Fix import JWT format

Change import access token from repository to registry type.

Fix import JWT format
Change import access token from repository to registry type.
cd88505b · Steve Abrams · David Fernandez · d967565a · cd88505b · cd88505b
Commit cd88505b authored Feb 01, 2022 by Steve Abrams Committed by David Fernandez Feb 01, 2022
5 changed files
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -42,15 +42,15 @@ module Auth
      access_token(%w(*), names)
    end
-    def self.import_access_token(*names)
+    def self.import_access_token
-      access_token(%w(import), names)
+      access_token(%w(*), ['import'], 'registry')
    end
    def self.pull_access_token(*names)
      access_token(['pull'], names)
    end
-    def self.access_token(actions, names)
+    def self.access_token(actions, names, type = 'repository')
      names = names.flatten
      registry = Gitlab.config.registry
      token = JSONWebToken::RSAToken.new(registry.key)
@@ -60,10 +60,10 @@ module Auth
      token[:access] = names.map do |name|
        {
-          type: 'repository',
+          type: type,
          name: name,
          actions: actions,
-          migration_eligible: migration_eligible(repository_path: name)
+          migration_eligible: type == 'repository' ? migration_eligible(repository_path: name) : nil
        }.compact
      end

--- a/lib/container_registry/registry.rb
+++ b/lib/container_registry/registry.rb
@@ -15,7 +15,12 @@ module ContainerRegistry
    def gitlab_api_client
      strong_memoize(:gitlab_api_client) do
-        ContainerRegistry::GitlabApiClient.new(@uri, @options)
+        token = Auth::ContainerRegistryAuthenticationService.import_access_token
+        url = Gitlab.config.registry.api_url
+        host_port = Gitlab.config.registry.host_port
+        ContainerRegistry::GitlabApiClient.new(url, token: token, path: host_port)
      end
    end

--- a/spec/lib/container_registry/registry_spec.rb
+++ b/spec/lib/container_registry/registry_spec.rb
@@ -31,6 +31,10 @@ RSpec.describe ContainerRegistry::Registry do
  describe '#gitlab_api_client' do
    subject { registry.gitlab_api_client }
-    it { is_expected.to be_instance_of(ContainerRegistry::GitlabApiClient) }
+    it 'returns a GitLabApiClient with an import token' do
+      expect(Auth::ContainerRegistryAuthenticationService).to receive(:import_access_token)
+      expect(subject).to be_instance_of(ContainerRegistry::GitlabApiClient)
+    end
  end
 end
--- a/spec/support/helpers/stub_gitlab_calls.rb
+++ b/spec/support/helpers/stub_gitlab_calls.rb
@@ -51,6 +51,8 @@ module StubGitlabCalls
    allow(Gitlab.config.registry).to receive_messages(registry_settings)
    allow(Auth::ContainerRegistryAuthenticationService)
      .to receive(:full_access_token).and_return('token')
+    allow(Auth::ContainerRegistryAuthenticationService)
+      .to receive(:import_access_token).and_return('token')
  end
  def stub_container_registry_tags(repository: :any, tags: [], with_manifest: false)

--- a/spec/support/shared_examples/services/container_registry_auth_service_shared_examples.rb
+++ b/spec/support/shared_examples/services/container_registry_auth_service_shared_examples.rb
@@ -182,17 +182,22 @@ RSpec.shared_examples 'a container registry auth service' do
  end
  describe '.import_access_token' do
-    let_it_be(:project) { create(:project) }
+    let(:access) do
+      [{ 'type' => 'registry',
+        'name' => 'import',
+        'actions' => ['*'] }]
+    end
-    let(:token) { described_class.import_access_token(project.full_path) }
+    let(:token) { described_class.import_access_token }
    subject { { token: token } }
-    it_behaves_like 'an accessible' do
+    it_behaves_like 'a valid token'
-      let(:actions) { ['import'] }
-    end
    it_behaves_like 'not a container repository factory'
+    it 'has the correct scope' do
+      expect(payload).to include('access' => access)
+    end
  end
  describe '.pull_access_token' do