gitlab-org--gitlab-foss/app/services/auth/container_registry_authentication_service.rb

module Auth
  class ContainerRegistryAuthenticationService < BaseService
    include Gitlab::CurrentSettings

    AUDIENCE = 'container_registry'

    def execute(authentication_abilities:)
      @authentication_abilities = authentication_abilities

      return error('UNAVAILABLE', status: 404, message: 'registry not enabled') unless registry.enabled

      unless current_user || project
        return error('DENIED', status: 403, message: 'access forbidden') unless scope
      end

      { token: authorized_token(scope).encoded }
    end

    def self.full_access_token(*names)
      registry = Gitlab.config.registry
      token = JSONWebToken::RSAToken.new(registry.key)
      token.issuer = registry.issuer
      token.audience = AUDIENCE
      token.expire_time = token_expire_at

      token[:access] = names.map do |name|
        { type: 'repository', name: name, actions: %w(*) }
      end

      token.encoded
    end

    def self.token_expire_at
      Time.now + current_application_settings.container_registry_token_expire_delay.minutes
    end

    private

    def authorized_token(*accesses)
      token = JSONWebToken::RSAToken.new(registry.key)
      token.issuer = registry.issuer
      token.audience = params[:service]
      token.subject = current_user.try(:username)
      token.expire_time = self.class.token_expire_at
      token[:access] = accesses.compact
      token
    end

    def scope
      return unless params[:scope]

      @scope ||= process_scope(params[:scope])
    end

    def process_scope(scope)
      type, name, actions = scope.split(':', 3)
      actions = actions.split(',')
      return unless type == 'repository'

      process_repository_access(type, name, actions)
    end

    def process_repository_access(type, name, actions)
      requested_project = Project.find_with_namespace(name)
      return unless requested_project

      actions = actions.select do |action|
        can_access?(requested_project, action)
      end

      { type: type, name: name, actions: actions } if actions.present?
    end

    def can_access?(requested_project, requested_action)
      return false unless requested_project.container_registry_enabled?

      case requested_action
      when 'pull'
        requested_project.public? || build_can_pull?(requested_project) || user_can_pull?(requested_project)
      when 'push'
        build_can_push?(requested_project) || user_can_push?(requested_project)
      else
        false
      end
    end

    def registry
      Gitlab.config.registry
    end

    def build_can_pull?(requested_project)
      # Build can:
      # 1. pull from its own project (for ex. a build)
      # 2. read images from dependent projects if creator of build is a team member
      @authentication_abilities.include?(:build_read_container_image) &&
        (requested_project == project || can?(current_user, :build_read_container_image, requested_project))
    end

    def user_can_pull?(requested_project)
      @authentication_abilities.include?(:read_container_image) &&
        can?(current_user, :read_container_image, requested_project)
    end

    def build_can_push?(requested_project)
      # Build can push only to the project from which it originates
      @authentication_abilities.include?(:build_create_container_image) &&
        requested_project == project
    end

    def user_can_push?(requested_project)
      @authentication_abilities.include?(:create_container_image) &&
        can?(current_user, :create_container_image, requested_project)
    end

    def error(code, status:, message: '')
      {
        errors: [{ code: code, message: message }],
        http_status: status
      }
    end
  end
end
Use Auth::ContainerRegistryAuthenticationService 2016-05-14 12:11:48 -04:00			`module Auth`
			`class ContainerRegistryAuthenticationService < BaseService`
Fix the use of CurrentSettings in ContainerRegistryAuthenticationService 2016-05-31 07:48:05 -04:00			`include Gitlab::CurrentSettings`
Add Application Setting to configure Container Registry token expire delay (default 5min) 2016-05-30 11:12:50 -04:00
Merge branch 'docker-registry' into docker-registry-view 2016-05-14 12:15:19 -04:00			`AUDIENCE = 'container_registry'`

Rename capabilities to authentication_abilities 2016-09-16 03:59:10 -04:00			`def execute(authentication_abilities:)`
Improve JwtController implementation 2016-09-20 11:07:34 -04:00			`@authentication_abilities = authentication_abilities`
Use a permissions of user to access all dependent projects from CI jobs (this also includes a container images, and in future LFS files) 2016-08-08 06:01:25 -04:00
Be nice to Docker Clients talking to JWT/auth 2016-09-26 06:18:21 -04:00			`return error('UNAVAILABLE', status: 404, message: 'registry not enabled') unless registry.enabled`
Merge branch 'docker-registry' into docker-registry-view 2016-05-14 12:15:19 -04:00
Make authentication service for Container Registry to be compatible with < Docker 1.11 2016-05-30 10:57:39 -04:00			`unless current_user \|\| project`
Be nice to Docker Clients talking to JWT/auth 2016-09-26 06:18:21 -04:00			`return error('DENIED', status: 403, message: 'access forbidden') unless scope`
Use Auth::ContainerRegistryAuthenticationService 2016-05-14 12:11:48 -04:00			`end`

Rename JWT to JSONWebToken 2016-05-14 19:23:31 -04:00			`{ token: authorized_token(scope).encoded }`
Use Auth::ContainerRegistryAuthenticationService 2016-05-14 12:11:48 -04:00			`end`

Merge branch 'docker-registry' into docker-registry-view 2016-05-14 12:15:19 -04:00			`def self.full_access_token(*names)`
			`registry = Gitlab.config.registry`
Fix Container Service full access token 2016-05-15 09:47:48 -04:00			`token = JSONWebToken::RSAToken.new(registry.key)`
Merge branch 'docker-registry' into docker-registry-view 2016-05-14 12:15:19 -04:00			`token.issuer = registry.issuer`
			`token.audience = AUDIENCE`
Fix the use of CurrentSettings in ContainerRegistryAuthenticationService 2016-05-31 07:48:05 -04:00			`token.expire_time = token_expire_at`
Services: code style fixes, minor refactoring 2016-07-06 09:26:59 -04:00
Merge branch 'docker-registry' into docker-registry-view 2016-05-14 12:15:19 -04:00			`token[:access] = names.map do \|name\|`
Fix container deletion permission issue 2016-05-20 19:43:11 -04:00			`{ type: 'repository', name: name, actions: %w(*) }`
Merge branch 'docker-registry' into docker-registry-view 2016-05-14 12:15:19 -04:00			`end`
Fix private method visibility in container registry 2016-07-19 08:17:47 -04:00
Merge branch 'docker-registry' into docker-registry-view 2016-05-14 12:15:19 -04:00			`token.encoded`
			`end`

Fix private method visibility in container registry 2016-07-19 08:17:47 -04:00			`def self.token_expire_at`
			`Time.now + current_application_settings.container_registry_token_expire_delay.minutes`
			`end`

Use Auth::ContainerRegistryAuthenticationService 2016-05-14 12:11:48 -04:00			`private`

Rename JWT to JSONWebToken 2016-05-14 19:23:31 -04:00			`def authorized_token(*accesses)`
			`token = JSONWebToken::RSAToken.new(registry.key)`
Use Auth::ContainerRegistryAuthenticationService 2016-05-14 12:11:48 -04:00			`token.issuer = registry.issuer`
			`token.audience = params[:service]`
			`token.subject = current_user.try(:username)`
Fix private method visibility in container registry 2016-07-19 08:17:47 -04:00			`token.expire_time = self.class.token_expire_at`
Improve authentication service specs 2016-05-15 09:52:26 -04:00			`token[:access] = accesses.compact`
Use Auth::ContainerRegistryAuthenticationService 2016-05-14 12:11:48 -04:00			`token`
			`end`

Rename JWT to JSONWebToken 2016-05-14 19:23:31 -04:00			`def scope`
Use Auth::ContainerRegistryAuthenticationService 2016-05-14 12:11:48 -04:00			`return unless params[:scope]`

Rename JWT to JSONWebToken 2016-05-14 19:23:31 -04:00			`@scope \|\|= process_scope(params[:scope])`
Use Auth::ContainerRegistryAuthenticationService 2016-05-14 12:11:48 -04:00			`end`

			`def process_scope(scope)`
			`type, name, actions = scope.split(':', 3)`
			`actions = actions.split(',')`
Rename JWT to JSONWebToken 2016-05-14 19:23:31 -04:00			`return unless type == 'repository'`
Use Auth::ContainerRegistryAuthenticationService 2016-05-14 12:11:48 -04:00
Rename JWT to JSONWebToken 2016-05-14 19:23:31 -04:00			`process_repository_access(type, name, actions)`
Use Auth::ContainerRegistryAuthenticationService 2016-05-14 12:11:48 -04:00			`end`

			`def process_repository_access(type, name, actions)`
			`requested_project = Project.find_with_namespace(name)`
			`return unless requested_project`

			`actions = actions.select do \|action\|`
			`can_access?(requested_project, action)`
			`end`

			`{ type: type, name: name, actions: actions } if actions.present?`
			`end`

			`def can_access?(requested_project, requested_action)`
Fix authentication service 2016-05-14 15:22:45 -04:00			`return false unless requested_project.container_registry_enabled?`

Use Auth::ContainerRegistryAuthenticationService 2016-05-14 12:11:48 -04:00			`case requested_action`
			`when 'pull'`
Fix existing authorization specs 2016-09-15 07:49:11 -04:00			`requested_project.public? \|\| build_can_pull?(requested_project) \|\| user_can_pull?(requested_project)`
Use Auth::ContainerRegistryAuthenticationService 2016-05-14 12:11:48 -04:00			`when 'push'`
Use `build_read_container_image` and use `build_download_code` 2016-09-15 04:34:53 -04:00			`build_can_push?(requested_project) \|\| user_can_push?(requested_project)`
Use Auth::ContainerRegistryAuthenticationService 2016-05-14 12:11:48 -04:00			`else`
			`false`
			`end`
			`end`

			`def registry`
			`Gitlab.config.registry`
			`end`
Use a permissions of user to access all dependent projects from CI jobs (this also includes a container images, and in future LFS files) 2016-08-08 06:01:25 -04:00
Use `build_read_container_image` and use `build_download_code` 2016-09-15 04:34:53 -04:00			`def build_can_pull?(requested_project)`
			`# Build can:`
Improve code comments 2016-09-16 06:46:33 -04:00			`# 1. pull from its own project (for ex. a build)`
Use `build_read_container_image` and use `build_download_code` 2016-09-15 04:34:53 -04:00			`# 2. read images from dependent projects if creator of build is a team member`
Rename capabilities to authentication_abilities 2016-09-16 03:59:10 -04:00			`@authentication_abilities.include?(:build_read_container_image) &&`
Use `build_read_container_image` and use `build_download_code` 2016-09-15 04:34:53 -04:00			`(requested_project == project \|\| can?(current_user, :build_read_container_image, requested_project))`
Use a permissions of user to access all dependent projects from CI jobs (this also includes a container images, and in future LFS files) 2016-08-08 06:01:25 -04:00			`end`

Use `build_read_container_image` and use `build_download_code` 2016-09-15 04:34:53 -04:00			`def user_can_pull?(requested_project)`
Rename capabilities to authentication_abilities 2016-09-16 03:59:10 -04:00			`@authentication_abilities.include?(:read_container_image) &&`
Use `build_read_container_image` and use `build_download_code` 2016-09-15 04:34:53 -04:00			`can?(current_user, :read_container_image, requested_project)`
Use a permissions of user to access all dependent projects from CI jobs (this also includes a container images, and in future LFS files) 2016-08-08 06:01:25 -04:00			`end`

Use `build_read_container_image` and use `build_download_code` 2016-09-15 04:34:53 -04:00			`def build_can_push?(requested_project)`
Improve code comments 2016-09-16 06:46:33 -04:00			`# Build can push only to the project from which it originates`
Rename capabilities to authentication_abilities 2016-09-16 03:59:10 -04:00			`@authentication_abilities.include?(:build_create_container_image) &&`
Use `build_read_container_image` and use `build_download_code` 2016-09-15 04:34:53 -04:00			`requested_project == project`
Use a permissions of user to access all dependent projects from CI jobs (this also includes a container images, and in future LFS files) 2016-08-08 06:01:25 -04:00			`end`

Use `build_read_container_image` and use `build_download_code` 2016-09-15 04:34:53 -04:00			`def user_can_push?(requested_project)`
Rename capabilities to authentication_abilities 2016-09-16 03:59:10 -04:00			`@authentication_abilities.include?(:create_container_image) &&`
Use `build_read_container_image` and use `build_download_code` 2016-09-15 04:34:53 -04:00			`can?(current_user, :create_container_image, requested_project)`
Use a permissions of user to access all dependent projects from CI jobs (this also includes a container images, and in future LFS files) 2016-08-08 06:01:25 -04:00			`end`
Be nice to Docker Clients talking to JWT/auth 2016-09-26 06:18:21 -04:00
			`def error(code, status:, message: '')`
			`{`
			`errors: [{ code: code, message: message }],`
			`http_status: status`
			`}`
			`end`
Use Auth::ContainerRegistryAuthenticationService 2016-05-14 12:11:48 -04:00			`end`
			`end`