f63b6fc2
Commit
f63b6fc2
authored
May 14, 2016
by
Kamil Trzcinski
Merge branch 'docker-registry' into docker-registry-view
parents
5c194762
f4f9184a
Showing
7 changed files
with
30 additions
and
31 deletions
+30
-31
app/models/ability.rb
app/models/ability.rb
+6
-6
app/services/auth/container_registry_authentication_service.rb
...ervices/auth/container_registry_authentication_service.rb
+11
-16
lib/json_web_token/rsa_token.rb
lib/json_web_token/rsa_token.rb
+9
-5
lib/json_web_token/token.rb
lib/json_web_token/token.rb
+1
-1
spec/lib/json_web_token/rsa_token_spec.rb
spec/lib/json_web_token/rsa_token_spec.rb
+1
-1
spec/lib/json_web_token/token_spec.rb
spec/lib/json_web_token/token_spec.rb
+1
-1
spec/services/auth/container_registry_authentication_service_spec.rb
...es/auth/container_registry_authentication_service_spec.rb
+1
-1
app/models/ability.rb
...
@@ -61,7 +61,7 @@ class Ability
...
@@ -61,7 +61,7 @@ class Ability
:read_merge_request
,
:read_merge_request
,
:read_note
,
:read_note
,
:read_commit_status
,
:read_commit_status
,
:read_container_
registry
,
:read_container_
image
,
:download_code
:download_code
]
]
...
@@ -204,7 +204,7 @@ class Ability
...
@@ -204,7 +204,7 @@ class Ability
:admin_label
,
:admin_label
,
:read_commit_status
,
:read_commit_status
,
:read_build
,
:read_build
,
:read_container_
registry
,
:read_container_
image
,
]
]
end
end
...
@@ -219,8 +219,8 @@ class Ability
...
@@ -219,8 +219,8 @@ class Ability
:create_merge_request
,
:create_merge_request
,
:create_wiki
,
:create_wiki
,
:push_code
,
:push_code
,
:create_container_
registry
,
:create_container_
image
,
:update_container_
registry
,
:update_container_
image
,
]
]
end
end
...
@@ -247,7 +247,7 @@ class Ability
...
@@ -247,7 +247,7 @@ class Ability
:admin_project
,
:admin_project
,
:admin_commit_status
,
:admin_commit_status
,
:admin_build
,
:admin_build
,
:admin_container_
registry
,
:admin_container_
image
,
]
]
end
end
...
@@ -293,7 +293,7 @@ class Ability
...
@@ -293,7 +293,7 @@ class Ability
end
end
unless
project
.
container_registry_enabled
unless
project
.
container_registry_enabled
rules
+=
named_abilities
(
'container_
registry
'
)
rules
+=
named_abilities
(
'container_
image
'
)
end
end
rules
rules
...
...
app/services/auth/container_registry_authentication_service.rb
...
@@ -9,9 +9,9 @@ module Auth
...
@@ -9,9 +9,9 @@ module Auth
return
error
(
'forbidden'
,
403
)
unless
current_user
return
error
(
'forbidden'
,
403
)
unless
current_user
end
end
return
error
(
'forbidden'
,
401
)
if
scopes
.
blank?
return
error
(
'forbidden'
,
401
)
unless
scope
{
token:
authorized_token
(
scope
s
).
encoded
}
{
token:
authorized_token
(
scope
).
encoded
}
end
end
def
self
.
full_access_token
(
*
names
)
def
self
.
full_access_token
(
*
names
)
...
@@ -27,32 +27,27 @@ module Auth
...
@@ -27,32 +27,27 @@ module Auth
private
private
def
authorized_token
(
acces
s
)
def
authorized_token
(
*
accesse
s
)
token
=
::
JWT
::
RSAToken
.
new
(
registry
.
key
)
token
=
JSONWebToken
::
RSAToken
.
new
(
registry
.
key
)
token
.
issuer
=
registry
.
issuer
token
.
issuer
=
registry
.
issuer
token
.
audience
=
params
[
:service
]
token
.
audience
=
params
[
:service
]
token
.
subject
=
current_user
.
try
(
:username
)
token
.
subject
=
current_user
.
try
(
:username
)
token
[
:access
]
=
access
token
[
:access
]
=
access
es
token
token
end
end
def
scope
s
def
scope
return
unless
params
[
:scope
]
return
unless
params
[
:scope
]
@scopes
||=
begin
@scope
||=
process_scope
(
params
[
:scope
])
scope
=
process_scope
(
params
[
:scope
])
[
scope
].
compact
end
end
end
def
process_scope
(
scope
)
def
process_scope
(
scope
)
type
,
name
,
actions
=
scope
.
split
(
':'
,
3
)
type
,
name
,
actions
=
scope
.
split
(
':'
,
3
)
actions
=
actions
.
split
(
','
)
actions
=
actions
.
split
(
','
)
return
unless
type
==
'repository'
case
type
process_repository_access
(
type
,
name
,
actions
)
when
'repository'
process_repository_access
(
type
,
name
,
actions
)
end
end
end
def
process_repository_access
(
type
,
name
,
actions
)
def
process_repository_access
(
type
,
name
,
actions
)
...
@@ -71,9 +66,9 @@ module Auth
...
@@ -71,9 +66,9 @@ module Auth
case
requested_action
case
requested_action
when
'pull'
when
'pull'
requested_project
==
project
||
can?
(
current_user
,
:read_container_
registry
,
requested_project
)
requested_project
==
project
||
can?
(
current_user
,
:read_container_
image
,
requested_project
)
when
'push'
when
'push'
requested_project
==
project
||
can?
(
current_user
,
:create_container_
registry
,
requested_project
)
requested_project
==
project
||
can?
(
current_user
,
:create_container_
image
,
requested_project
)
else
else
false
false
end
end
...
...
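Review bot: In `process_scope`, `actions = actions.split(',')` runs before the `case type` check and on whatever the third colon-separated component of the untrusted `scope` query parameter happens to be, so a request such as `scope=repository:foo` or `scope=foo` leaves `actions` nil, raises NoMethodError and turns a malformed scope into a 500 instead of the 401 that `return error('forbidden', 401) unless scope` is meant to produce. Guard the split before using its parts: `type, name, actions = scope.split(':', 3)` / `return unless type && name && actions` / `actions = actions.split(',')`. The same line raises if Rails parses `scope` as an Array or Hash (`scope[]=...`), which this method presumably does not intend to accept; `return unless params[:scope].is_a?(String)` at the top of `scope` would cover that. As far as I recall the Docker registry token spec lets clients repeat the `scope` parameter, and with `params[:scope]` only the last value is honored, so multi-scope requests are silently narrowed to one access entry — worth a comment on `scope` if that is intentional. `process_repository_access` begins before and continues past the last hunk.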
lib/j
wt
/rsa_token.rb
→
lib/j
son_web_token
/rsa_token.rb
module
J
WT
module
J
SONWebToken
class
RSAToken
<
Token
class
RSAToken
<
Token
attr_reader
:key_file
attr_reader
:key_file
...
@@ -29,10 +29,14 @@ module JWT
...
@@ -29,10 +29,14 @@ module JWT
end
end
def
kid
def
kid
fingerprint
=
Digest
::
SHA256
.
digest
(
public_key
.
to_der
)
# calculate sha256 from DER encoded ASN1
Base32
.
encode
(
fingerprint
).
split
(
''
).
each_slice
(
4
).
each_with_object
([])
do
|
slice
,
mem
|
kid
=
Digest
::
SHA256
.
digest
(
public_key
.
to_der
)
mem
<<
slice
.
join
end
.
join
(
':'
)
# we encode only 30 bytes with base32
kid
=
Base32
.
encode
(
kid
[
0
..
29
])
# insert colon every 4 characters
kid
.
scan
(
/.{4}/
).
join
(
':'
)
end
end
end
end
end
end
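Review bot: The new `kid` truncates the digest to 30 of its 32 bytes and relies on `scan(/.{4}/)` silently discarding any remainder, but neither inline comment says why 30, so the next reader is likely to see the truncation as a bug and restore the full digest — which is what the removed code did and which yields a longer, padded Base32 string the registry would not match. Replace the two inline comments with one header comment above `def kid`: `# Key ID in the format the Docker registry uses to select the verification key: SHA-256 over the DER-encoded public key, truncated to 30 bytes so Base32 yields exactly 48 characters with no padding, then grouped 4 characters at a time with ':' separators (12 groups).` The format attribution is from memory of the registry/libtrust key-ID code, so confirm it against the registry before relying on the comment. Reusing the local `kid` for the raw digest, the Base32 string and the result is legal but hides the three stages; `digest` and `encoded` as names, with the `scan(...).join(':')` as the final expression, would read more clearly. A mismatched kid fails closed (every token is rejected) rather than open, so this is a correctness and maintenance point, not an authorization bypass.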
lib/j
wt
/token.rb
→
lib/j
son_web_token
/token.rb
module
J
WT
module
J
SONWebToken
class
Token
class
Token
attr_accessor
:issuer
,
:subject
,
:audience
,
:id
attr_accessor
:issuer
,
:subject
,
:audience
,
:id
attr_accessor
:issued_at
,
:not_before
,
:expire_time
attr_accessor
:issued_at
,
:not_before
,
:expire_time
...
...
spec/lib/j
wt
/rsa_token_spec.rb
→
spec/lib/j
son_web_token
/rsa_token_spec.rb
describe
J
WT
::
RSAToken
do
describe
J
SONWebToken
::
RSAToken
do
let
(
:rsa_key
)
{
generate_key
}
let
(
:rsa_key
)
{
generate_key
}
let
(
:rsa_token
)
{
described_class
.
new
(
nil
)
}
let
(
:rsa_token
)
{
described_class
.
new
(
nil
)
}
let
(
:rsa_encoded
)
{
rsa_token
.
encoded
}
let
(
:rsa_encoded
)
{
rsa_token
.
encoded
}
...
...
spec/lib/j
wt
/token_spec.rb
→
spec/lib/j
son_web_token
/token_spec.rb
describe
J
WT
::
Token
do
describe
J
SONWebToken
::
Token
do
let
(
:token
)
{
described_class
.
new
}
let
(
:token
)
{
described_class
.
new
}
context
'custom parameters'
do
context
'custom parameters'
do
...
...
spec/services/auth/container_registry_authentication_service_spec.rb
...
@@ -18,7 +18,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
...
@@ -18,7 +18,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
before
do
before
do
allow
(
Gitlab
.
config
.
registry
).
to
receive_messages
(
registry_settings
)
allow
(
Gitlab
.
config
.
registry
).
to
receive_messages
(
registry_settings
)
allow_any_instance_of
(
J
WT
::
RSAToken
).
to
receive
(
:key
).
and_return
(
rsa_key
)
allow_any_instance_of
(
J
SONWebToken
::
RSAToken
).
to
receive
(
:key
).
and_return
(
rsa_key
)
end
end
shared_examples
'an authenticated'
do
shared_examples
'an authenticated'
do
...
...