Merge branch 'unauthenticated-container-registry-access' into 'security'

Restore unauthenticated access to public container registries Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/24284 See merge request !2025 Signed-off-by: Rémy Coutable <remy@rymai.me>
author: Alejandro Rodriguez <alejandro@gitlab.com> 2016-11-08 21:37:15 +0300
committer: Rémy Coutable <remy@rymai.me> 2016-11-09 14:28:29 +0300
commit: 32042ef56adfa24ce5952c6f3b7dc97dea5fd2d4 (patch)
tree: 92b450e0e40160dd1e73be536e8be87129b882f2 /app/services/auth
parent: b0088b527eacd16773a85ad8f88e49de7c646cf1 (diff)
1 files changed, 10 insertions, 6 deletions
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index 3fc1c70be75..c00c5aebf57 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -9,8 +9,8 @@ module Auth
 
       return error('UNAVAILABLE', status: 404, message: 'registry not enabled') unless registry.enabled
 
-      unless current_user || project
-        return error('DENIED', status: 403, message: 'access forbidden') unless scope
+      unless scope || current_user || project
+        return error('DENIED', status: 403, message: 'access forbidden')
       end
 
       { token: authorized_token(scope).encoded }
@@ -92,23 +92,23 @@ module Auth
       # Build can:
       # 1. pull from its own project (for ex. a build)
       # 2. read images from dependent projects if creator of build is a team member
-      @authentication_abilities.include?(:build_read_container_image) &&
+      has_authentication_ability?(:build_read_container_image) &&
         (requested_project == project || can?(current_user, :build_read_container_image, requested_project))
     end
 
     def user_can_pull?(requested_project)
-      @authentication_abilities.include?(:read_container_image) &&
+      has_authentication_ability?(:read_container_image) &&
         can?(current_user, :read_container_image, requested_project)
     end
 
     def build_can_push?(requested_project)
       # Build can push only to the project from which it originates
-      @authentication_abilities.include?(:build_create_container_image) &&
+      has_authentication_ability?(:build_create_container_image) &&
         requested_project == project
     end
 
     def user_can_push?(requested_project)
-      @authentication_abilities.include?(:create_container_image) &&
+      has_authentication_ability?(:create_container_image) &&
         can?(current_user, :create_container_image, requested_project)
     end
 
@@ -118,5 +118,9 @@ module Auth
         http_status: status
       }
     end
+
+    def has_authentication_ability?(capability)
+      (@authentication_abilities || []).include?(capability)
+    end
   end
 end
author	Alejandro Rodriguez <alejandro@gitlab.com>	2016-11-08 21:37:15 +0300
committer	Rémy Coutable <remy@rymai.me>	2016-11-09 14:28:29 +0300
commit	32042ef56adfa24ce5952c6f3b7dc97dea5fd2d4 (patch)
tree	92b450e0e40160dd1e73be536e8be87129b882f2 /app/services/auth
parent	b0088b527eacd16773a85ad8f88e49de7c646cf1 (diff)