Commit 692b5e0b authored by Kamil Trzcinski's avatar Kamil Trzcinski

Merge branch 'docker-registry' into docker-registry-view

# Conflicts:
#	app/controllers/jwt_controller.rb
#	app/services/jwt/container_registry_authentication_service.rb
parents 9e318bd9 509654b3
class JwtController < ApplicationController class JwtController < ApplicationController
skip_before_action :authenticate_user! skip_before_action :authenticate_user!
skip_before_action :verify_authenticity_token skip_before_action :verify_authenticity_token
before_action :authenticate_project_or_user
SERVICES = { SERVICES = {
Jwt::ContainerRegistryAuthenticationService::AUDIENCE => Jwt::ContainerRegistryAuthenticationService, ::Gitlab::JWT::ContainerRegistryAuthenticationService::AUDIENCE => ::Gitlab::JWT::ContainerRegistryAuthenticationService,
} }
def auth def auth
@authenticated = authenticate_with_http_basic do |login, password|
# if it's possible we first try to authenticate project with login and password
@project = authenticate_project(login, password)
@user = authenticate_user(login, password) unless @project
end
unless @authenticated
head :forbidden if ActionController::HttpAuthentication::Basic.has_basic_credentials?(request)
end
service = SERVICES[params[:service]] service = SERVICES[params[:service]]
head :not_found unless service head :not_found unless service
...@@ -28,19 +19,28 @@ class JwtController < ApplicationController ...@@ -28,19 +19,28 @@ class JwtController < ApplicationController
private private
def authenticate_project_or_user
authenticate_with_http_basic do |login, password|
# if it's possible we first try to authenticate project with login and password
@project = authenticate_project(login, password)
return if @project
@user = authenticate_user(login, password)
return if @user
end
if ActionController::HttpAuthentication::Basic.has_basic_credentials?(request)
head :forbidden
end
end
def auth_params def auth_params
params.permit(:service, :scope, :offline_token, :account, :client_id) params.permit(:service, :scope, :offline_token, :account, :client_id)
end end
def authenticate_project(login, password) def authenticate_project(login, password)
matched_login = /(?<s>^[a-zA-Z]*-ci)-token$/.match(login) if login == 'gitlab_ci_token'
Project.find_by(builds_enabled: true, runners_token: password)
if matched_login.present?
underscored_service = matched_login['s'].underscore
if underscored_service == 'gitlab_ci'
Project.find_by(builds_enabled: true, runners_token: password)
end
end end
end end
...@@ -77,6 +77,7 @@ class JwtController < ApplicationController ...@@ -77,6 +77,7 @@ class JwtController < ApplicationController
if banned if banned
Rails.logger.info "IP #{request.ip} failed to login " \ Rails.logger.info "IP #{request.ip} failed to login " \
"as #{login} but has been temporarily banned from Git auth" "as #{login} but has been temporarily banned from Git auth"
return
end end
end end
end end
......
...@@ -377,7 +377,7 @@ class Project < ActiveRecord::Base ...@@ -377,7 +377,7 @@ class Project < ActiveRecord::Base
def container_registry_repository def container_registry_repository
@container_registry_repository ||= begin @container_registry_repository ||= begin
token = JWT::ContainerRegistryAuthenticationService.full_access_token(path_with_namespace) token = Gitlab::JWT::ContainerRegistryAuthenticationService.full_access_token(path_with_namespace)
url = Gitlab.config.registry.api_url url = Gitlab.config.registry.api_url
host_port = Gitlab.config.registry.host_port host_port = Gitlab.config.registry.host_port
registry = ContainerRegistry::Registry.new(url, token: token, path: host_port) registry = ContainerRegistry::Registry.new(url, token: token, path: host_port)
......
module JWT module Gitlab
class ContainerRegistryAuthenticationService < BaseService module JWT
AUDIENCE = 'container_registry' class ContainerRegistryAuthenticationService < BaseService
AUDIENCE = 'container_registry'
def execute def execute
return error('not found', 404) unless registry.enabled return error('not found', 404) unless registry.enabled
if params[:offline_token] if params[:offline_token]
return error('forbidden', 403) unless current_user return error('forbidden', 403) unless current_user
end end
return error('forbidden', 401) if scopes.blank? return error('forbidden', 401) if scopes.blank?
{ token: authorized_token(scopes).encoded } { token: authorized_token(scopes).encoded }
end end
def self.full_access_token(*names) def self.full_access_token(*names)
registry = Gitlab.config.registry registry = Gitlab.config.registry
token = ::JWT::RSAToken.new(registry.key) token = ::JWT::RSAToken.new(registry.key)
token.issuer = registry.issuer token.issuer = registry.issuer
token.audience = AUDIENCE token.audience = AUDIENCE
token[:access] = names.map do |name| token[:access] = names.map do |name|
{ type: 'repository', name: name, actions: %w(pull push) } { type: 'repository', name: name, actions: %w(pull push) }
end
token.encoded
end end
token.encoded
end
private private
def authorized_token(access) def authorized_token(access)
token = ::JWT::RSAToken.new(registry.key) token = ::JWT::RSAToken.new(registry.key)
token.issuer = registry.issuer token.issuer = registry.issuer
token.audience = AUDIENCE token.audience = params[:service]
token.subject = current_user.try(:username) token.subject = current_user.try(:username)
token[:access] = access token[:access] = access
token token
end end
def scopes def scopes
return unless params[:scope] return unless params[:scope]
@scopes ||= begin @scopes ||= begin
scope = process_scope(params[:scope]) scope = process_scope(params[:scope])
[scope].compact [scope].compact
end
end end
end
def process_scope(scope) def process_scope(scope)
type, name, actions = scope.split(':', 3) type, name, actions = scope.split(':', 3)
actions = actions.split(',') actions = actions.split(',')
case type case type
when 'repository' when 'repository'
process_repository_access(type, name, actions) process_repository_access(type, name, actions)
end
end end
end
def process_repository_access(type, name, actions) def process_repository_access(type, name, actions)
requested_project = Project.find_with_namespace(name) requested_project = Project.find_with_namespace(name)
return unless requested_project return unless requested_project
actions = actions.select do |action| actions = actions.select do |action|
can_access?(requested_project, action) can_access?(requested_project, action)
end end
{ type: type, name: name, actions: actions } if actions.present? { type: type, name: name, actions: actions } if actions.present?
end end
<<<<<<< HEAD
def can_access?(requested_project, requested_action) def can_access?(requested_project, requested_action)
return false unless requested_project.container_registry_enabled? return false unless requested_project.container_registry_enabled?
...@@ -76,11 +78,22 @@ module JWT ...@@ -76,11 +78,22 @@ module JWT
requested_project == project || can?(current_user, :create_container_registry, requested_project) requested_project == project || can?(current_user, :create_container_registry, requested_project)
else else
false false
=======
def can_access?(requested_project, requested_action)
case requested_action
when 'pull'
requested_project.public? || requested_project == project || can?(current_user, :read_container_registry, requested_project)
when 'push'
requested_project == project || can?(current_user, :create_container_registry, requested_project)
else
false
end
>>>>>>> docker-registry
end end
end
def registry def registry
Gitlab.config.registry Gitlab.config.registry
end
end end
end end
end end
...@@ -24,11 +24,13 @@ module JWT ...@@ -24,11 +24,13 @@ module JWT
@key ||= OpenSSL::PKey::RSA.new(key_data) @key ||= OpenSSL::PKey::RSA.new(key_data)
end end
def public_key
key.public_key
end
def kid def kid
sha256 = Digest::SHA256.new fingerprint = Digest::SHA256.digest(public_key.to_der)
sha256.update(key.public_key.to_der) Base32.encode(fingerprint).split('').each_slice(4).each_with_object([]) do |slice, mem|
payload = StringIO.new(sha256.digest).read(30)
Base32.encode(payload).split('').each_slice(4).each_with_object([]) do |slice, mem|
mem << slice.join mem << slice.join
end.join(':') end.join(':')
end end
......
...@@ -16,7 +16,7 @@ describe "Container Registry" do ...@@ -16,7 +16,7 @@ describe "Container Registry" do
project.team << [@user, :developer] project.team << [@user, :developer]
stub_container_registry(*tags) stub_container_registry(*tags)
allow(Gitlab.config.registry).to receive_messages(registry_settings) allow(Gitlab.config.registry).to receive_messages(registry_settings)
allow(JWT::ContainerRegistryAuthenticationService).to receive(:full_access_token).and_return('token') allow(Gitlab::JWT::ContainerRegistryAuthenticationService).to receive(:full_access_token).and_return('token')
end end
describe 'GET /:project/container_registry' do describe 'GET /:project/container_registry' do
......
require 'spec_helper' require 'spec_helper'
describe JWT::ContainerRegistryAuthenticationService, services: true do describe Gitlab::JWT::ContainerRegistryAuthenticationService, services: true do
let(:current_project) { nil } let(:current_project) { nil }
let(:current_user) { nil } let(:current_user) { nil }
let(:current_params) { {} } let(:current_params) { {} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment