2017-10-08 20:36:45 +02:00 · 2017-10-08 20:36:45 +02:00 · 74d37438d5
parent 91f1d652f5
commit 74d37438d5
3 changed files with 55 additions and 0 deletions
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@ -58,6 +58,11 @@ module Auth
      actions = actions.split(',')
      path = ContainerRegistry::Path.new(name)

+      if type == 'registry' && name == 'catalog' && current_user && current_user.admin?
+        return { type: type, name: name, actions: ['*'] }
+      end
+
+
      return unless type == 'repository'

      process_repository_access(type, path, actions)
--- a/changelogs/unreleased/26763-grant-registry-auth-scope-to-admins.yml
+++ b/changelogs/unreleased/26763-grant-registry-auth-scope-to-admins.yml
@ -0,0 +1,5 @@
+---
+title: Issue JWT token with registry:catalog:* scope when requested by GitLab admin
+merge_request:
+author:
+type: added
--- a/spec/services/auth/container_registry_authentication_service_spec.rb
+++ b/spec/services/auth/container_registry_authentication_service_spec.rb
@ -42,6 +42,19 @@ describe Auth::ContainerRegistryAuthenticationService do
      end
    end
  end
+  
+  shared_examples 'a browsable' do
+    let(:access) do
+      [{ 'type' => 'registry',
+         'name' => 'catalog',
+         'actions' => ['*']
+        }]
+    end
+
+    it_behaves_like 'a valid token'
+    it_behaves_like 'not a container repository factory'
+    it { expect(payload).to include('access' => access) }
+  end

  shared_examples 'an accessible' do
    let(:access) do
@ -117,6 +130,19 @@ describe Auth::ContainerRegistryAuthenticationService do
  context 'user authorization' do
    let(:current_user) { create(:user) }

+    context 'for registry catalog' do
+      let(:current_params) do
+        { scope: "registry:catalog:*" }
+      end
+
+      context 'disallow browsing for users without Gitlab admin rights' do
+        it_behaves_like 'an inaccessible'
+        it_behaves_like 'not a container repository factory'
+      end
+    end
+
+
+
    context 'for private project' do
      let(:project) { create(:project) }

@ -490,6 +516,16 @@ describe Auth::ContainerRegistryAuthenticationService do
    end
  end

+  context 'registry catalog browsing authorized as admin' do
+    let(:current_user) { create(:user, :admin) }
+    let(:current_params) do
+      { scope: "registry:catalog:*" }
+    end
+
+    it_behaves_like 'a browsable'
+
+  end
+
  context 'unauthorized' do
    context 'disallow to use scope-less authentication' do
      it_behaves_like 'a forbidden'
@ -536,5 +572,14 @@ describe Auth::ContainerRegistryAuthenticationService do
        it_behaves_like 'not a container repository factory'
      end
    end
+
+    context 'for registry catalog' do
+      let(:current_params) do
+        { scope: "registry:catalog:*" }
+      end
+      it_behaves_like 'a forbidden'
+      it_behaves_like 'not a container repository factory'
+    end
+
  end
 end