Commit 3d18b3a0 authored by Kamil Trzcinski's avatar Kamil Trzcinski

Merge branch 'docker-registry' into docker-registry-view

parents b575b2f1 dfd0e245
...@@ -7,10 +7,10 @@ module Auth ...@@ -7,10 +7,10 @@ module Auth
if params[:offline_token] if params[:offline_token]
return error('forbidden', 403) unless current_user return error('forbidden', 403) unless current_user
else
return error('forbidden', 401) unless scope
end end
return error('forbidden', 401) unless scope
{ token: authorized_token(scope).encoded } { token: authorized_token(scope).encoded }
end end
...@@ -32,7 +32,7 @@ module Auth ...@@ -32,7 +32,7 @@ module Auth
token.issuer = registry.issuer token.issuer = registry.issuer
token.audience = params[:service] token.audience = params[:service]
token.subject = current_user.try(:username) token.subject = current_user.try(:username)
token[:access] = accesses token[:access] = accesses.compact
token token
end end
......
describe JSONWebToken::RSAToken do describe JSONWebToken::RSAToken do
let(:rsa_key) { generate_key } let(:rsa_key) do
OpenSSL::PKey::RSA.new <<-eos.strip_heredoc
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAMA5sXIBE0HwgIB40iNidN4PGWzOyLQK0bsdOBNgpEXkDlZBvnak
OUgAPF+rME4PB0Yl415DabUI40T5UNmlwxcCAwEAAQJAZtY2pSwIFm3JAXIh0cZZ
iXcAfiJ+YzuqinUOS+eW2sBCAEzjcARlU/o6sFQgtsOi4FOMczAd1Yx8UDMXMmrw
2QIhAPBgVhJiTF09pdmeFWutCvTJDlFFAQNbrbo2X2x/9WF9AiEAzLgqMKeStSRu
H9N16TuDrUoO8R+DPqriCwkKrSHaWyMCIFzMhE4inuKcSywBaLmiG4m3GQzs++Al
A6PRG/PSTpQtAiBxtBg6zdf+JC3GH3zt/dA0/10tL4OF2wORfYQghRzyYQIhAL2l
0ZQW+yLIZAGrdBFWYEAa52GZosncmzBNlsoTgwE4
-----END RSA PRIVATE KEY-----
eos
end
let(:rsa_token) { described_class.new(nil) } let(:rsa_token) { described_class.new(nil) }
let(:rsa_encoded) { rsa_token.encoded } let(:rsa_encoded) { rsa_token.encoded }
...@@ -13,19 +25,19 @@ describe JSONWebToken::RSAToken do ...@@ -13,19 +25,19 @@ describe JSONWebToken::RSAToken do
it { expect{subject}.to_not raise_error } it { expect{subject}.to_not raise_error }
it { expect(subject.first).to include('key' => 'value') } it { expect(subject.first).to include('key' => 'value') }
it do
expect(subject.second).to eq(
"typ" => "JWT",
"alg" => "RS256",
"kid" => "OGXY:4TR7:FAVO:WEM2:XXEW:E4FP:TKL7:7ACK:TZAF:D54P:SUIA:P3B2")
end
end end
context 'for invalid key to raise an exception' do context 'for invalid key to raise an exception' do
let(:new_key) { generate_key } let(:new_key) { OpenSSL::PKey::RSA.generate(512) }
subject { JWT.decode(rsa_encoded, new_key) } subject { JWT.decode(rsa_encoded, new_key) }
it { expect{subject}.to raise_error(JWT::DecodeError) } it { expect{subject}.to raise_error(JWT::DecodeError) }
end end
end end
private
def generate_key
OpenSSL::PKey::RSA.generate(512)
end
end end
...@@ -57,15 +57,28 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do ...@@ -57,15 +57,28 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
end end
end end
shared_examples 'a forbidden' do shared_examples 'a unauthorized' do
it { is_expected.to include(http_status: 401) } it { is_expected.to include(http_status: 401) }
it { is_expected.to_not include(:token) } it { is_expected.to_not include(:token) }
end end
shared_examples 'a forbidden' do
it { is_expected.to include(http_status: 403) }
it { is_expected.to_not include(:token) }
end
context 'user authorization' do context 'user authorization' do
let(:project) { create(:project) } let(:project) { create(:project) }
let(:current_user) { create(:user) } let(:current_user) { create(:user) }
context 'allow to use offline_token' do
let(:current_params) do
{ offline_token: true }
end
it_behaves_like 'an authenticated'
end
context 'allow developer to push images' do context 'allow developer to push images' do
before { project.team << [current_user, :developer] } before { project.team << [current_user, :developer] }
...@@ -103,13 +116,21 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do ...@@ -103,13 +116,21 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
{ scope: "repository:#{project.path_with_namespace}:pull,push" } { scope: "repository:#{project.path_with_namespace}:pull,push" }
end end
it_behaves_like 'a forbidden' it_behaves_like 'a unauthorized'
end end
end end
context 'project authorization' do context 'project authorization' do
let(:current_project) { create(:empty_project) } let(:current_project) { create(:empty_project) }
context 'disallow to use offline_token' do
let(:current_params) do
{ offline_token: true }
end
it_behaves_like 'a forbidden'
end
context 'allow to pull and push images' do context 'allow to pull and push images' do
let(:current_params) do let(:current_params) do
{ scope: "repository:#{current_project.path_with_namespace}:pull,push" } { scope: "repository:#{current_project.path_with_namespace}:pull,push" }
...@@ -133,7 +154,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do ...@@ -133,7 +154,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
context 'disallow for private' do context 'disallow for private' do
let(:project) { create(:empty_project, :private) } let(:project) { create(:empty_project, :private) }
it_behaves_like 'a forbidden' it_behaves_like 'a unauthorized'
end end
end end
...@@ -144,7 +165,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do ...@@ -144,7 +165,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
context 'disallow for all' do context 'disallow for all' do
let(:project) { create(:empty_project, :public) } let(:project) { create(:empty_project, :public) }
it_behaves_like 'a forbidden' it_behaves_like 'a unauthorized'
end end
end end
end end
...@@ -165,12 +186,20 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do ...@@ -165,12 +186,20 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
end end
context 'unauthorized' do context 'unauthorized' do
context 'disallow to use offline_token' do
let(:current_params) do
{ offline_token: true }
end
it_behaves_like 'a forbidden'
end
context 'for invalid scope' do context 'for invalid scope' do
let(:current_params) do let(:current_params) do
{ scope: 'invalid:aa:bb' } { scope: 'invalid:aa:bb' }
end end
it_behaves_like 'a forbidden' it_behaves_like 'a unauthorized'
end end
context 'for private project' do context 'for private project' do
...@@ -180,7 +209,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do ...@@ -180,7 +209,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
{ scope: "repository:#{project.path_with_namespace}:pull" } { scope: "repository:#{project.path_with_namespace}:pull" }
end end
it_behaves_like 'a forbidden' it_behaves_like 'a unauthorized'
end end
context 'for public project' do context 'for public project' do
...@@ -199,7 +228,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do ...@@ -199,7 +228,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
{ scope: "repository:#{project.path_with_namespace}:push" } { scope: "repository:#{project.path_with_namespace}:push" }
end end
it_behaves_like 'a forbidden' it_behaves_like 'a unauthorized'
end end
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment