Commit 3555252d authored by Kamil Trzciński's avatar Kamil Trzciński

Merge branch '26763-grant-registry-auth-scope-to-admins' into 'master'

Issue JWT token with registry:catalog:* scope when requested by GitLab admin

Closes #26763 and #18392

See merge request gitlab-org/gitlab-ce!14751
parents 8d47e9f8 3d744009
Pipeline #12746300 failed with stages
in 98 minutes and 30 seconds
......@@ -56,11 +56,22 @@ module Auth
def process_scope(scope)
type, name, actions = scope.split(':', 3)
actions = actions.split(',')
path = ContainerRegistry::Path.new(name)
return unless type == 'repository'
case type
when 'registry'
process_registry_access(type, name, actions)
when 'repository'
path = ContainerRegistry::Path.new(name)
process_repository_access(type, path, actions)
end
end
def process_registry_access(type, name, actions)
return unless current_user&.admin?
return unless name == 'catalog'
return unless actions == ['*']
process_repository_access(type, path, actions)
{ type: type, name: name, actions: ['*'] }
end
def process_repository_access(type, path, actions)
......
---
title: Issue JWT token with registry:catalog:* scope when requested by GitLab admin
merge_request: 14751
author: Vratislav Kalenda
type: added
......@@ -43,6 +43,21 @@ describe Auth::ContainerRegistryAuthenticationService do
end
end
shared_examples 'a browsable' do
let(:access) do
[{ 'type' => 'registry',
'name' => 'catalog',
'actions' => ['*'] }]
end
it_behaves_like 'a valid token'
it_behaves_like 'not a container repository factory'
it 'has the correct scope' do
expect(payload).to include('access' => access)
end
end
shared_examples 'an accessible' do
let(:access) do
[{ 'type' => 'repository',
......@@ -51,7 +66,10 @@ describe Auth::ContainerRegistryAuthenticationService do
end
it_behaves_like 'a valid token'
it { expect(payload).to include('access' => access) }
it 'has the correct scope' do
expect(payload).to include('access' => access)
end
end
shared_examples 'an inaccessible' do
......@@ -117,6 +135,17 @@ describe Auth::ContainerRegistryAuthenticationService do
context 'user authorization' do
let(:current_user) { create(:user) }
context 'for registry catalog' do
let(:current_params) do
{ scope: "registry:catalog:*" }
end
context 'disallow browsing for users without Gitlab admin rights' do
it_behaves_like 'an inaccessible'
it_behaves_like 'not a container repository factory'
end
end
context 'for private project' do
let(:project) { create(:project) }
......@@ -490,6 +519,16 @@ describe Auth::ContainerRegistryAuthenticationService do
end
end
context 'registry catalog browsing authorized as admin' do
let(:current_user) { create(:user, :admin) }
let(:current_params) do
{ scope: "registry:catalog:*" }
end
it_behaves_like 'a browsable'
end
context 'unauthorized' do
context 'disallow to use scope-less authentication' do
it_behaves_like 'a forbidden'
......@@ -536,5 +575,14 @@ describe Auth::ContainerRegistryAuthenticationService do
it_behaves_like 'not a container repository factory'
end
end
context 'for registry catalog' do
let(:current_params) do
{ scope: "registry:catalog:*" }
end
it_behaves_like 'a forbidden'
it_behaves_like 'not a container repository factory'
end
end
end
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment