Merge branch 'docker-registry' into docker-registry-view

app/models/ability.rb

@@ -61,7 +61,7 @@ class Ability
           :read_merge_request,
           :read_note,
           :read_commit_status,
-          :read_container_registry,
+          :read_container_image,
           :download_code
         ]
 
@@ -204,7 +204,7 @@ class Ability
         :admin_label,
         :read_commit_status,
         :read_build,
-        :read_container_registry,
+        :read_container_image,
       ]
     end
 
@@ -219,8 +219,8 @@ class Ability
         :create_merge_request,
         :create_wiki,
         :push_code,
-        :create_container_registry,
-        :update_container_registry,
+        :create_container_image,
+        :update_container_image,
       ]
     end
 
@@ -247,7 +247,7 @@ class Ability
         :admin_project,
         :admin_commit_status,
         :admin_build,
-        :admin_container_registry,
+        :admin_container_image,
       ]
     end
 
@@ -293,7 +293,7 @@ class Ability
       end
 
       unless project.container_registry_enabled
-        rules += named_abilities('container_registry')
+        rules += named_abilities('container_image')
       end
 
       rules

app/services/auth/container_registry_authentication_service.rb

@@ -9,9 +9,9 @@ module Auth
         return error('forbidden', 403) unless current_user
       end
 
-      return error('forbidden', 401) if scopes.blank?
+      return error('forbidden', 401) unless scope
 
-      { token: authorized_token(scopes).encoded }
+      { token: authorized_token(scope).encoded }
     end
 
     def self.full_access_token(*names)
@@ -27,32 +27,27 @@ module Auth
 
     private
 
-    def authorized_token(access)
-      token = ::JWT::RSAToken.new(registry.key)
+    def authorized_token(*accesses)
+      token = JSONWebToken::RSAToken.new(registry.key)
       token.issuer = registry.issuer
       token.audience = params[:service]
       token.subject = current_user.try(:username)
-      token[:access] = access
+      token[:access] = accesses
       token
     end
 
-    def scopes
+    def scope
       return unless params[:scope]
 
-      @scopes ||= begin
-        scope = process_scope(params[:scope])
-        [scope].compact
-      end
+      @scope ||= process_scope(params[:scope])
     end
 
     def process_scope(scope)
       type, name, actions = scope.split(':', 3)
       actions = actions.split(',')
+      return unless type == 'repository'
 
-      case type
-      when 'repository'
-        process_repository_access(type, name, actions)
-      end
+      process_repository_access(type, name, actions)
     end
 
     def process_repository_access(type, name, actions)
@@ -71,9 +66,9 @@ module Auth
 
       case requested_action
       when 'pull'
-        requested_project == project || can?(current_user, :read_container_registry, requested_project)
+        requested_project == project || can?(current_user, :read_container_image, requested_project)
       when 'push'
-        requested_project == project || can?(current_user, :create_container_registry, requested_project)
+        requested_project == project || can?(current_user, :create_container_image, requested_project)
       else
         false
       end

lib/json_web_token/rsa_token.rb

@@ -1,4 +1,4 @@
-module JWT
+module JSONWebToken
   class RSAToken < Token
     attr_reader :key_file
 
@@ -29,10 +29,14 @@ module JWT
     end
 
     def kid
-      fingerprint = Digest::SHA256.digest(public_key.to_der)
-      Base32.encode(fingerprint).split('').each_slice(4).each_with_object([]) do |slice, mem|
-        mem << slice.join
-      end.join(':')
+      # calculate sha256 from DER encoded ASN1
+      kid = Digest::SHA256.digest(public_key.to_der)
+
+      # we encode only 30 bytes with base32
+      kid = Base32.encode(kid[0..29])
+
+      # insert colon every 4 characters
+      kid.scan(/.{4}/).join(':')
     end
   end
 end

lib/json_web_token/token.rb

@@ -1,4 +1,4 @@
-module JWT
+module JSONWebToken
   class Token
     attr_accessor :issuer, :subject, :audience, :id
     attr_accessor :issued_at, :not_before, :expire_time

spec/lib/json_web_token/rsa_token_spec.rb

@@ -1,4 +1,4 @@
-describe JWT::RSAToken do
+describe JSONWebToken::RSAToken do
   let(:rsa_key) { generate_key }
   let(:rsa_token) { described_class.new(nil) }
   let(:rsa_encoded) { rsa_token.encoded }

spec/lib/json_web_token/token_spec.rb

@@ -1,4 +1,4 @@
-describe JWT::Token do
+describe JSONWebToken::Token do
   let(:token) { described_class.new }
 
   context 'custom parameters' do

spec/services/auth/container_registry_authentication_service_spec.rb

@@ -18,7 +18,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
 
   before do
     allow(Gitlab.config.registry).to receive_messages(registry_settings)
-    allow_any_instance_of(JWT::RSAToken).to receive(:key).and_return(rsa_key)
+    allow_any_instance_of(JSONWebToken::RSAToken).to receive(:key).and_return(rsa_key)
   end
 
   shared_examples 'an authenticated' do