Commit 846d111f authored by Kamil Trzcinski's avatar Kamil Trzcinski

Add Application Setting to configure Container Registry token expire delay (default 5min)

parent ba81c912
...@@ -17,6 +17,7 @@ v 8.9.0 (unreleased) ...@@ -17,6 +17,7 @@ v 8.9.0 (unreleased)
- Projects pending deletion will render a 404 page - Projects pending deletion will render a 404 page
- Measure queue duration between gitlab-workhorse and Rails - Measure queue duration between gitlab-workhorse and Rails
- Make authentication service for Container Registry to be compatible with < Docker 1.11 - Make authentication service for Container Registry to be compatible with < Docker 1.11
- Add Application Setting to configure Container Registry token expire delay (default 5min)
v 8.8.3 v 8.8.3
- Fix gitlab importer failing to import new projects due to missing credentials - Fix gitlab importer failing to import new projects due to missing credentials
......
...@@ -107,6 +107,7 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController ...@@ -107,6 +107,7 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController
:repository_checks_enabled, :repository_checks_enabled,
:metrics_packet_size, :metrics_packet_size,
:send_user_confirmation_email, :send_user_confirmation_email,
:container_registry_token_expire_delay,
restricted_visibility_levels: [], restricted_visibility_levels: [],
import_sources: [], import_sources: [],
disabled_oauth_sign_in_sources: [] disabled_oauth_sign_in_sources: []
......
...@@ -51,6 +51,10 @@ class ApplicationSetting < ActiveRecord::Base ...@@ -51,6 +51,10 @@ class ApplicationSetting < ActiveRecord::Base
presence: true, presence: true,
numericality: { only_integer: true, greater_than: 0 } numericality: { only_integer: true, greater_than: 0 }
validates :container_registry_token_expire_delay,
presence: true,
numericality: { only_integer: true, greater_than: 0 }
validates_each :restricted_visibility_levels do |record, attr, value| validates_each :restricted_visibility_levels do |record, attr, value|
unless value.nil? unless value.nil?
value.each do |level| value.each do |level|
...@@ -121,7 +125,8 @@ class ApplicationSetting < ActiveRecord::Base ...@@ -121,7 +125,8 @@ class ApplicationSetting < ActiveRecord::Base
akismet_enabled: false, akismet_enabled: false,
repository_checks_enabled: true, repository_checks_enabled: true,
disabled_oauth_sign_in_sources: [], disabled_oauth_sign_in_sources: [],
send_user_confirmation_email: false send_user_confirmation_email: false,
container_registry_token_expire_delay: 5,
) )
end end
......
module Auth module Auth
class ContainerRegistryAuthenticationService < BaseService class ContainerRegistryAuthenticationService < BaseService
include CurrentSettings
AUDIENCE = 'container_registry' AUDIENCE = 'container_registry'
def execute def execute
...@@ -17,6 +19,7 @@ module Auth ...@@ -17,6 +19,7 @@ module Auth
token = JSONWebToken::RSAToken.new(registry.key) token = JSONWebToken::RSAToken.new(registry.key)
token.issuer = registry.issuer token.issuer = registry.issuer
token.audience = AUDIENCE token.audience = AUDIENCE
token.expire_time = token.issued_at + current_application_settings.container_registry_token_expire_delay.minutes
token[:access] = names.map do |name| token[:access] = names.map do |name|
{ type: 'repository', name: name, actions: %w(*) } { type: 'repository', name: name, actions: %w(*) }
end end
......
...@@ -178,6 +178,14 @@ ...@@ -178,6 +178,14 @@
.col-sm-10 .col-sm-10
= f.number_field :max_artifacts_size, class: 'form-control' = f.number_field :max_artifacts_size, class: 'form-control'
- if Gitlab.config.registry.enabled
%fieldset
%legend Container Registry
.form-group
= f.label :container_registry_token_expire_delay, 'Authorization token duration (minutes)', class: 'control-label col-sm-2'
.col-sm-10
= f.number_field :container_registry_token_expire_delay, class: 'form-control'
%fieldset %fieldset
%legend Metrics %legend Metrics
%p %p
......
# See http://doc.gitlab.com/ce/development/migration_style_guide.html
# for more information on how to write migrations for GitLab.
class AddContainerRegistryTokenExpireDelayToApplicationSettings < ActiveRecord::Migration
include Gitlab::Database::MigrationHelpers
# When using the methods "add_concurrent_index" or "add_column_with_default"
# you must disable the use of transactions as these methods can not run in an
# existing transaction. When using "add_concurrent_index" make sure that this
# method is the _only_ method called in the migration, any other changes
# should go in a separate migration. This ensures that upon failure _only_ the
# index creation fails and can be retried or reverted easily.
#
# To disable transactions uncomment the following line and remove these
# comments:
# disable_ddl_transaction!
def change
add_column :application_settings, :container_registry_token_expire_delay, :integer
# Set default expire delay to 5 minutes
execute("update application_settings set container_registry_token_expire_delay = 5")
end
end
...@@ -37,7 +37,8 @@ Example response: ...@@ -37,7 +37,8 @@ Example response:
"created_at" : "2016-01-04T15:44:55.176Z", "created_at" : "2016-01-04T15:44:55.176Z",
"default_project_visibility" : 0, "default_project_visibility" : 0,
"gravatar_enabled" : true, "gravatar_enabled" : true,
"sign_in_text" : null "sign_in_text" : null,
"container_registry_token_expire_delay": 5
} }
``` ```
...@@ -64,6 +65,7 @@ PUT /application/settings ...@@ -64,6 +65,7 @@ PUT /application/settings
| `restricted_signup_domains` | array of strings | no | Force people to use only corporate emails for sign-up. Default is null, meaning there is no restriction. | | `restricted_signup_domains` | array of strings | no | Force people to use only corporate emails for sign-up. Default is null, meaning there is no restriction. |
| `user_oauth_applications` | boolean | no | Allow users to register any application to use GitLab as an OAuth provider | | `user_oauth_applications` | boolean | no | Allow users to register any application to use GitLab as an OAuth provider |
| `after_sign_out_path` | string | no | Where to redirect users after logout | | `after_sign_out_path` | string | no | Where to redirect users after logout |
| `container_registry_token_expire_delay` | integer | no | Container Registry token duration in minutes |
```bash ```bash
curl -X PUT -H "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" https://gitlab.example.com/api/v3/application/settings?signup_enabled=false&default_project_visibility=1 curl -X PUT -H "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" https://gitlab.example.com/api/v3/application/settings?signup_enabled=false&default_project_visibility=1
...@@ -90,6 +92,7 @@ Example response: ...@@ -90,6 +92,7 @@ Example response:
"default_snippet_visibility": 0, "default_snippet_visibility": 0,
"restricted_signup_domains": [], "restricted_signup_domains": [],
"user_oauth_applications": true, "user_oauth_applications": true,
"after_sign_out_path": "" "after_sign_out_path": "",
"container_registry_token_expire_delay": 5
} }
``` ```
...@@ -362,6 +362,7 @@ module API ...@@ -362,6 +362,7 @@ module API
expose :restricted_signup_domains expose :restricted_signup_domains
expose :user_oauth_applications expose :user_oauth_applications
expose :after_sign_out_path expose :after_sign_out_path
expose :container_registry_token_expire_delay
end end
class Release < Grape::Entity class Release < Grape::Entity
......
...@@ -36,6 +36,7 @@ module Gitlab ...@@ -36,6 +36,7 @@ module Gitlab
two_factor_grace_period: 48, two_factor_grace_period: 48,
akismet_enabled: false, akismet_enabled: false,
repository_checks_enabled: true, repository_checks_enabled: true,
container_registry_token_expire_delay: 5,
) )
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment