debian-mirror-gitlab/app/services/auth/container_registry_authentication_service.rb

153 lines
4.5 KiB
Ruby
Raw Normal View History

2016-06-02 11:05:42 +05:30
module Auth
class ContainerRegistryAuthenticationService < BaseService
include Gitlab::CurrentSettings
2017-08-17 22:00:37 +05:30
AUDIENCE = 'container_registry'.freeze
2016-06-02 11:05:42 +05:30
2016-09-29 09:46:39 +05:30
def execute(authentication_abilities:)
@authentication_abilities = authentication_abilities
2016-10-01 15:18:49 +05:30
return error('UNAVAILABLE', status: 404, message: 'registry not enabled') unless registry.enabled
2016-06-02 11:05:42 +05:30
2016-11-24 13:41:30 +05:30
unless scope || current_user || project
return error('DENIED', status: 403, message: 'access forbidden')
2016-06-02 11:05:42 +05:30
end
{ token: authorized_token(scope).encoded }
end
def self.full_access_token(*names)
2017-08-17 22:00:37 +05:30
names = names.flatten
2016-06-02 11:05:42 +05:30
registry = Gitlab.config.registry
token = JSONWebToken::RSAToken.new(registry.key)
token.issuer = registry.issuer
token.audience = AUDIENCE
token.expire_time = token_expire_at
2016-08-24 12:49:21 +05:30
2016-06-02 11:05:42 +05:30
token[:access] = names.map do |name|
{ type: 'repository', name: name, actions: %w(*) }
end
2016-09-13 17:45:13 +05:30
2016-06-02 11:05:42 +05:30
token.encoded
end
2016-09-13 17:45:13 +05:30
def self.token_expire_at
Time.now + current_application_settings.container_registry_token_expire_delay.minutes
end
2016-06-02 11:05:42 +05:30
private
def authorized_token(*accesses)
2017-08-17 22:00:37 +05:30
JSONWebToken::RSAToken.new(registry.key).tap do |token|
token.issuer = registry.issuer
token.audience = params[:service]
token.subject = current_user.try(:username)
token.expire_time = self.class.token_expire_at
token[:access] = accesses.compact
end
2016-06-02 11:05:42 +05:30
end
def scope
return unless params[:scope]
@scope ||= process_scope(params[:scope])
end
def process_scope(scope)
type, name, actions = scope.split(':', 3)
actions = actions.split(',')
2017-08-17 22:00:37 +05:30
path = ContainerRegistry::Path.new(name)
2016-06-02 11:05:42 +05:30
return unless type == 'repository'
2017-08-17 22:00:37 +05:30
process_repository_access(type, path, actions)
2016-06-02 11:05:42 +05:30
end
2017-08-17 22:00:37 +05:30
def process_repository_access(type, path, actions)
return unless path.valid?
requested_project = path.repository_project
2016-06-02 11:05:42 +05:30
return unless requested_project
actions = actions.select do |action|
can_access?(requested_project, action)
end
2017-08-17 22:00:37 +05:30
return unless actions.present?
# At this point user/build is already authenticated.
#
ensure_container_repository!(path, actions)
{ type: type, name: path.to_s, actions: actions }
end
##
# Because we do not have two way communication with registry yet,
# we create a container repository image resource when push to the
# registry is successfuly authorized.
#
def ensure_container_repository!(path, actions)
return if path.has_repository?
return unless actions.include?('push')
ContainerRepository.create_from_path!(path)
2016-06-02 11:05:42 +05:30
end
def can_access?(requested_project, requested_action)
return false unless requested_project.container_registry_enabled?
case requested_action
when 'pull'
2016-11-24 13:41:30 +05:30
build_can_pull?(requested_project) || user_can_pull?(requested_project)
2016-06-02 11:05:42 +05:30
when 'push'
2016-09-29 09:46:39 +05:30
build_can_push?(requested_project) || user_can_push?(requested_project)
2016-06-02 11:05:42 +05:30
else
false
end
end
def registry
Gitlab.config.registry
end
2016-09-29 09:46:39 +05:30
def build_can_pull?(requested_project)
# Build can:
# 1. pull from its own project (for ex. a build)
# 2. read images from dependent projects if creator of build is a team member
2016-11-24 13:41:30 +05:30
has_authentication_ability?(:build_read_container_image) &&
2016-09-29 09:46:39 +05:30
(requested_project == project || can?(current_user, :build_read_container_image, requested_project))
end
def user_can_pull?(requested_project)
2016-11-24 13:41:30 +05:30
has_authentication_ability?(:read_container_image) &&
2016-09-29 09:46:39 +05:30
can?(current_user, :read_container_image, requested_project)
end
2017-08-17 22:00:37 +05:30
##
# We still support legacy pipeline triggers which do not have associated
# actor. New permissions model and new triggers are always associated with
# an actor, so this should be improved in 10.0 version of GitLab.
#
2016-09-29 09:46:39 +05:30
def build_can_push?(requested_project)
# Build can push only to the project from which it originates
2016-11-24 13:41:30 +05:30
has_authentication_ability?(:build_create_container_image) &&
2016-09-29 09:46:39 +05:30
requested_project == project
end
def user_can_push?(requested_project)
2016-11-24 13:41:30 +05:30
has_authentication_ability?(:create_container_image) &&
2016-09-29 09:46:39 +05:30
can?(current_user, :create_container_image, requested_project)
end
2016-10-01 15:18:49 +05:30
def error(code, status:, message: '')
2017-08-17 22:00:37 +05:30
{ errors: [{ code: code, message: message }], http_status: status }
2016-10-01 15:18:49 +05:30
end
2016-11-24 13:41:30 +05:30
def has_authentication_ability?(capability)
2017-08-17 22:00:37 +05:30
@authentication_abilities.to_a.include?(capability)
2016-11-24 13:41:30 +05:30
end
2016-06-02 11:05:42 +05:30
end
end