Commit
4d84ba43
authored
May 12, 2016
by
Kamil Trzcinski
Merge branch 'docker-registry' into docker-registry-view
parents
d05f0030
fc2d985b
Changes
7
Showing
7 changed files
with
37 additions
and
37 deletions
+37
-37
app/services/jwt/container_registry_authentication_service.rb
...services/jwt/container_registry_authentication_service.rb
+3
-3
config/initializers/1_settings.rb
config/initializers/1_settings.rb
+1
-1
lib/jwt/rsa_token.rb
lib/jwt/rsa_token.rb
+1
-1
lib/jwt/token.rb
lib/jwt/token.rb
+2
-2
spec/lib/jwt/rsa_token_spec.rb
spec/lib/jwt/rsa_token_spec.rb
+1
-1
spec/lib/jwt/token_spec.rb
spec/lib/jwt/token_spec.rb
+1
-1
spec/services/jwt/container_registry_authentication_service_spec.rb
...ces/jwt/container_registry_authentication_service_spec.rb
+28
-28
app/services/jwt/container_registry_authentication_service.rb
module
J
wt
module
J
WT
class
ContainerRegistryAuthenticationService
<
BaseService
class
ContainerRegistryAuthenticationService
<
BaseService
AUDIENCE
=
'container_registry'
AUDIENCE
=
'container_registry'
...
@@ -7,7 +7,7 @@ module Jwt
...
@@ -7,7 +7,7 @@ module Jwt
return
error
(
'forbidden'
,
403
)
unless
current_user
return
error
(
'forbidden'
,
403
)
unless
current_user
end
end
return
error
(
'forbidden'
,
401
)
if
scopes
.
empty
?
return
error
(
'forbidden'
,
401
)
if
scopes
.
blank
?
{
token:
authorized_token
(
scopes
).
encoded
}
{
token:
authorized_token
(
scopes
).
encoded
}
end
end
...
@@ -26,7 +26,7 @@ module Jwt
...
@@ -26,7 +26,7 @@ module Jwt
private
private
def
authorized_token
(
access
)
def
authorized_token
(
access
)
token
=
::
J
wt
::
RSAToken
.
new
(
registry
.
key
)
token
=
::
J
WT
::
RSAToken
.
new
(
registry
.
key
)
token
.
issuer
=
registry
.
issuer
token
.
issuer
=
registry
.
issuer
token
.
audience
=
AUDIENCE
token
.
audience
=
AUDIENCE
token
.
subject
=
current_user
.
try
(
:username
)
token
.
subject
=
current_user
.
try
(
:username
)
...
...
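Review bot: `token.subject = current_user.try(:username)` in `authorized_token` leaves the JWT `sub` claim nil whenever the service runs without a user, and the `unless current_user` guard in the first hunk sits inside a conditional whose condition is outside the hunk, so at least one path appears to reach token creation anonymously. If that is intended, a comment on the `subject` line such as `# subject may be nil: anonymous (unauthenticated) access is allowed on some paths — confirm this is intended` would stop the next reader from treating it as a bug; if not, an early `return error(...)` before the token is built is missing. The `'forbidden'` message paired with status 401 on the `scopes.blank?` line (403 is used on the user guard) also deserves a one-line comment explaining why 401 is chosen there. The `execute` method containing the first hunk starts outside the hunk.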
config/initializers/1_settings.rb
...
@@ -271,7 +271,7 @@ Settings.artifacts['max_size'] ||= 100 # in megabytes
...
@@ -271,7 +271,7 @@ Settings.artifacts['max_size'] ||= 100 # in megabytes
# Registry
# Registry
#
#
Settings
[
'registry'
]
||=
Settingslogic
.
new
({})
Settings
[
'registry'
]
||=
Settingslogic
.
new
({})
Settings
.
registry
[
'
registry
'
]
=
false
if
Settings
.
registry
[
'enabled'
].
nil?
Settings
.
registry
[
'
enabled
'
]
=
false
if
Settings
.
registry
[
'enabled'
].
nil?
Settings
.
registry
[
'host'
]
||=
"example.com"
Settings
.
registry
[
'host'
]
||=
"example.com"
Settings
.
registry
[
'internal_host'
]
||=
"localhost"
Settings
.
registry
[
'internal_host'
]
||=
"localhost"
Settings
.
registry
[
'key'
]
||=
nil
Settings
.
registry
[
'key'
]
||=
nil
...
...
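Review bot: `Settings.registry['key'] ||= nil` on the last line of the hunk is a no-op — `||=` with `nil` never changes the value — so it says nothing about whether a key is mandatory once `enabled` is true, and the corrected `['enabled']` default introduces no such check either. If the line is meant as documentation, replacing it with a comment would be clearer, e.g. `# key: path to the registry token signing key; presumably required when enabled is true (validated elsewhere — confirm)`; otherwise it can be dropped. The hunk's other defaults (`host`, `internal_host`) are unaffected.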
lib/jwt/rsa_token.rb
module
J
wt
module
J
WT
class
RSAToken
<
Token
class
RSAToken
<
Token
attr_reader
:key_file
attr_reader
:key_file
...
...
lib/jwt/token.rb
module
J
wt
module
J
WT
class
Token
class
Token
attr_accessor
:issuer
,
:subject
,
:audience
,
:id
attr_accessor
:issuer
,
:subject
,
:audience
,
:id
attr_accessor
:issued_at
,
:not_before
,
:expire_time
attr_accessor
:issued_at
,
:not_before
,
:expire_time
...
...
spec/lib/jwt/rsa_token_spec.rb
describe
J
wt
::
RSAToken
do
describe
J
WT
::
RSAToken
do
let
(
:rsa_key
)
{
generate_key
}
let
(
:rsa_key
)
{
generate_key
}
let
(
:rsa_token
)
{
described_class
.
new
(
nil
)
}
let
(
:rsa_token
)
{
described_class
.
new
(
nil
)
}
let
(
:rsa_encoded
)
{
rsa_token
.
encoded
}
let
(
:rsa_encoded
)
{
rsa_token
.
encoded
}
...
...
spec/lib/jwt/token_spec.rb
describe
J
wt
::
Token
do
describe
J
WT
::
Token
do
let
(
:token
)
{
described_class
.
new
}
let
(
:token
)
{
described_class
.
new
}
context
'custom parameters'
do
context
'custom parameters'
do
...
...
spec/services/jwt/container_registry_authentication_service_spec.rb
require
'spec_helper'
require
'spec_helper'
describe
J
wt
::
ContainerRegistryAuthenticationService
,
services:
true
do
describe
J
WT
::
ContainerRegistryAuthenticationService
,
services:
true
do
let
(
:current_project
)
{
nil
}
let
(
:current_project
)
{
nil
}
let
(
:current_user
)
{
nil
}
let
(
:current_user
)
{
nil
}
let
(
:current_params
)
{
{}
}
let
(
:current_params
)
{
{}
}
let
(
:rsa_key
)
{
OpenSSL
::
PKey
::
RSA
.
generate
(
512
)
}
let
(
:rsa_key
)
{
OpenSSL
::
PKey
::
RSA
.
generate
(
512
)
}
let
(
:registry_settings
)
{
let
(
:registry_settings
)
do
{
{
issuer:
'rspec'
,
issuer:
'rspec'
,
key:
nil
key:
nil
}
}
}
end
let
(
:payload
)
{
JWT
.
decode
(
subject
[
:token
],
rsa_key
).
first
}
let
(
:payload
)
{
JWT
.
decode
(
subject
[
:token
],
rsa_key
).
first
}
subject
{
described_class
.
new
(
current_project
,
current_user
,
current_params
).
execute
}
subject
{
described_class
.
new
(
current_project
,
current_user
,
current_params
).
execute
}
before
do
before
do
allow
(
Gitlab
.
config
.
registry
).
to
receive_messages
(
registry_settings
)
allow
(
Gitlab
.
config
.
registry
).
to
receive_messages
(
registry_settings
)
allow_any_instance_of
(
J
wt
::
RSAToken
).
to
receive
(
:key
).
and_return
(
rsa_key
)
allow_any_instance_of
(
J
WT
::
RSAToken
).
to
receive
(
:key
).
and_return
(
rsa_key
)
end
end
shared_examples
'an authenticated'
do
shared_examples
'an authenticated'
do
...
@@ -26,13 +26,13 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do
...
@@ -26,13 +26,13 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do
end
end
shared_examples
'a accessible'
do
shared_examples
'a accessible'
do
let
(
:access
)
{
let
(
:access
)
do
[{
[{
'type'
=>
'repository'
,
'type'
=>
'repository'
,
'name'
=>
project
.
path_with_namespace
,
'name'
=>
project
.
path_with_namespace
,
'actions'
=>
actions
,
'actions'
=>
actions
,
}]
}]
}
end
it_behaves_like
'an authenticated'
it_behaves_like
'an authenticated'
it
{
expect
(
payload
).
to
include
(
'access'
=>
access
)
}
it
{
expect
(
payload
).
to
include
(
'access'
=>
access
)
}
...
@@ -68,9 +68,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do
...
@@ -68,9 +68,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do
context
'allow developer to push images'
do
context
'allow developer to push images'
do
before
{
project
.
team
<<
[
current_user
,
:developer
]
}
before
{
project
.
team
<<
[
current_user
,
:developer
]
}
let
(
:current_params
)
{
let
(
:current_params
)
do
{
scope:
"repository:
#{
project
.
path_with_namespace
}
:push"
}
{
scope:
"repository:
#{
project
.
path_with_namespace
}
:push"
}
}
end
it_behaves_like
'a pushable'
it_behaves_like
'a pushable'
end
end
...
@@ -78,9 +78,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do
...
@@ -78,9 +78,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do
context
'allow reporter to pull images'
do
context
'allow reporter to pull images'
do
before
{
project
.
team
<<
[
current_user
,
:reporter
]
}
before
{
project
.
team
<<
[
current_user
,
:reporter
]
}
let
(
:current_params
)
{
let
(
:current_params
)
do
{
scope:
"repository:
#{
project
.
path_with_namespace
}
:pull"
}
{
scope:
"repository:
#{
project
.
path_with_namespace
}
:pull"
}
}
end
it_behaves_like
'a pullable'
it_behaves_like
'a pullable'
end
end
...
@@ -88,9 +88,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do
...
@@ -88,9 +88,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do
context
'return a least of privileges'
do
context
'return a least of privileges'
do
before
{
project
.
team
<<
[
current_user
,
:reporter
]
}
before
{
project
.
team
<<
[
current_user
,
:reporter
]
}
let
(
:current_params
)
{
let
(
:current_params
)
do
{
scope:
"repository:
#{
project
.
path_with_namespace
}
:push,pull"
}
{
scope:
"repository:
#{
project
.
path_with_namespace
}
:push,pull"
}
}
end
it_behaves_like
'a pullable'
it_behaves_like
'a pullable'
end
end
...
@@ -98,9 +98,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do
...
@@ -98,9 +98,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do
context
'disallow guest to pull or push images'
do
context
'disallow guest to pull or push images'
do
before
{
project
.
team
<<
[
current_user
,
:guest
]
}
before
{
project
.
team
<<
[
current_user
,
:guest
]
}
let
(
:current_params
)
{
let
(
:current_params
)
do
{
scope:
"repository:
#{
project
.
path_with_namespace
}
:pull,push"
}
{
scope:
"repository:
#{
project
.
path_with_namespace
}
:pull,push"
}
}
end
it_behaves_like
'a forbidden'
it_behaves_like
'a forbidden'
end
end
...
@@ -110,9 +110,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do
...
@@ -110,9 +110,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do
let
(
:current_project
)
{
create
(
:empty_project
)
}
let
(
:current_project
)
{
create
(
:empty_project
)
}
context
'allow to pull and push images'
do
context
'allow to pull and push images'
do
let
(
:current_params
)
{
let
(
:current_params
)
do
{
scope:
"repository:
#{
current_project
.
path_with_namespace
}
:pull,push"
}
{
scope:
"repository:
#{
current_project
.
path_with_namespace
}
:pull,push"
}
}
end
it_behaves_like
'a pullable and pushable'
do
it_behaves_like
'a pullable and pushable'
do
let
(
:project
)
{
current_project
}
let
(
:project
)
{
current_project
}
...
@@ -121,9 +121,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do
...
@@ -121,9 +121,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do
context
'for other projects'
do
context
'for other projects'
do
context
'when pulling'
do
context
'when pulling'
do
let
(
:current_params
)
{
let
(
:current_params
)
do
{
scope:
"repository:
#{
project
.
path_with_namespace
}
:pull"
}
{
scope:
"repository:
#{
project
.
path_with_namespace
}
:pull"
}
}
end
context
'allow for public'
do
context
'allow for public'
do
let
(
:project
)
{
create
(
:empty_project
,
:public
)
}
let
(
:project
)
{
create
(
:empty_project
,
:public
)
}
...
@@ -137,9 +137,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do
...
@@ -137,9 +137,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do
end
end
context
'when pushing'
do
context
'when pushing'
do
let
(
:current_params
)
{
let
(
:current_params
)
do
{
scope:
"repository:
#{
project
.
path_with_namespace
}
:push"
}
{
scope:
"repository:
#{
project
.
path_with_namespace
}
:push"
}
}
end
context
'disallow for all'
do
context
'disallow for all'
do
let
(
:project
)
{
create
(
:empty_project
,
:public
)
}
let
(
:project
)
{
create
(
:empty_project
,
:public
)
}
...
@@ -152,9 +152,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do
...
@@ -152,9 +152,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do
context
'unauthorized'
do
context
'unauthorized'
do
context
'for invalid scope'
do
context
'for invalid scope'
do
let
(
:current_params
)
{
let
(
:current_params
)
do
{
scope:
'invalid:aa:bb'
}
{
scope:
'invalid:aa:bb'
}
}
end
it_behaves_like
'a forbidden'
it_behaves_like
'a forbidden'
end
end
...
@@ -162,9 +162,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do
...
@@ -162,9 +162,9 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do
context
'for private project'
do
context
'for private project'
do
let
(
:project
)
{
create
(
:empty_project
,
:private
)
}
let
(
:project
)
{
create
(
:empty_project
,
:private
)
}
let
(
:current_params
)
{
let
(
:current_params
)
do
{
scope:
"repository:
#{
project
.
path_with_namespace
}
:pull"
}
{
scope:
"repository:
#{
project
.
path_with_namespace
}
:pull"
}
}
end
it_behaves_like
'a forbidden'
it_behaves_like
'a forbidden'
end
end
...
@@ -173,17 +173,17 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do
...
@@ -173,17 +173,17 @@ describe Jwt::ContainerRegistryAuthenticationService, services: true do
let
(
:project
)
{
create
(
:empty_project
,
:public
)
}
let
(
:project
)
{
create
(
:empty_project
,
:public
)
}
context
'when pulling and pushing'
do
context
'when pulling and pushing'
do
let
(
:current_params
)
{
let
(
:current_params
)
do
{
scope:
"repository:
#{
project
.
path_with_namespace
}
:pull,push"
}
{
scope:
"repository:
#{
project
.
path_with_namespace
}
:pull,push"
}
}
end
it_behaves_like
'a pullable'
it_behaves_like
'a pullable'
end
end
context
'when pushing'
do
context
'when pushing'
do
let
(
:current_params
)
{
let
(
:current_params
)
do
{
scope:
"repository:
#{
project
.
path_with_namespace
}
:push"
}
{
scope:
"repository:
#{
project
.
path_with_namespace
}
:push"
}
}
end
it_behaves_like
'a forbidden'
it_behaves_like
'a forbidden'
end
end
...
...