Merge branch 'docker-registry' into docker-registry-view
This commit is contained in:
commit
f63b6fc297
7 changed files with 30 additions and 31 deletions
|
@ -61,7 +61,7 @@ class Ability
|
|||
:read_merge_request,
|
||||
:read_note,
|
||||
:read_commit_status,
|
||||
:read_container_registry,
|
||||
:read_container_image,
|
||||
:download_code
|
||||
]
|
||||
|
||||
|
@ -204,7 +204,7 @@ class Ability
|
|||
:admin_label,
|
||||
:read_commit_status,
|
||||
:read_build,
|
||||
:read_container_registry,
|
||||
:read_container_image,
|
||||
]
|
||||
end
|
||||
|
||||
|
@ -219,8 +219,8 @@ class Ability
|
|||
:create_merge_request,
|
||||
:create_wiki,
|
||||
:push_code,
|
||||
:create_container_registry,
|
||||
:update_container_registry,
|
||||
:create_container_image,
|
||||
:update_container_image,
|
||||
]
|
||||
end
|
||||
|
||||
|
@ -247,7 +247,7 @@ class Ability
|
|||
:admin_project,
|
||||
:admin_commit_status,
|
||||
:admin_build,
|
||||
:admin_container_registry,
|
||||
:admin_container_image,
|
||||
]
|
||||
end
|
||||
|
||||
|
@ -293,7 +293,7 @@ class Ability
|
|||
end
|
||||
|
||||
unless project.container_registry_enabled
|
||||
rules += named_abilities('container_registry')
|
||||
rules += named_abilities('container_image')
|
||||
end
|
||||
|
||||
rules
|
||||
|
|
|
@ -9,9 +9,9 @@ module Auth
|
|||
return error('forbidden', 403) unless current_user
|
||||
end
|
||||
|
||||
return error('forbidden', 401) if scopes.blank?
|
||||
return error('forbidden', 401) unless scope
|
||||
|
||||
{ token: authorized_token(scopes).encoded }
|
||||
{ token: authorized_token(scope).encoded }
|
||||
end
|
||||
|
||||
def self.full_access_token(*names)
|
||||
|
@ -27,32 +27,27 @@ module Auth
|
|||
|
||||
private
|
||||
|
||||
def authorized_token(access)
|
||||
token = ::JWT::RSAToken.new(registry.key)
|
||||
def authorized_token(*accesses)
|
||||
token = JSONWebToken::RSAToken.new(registry.key)
|
||||
token.issuer = registry.issuer
|
||||
token.audience = params[:service]
|
||||
token.subject = current_user.try(:username)
|
||||
token[:access] = access
|
||||
token[:access] = accesses
|
||||
token
|
||||
end
|
||||
|
||||
def scopes
|
||||
def scope
|
||||
return unless params[:scope]
|
||||
|
||||
@scopes ||= begin
|
||||
scope = process_scope(params[:scope])
|
||||
[scope].compact
|
||||
end
|
||||
@scope ||= process_scope(params[:scope])
|
||||
end
|
||||
|
||||
def process_scope(scope)
|
||||
type, name, actions = scope.split(':', 3)
|
||||
actions = actions.split(',')
|
||||
return unless type == 'repository'
|
||||
|
||||
case type
|
||||
when 'repository'
|
||||
process_repository_access(type, name, actions)
|
||||
end
|
||||
process_repository_access(type, name, actions)
|
||||
end
|
||||
|
||||
def process_repository_access(type, name, actions)
|
||||
|
@ -71,9 +66,9 @@ module Auth
|
|||
|
||||
case requested_action
|
||||
when 'pull'
|
||||
requested_project == project || can?(current_user, :read_container_registry, requested_project)
|
||||
requested_project == project || can?(current_user, :read_container_image, requested_project)
|
||||
when 'push'
|
||||
requested_project == project || can?(current_user, :create_container_registry, requested_project)
|
||||
requested_project == project || can?(current_user, :create_container_image, requested_project)
|
||||
else
|
||||
false
|
||||
end
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
module JWT
|
||||
module JSONWebToken
|
||||
class RSAToken < Token
|
||||
attr_reader :key_file
|
||||
|
||||
|
@ -29,10 +29,14 @@ module JWT
|
|||
end
|
||||
|
||||
def kid
|
||||
fingerprint = Digest::SHA256.digest(public_key.to_der)
|
||||
Base32.encode(fingerprint).split('').each_slice(4).each_with_object([]) do |slice, mem|
|
||||
mem << slice.join
|
||||
end.join(':')
|
||||
# calculate sha256 from DER encoded ASN1
|
||||
kid = Digest::SHA256.digest(public_key.to_der)
|
||||
|
||||
# we encode only 30 bytes with base32
|
||||
kid = Base32.encode(kid[0..29])
|
||||
|
||||
# insert colon every 4 characters
|
||||
kid.scan(/.{4}/).join(':')
|
||||
end
|
||||
end
|
||||
end
|
|
@ -1,4 +1,4 @@
|
|||
module JWT
|
||||
module JSONWebToken
|
||||
class Token
|
||||
attr_accessor :issuer, :subject, :audience, :id
|
||||
attr_accessor :issued_at, :not_before, :expire_time
|
|
@ -1,4 +1,4 @@
|
|||
describe JWT::RSAToken do
|
||||
describe JSONWebToken::RSAToken do
|
||||
let(:rsa_key) { generate_key }
|
||||
let(:rsa_token) { described_class.new(nil) }
|
||||
let(:rsa_encoded) { rsa_token.encoded }
|
|
@ -1,4 +1,4 @@
|
|||
describe JWT::Token do
|
||||
describe JSONWebToken::Token do
|
||||
let(:token) { described_class.new }
|
||||
|
||||
context 'custom parameters' do
|
|
@ -18,7 +18,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
|
|||
|
||||
before do
|
||||
allow(Gitlab.config.registry).to receive_messages(registry_settings)
|
||||
allow_any_instance_of(JWT::RSAToken).to receive(:key).and_return(rsa_key)
|
||||
allow_any_instance_of(JSONWebToken::RSAToken).to receive(:key).and_return(rsa_key)
|
||||
end
|
||||
|
||||
shared_examples 'an authenticated' do
|
||||
|
|
Loading…
Reference in a new issue