debian-mirror-gitlab/app/services/auth/container_registry_authentication_service.rb

module Auth
  class ContainerRegistryAuthenticationService < BaseService
    include Gitlab::CurrentSettings

    AUDIENCE = 'container_registry'

    def execute
      return error('not found', 404) unless registry.enabled

      unless current_user || project
        return error('forbidden', 403) unless scope
      end

      { token: authorized_token(scope).encoded }
    end

    def self.full_access_token(*names)
      registry = Gitlab.config.registry
      token = JSONWebToken::RSAToken.new(registry.key)
      token.issuer = registry.issuer
      token.audience = AUDIENCE
      token.expire_time = token_expire_at

      token[:access] = names.map do |name|
        { type: 'repository', name: name, actions: %w(*) }
      end

      token.encoded
    end

    def self.token_expire_at
      Time.now + current_application_settings.container_registry_token_expire_delay.minutes
    end

    private

    def authorized_token(*accesses)
      token = JSONWebToken::RSAToken.new(registry.key)
      token.issuer = registry.issuer
      token.audience = params[:service]
      token.subject = current_user.try(:username)
      token.expire_time = self.class.token_expire_at
      token[:access] = accesses.compact
      token
    end

    def scope
      return unless params[:scope]

      @scope ||= process_scope(params[:scope])
    end

    def process_scope(scope)
      type, name, actions = scope.split(':', 3)
      actions = actions.split(',')
      return unless type == 'repository'

      process_repository_access(type, name, actions)
    end

    def process_repository_access(type, name, actions)
      requested_project = Project.find_with_namespace(name)
      return unless requested_project

      actions = actions.select do |action|
        can_access?(requested_project, action)
      end

      { type: type, name: name, actions: actions } if actions.present?
    end

    def can_access?(requested_project, requested_action)
      return false unless requested_project.container_registry_enabled?

      case requested_action
      when 'pull'
        requested_project == project || can?(current_user, :read_container_image, requested_project)
      when 'push'
        requested_project == project || can?(current_user, :create_container_image, requested_project)
      else
        false
      end
    end

    def registry
      Gitlab.config.registry
    end
  end
end
Imported Upstream version 8.8.2+dfsg 2016-06-02 11:05:42 +05:30			`module Auth`
			`class ContainerRegistryAuthenticationService < BaseService`
Imported Upstream version 8.9.0+debian~rc4 2016-06-16 23:09:34 +05:30			`include Gitlab::CurrentSettings`

Imported Upstream version 8.8.2+dfsg 2016-06-02 11:05:42 +05:30			`AUDIENCE = 'container_registry'`

			`def execute`
			`return error('not found', 404) unless registry.enabled`

Imported Upstream version 8.9.0+debian~rc4 2016-06-16 23:09:34 +05:30			`unless current_user \|\| project`
Imported Upstream version 8.8.2+dfsg 2016-06-02 11:05:42 +05:30			`return error('forbidden', 403) unless scope`
			`end`

			`{ token: authorized_token(scope).encoded }`
			`end`

			`def self.full_access_token(*names)`
			`registry = Gitlab.config.registry`
			`token = JSONWebToken::RSAToken.new(registry.key)`
			`token.issuer = registry.issuer`
			`token.audience = AUDIENCE`
Imported Upstream version 8.9.0+debian~rc4 2016-06-16 23:09:34 +05:30			`token.expire_time = token_expire_at`
Imported Upstream version 8.10.5+dfsg 2016-08-24 12:49:21 +05:30
Imported Upstream version 8.8.2+dfsg 2016-06-02 11:05:42 +05:30			`token[:access] = names.map do \|name\|`
			`{ type: 'repository', name: name, actions: %w(*) }`
			`end`
New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30
Imported Upstream version 8.8.2+dfsg 2016-06-02 11:05:42 +05:30			`token.encoded`
			`end`

New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30			`def self.token_expire_at`
			`Time.now + current_application_settings.container_registry_token_expire_delay.minutes`
			`end`

Imported Upstream version 8.8.2+dfsg 2016-06-02 11:05:42 +05:30			`private`

			`def authorized_token(*accesses)`
			`token = JSONWebToken::RSAToken.new(registry.key)`
			`token.issuer = registry.issuer`
			`token.audience = params[:service]`
			`token.subject = current_user.try(:username)`
New upstream version 8.11.3+dfsg 2016-09-13 17:45:13 +05:30			`token.expire_time = self.class.token_expire_at`
Imported Upstream version 8.8.2+dfsg 2016-06-02 11:05:42 +05:30			`token[:access] = accesses.compact`
			`token`
			`end`

			`def scope`
			`return unless params[:scope]`

			`@scope \|\|= process_scope(params[:scope])`
			`end`

			`def process_scope(scope)`
			`type, name, actions = scope.split(':', 3)`
			`actions = actions.split(',')`
			`return unless type == 'repository'`

			`process_repository_access(type, name, actions)`
			`end`

			`def process_repository_access(type, name, actions)`
			`requested_project = Project.find_with_namespace(name)`
			`return unless requested_project`

			`actions = actions.select do \|action\|`
			`can_access?(requested_project, action)`
			`end`

			`{ type: type, name: name, actions: actions } if actions.present?`
			`end`

			`def can_access?(requested_project, requested_action)`
			`return false unless requested_project.container_registry_enabled?`

			`case requested_action`
			`when 'pull'`
			`requested_project == project \|\| can?(current_user, :read_container_image, requested_project)`
			`when 'push'`
			`requested_project == project \|\| can?(current_user, :create_container_image, requested_project)`
			`else`
			`false`
			`end`
			`end`

			`def registry`
			`Gitlab.config.registry`
			`end`
			`end`
			`end`