Fix the CI login to Container Registry (the gitlab-ci-token user)

646018a4 · Kamil Trzcinski · Grzegorz Bizon · b4c47368 · 646018a4 · 646018a4
Commit 646018a4 authored May 22, 2016 by Kamil Trzcinski Committed by Grzegorz Bizon May 23, 2016
5 changed files
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -32,6 +32,7 @@ v 8.8.0 (unreleased)
  - Bump mail_room to 0.7.0 to fix stuck IDLE connections
  - Remove future dates from contribution calendar graph.
  - Support e-mail notifications for comments on project snippets
+  - Fix the CI login to Container Registry (the gitlab-ci-token user)
  - Fix API leak of notes of unauthorized issues, snippets and merge requests
  - Use ActionDispatch Remote IP for Akismet checking
  - Fix error when visiting commit builds page before build was updated

--- a/app/controllers/jwt_controller.rb
+++ b/app/controllers/jwt_controller.rb
@@ -36,7 +36,7 @@ class JwtController < ApplicationController
  end

  def authenticate_project(login, password)
-    if login == 'gitlab_ci_token'
+    if login == 'gitlab-ci-token'
      Project.find_by(builds_enabled: true, runners_token: password)
    end
  end

--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -6,7 +6,7 @@ module Auth
      return error('not found', 404) unless registry.enabled

      if params[:offline_token]
-        return error('unauthorized', 401) unless current_user
+        return error('unauthorized', 401) unless current_user || project
      else
        return error('forbidden', 403) unless scope
      end

--- a/spec/requests/jwt_controller_spec.rb
+++ b/spec/requests/jwt_controller_spec.rb
@@ -23,7 +23,7 @@ describe JwtController do
  context 'when using authorized request' do
    context 'using CI token' do
      let(:project) { create(:empty_project, runners_token: 'token', builds_enabled: builds_enabled) }
-      let(:headers) { { authorization: credentials('gitlab_ci_token', project.runners_token) } }
+      let(:headers) { { authorization: credentials('gitlab-ci-token', project.runners_token) } }

      subject! { get '/jwt/auth', parameters, headers }


--- a/spec/services/auth/container_registry_authentication_service_spec.rb
+++ b/spec/services/auth/container_registry_authentication_service_spec.rb
@@ -127,12 +127,12 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
  context 'project authorization' do
    let(:current_project) { create(:empty_project) }

-    context 'disallow to use offline_token' do
+    context 'allow to use offline_token' do
      let(:current_params) do
        { offline_token: true }
      end

-      it_behaves_like 'an unauthorized'
+      it_behaves_like 'an authenticated'
    end

    context 'allow to pull and push images' do