Commit 7ec1fa21 authored by Kamil Trzcinski's avatar Kamil Trzcinski

Make authentication service for Container Registry to be compatible with < Docker 1.11

parent 2485bd7b
......@@ -15,6 +15,7 @@ v 8.9.0 (unreleased)
- Remove 'main language' feature
- Projects pending deletion will render a 404 page
- Measure queue duration between gitlab-workhorse and Rails
- Make authentication service for Container Registry to be compatible with < Docker 1.11
v 8.8.3
- Fix gitlab importer failing to import new projects due to missing credentials
......
......@@ -32,7 +32,7 @@ class JwtController < ApplicationController
end
def auth_params
params.permit(:service, :scope, :offline_token, :account, :client_id)
params.permit(:service, :scope, :account, :client_id)
end
def authenticate_project(login, password)
......
......@@ -5,9 +5,7 @@ module Auth
def execute
return error('not found', 404) unless registry.enabled
if params[:offline_token]
return error('unauthorized', 401) unless current_user || project
else
unless current_user || project
return error('forbidden', 403) unless scope
end
......
......@@ -14,7 +14,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
allow_any_instance_of(JSONWebToken::RSAToken).to receive(:key).and_return(rsa_key)
end
shared_examples 'an authenticated' do
shared_examples 'a valid token' do
it { is_expected.to include(:token) }
it { expect(payload).to include('access') }
end
......@@ -28,10 +28,15 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
}]
end
it_behaves_like 'an authenticated'
it_behaves_like 'a valid token'
it { expect(payload).to include('access' => access) }
end
shared_examples 'an inaccessible' do
it_behaves_like 'a valid token'
it { expect(payload).to include('access' => []) }
end
shared_examples 'a pullable' do
it_behaves_like 'a accessible' do
let(:actions) { ['pull'] }
......@@ -50,11 +55,6 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
end
end
shared_examples 'an unauthorized' do
it { is_expected.to include(http_status: 401) }
it { is_expected.not_to include(:token) }
end
shared_examples 'a forbidden' do
it { is_expected.to include(http_status: 403) }
it { is_expected.not_to include(:token) }
......@@ -75,12 +75,8 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
let(:project) { create(:project) }
let(:current_user) { create(:user) }
context 'allow to use offline_token' do
let(:current_params) do
{ offline_token: true }
end
it_behaves_like 'an authenticated'
context 'allow to use scope-less authentication' do
it_behaves_like 'a valid token'
end
context 'allow developer to push images' do
......@@ -120,19 +116,15 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
{ scope: "repository:#{project.path_with_namespace}:pull,push" }
end
it_behaves_like 'a forbidden'
it_behaves_like 'an inaccessible'
end
end
context 'project authorization' do
let(:current_project) { create(:empty_project) }
context 'allow to use offline_token' do
let(:current_params) do
{ offline_token: true }
end
it_behaves_like 'an authenticated'
context 'allow to use scope-less authentication' do
it_behaves_like 'a valid token'
end
context 'allow to pull and push images' do
......@@ -158,7 +150,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
context 'disallow for private' do
let(:project) { create(:empty_project, :private) }
it_behaves_like 'a forbidden'
it_behaves_like 'an inaccessible'
end
end
......@@ -169,7 +161,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
context 'disallow for all' do
let(:project) { create(:empty_project, :public) }
it_behaves_like 'a forbidden'
it_behaves_like 'an inaccessible'
end
end
end
......@@ -184,18 +176,14 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
{ scope: "repository:#{project.path_with_namespace}:pull" }
end
it_behaves_like 'a forbidden'
it_behaves_like 'an inaccessible'
end
end
end
context 'unauthorized' do
context 'disallow to use offline_token' do
let(:current_params) do
{ offline_token: true }
end
it_behaves_like 'an unauthorized'
context 'disallow to use scope-less authentication' do
it_behaves_like 'a forbidden'
end
context 'for invalid scope' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment