Commit 9e318bd9 authored by Kamil Trzcinski's avatar Kamil Trzcinski

Fix container registry permissions

parent 575a73c8
...@@ -61,6 +61,7 @@ class Ability ...@@ -61,6 +61,7 @@ class Ability
:read_merge_request, :read_merge_request,
:read_note, :read_note,
:read_commit_status, :read_commit_status,
:read_container_registry,
:download_code :download_code
] ]
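Review bot: Granting `:read_container_registry` from this list does not, in the visible lines, take the project's `container_registry_enabled` flag into account; the only per-project check this commit adds is in the JWT service's `can_access?`. Any other caller of `can?(user, :read_container_registry, project)` would therefore still get true for a project with the registry switched off, unless Ability strips the permission elsewhere in the class, which is outside this hunk and worth confirming. The list's name and the method it belongs to are also outside the hunk, so who receives this baseline set cannot be told from here. A one-line comment on the new entry would help, for example `# also authorises registry pulls for public projects; see the container registry authentication service`.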
......
...@@ -3,6 +3,8 @@ module JWT ...@@ -3,6 +3,8 @@ module JWT
AUDIENCE = 'container_registry' AUDIENCE = 'container_registry'
def execute def execute
return error('not found', 404) unless registry.enabled
if params[:offline_token] if params[:offline_token]
return error('forbidden', 403) unless current_user return error('forbidden', 403) unless current_user
end end
...@@ -65,9 +67,11 @@ module JWT ...@@ -65,9 +67,11 @@ module JWT
end end
def can_access?(requested_project, requested_action) def can_access?(requested_project, requested_action)
return false unless requested_project.container_registry_enabled?
case requested_action case requested_action
when 'pull' when 'pull'
requested_project.public? || requested_project == project || can?(current_user, :read_container_registry, requested_project) requested_project == project || can?(current_user, :read_container_registry, requested_project)
when 'push' when 'push'
requested_project == project || can?(current_user, :create_container_registry, requested_project) requested_project == project || can?(current_user, :create_container_registry, requested_project)
else else
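Review bot: In `can_access?`, the `'pull'` branch appears to drop the `requested_project.public?` shortcut, so an anonymous pull from a public project now depends entirely on `can?(current_user, :read_container_registry, requested_project)` returning true when `current_user` is nil, and nothing in the method says so. A comment above the `case` would keep that coupling visible, for example `# public pulls are granted through Ability (:read_container_registry), not by a visibility check here`. The new guard `return false unless requested_project.container_registry_enabled?` also assumes `requested_project` is never nil; the caller is outside the visible lines, so confirm that a scope naming a missing project cannot reach it. The `requested_project == project` shortcut still skips `can?` for both actions, which is fine only if `project` is set from an already authenticated source. The method body continues past the hunk.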
......
...@@ -64,7 +64,7 @@ module Projects ...@@ -64,7 +64,7 @@ module Projects
end end
def remove_registry_tags def remove_registry_tags
return unless Gitlab.config.registry.enabled return true unless Gitlab.config.registry.enabled
project.container_registry_repository.delete_tags project.container_registry_repository.delete_tags
end end
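Review bot: `remove_registry_tags` has no documented return contract: assuming the right-hand `return true unless Gitlab.config.registry.enabled` is the new side, the early exit now reports success, while the normal path returns whatever `delete_tags` returns. If the caller (outside the hunk) treats a falsy value as a failed cleanup, that is worth stating on the method, for example `# Returns true when the registry is disabled (nothing to delete); otherwise the result of delete_tags`. It is also worth confirming that `delete_tags` returns a truthy value when the repository has no tags, otherwise the same false failure can still occur with the registry enabled.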
......
...@@ -7,6 +7,7 @@ describe JWT::ContainerRegistryAuthenticationService, services: true do ...@@ -7,6 +7,7 @@ describe JWT::ContainerRegistryAuthenticationService, services: true do
let(:rsa_key) { OpenSSL::PKey::RSA.generate(512) } let(:rsa_key) { OpenSSL::PKey::RSA.generate(512) }
let(:registry_settings) do let(:registry_settings) do
{ {
enabled: true,
issuer: 'rspec', issuer: 'rspec',
key: nil key: nil
} }
...@@ -146,7 +147,20 @@ describe JWT::ContainerRegistryAuthenticationService, services: true do ...@@ -146,7 +147,20 @@ describe JWT::ContainerRegistryAuthenticationService, services: true do
it_behaves_like 'a forbidden' it_behaves_like 'a forbidden'
end end
end end
end
context 'for project without container registry' do
let(:project) { create(:empty_project, :public, container_registry_enabled: false) }
before { project.update(container_registry_enabled: false) }
context 'disallow when pulling' do
let(:current_params) do
{ scope: "repository:#{project.path_with_namespace}:pull" }
end
it_behaves_like 'a forbidden'
end
end end
end end
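Review bot: The new context 'for project without container registry' exercises only an anonymous pull on a public project, so two paths added by this commit have no visible spec. These are the service-level `return error('not found', 404) unless registry.enabled`, and the per-project guard for a caller who would otherwise be authorised (a member pulling or pushing, or the `requested_project == project` shortcut). The second matters most, because an anonymous request can be forbidden for reasons other than the new guard. Add a context with `enabled: false` in `registry_settings` that expects the 404, and one with an authorised user against the disabled project that expects 'a forbidden'. Separately, `before { project.update(container_registry_enabled: false) }` repeats what `create(:empty_project, :public, container_registry_enabled: false)` already sets; if the factory overrides the attribute, say so in a comment, otherwise one of the two can go.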
......