationService do
include AdminModeHelper
context 'in maintenance mode' do
include_context 'container registry auth service context'
let_it_be(:current_user) { create(:user) }
let_it_be(:project) { create(:project) }
let(:log_data) do
{
message: 'Write access denied in maintenance mode',
write_access_denied_in_maintenance_mode: true
}
end
before do
stub_application_setting(maintenance_mode: true)
project.add_developer(current_user)
end
context 'allows developer to pull images' do
let(:current_params) do
{ scopes: ["repository:#{project.full_path}:pull"] }
end
it_behaves_like 'a pullable'
end
context 'does not allow developer to push images' do
let(:current_params) do
{ scopes: ["repository:#{project.full_path}:push"] }
end
it_behaves_like 'not a container repository factory'
it_behaves_like 'logs an auth warning', ['push']
end
context 'does not allow developer to delete images' do
let(:current_params) do
{ scopes: ["repository:#{project.full_path}:delete"] }
end
it_behaves_like 'not a container repository factory'
it_behaves_like 'logs an auth warning', ['delete']
end
end
context 'when not in maintenance mode' do
it_behaves_like 'a container registry auth service'
end
end
...@@ -4,7 +4,7 @@ module EE ...@@ -4,7 +4,7 @@ module EE
module StubGitlabCalls module StubGitlabCalls
def stub_registry_replication_config(registry_settings) def stub_registry_replication_config(registry_settings)
allow(::Gitlab.config.geo.registry_replication).to receive_messages(registry_settings) allow(::Gitlab.config.geo.registry_replication).to receive_messages(registry_settings)
allow(Auth::ContainerRegistryAuthenticationService) allow(::Auth::ContainerRegistryAuthenticationService)
.to receive(:pull_access_token).and_return('pull-token') .to receive(:pull_access_token).and_return('pull-token')
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment