Enforce maintenance mode on Docker Registry

by blocking authentication for write requests

Enforce maintenance mode on Docker Registry
by blocking authentication for write requests
306d4338 · Aakriti Gupta · Michael Kozono · afb907e4 · 306d4338 · 306d4338
Commit 306d4338 authored Dec 17, 2020 by Aakriti Gupta Committed by Michael Kozono Dec 17, 2020
6 changed files
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -130,6 +130,7 @@ module Auth
      ContainerRepository.create_from_path!(path)
    end

+    # Overridden in EE
    def can_access?(requested_project, requested_action)
      return false unless requested_project.container_registry_enabled?
      return false if requested_project.repository_access_level == ::ProjectFeature::DISABLED
@@ -226,11 +227,16 @@ module Auth
      end
    end

+    # Overridden in EE
+    def extra_info
+      {}
+    end
+
    def log_if_actions_denied(type, requested_project, requested_actions, authorized_actions)
      return if requested_actions == authorized_actions

      log_info = {
-        message: "Denied container registry permissions",
+        message: 'Denied container registry permissions',
        scope_type: type,
        requested_project_path: requested_project.full_path,
        requested_actions: requested_actions,
@@ -238,9 +244,11 @@ module Auth
        username: current_user&.username,
        user_id: current_user&.id,
        project_path: project&.full_path
-      }.compact
+      }.merge!(extra_info).compact

      Gitlab::AuthLogger.warn(log_info)
    end
  end
 end
+
+Auth::ContainerRegistryAuthenticationService.prepend_if_ee('EE::Auth::ContainerRegistryAuthenticationService')
--- a/ee/app/services/ee/auth/container_registry_authentication_service.rb
+++ b/ee/app/services/ee/auth/container_registry_authentication_service.rb
+# frozen_string_literal: true
+
+module EE
+  module Auth
+    module ContainerRegistryAuthenticationService
+      extend ::Gitlab::Utils::Override
+
+      private
+
+      override :can_access?
+      def can_access?(requested_project, requested_action)
+        if ::Gitlab.maintenance_mode? && requested_action != 'pull'
+          @access_denied_in_maintenance_mode = true # rubocop:disable Gitlab/ModuleWithInstanceVariables
+          return false
+        end
+
+        super
+      end
+
+      override :extra_info
+      def extra_info
+        return super unless access_denied_in_maintenance_mode?
+
+        super.merge!({
+          message: 'Write access denied in maintenance mode',
+          write_access_denied_in_maintenance_mode: true
+        })
+      end
+
+      def access_denied_in_maintenance_mode?
+        @access_denied_in_maintenance_mode
+      end
+    end
+  end
+end
--- a/ee/spec/services/ee/auth/container_registry_authentication_service_spec.rb
+++ b/ee/spec/services/ee/auth/container_registry_authentication_service_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Auth::ContainerRegistryAuthenticationService do
+  include AdminModeHelper
+
+  context 'in maintenance mode' do
+    include_context 'container registry auth service context'
+
+    let_it_be(:current_user) { create(:user) }
+    let_it_be(:project) { create(:project) }
+
+    let(:log_data) do
+      {
+        message: 'Write access denied in maintenance mode',
+        write_access_denied_in_maintenance_mode: true
+      }
+    end
+
+    before do
+      stub_application_setting(maintenance_mode: true)
+      project.add_developer(current_user)
+    end
+
+    context 'allows developer to pull images' do
+      let(:current_params) do
+        { scopes: ["repository:#{project.full_path}:pull"] }
+      end
+
+      it_behaves_like 'a pullable'
+    end
+
+    context 'does not allow developer to push images' do
+      let(:current_params) do
+        { scopes: ["repository:#{project.full_path}:push"] }
+      end
+
+      it_behaves_like 'not a container repository factory'
+      it_behaves_like 'logs an auth warning', ['push']
+    end
+
+    context 'does not allow developer to delete images' do
+      let(:current_params) do
+        { scopes: ["repository:#{project.full_path}:delete"] }
+      end
+
+      it_behaves_like 'not a container repository factory'
+      it_behaves_like 'logs an auth warning', ['delete']
+    end
+  end
+
+  context 'when not in maintenance mode' do
+    it_behaves_like 'a container registry auth service'
+  end
+end
--- a/ee/spec/support/helpers/ee/stub_gitlab_calls.rb
+++ b/ee/spec/support/helpers/ee/stub_gitlab_calls.rb
@@ -4,7 +4,7 @@ module EE
  module StubGitlabCalls
    def stub_registry_replication_config(registry_settings)
      allow(::Gitlab.config.geo.registry_replication).to receive_messages(registry_settings)
-      allow(Auth::ContainerRegistryAuthenticationService)
+      allow(::Auth::ContainerRegistryAuthenticationService)
        .to receive(:pull_access_token).and_return('pull-token')
    end
  end

--- a/spec/services/auth/container_registry_authentication_service_spec.rb
+++ b/spec/services/auth/container_registry_authentication_service_spec.rb
--- a/spec/support/shared_examples/services/container_registry_auth_service_shared_examples.rb
+++ b/spec/support/shared_examples/services/container_registry_auth_service_shared_examples.rb