Merge branch '349743-jwt-update' into 'master'

Fix import JWT payload

See merge request gitlab-org/gitlab!79218

app/services/auth/container_registry_authentication_service.rb

@@ -42,15 +42,15 @@ module Auth
       access_token(%w(*), names)
     end
 
-    def self.import_access_token(*names)
-      access_token(%w(import), names)
+    def self.import_access_token
+      access_token(%w(*), ['import'], 'registry')
     end
 
     def self.pull_access_token(*names)
       access_token(['pull'], names)
     end
 
-    def self.access_token(actions, names)
+    def self.access_token(actions, names, type = 'repository')
       names = names.flatten
       registry = Gitlab.config.registry
       token = JSONWebToken::RSAToken.new(registry.key)
@@ -60,10 +60,10 @@ module Auth
 
       token[:access] = names.map do |name|
         {
-          type: 'repository',
+          type: type,
           name: name,
           actions: actions,
-          migration_eligible: migration_eligible(repository_path: name)
+          migration_eligible: type == 'repository' ? migration_eligible(repository_path: name) : nil
         }.compact
       end
 

lib/container_registry/registry.rb

@@ -15,7 +15,12 @@ module ContainerRegistry
 
     def gitlab_api_client
       strong_memoize(:gitlab_api_client) do
-        ContainerRegistry::GitlabApiClient.new(@uri, @options)
+        token = Auth::ContainerRegistryAuthenticationService.import_access_token
+
+        url = Gitlab.config.registry.api_url
+        host_port = Gitlab.config.registry.host_port
+
+        ContainerRegistry::GitlabApiClient.new(url, token: token, path: host_port)
       end
     end
 

spec/lib/container_registry/registry_spec.rb

@@ -31,6 +31,10 @@ RSpec.describe ContainerRegistry::Registry do
   describe '#gitlab_api_client' do
     subject { registry.gitlab_api_client }
 
-    it { is_expected.to be_instance_of(ContainerRegistry::GitlabApiClient) }
+    it 'returns a GitLabApiClient with an import token' do
+      expect(Auth::ContainerRegistryAuthenticationService).to receive(:import_access_token)
+
+      expect(subject).to be_instance_of(ContainerRegistry::GitlabApiClient)
+    end
   end
 end

spec/support/helpers/stub_gitlab_calls.rb

@@ -51,6 +51,8 @@ module StubGitlabCalls
     allow(Gitlab.config.registry).to receive_messages(registry_settings)
     allow(Auth::ContainerRegistryAuthenticationService)
       .to receive(:full_access_token).and_return('token')
+    allow(Auth::ContainerRegistryAuthenticationService)
+      .to receive(:import_access_token).and_return('token')
   end
 
   def stub_container_registry_tags(repository: :any, tags: [], with_manifest: false)

spec/support/shared_examples/services/container_registry_auth_service_shared_examples.rb

@@ -182,17 +182,22 @@ RSpec.shared_examples 'a container registry auth service' do
   end
 
   describe '.import_access_token' do
-    let_it_be(:project) { create(:project) }
+    let(:access) do
+      [{ 'type' => 'registry',
+        'name' => 'import',
+        'actions' => ['*'] }]
+    end
 
-    let(:token) { described_class.import_access_token(project.full_path) }
+    let(:token) { described_class.import_access_token }
 
     subject { { token: token } }
 
-    it_behaves_like 'an accessible' do
-      let(:actions) { ['import'] }
-    end
-
+    it_behaves_like 'a valid token'
     it_behaves_like 'not a container repository factory'
+
+    it 'has the correct scope' do
+      expect(payload).to include('access' => access)
+    end
   end
 
   describe '.pull_access_token' do