Implement read_registry for DeployTokens

aaa6d808 · Mayra Cabrera · 345ac03b · aaa6d808 · aaa6d808
Commit aaa6d808 authored Mar 31, 2018 by Mayra Cabrera
Hide whitespace changes
Inline Side-by-side

Showing with 40 additions and 10 deletions

app/controllers/jwt_controller.rb app/controllers/jwt_controller.rb +11 -2

spec/lib/gitlab/auth_spec.rb spec/lib/gitlab/auth_spec.rb +29 -8

No files found.
--- a/app/controllers/jwt_controller.rb
+++ b/app/controllers/jwt_controller.rb
@@ -23,10 +23,11 @@ class JwtController < ApplicationController
    @authentication_result = Gitlab::Auth::Result.new(nil, nil, :none, Gitlab::Auth.read_authentication_abilities)

    authenticate_with_http_basic do |login, password|
-      @authentication_result = Gitlab::Auth.find_for_git_client(login, password, project: nil, ip: request.ip)
+      project = find_project_related(password)
+      @authentication_result = Gitlab::Auth.find_for_git_client(login, password, project: project, ip: request.ip)

      if @authentication_result.failed? ||
-          (@authentication_result.actor.present? && !@authentication_result.actor.is_a?(User))
+          (@authentication_result.actor.present? && !user_or_deploy_token)
        render_unauthorized
      end
    end
@@ -57,4 +58,12 @@ class JwtController < ApplicationController
  def auth_params
    params.permit(:service, :scope, :account, :client_id)
  end
+
+  def find_project_related(password)
+    DeployToken.active.find_by(token: password)&.project
+  end
+
+  def user_or_deploy_token
+    @authentication_result.actor.is_a?(User) || @authentication_result.actor.is_a?(DeployToken)
+  end
 end
--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
@@ -270,14 +270,6 @@ describe Gitlab::Auth do
          .to eq(auth_success)
      end

-      it 'fails if deploy token does not have read_repo as scope' do
-        deploy_token = create(:deploy_token, :read_registry, project: project)
-
-        expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: '')
-        expect(gl_auth.find_for_git_client('', deploy_token.token, project: project, ip: 'ip'))
-          .to eq(auth_failure)
-      end
-
      it 'fails if token is nil' do
        expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: '')
        expect(gl_auth.find_for_git_client('', nil, project: project, ip: 'ip'))
@@ -305,6 +297,35 @@ describe Gitlab::Auth do
        expect(gl_auth.find_for_git_client('deploy-token', deploy_token.token, project: project, ip: 'ip'))
          .to eq(auth_failure)
      end
+
+      context 'when registry enabled' do
+        before do
+          stub_container_registry_config(enabled: true)
+        end
+
+        it 'succeeds if deploy token does have read_registry as scope' do
+          deploy_token = create(:deploy_token, :read_registry, project: project)
+          auth_success = Gitlab::Auth::Result.new(deploy_token, project, :deploy_token, [:read_container_image])
+
+          expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: '')
+          expect(gl_auth.find_for_git_client('', deploy_token.token, project: project, ip: 'ip'))
+            .to eq(auth_success)
+        end
+      end
+
+      context 'when registry disabled' do
+        before do
+          stub_container_registry_config(enabled: false)
+        end
+
+        it 'fails if deploy token have read_registry as scope' do
+          deploy_token = create(:deploy_token, :read_registry, project: project)
+
+          expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: '')
+          expect(gl_auth.find_for_git_client('', deploy_token.token, project: project, ip: 'ip'))
+            .to eq(auth_failure)
+        end
+      end
    end
  end