Make authentication service for Container Registry to be compatible with < Docker 1.11
This commit is contained in:
parent
2485bd7bbf
commit
7ec1fa212d
|
@ -15,6 +15,7 @@ v 8.9.0 (unreleased)
|
||||||
- Remove 'main language' feature
|
- Remove 'main language' feature
|
||||||
- Projects pending deletion will render a 404 page
|
- Projects pending deletion will render a 404 page
|
||||||
- Measure queue duration between gitlab-workhorse and Rails
|
- Measure queue duration between gitlab-workhorse and Rails
|
||||||
|
- Make authentication service for Container Registry to be compatible with < Docker 1.11
|
||||||
|
|
||||||
v 8.8.3
|
v 8.8.3
|
||||||
- Fix gitlab importer failing to import new projects due to missing credentials
|
- Fix gitlab importer failing to import new projects due to missing credentials
|
||||||
|
|
|
@ -32,7 +32,7 @@ class JwtController < ApplicationController
|
||||||
end
|
end
|
||||||
|
|
||||||
def auth_params
|
def auth_params
|
||||||
params.permit(:service, :scope, :offline_token, :account, :client_id)
|
params.permit(:service, :scope, :account, :client_id)
|
||||||
end
|
end
|
||||||
|
|
||||||
def authenticate_project(login, password)
|
def authenticate_project(login, password)
|
||||||
|
|
|
@ -5,9 +5,7 @@ module Auth
|
||||||
def execute
|
def execute
|
||||||
return error('not found', 404) unless registry.enabled
|
return error('not found', 404) unless registry.enabled
|
||||||
|
|
||||||
if params[:offline_token]
|
unless current_user || project
|
||||||
return error('unauthorized', 401) unless current_user || project
|
|
||||||
else
|
|
||||||
return error('forbidden', 403) unless scope
|
return error('forbidden', 403) unless scope
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -14,7 +14,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
|
||||||
allow_any_instance_of(JSONWebToken::RSAToken).to receive(:key).and_return(rsa_key)
|
allow_any_instance_of(JSONWebToken::RSAToken).to receive(:key).and_return(rsa_key)
|
||||||
end
|
end
|
||||||
|
|
||||||
shared_examples 'an authenticated' do
|
shared_examples 'a valid token' do
|
||||||
it { is_expected.to include(:token) }
|
it { is_expected.to include(:token) }
|
||||||
it { expect(payload).to include('access') }
|
it { expect(payload).to include('access') }
|
||||||
end
|
end
|
||||||
|
@ -28,10 +28,15 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
|
||||||
}]
|
}]
|
||||||
end
|
end
|
||||||
|
|
||||||
it_behaves_like 'an authenticated'
|
it_behaves_like 'a valid token'
|
||||||
it { expect(payload).to include('access' => access) }
|
it { expect(payload).to include('access' => access) }
|
||||||
end
|
end
|
||||||
|
|
||||||
|
shared_examples 'an inaccessible' do
|
||||||
|
it_behaves_like 'a valid token'
|
||||||
|
it { expect(payload).to include('access' => []) }
|
||||||
|
end
|
||||||
|
|
||||||
shared_examples 'a pullable' do
|
shared_examples 'a pullable' do
|
||||||
it_behaves_like 'a accessible' do
|
it_behaves_like 'a accessible' do
|
||||||
let(:actions) { ['pull'] }
|
let(:actions) { ['pull'] }
|
||||||
|
@ -50,11 +55,6 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
shared_examples 'an unauthorized' do
|
|
||||||
it { is_expected.to include(http_status: 401) }
|
|
||||||
it { is_expected.not_to include(:token) }
|
|
||||||
end
|
|
||||||
|
|
||||||
shared_examples 'a forbidden' do
|
shared_examples 'a forbidden' do
|
||||||
it { is_expected.to include(http_status: 403) }
|
it { is_expected.to include(http_status: 403) }
|
||||||
it { is_expected.not_to include(:token) }
|
it { is_expected.not_to include(:token) }
|
||||||
|
@ -75,12 +75,8 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
|
||||||
let(:project) { create(:project) }
|
let(:project) { create(:project) }
|
||||||
let(:current_user) { create(:user) }
|
let(:current_user) { create(:user) }
|
||||||
|
|
||||||
context 'allow to use offline_token' do
|
context 'allow to use scope-less authentication' do
|
||||||
let(:current_params) do
|
it_behaves_like 'a valid token'
|
||||||
{ offline_token: true }
|
|
||||||
end
|
|
||||||
|
|
||||||
it_behaves_like 'an authenticated'
|
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'allow developer to push images' do
|
context 'allow developer to push images' do
|
||||||
|
@ -120,19 +116,15 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
|
||||||
{ scope: "repository:#{project.path_with_namespace}:pull,push" }
|
{ scope: "repository:#{project.path_with_namespace}:pull,push" }
|
||||||
end
|
end
|
||||||
|
|
||||||
it_behaves_like 'a forbidden'
|
it_behaves_like 'an inaccessible'
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'project authorization' do
|
context 'project authorization' do
|
||||||
let(:current_project) { create(:empty_project) }
|
let(:current_project) { create(:empty_project) }
|
||||||
|
|
||||||
context 'allow to use offline_token' do
|
context 'allow to use scope-less authentication' do
|
||||||
let(:current_params) do
|
it_behaves_like 'a valid token'
|
||||||
{ offline_token: true }
|
|
||||||
end
|
|
||||||
|
|
||||||
it_behaves_like 'an authenticated'
|
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'allow to pull and push images' do
|
context 'allow to pull and push images' do
|
||||||
|
@ -158,7 +150,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
|
||||||
|
|
||||||
context 'disallow for private' do
|
context 'disallow for private' do
|
||||||
let(:project) { create(:empty_project, :private) }
|
let(:project) { create(:empty_project, :private) }
|
||||||
it_behaves_like 'a forbidden'
|
it_behaves_like 'an inaccessible'
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -169,7 +161,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
|
||||||
|
|
||||||
context 'disallow for all' do
|
context 'disallow for all' do
|
||||||
let(:project) { create(:empty_project, :public) }
|
let(:project) { create(:empty_project, :public) }
|
||||||
it_behaves_like 'a forbidden'
|
it_behaves_like 'an inaccessible'
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
@ -184,18 +176,14 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
|
||||||
{ scope: "repository:#{project.path_with_namespace}:pull" }
|
{ scope: "repository:#{project.path_with_namespace}:pull" }
|
||||||
end
|
end
|
||||||
|
|
||||||
it_behaves_like 'a forbidden'
|
it_behaves_like 'an inaccessible'
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'unauthorized' do
|
context 'unauthorized' do
|
||||||
context 'disallow to use offline_token' do
|
context 'disallow to use scope-less authentication' do
|
||||||
let(:current_params) do
|
it_behaves_like 'a forbidden'
|
||||||
{ offline_token: true }
|
|
||||||
end
|
|
||||||
|
|
||||||
it_behaves_like 'an unauthorized'
|
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'for invalid scope' do
|
context 'for invalid scope' do
|
||||||
|
|
Loading…
Reference in New Issue