Skip to content

G
gitlab-ce
Commit e248fd4c authored by James Edwards-Jones's avatar James Edwards-Jones
Browse files
Options

JwtController avoids activating session checks 

This used without a session and issues a sessionless token, so we
should avoid causing access checks based on the session.

Fixes docker registry access when used with Group SAML session
enforcement.
parent 503c7b58
Hide whitespace changes
Inline Side-by-side
Showing with 65 additions and 0 deletions
app/controllers/jwt_controller.rb
View file @ e248fd4c
# frozen_string_literal: true
class JwtController < ApplicationController
skip_around_action :set_session_storage
skip_before_action :authenticate_user!
skip_before_action :verify_authenticity_token
before_action :authenticate_project_or_user
......
ee/changelogs/unreleased/jej-fix-sso-enforced-docker-registry-auth.yml 0 → 100644
View file @ e248fd4c
---
title: Fix Docker Registry access when Group SAML session enforcement is active
merge_request: 14843
author:
type: fixed
ee/spec/requests/jwt_controller_spec.rb 0 → 100644
View file @ e248fd4c
# frozen_string_literal: true
require 'spec_helper'
describe JwtController do
context 'authenticating against container registry' do
let(:user) { create(:user) }
let(:group) { create(:group) }
let(:project) { create(:project, :private, group: group) }
let(:scope) { "repository:#{project.full_path}:pull" }
let(:service_name) { 'container_registry' }
let(:headers) { { authorization: credentials(user.username, user.password) } }
let(:parameters) { { account: user.username, client_id: 'docker', offline_token: true, service: service_name, scope: scope } }
before do
stub_container_registry_config(enabled: true, issuer: 'gitlab-issuer', key: 'spec/fixtures/x509_certificate_pk.key')
project.add_reporter(user)
end
context 'when Group SSO is enforced' do
let!(:saml_provider) { create(:saml_provider, enforced_sso: true, group: group) }
let!(:identity) { create(:group_saml_identity, saml_provider: saml_provider, user: user) }
before do
stub_feature_flags(enforced_sso_requires_session: true)
end
it 'allows access' do
get '/jwt/auth', params: parameters, headers: headers
expect(response).to have_gitlab_http_status(200)
expect(token_response['access']).to be_present
expect(token_access['actions']).to eq ['pull']
expect(token_access['type']).to eq 'repository'
expect(token_access['name']).to eq project.full_path
end
end
end
def credentials(login, password)
ActionController::HttpAuthentication::Basic.encode_credentials(login, password)
end
def token_response
JWT.decode(json_response['token'], nil, false).first
end
def token_access
token_response['access']&.first
end
end
spec/requests/jwt_controller_spec.rb
View file @ e248fd4c
......@@ -108,6 +108,14 @@ describe JwtController do
end
end
end
it 'does not cause session based checks to be activated' do
expect(Gitlab::Session).not_to receive(:with_session)
get '/jwt/auth', params: parameters, headers: headers
expect(response).to have_gitlab_http_status(200)
end
end
context 'using invalid login' do
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7