Commit d8b88f51 authored by David Fernandez's avatar David Fernandez

Merge branch '349743-jwt-update' into 'master'

Fix import JWT payload

See merge request gitlab-org/gitlab!79218
parents 2c008d0a cd88505b
...@@ -42,15 +42,15 @@ module Auth ...@@ -42,15 +42,15 @@ module Auth
access_token(%w(*), names) access_token(%w(*), names)
end end
def self.import_access_token(*names) def self.import_access_token
access_token(%w(import), names) access_token(%w(*), ['import'], 'registry')
end end
def self.pull_access_token(*names) def self.pull_access_token(*names)
access_token(['pull'], names) access_token(['pull'], names)
end end
def self.access_token(actions, names) def self.access_token(actions, names, type = 'repository')
names = names.flatten names = names.flatten
registry = Gitlab.config.registry registry = Gitlab.config.registry
token = JSONWebToken::RSAToken.new(registry.key) token = JSONWebToken::RSAToken.new(registry.key)
...@@ -60,10 +60,10 @@ module Auth ...@@ -60,10 +60,10 @@ module Auth
token[:access] = names.map do |name| token[:access] = names.map do |name|
{ {
type: 'repository', type: type,
name: name, name: name,
actions: actions, actions: actions,
migration_eligible: migration_eligible(repository_path: name) migration_eligible: type == 'repository' ? migration_eligible(repository_path: name) : nil
}.compact }.compact
end end
......
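Review bot: The new third parameter in `def self.access_token(actions, names, type = 'repository')` takes any string and writes it into the signed `access` claim, so it deserves an allow-list. A guard such as `raise ArgumentError, "unknown access type: #{type}" unless %w[repository registry].include?(type)` near the top of the method would stop a typo or a future caller from minting a token for an unintended resource type. `import_access_token` also widens its grant from the `import` action to `*` on the registry-level `import` resource. If the registry really requires the wildcard, say so in a comment above the method, for example `# Registry import API expects type=registry, name=import, actions=*; server-to-registry use only`, so reviewers can judge least privilege. The token expiry and the rest of `access_token` lie between the two hunks and are not visible here.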
...@@ -15,7 +15,12 @@ module ContainerRegistry ...@@ -15,7 +15,12 @@ module ContainerRegistry
def gitlab_api_client def gitlab_api_client
strong_memoize(:gitlab_api_client) do strong_memoize(:gitlab_api_client) do
ContainerRegistry::GitlabApiClient.new(@uri, @options) token = Auth::ContainerRegistryAuthenticationService.import_access_token
url = Gitlab.config.registry.api_url
host_port = Gitlab.config.registry.host_port
ContainerRegistry::GitlabApiClient.new(url, token: token, path: host_port)
end end
end end
......
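Review bot: `gitlab_api_client` now mints the import token once inside `strong_memoize`, so a long-lived `Registry` instance keeps reusing that JWT for as long as the object lives. The expiry is set in `access_token`, outside this diff, so it is worth confirming that callers never hold the instance longer than the token lifetime, or building the token per call instead. The new body also ignores `@uri` and `@options`, which means every `Registry` object, however it was constructed, talks to `Gitlab.config.registry.api_url` with a server-minted wildcard token. A comment such as `# Always uses the configured registry API URL and a server-minted import token; @uri/@options are deliberately not used` would make that intent explicit.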
...@@ -31,6 +31,10 @@ RSpec.describe ContainerRegistry::Registry do ...@@ -31,6 +31,10 @@ RSpec.describe ContainerRegistry::Registry do
describe '#gitlab_api_client' do describe '#gitlab_api_client' do
subject { registry.gitlab_api_client } subject { registry.gitlab_api_client }
it { is_expected.to be_instance_of(ContainerRegistry::GitlabApiClient) } it 'returns a GitLabApiClient with an import token' do
expect(Auth::ContainerRegistryAuthenticationService).to receive(:import_access_token)
expect(subject).to be_instance_of(ContainerRegistry::GitlabApiClient)
end
end end
end end
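Review bot: The new example's `expect(Auth::ContainerRegistryAuthenticationService).to receive(:import_access_token)` replaces the method with a stub that returns nil, so the client under test is built with `token: nil`. The example therefore never checks that the minted token reaches `GitlabApiClient`. Returning a value and asserting on the constructor arguments would pin the behaviour this commit introduces: add `.and_return('token')` to the expectation, then add `expect(ContainerRegistry::GitlabApiClient).to receive(:new).with(anything, hash_including(token: 'token')).and_call_original`.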
...@@ -51,6 +51,8 @@ module StubGitlabCalls ...@@ -51,6 +51,8 @@ module StubGitlabCalls
allow(Gitlab.config.registry).to receive_messages(registry_settings) allow(Gitlab.config.registry).to receive_messages(registry_settings)
allow(Auth::ContainerRegistryAuthenticationService) allow(Auth::ContainerRegistryAuthenticationService)
.to receive(:full_access_token).and_return('token') .to receive(:full_access_token).and_return('token')
allow(Auth::ContainerRegistryAuthenticationService)
.to receive(:import_access_token).and_return('token')
end end
def stub_container_registry_tags(repository: :any, tags: [], with_manifest: false) def stub_container_registry_tags(repository: :any, tags: [], with_manifest: false)
......
...@@ -182,17 +182,22 @@ RSpec.shared_examples 'a container registry auth service' do ...@@ -182,17 +182,22 @@ RSpec.shared_examples 'a container registry auth service' do
end end
describe '.import_access_token' do describe '.import_access_token' do
let_it_be(:project) { create(:project) } let(:access) do
[{ 'type' => 'registry',
'name' => 'import',
'actions' => ['*'] }]
end
let(:token) { described_class.import_access_token(project.full_path) } let(:token) { described_class.import_access_token }
subject { { token: token } } subject { { token: token } }
it_behaves_like 'an accessible' do it_behaves_like 'a valid token'
let(:actions) { ['import'] }
end
it_behaves_like 'not a container repository factory' it_behaves_like 'not a container repository factory'
it 'has the correct scope' do
expect(payload).to include('access' => access)
end
end end
describe '.pull_access_token' do describe '.pull_access_token' do
......