Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Jérome Perrin
gitlab-ce
Commits
3d18b3a0
Commit
3d18b3a0
authored
May 15, 2016
by
Kamil Trzcinski
Browse files
Options
Browse Files
Download
Plain Diff
Merge branch 'docker-registry' into docker-registry-view
parents
b575b2f1
dfd0e245
Changes
3
Show whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
59 additions
and
18 deletions
+59
-18
app/services/auth/container_registry_authentication_service.rb
...ervices/auth/container_registry_authentication_service.rb
+3
-3
spec/lib/json_web_token/rsa_token_spec.rb
spec/lib/json_web_token/rsa_token_spec.rb
+20
-8
spec/services/auth/container_registry_authentication_service_spec.rb
...es/auth/container_registry_authentication_service_spec.rb
+36
-7
No files found.
app/services/auth/container_registry_authentication_service.rb
View file @
3d18b3a0
...
...
@@ -7,9 +7,9 @@ module Auth
if
params
[
:offline_token
]
return
error
(
'forbidden'
,
403
)
unless
current_user
end
else
return
error
(
'forbidden'
,
401
)
unless
scope
end
{
token:
authorized_token
(
scope
).
encoded
}
end
...
...
@@ -32,7 +32,7 @@ module Auth
token
.
issuer
=
registry
.
issuer
token
.
audience
=
params
[
:service
]
token
.
subject
=
current_user
.
try
(
:username
)
token
[
:access
]
=
accesses
token
[
:access
]
=
accesses
.
compact
token
end
...
...
spec/lib/json_web_token/rsa_token_spec.rb
View file @
3d18b3a0
describe
JSONWebToken
::
RSAToken
do
let
(
:rsa_key
)
{
generate_key
}
let
(
:rsa_key
)
do
OpenSSL
::
PKey
::
RSA
.
new
<<-
eos
.
strip_heredoc
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAMA5sXIBE0HwgIB40iNidN4PGWzOyLQK0bsdOBNgpEXkDlZBvnak
OUgAPF+rME4PB0Yl415DabUI40T5UNmlwxcCAwEAAQJAZtY2pSwIFm3JAXIh0cZZ
iXcAfiJ+YzuqinUOS+eW2sBCAEzjcARlU/o6sFQgtsOi4FOMczAd1Yx8UDMXMmrw
2QIhAPBgVhJiTF09pdmeFWutCvTJDlFFAQNbrbo2X2x/9WF9AiEAzLgqMKeStSRu
H9N16TuDrUoO8R+DPqriCwkKrSHaWyMCIFzMhE4inuKcSywBaLmiG4m3GQzs++Al
A6PRG/PSTpQtAiBxtBg6zdf+JC3GH3zt/dA0/10tL4OF2wORfYQghRzyYQIhAL2l
0ZQW+yLIZAGrdBFWYEAa52GZosncmzBNlsoTgwE4
-----END RSA PRIVATE KEY-----
eos
end
let
(
:rsa_token
)
{
described_class
.
new
(
nil
)
}
let
(
:rsa_encoded
)
{
rsa_token
.
encoded
}
...
...
@@ -13,19 +25,19 @@ describe JSONWebToken::RSAToken do
it
{
expect
{
subject
}.
to_not
raise_error
}
it
{
expect
(
subject
.
first
).
to
include
(
'key'
=>
'value'
)
}
it
do
expect
(
subject
.
second
).
to
eq
(
"typ"
=>
"JWT"
,
"alg"
=>
"RS256"
,
"kid"
=>
"OGXY:4TR7:FAVO:WEM2:XXEW:E4FP:TKL7:7ACK:TZAF:D54P:SUIA:P3B2"
)
end
end
context
'for invalid key to raise an exception'
do
let
(
:new_key
)
{
generate_key
}
let
(
:new_key
)
{
OpenSSL
::
PKey
::
RSA
.
generate
(
512
)
}
subject
{
JWT
.
decode
(
rsa_encoded
,
new_key
)
}
it
{
expect
{
subject
}.
to
raise_error
(
JWT
::
DecodeError
)
}
end
end
private
def
generate_key
OpenSSL
::
PKey
::
RSA
.
generate
(
512
)
end
end
spec/services/auth/container_registry_authentication_service_spec.rb
View file @
3d18b3a0
...
...
@@ -57,15 +57,28 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
end
end
shared_examples
'a
forbidden
'
do
shared_examples
'a
unauthorized
'
do
it
{
is_expected
.
to
include
(
http_status:
401
)
}
it
{
is_expected
.
to_not
include
(
:token
)
}
end
shared_examples
'a forbidden'
do
it
{
is_expected
.
to
include
(
http_status:
403
)
}
it
{
is_expected
.
to_not
include
(
:token
)
}
end
context
'user authorization'
do
let
(
:project
)
{
create
(
:project
)
}
let
(
:current_user
)
{
create
(
:user
)
}
context
'allow to use offline_token'
do
let
(
:current_params
)
do
{
offline_token:
true
}
end
it_behaves_like
'an authenticated'
end
context
'allow developer to push images'
do
before
{
project
.
team
<<
[
current_user
,
:developer
]
}
...
...
@@ -103,13 +116,21 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
{
scope:
"repository:
#{
project
.
path_with_namespace
}
:pull,push"
}
end
it_behaves_like
'a
forbidden
'
it_behaves_like
'a
unauthorized
'
end
end
context
'project authorization'
do
let
(
:current_project
)
{
create
(
:empty_project
)
}
context
'disallow to use offline_token'
do
let
(
:current_params
)
do
{
offline_token:
true
}
end
it_behaves_like
'a forbidden'
end
context
'allow to pull and push images'
do
let
(
:current_params
)
do
{
scope:
"repository:
#{
current_project
.
path_with_namespace
}
:pull,push"
}
...
...
@@ -133,7 +154,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
context
'disallow for private'
do
let
(
:project
)
{
create
(
:empty_project
,
:private
)
}
it_behaves_like
'a
forbidden
'
it_behaves_like
'a
unauthorized
'
end
end
...
...
@@ -144,7 +165,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
context
'disallow for all'
do
let
(
:project
)
{
create
(
:empty_project
,
:public
)
}
it_behaves_like
'a
forbidden
'
it_behaves_like
'a
unauthorized
'
end
end
end
...
...
@@ -165,12 +186,20 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
end
context
'unauthorized'
do
context
'disallow to use offline_token'
do
let
(
:current_params
)
do
{
offline_token:
true
}
end
it_behaves_like
'a forbidden'
end
context
'for invalid scope'
do
let
(
:current_params
)
do
{
scope:
'invalid:aa:bb'
}
end
it_behaves_like
'a
forbidden
'
it_behaves_like
'a
unauthorized
'
end
context
'for private project'
do
...
...
@@ -180,7 +209,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
{
scope:
"repository:
#{
project
.
path_with_namespace
}
:pull"
}
end
it_behaves_like
'a
forbidden
'
it_behaves_like
'a
unauthorized
'
end
context
'for public project'
do
...
...
@@ -199,7 +228,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
{
scope:
"repository:
#{
project
.
path_with_namespace
}
:push"
}
end
it_behaves_like
'a
forbidden
'
it_behaves_like
'a
unauthorized
'
end
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment