Merge branch '204839-rake-task-auth' into 'master'

Add authentication to registry configure rake task Closes #204839 See merge request gitlab-org/gitlab!33496

Merge branch '204839-rake-task-auth' into 'master'
Add authentication to registry configure rake task Closes #204839 See merge request gitlab-org/gitlab!33496
be5cde2c · Markus Koller · 95acdb6a · 9b781f73 · be5cde2c · be5cde2c
Commit be5cde2c authored Jun 02, 2020 by Markus Koller
Showing with 33 additions and 2 deletions

lib/tasks/gitlab/container_registry.rake lib/tasks/gitlab/container_registry.rake +7 -1

spec/tasks/gitlab/container_registry_rake_spec.rb spec/tasks/gitlab/container_registry_rake_spec.rb +26 -1

No files found.
--- a/lib/tasks/gitlab/container_registry.rake
+++ b/lib/tasks/gitlab/container_registry.rake
@@ -11,7 +11,13 @@ namespace :gitlab do
      warn_user_is_not_gitlab

      url = registry_config.api_url
-      client = ContainerRegistry::Client.new(url)
+      # registry_info will query the /v2 route of the registry API. This route
+      # requires authentication, but not authorization (the response has no body,
+      # only headers that show the version of the registry). There is no
+      # associated user when running this rake, so we need to generate a valid
+      # JWT token with no access permissions to authenticate as a trusted client.
+      token = Auth::ContainerRegistryAuthenticationService.access_token([], [])
+      client = ContainerRegistry::Client.new(url, token: token)
      info = client.registry_info

      Gitlab::CurrentSettings.update!(

--- a/spec/tasks/gitlab/container_registry_rake_spec.rb
+++ b/spec/tasks/gitlab/container_registry_rake_spec.rb
@@ -4,6 +4,7 @@ require 'rake_helper'

 describe 'gitlab:container_registry namespace rake tasks' do
  let_it_be(:application_settings) { Gitlab::CurrentSettings }
+  let_it_be(:api_url) { 'http://registry.gitlab' }

  before :all do
    Rake.application.rake_require 'tasks/gitlab/container_registry'
@@ -11,7 +12,8 @@ describe 'gitlab:container_registry namespace rake tasks' do

  describe 'configure' do
    before do
-      stub_container_registry_config(enabled: true, api_url: 'http://registry.gitlab')
+      stub_access_token
+      stub_container_registry_config(enabled: true, api_url: api_url)
    end

    shared_examples 'invalid config' do
@@ -37,6 +39,24 @@ describe 'gitlab:container_registry namespace rake tasks' do
      it_behaves_like 'invalid config'
    end

+    context 'when creating a registry client instance' do
+      let(:token) { 'foo' }
+      let(:client) { ContainerRegistry::Client.new(api_url, token: token) }
+
+      before do
+        stub_registry_info({})
+      end
+
+      it 'uses a token with no access permissions' do
+        expect(Auth::ContainerRegistryAuthenticationService)
+          .to receive(:access_token).with([], []).and_return(token)
+        expect(ContainerRegistry::Client)
+          .to receive(:new).with(api_url, token: token).and_return(client)
+
+        run_rake_task('gitlab:container_registry:configure')
+      end
+    end
+
    context 'when unabled to detect the container registry type' do
      it 'fails and raises an error message' do
        stub_registry_info({})
@@ -79,6 +99,11 @@ describe 'gitlab:container_registry namespace rake tasks' do
    end
  end

+  def stub_access_token
+    allow(Auth::ContainerRegistryAuthenticationService)
+      .to receive(:access_token).with([], []).and_return('foo')
+  end
+
  def stub_registry_info(output)
    allow_next_instance_of(ContainerRegistry::Client) do |client|
      allow(client).to receive(:registry_info).and_return(output)