Commit 137a8016 authored by Kamil Trzcinski's avatar Kamil Trzcinski

Be nice to Docker Clients talking to JWT/auth

parent 3820ca58
...@@ -12,6 +12,7 @@ v 8.12.2 (unreleased) ...@@ -12,6 +12,7 @@ v 8.12.2 (unreleased)
- Fix List-Unsubscribe header in emails - Fix List-Unsubscribe header in emails
- Fix an issue with the "Commits" section of the cycle analytics summary. !6513 - Fix an issue with the "Commits" section of the cycle analytics summary. !6513
- Fix errors importing project feature and milestone models using GitLab project import - Fix errors importing project feature and milestone models using GitLab project import
- Make JWT messages Docker-compatible
v 8.12.1 v 8.12.1
- Fix a memory leak in HTML::Pipeline::SanitizationFilter::WHITELIST - Fix a memory leak in HTML::Pipeline::SanitizationFilter::WHITELIST
......
...@@ -25,7 +25,7 @@ class JwtController < ApplicationController ...@@ -25,7 +25,7 @@ class JwtController < ApplicationController
authenticate_with_http_basic do |login, password| authenticate_with_http_basic do |login, password|
@authentication_result = Gitlab::Auth.find_for_git_client(login, password, project: nil, ip: request.ip) @authentication_result = Gitlab::Auth.find_for_git_client(login, password, project: nil, ip: request.ip)
render_403 unless @authentication_result.success? && render_unauthorized unless @authentication_result.success? &&
(@authentication_result.actor.nil? || @authentication_result.actor.is_a?(User)) (@authentication_result.actor.nil? || @authentication_result.actor.is_a?(User))
end end
rescue Gitlab::Auth::MissingPersonalTokenError rescue Gitlab::Auth::MissingPersonalTokenError
...@@ -33,10 +33,21 @@ class JwtController < ApplicationController ...@@ -33,10 +33,21 @@ class JwtController < ApplicationController
end end
def render_missing_personal_token def render_missing_personal_token
render plain: "HTTP Basic: Access denied\n" \ render json: {
errors: [
{ code: 'UNAUTHORIZED',
message: "HTTP Basic: Access denied\n" \
"You have 2FA enabled, please use a personal access token for Git over HTTP.\n" \ "You have 2FA enabled, please use a personal access token for Git over HTTP.\n" \
"You can generate one at #{profile_personal_access_tokens_url}", "You can generate one at #{profile_personal_access_tokens_url}" }
status: 401 ] }, status: 401
end
def render_unauthorized
render json: {
errors: [
{ code: 'UNAUTHORIZED',
message: 'HTTP Basic: Access denied' }
] }, status: 401
end end
def auth_params def auth_params
......
...@@ -7,10 +7,10 @@ module Auth ...@@ -7,10 +7,10 @@ module Auth
def execute(authentication_abilities:) def execute(authentication_abilities:)
@authentication_abilities = authentication_abilities @authentication_abilities = authentication_abilities
return error('not found', 404) unless registry.enabled return error('UNAVAILABLE', status: 404, message: 'registry not enabled') unless registry.enabled
unless current_user || project unless current_user || project
return error('forbidden', 403) unless scope return error('DENIED', status: 403, message: 'access forbidden') unless scope
end end
{ token: authorized_token(scope).encoded } { token: authorized_token(scope).encoded }
...@@ -111,5 +111,12 @@ module Auth ...@@ -111,5 +111,12 @@ module Auth
@authentication_abilities.include?(:create_container_image) && @authentication_abilities.include?(:create_container_image) &&
can?(current_user, :create_container_image, requested_project) can?(current_user, :create_container_image, requested_project)
end end
def error(code, status:, message: '')
{
errors: [{ code: code, message: message }],
http_status: status
}
end
end end
end end
...@@ -39,7 +39,7 @@ describe JwtController do ...@@ -39,7 +39,7 @@ describe JwtController do
subject! { get '/jwt/auth', parameters, headers } subject! { get '/jwt/auth', parameters, headers }
it { expect(response).to have_http_status(403) } it { expect(response).to have_http_status(401) }
end end
end end
...@@ -77,7 +77,7 @@ describe JwtController do ...@@ -77,7 +77,7 @@ describe JwtController do
subject! { get '/jwt/auth', parameters, headers } subject! { get '/jwt/auth', parameters, headers }
it { expect(response).to have_http_status(403) } it { expect(response).to have_http_status(401) }
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment