authorGitLab Bot <gitlab-bot@gitlab.com>2021-08-19 12:08:42 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2021-08-19 12:08:42 +0300
commitb76ae638462ab0f673e5915986070518dd3f9ad3 (patch)
treebdab0533383b52873be0ec0eb4d3c66598ff8b91 /app/services/auth
parent434373eabe7b4be9593d18a585fb763f1e5f1a6f (diff)
Add latest changes from gitlab-org/gitlab@14-2-stable-eev14.2.0-rc42
Diffstat (limited to 'app/services/auth')
-rw-r--r--app/services/auth/container_registry_authentication_service.rb22
-rw-r--r--app/services/auth/dependency_proxy_authentication_service.rb20
2 files changed, 27 insertions, 15 deletions
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index d42dcb2fd00..a2683647c72 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -21,7 +21,7 @@ module Auth
return error('DENIED', status: 403, message: 'access forbidden') unless has_registry_ability?
- unless scopes.any? || current_user || project
+ unless scopes.any? || current_user || deploy_token || project
return error('DENIED', status: 403, message: 'access forbidden')
end
@@ -124,7 +124,6 @@ module Auth
end
def migration_eligible(project, actions)
- return unless actions.include?('push')
return unless Feature.enabled?(:container_registry_migration_phase1)
# The migration process will start by allowing only specific test and gitlab-org projects using the
@@ -178,8 +177,7 @@ module Auth
end
def can_user?(ability, project)
- user = current_user.is_a?(User) ? current_user : nil
- can?(user, ability, project)
+ can?(current_user, ability, project)
end
def build_can_pull?(requested_project)
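Review bot: `can_user?` now hands `current_user` straight to `can?`, dropping the `is_a?(User)` guard, which is only safe if every caller now delivers deploy tokens through `params[:deploy_token]` and never as `current_user`; the controllers that build this service are outside this diff, so that cannot be verified here. If any call site still passes a DeployToken as `current_user`, the policy check would now receive it instead of `nil`. Record the contract next to the method: `# current_user is a User or nil; deploy tokens are supplied separately via params[:deploy_token]`. `build_can_pull?` continues outside the hunk.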
@@ -202,16 +200,16 @@ module Auth
def deploy_token_can_pull?(requested_project)
has_authentication_ability?(:read_container_image) &&
- current_user.is_a?(DeployToken) &&
- current_user.has_access_to?(requested_project) &&
- current_user.read_registry?
+ deploy_token.present? &&
+ deploy_token.has_access_to?(requested_project) &&
+ deploy_token.read_registry?
end
def deploy_token_can_push?(requested_project)
has_authentication_ability?(:create_container_image) &&
- current_user.is_a?(DeployToken) &&
- current_user.has_access_to?(requested_project) &&
- current_user.write_registry?
+ deploy_token.present? &&
+ deploy_token.has_access_to?(requested_project) &&
+ deploy_token.write_registry?
end
##
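Review bot: `deploy_token.present?` in `deploy_token_can_pull?` and `deploy_token_can_push?` only establishes that a token object was supplied; nothing in these methods rules out a revoked or expired token, and `has_access_to?` / `read_registry?` / `write_registry?` as used here say nothing about that. If the caller does not already filter to live tokens before populating `params[:deploy_token]`, an expired token would still be granted registry access for the lifetime of the issued token. Either add the model's liveness check alongside `present?` or document at the `deploy_token` reader that the caller is responsible for it.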
@@ -250,6 +248,10 @@ module Auth
{}
end
+ def deploy_token
+ params[:deploy_token]
+ end
+
def log_if_actions_denied(type, requested_project, requested_actions, authorized_actions)
return if requested_actions == authorized_actions
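Review bot: the new `deploy_token` reader returns whatever the caller placed in `params[:deploy_token]` without checking its type, yet the methods above call `has_access_to?` and `read_registry?` on it, so a raw token string (or any non-model value) would surface as a NoMethodError rather than a 403. State the expectation on the method: `# Expects a DeployToken record (or nil) already resolved by the caller, never the raw token string.` `log_if_actions_denied` continues outside the hunk.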
diff --git a/app/services/auth/dependency_proxy_authentication_service.rb b/app/services/auth/dependency_proxy_authentication_service.rb
index fab42e0ebb6..164594d6f6c 100644
--- a/app/services/auth/dependency_proxy_authentication_service.rb
+++ b/app/services/auth/dependency_proxy_authentication_service.rb
@@ -8,10 +8,7 @@ module Auth
def execute(authentication_abilities:)
return error('dependency proxy not enabled', 404) unless ::Gitlab.config.dependency_proxy.enabled
-
- # Because app/controllers/concerns/dependency_proxy/auth.rb consumes this
- # JWT only as `User.find`, we currently only allow User (not DeployToken, etc)
- return error('access forbidden', 403) unless current_user.is_a?(User)
+ return error('access forbidden', 403) unless valid_user_actor?
{ token: authorized_token.encoded }
end
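Review bot: the deleted comment documented why only `User` was accepted here, namely that `app/controllers/concerns/dependency_proxy/auth.rb` consumes the JWT solely through `User.find`; the replacement `valid_user_actor?` admits deploy tokens but leaves no note that the consumer must now also handle the `deploy_token` claim, and that consumer change is not visible in a diff limited to `app/services/auth`. Keep the cross-reference so the coupling stays discoverable: `# The JWT consumer in app/controllers/concerns/dependency_proxy/auth.rb must accept both the user_id and deploy_token claims.` Note also that `valid_user_actor?` short-circuits on `current_user`, so when both a user and a deploy token are present the token is never validated here.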
@@ -36,11 +33,24 @@ module Auth
private
+ def valid_user_actor?
+ current_user || valid_deploy_token?
+ end
+
+ def valid_deploy_token?
+ deploy_token && deploy_token.valid_for_dependency_proxy?
+ end
+
def authorized_token
JSONWebToken::HMACToken.new(self.class.secret).tap do |token|
- token['user_id'] = current_user.id
+ token['user_id'] = current_user.id if current_user
+ token['deploy_token'] = deploy_token.token if deploy_token
token.expire_time = self.class.token_expire_at
end
end
+
+ def deploy_token
+ params[:deploy_token]
+ end
end
end
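Review bot: `token['deploy_token'] = deploy_token.token` in `authorized_token` places the deploy token's secret itself into the JWT, and an `HMACToken` is signed but not encrypted, so the claim is readable from the base64 payload. The JWT then travels as a bearer credential on every dependency-proxy request and into any request logging, so a leaked JWT is a leaked deploy token for the token's full lifetime rather than until `token_expire_at`. Since the signature already prevents tampering, an identifier the consumer can look up is sufficient, e.g. `token['deploy_token_id'] = deploy_token.id if deploy_token`, mirrored in the consumer I cannot see from here. When both `current_user` and `deploy_token` are present both claims are written, so the consumer also needs a documented precedence rule.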