If user can push to docker then it can delete too

Extends the permission of $CI_REGISTRY_USER to allow them to delete tags in addition to just pushing. https://gitlab.com/gitlab-org/gitlab-ce/issues/40096

If user can push to docker then it can delete too
Extends the permission of $CI_REGISTRY_USER to allow them to delete tags in addition to just pushing. https://gitlab.com/gitlab-org/gitlab-ce/issues/40096
f5b28994 · Giorgenes Gelatti · Thong Kuah · 3feab234 · f5b28994 · f5b28994
Commit f5b28994 authored Sep 03, 2019 by Giorgenes Gelatti Committed by Thong Kuah Sep 03, 2019
5 changed files
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -124,13 +124,21 @@ module Auth
        build_can_pull?(requested_project) || user_can_pull?(requested_project) || deploy_token_can_pull?(requested_project)
      when 'push'
        build_can_push?(requested_project) || user_can_push?(requested_project)
-      when '*', 'delete'
+      when 'delete'
+        build_can_delete?(requested_project) || user_can_admin?(requested_project)
+      when '*'
        user_can_admin?(requested_project)
      else
        false
      end
    end
+    def build_can_delete?(requested_project)
+      # Build can delete only from the project from which it originates
+      has_authentication_ability?(:build_destroy_container_image) &&
+        requested_project == project
+    end
    def registry
      Gitlab.config.registry
    end

--- a/changelogs/unreleased/40096-allow-ci-token-to-delete-from-registry.yml
+++ b/changelogs/unreleased/40096-allow-ci-token-to-delete-from-registry.yml
+---
+title: Allow $CI_REGISTRY_USER to delete tags
+merge_request: 31796
+author:
+type: added
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -265,7 +265,8 @@ module Gitlab
          :read_project,
          :build_download_code,
          :build_read_container_image,
-          :build_create_container_image
+          :build_create_container_image,
+          :build_destroy_container_image
        ]
      end

--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
@@ -587,7 +587,8 @@ describe Gitlab::Auth do
      :read_project,
      :build_download_code,
      :build_read_container_image,
-      :build_create_container_image
+      :build_create_container_image,
+      :build_destroy_container_image
    ]
  end

--- a/spec/services/auth/container_registry_authentication_service_spec.rb
+++ b/spec/services/auth/container_registry_authentication_service_spec.rb
@@ -476,7 +476,7 @@ describe Auth::ContainerRegistryAuthenticationService do
    let(:current_user) { create(:user) }
    let(:authentication_abilities) do
-      [:build_read_container_image, :build_create_container_image]
+      [:build_read_container_image, :build_create_container_image, :build_destroy_container_image]
    end
    before do
@@ -507,19 +507,19 @@ describe Auth::ContainerRegistryAuthenticationService do
      end
    end
-    context 'disallow to delete images' do
+    context 'allow to delete images since registry 2.7' do
      let(:current_params) do
-        { scopes: ["repository:#{current_project.full_path}:*"] }
+        { scopes: ["repository:#{current_project.full_path}:delete"] }
      end
-      it_behaves_like 'an inaccessible' do
+      it_behaves_like 'a deletable since registry 2.7' do
        let(:project) { current_project }
      end
    end
-    context 'disallow to delete images since registry 2.7' do
+    context 'disallow to delete images' do
      let(:current_params) do
-        { scopes: ["repository:#{current_project.full_path}:delete"] }
+        { scopes: ["repository:#{current_project.full_path}:*"] }
      end
      it_behaves_like 'an inaccessible' do