diff --git a/app/models/ability.rb b/app/models/ability.rb
index 74321240468..f70268d3138 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -61,7 +61,7 @@ class Ability
 :read_merge_request,
 :read_note,
 :read_commit_status,
- :read_container_registry,
+ :read_container_image,
 :download_code
 ]
@@ -204,7 +204,7 @@ class Ability
 :admin_label,
 :read_commit_status,
 :read_build,
- :read_container_registry,
+ :read_container_image,
 ]
 end
@@ -219,8 +219,8 @@ class Ability
 :create_merge_request,
 :create_wiki,
 :push_code,
- :create_container_registry,
- :update_container_registry,
+ :create_container_image,
+ :update_container_image,
 ]
 end
@@ -247,7 +247,7 @@ class Ability
 :admin_project,
 :admin_commit_status,
 :admin_build,
- :admin_container_registry,
+ :admin_container_image,
 ]
 end
@@ -293,7 +293,7 @@ class Ability
 end
 unless project.container_registry_enabled
- rules += named_abilities('container_registry')
+ rules += named_abilities('container_image')
 end
 rules
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index 45b163d213e..69ad634c368 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -9,9 +9,9 @@ module Auth
 return error('forbidden', 403) unless current_user
 end
- return error('forbidden', 401) if scopes.blank?
+ return error('forbidden', 401) unless scope
- { token: authorized_token(scopes).encoded }
+ { token: authorized_token(scope).encoded }
 end
 def self.full_access_token(*names)
@@ -27,32 +27,27 @@ module Auth
 private
- def authorized_token(access)
- token = ::JWT::RSAToken.new(registry.key)
+ def authorized_token(*accesses)
+ token = JSONWebToken::RSAToken.new(registry.key)
 token.issuer = registry.issuer
 token.audience = params[:service]
 token.subject = current_user.try(:username)
- token[:access] = access
+ token[:access] = accesses
 token
 end
- def scopes
+ def scope
 return unless params[:scope]
- @scopes ||= begin
- scope = process_scope(params[:scope])
- [scope].compact
- end
+ @scope ||= process_scope(params[:scope])
 end
 def process_scope(scope)
 type, name, actions = scope.split(':', 3)
 actions = actions.split(',')
+ return unless type == 'repository'
- case type
- when 'repository'
- process_repository_access(type, name, actions)
- end
+ process_repository_access(type, name, actions)
 end
 def process_repository_access(type, name, actions)
@@ -71,9 +66,9 @@ module Auth
 case requested_action
 when 'pull'
- requested_project == project || can?(current_user, :read_container_registry, requested_project)
+ requested_project == project || can?(current_user, :read_container_image, requested_project)
 when 'push'
- requested_project == project || can?(current_user, :create_container_registry, requested_project)
+ requested_project == project || can?(current_user, :create_container_image, requested_project)
 else
 false
 end
diff --git a/lib/jwt/rsa_token.rb b/lib/json_web_token/rsa_token.rb
similarity index 63%
rename from lib/jwt/rsa_token.rb
rename to lib/json_web_token/rsa_token.rb
index 4de89bf0d37..d6d6af7089c 100644
--- a/lib/jwt/rsa_token.rb
+++ b/lib/json_web_token/rsa_token.rb
@@ -1,4 +1,4 @@
-module JWT
+module JSONWebToken
 class RSAToken < Token
 attr_reader :key_file
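Review bot: In process_scope the added `return unless type == 'repository'` sits after `actions = actions.split(',')`, so a scope parameter with fewer than three colon-separated parts leaves `actions` nil and raises NoMethodError before the guard runs, turning a malformed request into an unhandled exception instead of the 401 the caller returns for a nil scope. Move the guard ahead of the split and make it cover the missing field: `return unless type == 'repository' && actions` followed by `actions = actions.split(',')`. The same hunk widens `authorized_token` to `*accesses`, but the only caller visible here passes the single `scope` hash; if `self.full_access_token` (defined outside this hunk) is the one that needs the splat, a comment such as `# accepts one access hash per repository so full_access_token can grant several at once` would record why. process_repository_access starts inside the hunk and its body continues outside it.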
@@ -29,10 +29,14 @@ module JWT
 end
 def kid
- fingerprint = Digest::SHA256.digest(public_key.to_der)
- Base32.encode(fingerprint).split('').each_slice(4).each_with_object([]) do |slice, mem|
- mem << slice.join
- end.join(':')
+ # calculate sha256 from DER encoded ASN1
+ kid = Digest::SHA256.digest(public_key.to_der)
+
+ # we encode only 30 bytes with base32
+ kid = Base32.encode(kid[0..29])
+
+ # insert colon every 4 characters
+ kid.scan(/.{4}/).join(':')
 end
 end
 end
diff --git a/lib/jwt/token.rb b/lib/json_web_token/token.rb
similarity index 97%
rename from lib/jwt/token.rb
rename to lib/json_web_token/token.rb
index f13abf2b71f..5b67715b0b2 100644
--- a/lib/jwt/token.rb
+++ b/lib/json_web_token/token.rb
@@ -1,4 +1,4 @@
-module JWT
+module JSONWebToken
 class Token
 attr_accessor :issuer, :subject, :audience, :id
 attr_accessor :issued_at, :not_before, :expire_time
diff --git a/spec/lib/jwt/rsa_token_spec.rb b/spec/lib/json_web_token/rsa_token_spec.rb
similarity index 95%
rename from spec/lib/jwt/rsa_token_spec.rb
rename to spec/lib/json_web_token/rsa_token_spec.rb
index a5b1d3a67dc..4462cdde9a3 100644
--- a/spec/lib/jwt/rsa_token_spec.rb
+++ b/spec/lib/json_web_token/rsa_token_spec.rb
@@ -1,4 +1,4 @@
-describe JWT::RSAToken do
+describe JSONWebToken::RSAToken do
 let(:rsa_key) { generate_key }
 let(:rsa_token) { described_class.new(nil) }
 let(:rsa_encoded) { rsa_token.encoded }
diff --git a/spec/lib/jwt/token_spec.rb b/spec/lib/json_web_token/token_spec.rb
similarity index 92%
rename from spec/lib/jwt/token_spec.rb
rename to spec/lib/json_web_token/token_spec.rb
index 92fdc3f1b7c..3d955e4d774 100644
--- a/spec/lib/jwt/token_spec.rb
+++ b/spec/lib/json_web_token/token_spec.rb
@@ -1,4 +1,4 @@
-describe JWT::Token do
+describe JSONWebToken::Token do
 let(:token) { described_class.new }
 context 'custom parameters' do
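Review bot: The new `kid` body truncates the SHA-256 digest to 30 bytes with `kid[0..29]` and then relies on `scan(/.{4}/)`, which silently drops any trailing characters that do not form a full group of four; that is only safe because 30 bytes base32-encode to exactly 48 characters with no padding, and neither comment records that invariant or why 30 bytes was chosen (it looks like the Docker registry / libtrust 240-bit key-ID format, which is worth confirming and naming). Replace `# we encode only 30 bytes with base32` with `# keep the first 240 bits (30 bytes): they base32-encode to exactly 48 characters with no padding, so scan(/.{4}/) below yields 12 complete groups and drops nothing`. Reusing `kid` for the raw digest, the encoded string and the result also reads awkwardly; `digest = Digest::SHA256.digest(public_key.to_der)` and `encoded = Base32.encode(digest[0, 30])` keep each value's meaning clear. The trailing `end`s in the hunk close the method, class and module, so the method is complete here.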
diff --git a/spec/services/auth/container_registry_authentication_service_spec.rb b/spec/services/auth/container_registry_authentication_service_spec.rb
index a45410f0458..bae576f1670 100644
--- a/spec/services/auth/container_registry_authentication_service_spec.rb
+++ b/spec/services/auth/container_registry_authentication_service_spec.rb
@@ -18,7 +18,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
 before do
 allow(Gitlab.config.registry).to receive_messages(registry_settings)
- allow_any_instance_of(JWT::RSAToken).to receive(:key).and_return(rsa_key)
+ allow_any_instance_of(JSONWebToken::RSAToken).to receive(:key).and_return(rsa_key)
 end
 shared_examples 'an authenticated' do