Merge branch 'jej/fix-sso-enforced-docker-registry-auth' into 'master'

Enforced SSO shouldn't break container registry authentication Closes #12701 See merge request gitlab-org/gitlab-ee!14843

Merge branch 'jej/fix-sso-enforced-docker-registry-auth' into 'master'
Enforced SSO shouldn't break container registry authentication Closes #12701 See merge request gitlab-org/gitlab-ee!14843
b4a7b8f2 · Kamil Trzciński · 52a5912e · e248fd4c · b4a7b8f2 · b4a7b8f2
Commit b4a7b8f2 authored Aug 23, 2019 by Kamil Trzciński
4 changed files
--- a/app/controllers/jwt_controller.rb
+++ b/app/controllers/jwt_controller.rb
 # frozen_string_literal: true

 class JwtController < ApplicationController
+  skip_around_action :set_session_storage
  skip_before_action :authenticate_user!
  skip_before_action :verify_authenticity_token
  before_action :authenticate_project_or_user

--- a/ee/changelogs/unreleased/jej-fix-sso-enforced-docker-registry-auth.yml
+++ b/ee/changelogs/unreleased/jej-fix-sso-enforced-docker-registry-auth.yml
+---
+title: Fix Docker Registry access when Group SAML session enforcement is active
+merge_request: 14843
+author:
+type: fixed
--- a/ee/spec/requests/jwt_controller_spec.rb
+++ b/ee/spec/requests/jwt_controller_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe JwtController do
+  context 'authenticating against container registry' do
+    let(:user) { create(:user) }
+    let(:group) { create(:group) }
+    let(:project) { create(:project, :private, group: group) }
+    let(:scope) { "repository:#{project.full_path}:pull" }
+    let(:service_name) { 'container_registry' }
+    let(:headers) { { authorization: credentials(user.username, user.password) } }
+    let(:parameters) { { account: user.username, client_id: 'docker', offline_token: true, service: service_name, scope: scope } }
+
+    before do
+      stub_container_registry_config(enabled: true, issuer: 'gitlab-issuer', key: 'spec/fixtures/x509_certificate_pk.key')
+      project.add_reporter(user)
+    end
+
+    context 'when Group SSO is enforced' do
+      let!(:saml_provider) { create(:saml_provider, enforced_sso: true, group: group) }
+      let!(:identity) { create(:group_saml_identity, saml_provider: saml_provider, user: user) }
+
+      before do
+        stub_feature_flags(enforced_sso_requires_session: true)
+      end
+
+      it 'allows access' do
+        get '/jwt/auth', params: parameters, headers: headers
+
+        expect(response).to have_gitlab_http_status(200)
+        expect(token_response['access']).to be_present
+        expect(token_access['actions']).to eq ['pull']
+        expect(token_access['type']).to eq 'repository'
+        expect(token_access['name']).to eq project.full_path
+      end
+    end
+  end
+
+  def credentials(login, password)
+    ActionController::HttpAuthentication::Basic.encode_credentials(login, password)
+  end
+
+  def token_response
+    JWT.decode(json_response['token'], nil, false).first
+  end
+
+  def token_access
+    token_response['access']&.first
+  end
+end
--- a/spec/requests/jwt_controller_spec.rb
+++ b/spec/requests/jwt_controller_spec.rb
@@ -108,6 +108,14 @@ describe JwtController do
          end
        end
      end
+
+      it 'does not cause session based checks to be activated' do
+        expect(Gitlab::Session).not_to receive(:with_session)
+
+        get '/jwt/auth', params: parameters, headers: headers
+
+        expect(response).to have_gitlab_http_status(200)
+      end
    end

    context 'using invalid login' do