Issue JWT token with registry:catalog:* scope when requested by GitLab admin
parent
91f1d652f5
commit
74d37438d5
|
@ -58,6 +58,11 @@ module Auth
|
|||
actions = actions.split(',')
|
||||
path = ContainerRegistry::Path.new(name)
|
||||
|
||||
if type == 'registry' && name == 'catalog' && current_user && current_user.admin?
|
||||
return { type: type, name: name, actions: ['*'] }
|
||||
end
|
||||
|
||||
|
||||
return unless type == 'repository'
|
||||
|
||||
process_repository_access(type, path, actions)
|
||||
|
|
|
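Review bot: The new catalog branch returns `actions: ['*']` whenever `current_user.admin?` is true, without consulting the requested `actions` or the kind of credential that produced `current_user`. The hunk does not show how `current_user` is resolved, so if this service also accepts job tokens or limited-scope access tokens, a restricted credential belonging to an admin would presumably receive an instance-wide catalog token; this should be confirmed against the caller. At minimum the wildcard should have to be requested explicitly, `if type == 'registry' && name == 'catalog' && actions == ['*'] && current_user && current_user.admin?`, and a comment above the branch should state which credential types are expected to reach it. The enclosing method starts and ends outside the hunk.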
@ -0,0 +1,5 @@
|
|||
---
|
||||
title: Issue JWT token with registry:catalog:* scope when requested by GitLab admin
|
||||
merge_request:
|
||||
author:
|
||||
type: added
|
|
@ -42,6 +42,19 @@ describe Auth::ContainerRegistryAuthenticationService do
|
|||
end
|
||||
end
|
||||
end
|
||||
|
||||
shared_examples 'a browsable' do
|
||||
let(:access) do
|
||||
[{ 'type' => 'registry',
|
||||
'name' => 'catalog',
|
||||
'actions' => ['*']
|
||||
}]
|
||||
end
|
||||
|
||||
it_behaves_like 'a valid token'
|
||||
it_behaves_like 'not a container repository factory'
|
||||
it { expect(payload).to include('access' => access) }
|
||||
end
|
||||
|
||||
shared_examples 'an accessible' do
|
||||
let(:access) do
|
||||
|
@ -117,6 +130,19 @@ describe Auth::ContainerRegistryAuthenticationService do
|
|||
context 'user authorization' do
|
||||
let(:current_user) { create(:user) }
|
||||
|
||||
context 'for registry catalog' do
|
||||
let(:current_params) do
|
||||
{ scope: "registry:catalog:*" }
|
||||
end
|
||||
|
||||
context 'disallow browsing for users without Gitlab admin rights' do
|
||||
it_behaves_like 'an inaccessible'
|
||||
it_behaves_like 'not a container repository factory'
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
|
||||
context 'for private project' do
|
||||
let(:project) { create(:project) }
|
||||
|
||||
|
@ -490,6 +516,16 @@ describe Auth::ContainerRegistryAuthenticationService do
|
|||
end
|
||||
end
|
||||
|
||||
context 'registry catalog browsing authorized as admin' do
|
||||
let(:current_user) { create(:user, :admin) }
|
||||
let(:current_params) do
|
||||
{ scope: "registry:catalog:*" }
|
||||
end
|
||||
|
||||
it_behaves_like 'a browsable'
|
||||
|
||||
end
|
||||
|
||||
context 'unauthorized' do
|
||||
context 'disallow to use scope-less authentication' do
|
||||
it_behaves_like 'a forbidden'
|
||||
|
@ -536,5 +572,14 @@ describe Auth::ContainerRegistryAuthenticationService do
|
|||
it_behaves_like 'not a container repository factory'
|
||||
end
|
||||
end
|
||||
|
||||
context 'for registry catalog' do
|
||||
let(:current_params) do
|
||||
{ scope: "registry:catalog:*" }
|
||||
end
|
||||
it_behaves_like 'a forbidden'
|
||||
it_behaves_like 'not a container repository factory'
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
|
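Review bot: The added specs cover an admin, a non-admin and an unauthenticated request for `registry:catalog:*`, but none pins what an admin receives when asking for a narrower registry scope. Because the service change returns `actions: ['*']` regardless of the requested actions, a case with `{ scope: "registry:catalog:pull" }` in the 'registry catalog browsing authorized as admin' context (hunk at -490) would show whether that widening is intended. If the service supports restricted credentials, a further case with an admin authenticating through one would guard the admin check against regressions. As a matter of style, the context description in the hunk at -117 should spell the product name `GitLab`, and the blank line before `end` in the admin context can be dropped.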