Commit d8b88f51 authored by David Fernandez's avatar David Fernandez

Merge branch '349743-jwt-update' into 'master'

Fix import JWT payload

See merge request gitlab-org/gitlab!79218
parents 2c008d0a cd88505b
......@@ -42,15 +42,15 @@ module Auth
access_token(%w(*), names)
end
def self.import_access_token(*names)
access_token(%w(import), names)
def self.import_access_token
access_token(%w(*), ['import'], 'registry')
end
def self.pull_access_token(*names)
access_token(['pull'], names)
end
def self.access_token(actions, names)
def self.access_token(actions, names, type = 'repository')
names = names.flatten
registry = Gitlab.config.registry
token = JSONWebToken::RSAToken.new(registry.key)
......@@ -60,10 +60,10 @@ module Auth
token[:access] = names.map do |name|
{
type: 'repository',
type: type,
name: name,
actions: actions,
migration_eligible: migration_eligible(repository_path: name)
migration_eligible: type == 'repository' ? migration_eligible(repository_path: name) : nil
}.compact
end
......
......@@ -15,7 +15,12 @@ module ContainerRegistry
def gitlab_api_client
strong_memoize(:gitlab_api_client) do
ContainerRegistry::GitlabApiClient.new(@uri, @options)
token = Auth::ContainerRegistryAuthenticationService.import_access_token
url = Gitlab.config.registry.api_url
host_port = Gitlab.config.registry.host_port
ContainerRegistry::GitlabApiClient.new(url, token: token, path: host_port)
end
end
......
......@@ -31,6 +31,10 @@ RSpec.describe ContainerRegistry::Registry do
describe '#gitlab_api_client' do
subject { registry.gitlab_api_client }
it { is_expected.to be_instance_of(ContainerRegistry::GitlabApiClient) }
it 'returns a GitLabApiClient with an import token' do
expect(Auth::ContainerRegistryAuthenticationService).to receive(:import_access_token)
expect(subject).to be_instance_of(ContainerRegistry::GitlabApiClient)
end
end
end
......@@ -51,6 +51,8 @@ module StubGitlabCalls
allow(Gitlab.config.registry).to receive_messages(registry_settings)
allow(Auth::ContainerRegistryAuthenticationService)
.to receive(:full_access_token).and_return('token')
allow(Auth::ContainerRegistryAuthenticationService)
.to receive(:import_access_token).and_return('token')
end
def stub_container_registry_tags(repository: :any, tags: [], with_manifest: false)
......
......@@ -182,17 +182,22 @@ RSpec.shared_examples 'a container registry auth service' do
end
describe '.import_access_token' do
let_it_be(:project) { create(:project) }
let(:access) do
[{ 'type' => 'registry',
'name' => 'import',
'actions' => ['*'] }]
end
let(:token) { described_class.import_access_token(project.full_path) }
let(:token) { described_class.import_access_token }
subject { { token: token } }
it_behaves_like 'an accessible' do
let(:actions) { ['import'] }
end
it_behaves_like 'a valid token'
it_behaves_like 'not a container repository factory'
it 'has the correct scope' do
expect(payload).to include('access' => access)
end
end
describe '.pull_access_token' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment