Create container repository on successful push auth

Because we do not have yet two way communication between container registry and GitLab, we need to eagerly create a new container repository objects in database. We now do that after user/build successfully authenticates a push action using auth service.

Create container repository on successful push auth
Because we do not have yet two way communication between container registry and GitLab, we need to eagerly create a new container repository objects in database. We now do that after user/build successfully authenticates a push action using auth service.
7d3d1ec5 · Grzegorz Bizon · 236c9c17 · 7d3d1ec5 · 7d3d1ec5 · 7d3d1ec5
Commit 7d3d1ec5 authored Mar 30, 2017 by Grzegorz Bizon
4 changed files
--- a/app/models/container_repository.rb
+++ b/app/models/container_repository.rb
@@ -60,6 +60,7 @@ class ContainerRepository < ActiveRecord::Base
  end
  def self.create_from_path(path)
-    self.create(project: path.repository_project, name: path.repository_name)
+    self.create(project: path.repository_project,
+                name: path.repository_name)
  end
 end
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -74,9 +74,25 @@ module Auth
      return unless actions.present?
+      # At this point user/build is already authenticated.
+      #
+      ensure_container_repository!(path, actions)
      { type: type, name: path.to_s, actions: actions }
    end
+    ##
+    # Because we do not have two way communication with registry yet,
+    # we create a container repository image resource when push to the
+    # registry is successfuly authorized.
+    #
+    def ensure_container_repository!(path, actions)
+      return if path.has_repository?
+      return unless actions.include?('push')
+      ContainerRepository.create_from_path(path)
+    end
    def can_access?(requested_project, requested_action)
      return false unless requested_project.container_registry_enabled?

--- a/lib/container_registry/path.rb
+++ b/lib/container_registry/path.rb
@@ -44,6 +44,10 @@ module ContainerRegistry
        .where(name: repository_name).any?
    end
+    def root_repository?
+      @path == repository_project.full_path
+    end
    def repository_project
      @project ||= Project.where_full_path_in(components.first(3))&.first
    end

--- a/spec/services/auth/container_registry_authentication_service_spec.rb
+++ b/spec/services/auth/container_registry_authentication_service_spec.rb
@@ -80,6 +80,19 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
    it { is_expected.not_to include(:token) }
  end
+  shared_examples 'container repository factory' do
+    it 'creates a new containe repository resource' do
+      expect { subject }
+        .to change { project.container_repositories.count }.by(1)
+    end
+  end
+  shared_examples 'container repository factory' do
+    it 'does not create a new container repository resource' do
+      expect { subject }.not_to change { ContainerRepository.count }
+    end
+  end
  describe '#full_access_token' do
    let(:project) { create(:empty_project) }
    let(:token) { described_class.full_access_token(project.path_with_namespace) }
@@ -89,6 +102,8 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
    it_behaves_like 'an accessible' do
      let(:actions) { ['*'] }
    end
+    it_behaves_like 'not a container repository factory'
  end
  context 'user authorization' do
@@ -109,16 +124,20 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
        end
        it_behaves_like 'a pushable'
+        it_behaves_like 'container repository factory'
      end
      context 'allow reporter to pull images' do
        before { project.team << [current_user, :reporter] }
-        let(:current_params) do
+        context 'when pulling from root level repository' do
-          { scope: "repository:#{project.path_with_namespace}:pull" }
+          let(:current_params) do
-        end
+            { scope: "repository:#{project.path_with_namespace}:pull" }
+          end
-        it_behaves_like 'a pullable'
+          it_behaves_like 'a pullable'
+          it_behaves_like 'not a container repository factory'
+        end
      end
      context 'return a least of privileges' do
@@ -129,6 +148,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
        end
        it_behaves_like 'a pullable'
+        it_behaves_like 'not a container repository factory'
      end
      context 'disallow guest to pull or push images' do
@@ -139,6 +159,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
        end
        it_behaves_like 'an inaccessible'
+        it_behaves_like 'not a container repository factory'
      end
    end
@@ -151,6 +172,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
        end
        it_behaves_like 'a pullable'
+        it_behaves_like 'not a container repository factory'
      end
      context 'disallow anyone to push images' do
@@ -159,6 +181,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
        end
        it_behaves_like 'an inaccessible'
+        it_behaves_like 'not a container repository factory'
      end
    end
@@ -172,6 +195,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
          end
          it_behaves_like 'a pullable'
+          it_behaves_like 'not a container repository factory'
        end
        context 'disallow anyone to push images' do
@@ -180,6 +204,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
          end
          it_behaves_like 'an inaccessible'
+          it_behaves_like 'not a container repository factory'
        end
      end
@@ -190,6 +215,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
        end
        it_behaves_like 'an inaccessible'
+        it_behaves_like 'not a container repository factory'
      end
    end
  end
@@ -216,6 +242,10 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
      it_behaves_like 'a pullable and pushable' do
        let(:project) { current_project }
      end
+      it_behaves_like 'container repository factory' do
+        let(:project) { current_project }
+      end
    end
    context 'for other projects' do
@@ -228,11 +258,13 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
          let(:project) { create(:empty_project, :public) }
          it_behaves_like 'a pullable'
+          it_behaves_like 'not a container repository factory'
        end
        shared_examples 'pullable for being team member' do
          context 'when you are not member' do
            it_behaves_like 'an inaccessible'
+            it_behaves_like 'not a container repository factory'
          end
          context 'when you are member' do
@@ -241,12 +273,14 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
            end
            it_behaves_like 'a pullable'
+            it_behaves_like 'not a container repository factory'
          end
          context 'when you are owner' do
            let(:project) { create(:empty_project, namespace: current_user.namespace) }
            it_behaves_like 'a pullable'
+            it_behaves_like 'not a container repository factory'
          end
        end
@@ -260,6 +294,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
            context 'when you are not member' do
              it_behaves_like 'an inaccessible'
+              it_behaves_like 'not a container repository factory'
            end
            context 'when you are member' do
@@ -268,12 +303,14 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
              end
              it_behaves_like 'a pullable'
+              it_behaves_like 'not a container repository factory'
            end
            context 'when you are owner' do
              let(:project) { create(:empty_project, namespace: current_user.namespace) }
              it_behaves_like 'a pullable'
+              it_behaves_like 'not a container repository factory'
            end
          end
        end
@@ -293,12 +330,14 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
            end
            it_behaves_like 'an inaccessible'
+            it_behaves_like 'not a container repository factory'
          end
          context 'when you are owner' do
            let(:project) { create(:empty_project, :public, namespace: current_user.namespace) }
            it_behaves_like 'an inaccessible'
+            it_behaves_like 'not a container repository factory'
          end
        end
      end
@@ -315,6 +354,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
        end
        it_behaves_like 'an inaccessible'
+        it_behaves_like 'not a container repository factory'
      end
    end
  end
@@ -322,6 +362,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
  context 'unauthorized' do
    context 'disallow to use scope-less authentication' do
      it_behaves_like 'a forbidden'
+      it_behaves_like 'not a container repository factory'
    end
    context 'for invalid scope' do
@@ -330,6 +371,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
      end
      it_behaves_like 'a forbidden'
+      it_behaves_like 'not a container repository factory'
    end
    context 'for private project' do
@@ -351,6 +393,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
        end
        it_behaves_like 'a pullable'
+        it_behaves_like 'not a container repository factory'
      end
      context 'when pushing' do
@@ -359,6 +402,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
        end
        it_behaves_like 'a forbidden'
+        it_behaves_like 'not a container repository factory'
      end
    end
  end