Commit b4a7b8f2 authored by Kamil Trzciński's avatar Kamil Trzciński

Merge branch 'jej/fix-sso-enforced-docker-registry-auth' into 'master'

Enforced SSO shouldn't break container registry authentication

Closes #12701

See merge request gitlab-org/gitlab-ee!14843
parents 52a5912e e248fd4c
# frozen_string_literal: true # frozen_string_literal: true
class JwtController < ApplicationController class JwtController < ApplicationController
skip_around_action :set_session_storage
skip_before_action :authenticate_user! skip_before_action :authenticate_user!
skip_before_action :verify_authenticity_token skip_before_action :verify_authenticity_token
before_action :authenticate_project_or_user before_action :authenticate_project_or_user
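Review bot: The new `skip_around_action :set_session_storage` carries no comment explaining why a controller that already skips `authenticate_user!` and `verify_authenticity_token` also opts out of session storage, and the security consequence deserves to be stated in place: any session-bound policy (the enforced Group SAML session check named in the commit title) will not run for `/jwt/auth`, so the credential check in `authenticate_project_or_user` becomes the endpoint's sole gate. I would add above the skip: `# Registry/CI clients send Basic credentials and have no browser session; skipping session storage keeps session-based checks (e.g. enforced Group SSO) from blocking token issuance, so authenticate_project_or_user must remain the only gate here.` If `set_session_storage` does more than install the request session (its definition is not visible here), the comment should name that too. The body of `JwtController` continues past this hunk.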
---
title: Fix Docker Registry access when Group SAML session enforcement is active
merge_request: 14843
author:
type: fixed
# frozen_string_literal: true
require 'spec_helper'
describe JwtController do
context 'authenticating against container registry' do
let(:user) { create(:user) }
let(:group) { create(:group) }
let(:project) { create(:project, :private, group: group) }
let(:scope) { "repository:#{project.full_path}:pull" }
let(:service_name) { 'container_registry' }
let(:headers) { { authorization: credentials(user.username, user.password) } }
let(:parameters) { { account: user.username, client_id: 'docker', offline_token: true, service: service_name, scope: scope } }
before do
stub_container_registry_config(enabled: true, issuer: 'gitlab-issuer', key: 'spec/fixtures/x509_certificate_pk.key')
project.add_reporter(user)
end
context 'when Group SSO is enforced' do
let!(:saml_provider) { create(:saml_provider, enforced_sso: true, group: group) }
let!(:identity) { create(:group_saml_identity, saml_provider: saml_provider, user: user) }
before do
stub_feature_flags(enforced_sso_requires_session: true)
end
it 'allows access' do
get '/jwt/auth', params: parameters, headers: headers
expect(response).to have_gitlab_http_status(200)
expect(token_response['access']).to be_present
expect(token_access['actions']).to eq ['pull']
expect(token_access['type']).to eq 'repository'
expect(token_access['name']).to eq project.full_path
end
end
end
def credentials(login, password)
ActionController::HttpAuthentication::Basic.encode_credentials(login, password)
end
def token_response
JWT.decode(json_response['token'], nil, false).first
end
def token_access
token_response['access']&.first
end
end
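Review bot: The enforced-SSO context asserts only the positive path for a user whose `group_saml_identity` is already linked, so the spec does not pin down which policy the change implements: whether registry Basic auth bypasses SSO enforcement entirely, or whether a linked identity is still required. A sibling context without the `identity` (and one with `enforced_sso_requires_session` left at its default) asserting the expected status would make the intended behavior explicit and guard against the skip in `JwtController` silently widening access later. I would also state the intent on the example itself, e.g. `it 'allows access, since Basic-auth clients have no session for SSO enforcement to check'`. The expected status for the no-identity case depends on the intended policy, which I cannot tell from this diff.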
...@@ -108,6 +108,14 @@ describe JwtController do ...@@ -108,6 +108,14 @@ describe JwtController do
end end
end end
end end
it 'does not cause session based checks to be activated' do
expect(Gitlab::Session).not_to receive(:with_session)
get '/jwt/auth', params: parameters, headers: headers
expect(response).to have_gitlab_http_status(200)
end
end end
context 'using invalid login' do context 'using invalid login' do
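Review bot: The added example proves only that `Gitlab::Session.with_session` is not invoked; it says nothing about the observable outcome (no session cookie issued), keeps passing if session handling moves to another method, and fails for the wrong reason if unrelated code legitimately calls `with_session` during the request. If the invariant is that `/jwt/auth` is stateless, asserting on the response is more direct, e.g. `expect(response.headers['Set-Cookie']).to be_nil` next to the existing status check, keeping the message expectation only if the team specifically wants to pin the around action being skipped. The description also speaks of "session based checks" while the assertion is about session storage; `it 'does not set up a session for the request'` would match what is verified. The enclosing `describe`/`context` blocks begin before this hunk.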