Merge branch 'docker-registry-view' into 'master'

Add container registry support

Tasks:

- [x] Merge docker/distribution authentication service: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/3787
- [x] Implement Docker Registry API
- [x] Show a list of docker images in GitLab
- [x] Remove registry repository on project deletion
- [x] Support project rename, move and namespace rename
- [x] Use token when connecting the registry
- [x] Allow to delete images from GitLab
- [x] Support pushing from GitLab CI (gitlab-ci-token / $CI_BUILD_TOKEN)
- [x] Support GitLab Runner pulling for public repositories
- [ ] Support GitLab Runner pulling for private repositories
- [x] Add tests for Docker Registry API
- [x] Add tests for a views
- [x] Make texts nicer
- [x] Implement a backup support

- [ ] Create administration documentation https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/4141
- [ ] Create user documentation

See merge request !4040

12 files changed, 172 insertions, 4 deletions

diff --git a/app/controllers/projects/container_registry_controller.rb b/app/controllers/projects/container_registry_controller.rb
new file mode 100644
index 00000000000..d1f46497207
--- /dev/null
+++ b/app/controllers/projects/container_registry_controller.rb
@@ -0,0 +1,34 @@
+class Projects::ContainerRegistryController < Projects::ApplicationController
+  before_action :verify_registry_enabled
+  before_action :authorize_read_container_image!
+  before_action :authorize_update_container_image!, only: [:destroy]
+  layout 'project'
+
+  def index
+    @tags = container_registry_repository.tags
+  end
+
+  def destroy
+    url = namespace_project_container_registry_index_path(project.namespace, project)
+
+    if tag.delete
+      redirect_to url
+    else
+      redirect_to url, alert: 'Failed to remove tag'
+    end
+  end
+
+  private
+
+  def verify_registry_enabled
+    render_404 unless Gitlab.config.registry.enabled
+  end
+
+  def container_registry_repository
+    @container_registry_repository ||= project.container_registry_repository
+  end
+
+  def tag
+    @tag ||= container_registry_repository.tag(params[:id])
+  end
+end
diff --git a/app/helpers/gitlab_routing_helper.rb b/app/helpers/gitlab_routing_helper.rb
index f07eff3fb57..2ce2d4e694f 100644
--- a/app/helpers/gitlab_routing_helper.rb
+++ b/app/helpers/gitlab_routing_helper.rb
@@ -33,6 +33,10 @@ module GitlabRoutingHelper
     namespace_project_builds_path(project.namespace, project, *args)
   end
 
+  def project_container_registry_path(project, *args)
+    namespace_project_container_registry_index_path(project.namespace, project, *args)
+  end
+
   def activity_project_path(project, *args)
     activity_namespace_project_path(project.namespace, project, *args)
   end
diff --git a/app/helpers/projects_helper.rb b/app/helpers/projects_helper.rb
index e1ab78df69e..a140bbc3c67 100644
--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -152,6 +152,10 @@ module ProjectsHelper
       nav_tabs << :builds
     end
 
+    if Gitlab.config.registry.enabled && can?(current_user, :read_container_image, project)
+      nav_tabs << :container_registry
+    end
+
     if can?(current_user, :admin_project, project)
       nav_tabs << :settings
     end
diff --git a/app/models/namespace.rb b/app/models/namespace.rb
index 9c942a8f4e3..da19462f265 100644
--- a/app/models/namespace.rb
+++ b/app/models/namespace.rb
@@ -110,6 +110,10 @@ class Namespace < ActiveRecord::Base
     # Ensure old directory exists before moving it
     gitlab_shell.add_namespace(path_was)
 
+    if any_project_has_container_registry_tags?
+      raise Exception.new('Namespace cannot be moved, because at least one project has tags in container registry')
+    end
+
     if gitlab_shell.mv_namespace(path_was, path)
       Gitlab::UploadsTransfer.new.rename_namespace(path_was, path)
 
@@ -131,6 +135,10 @@ class Namespace < ActiveRecord::Base
     end
   end
 
+  def any_project_has_container_registry_tags?
+    projects.any?(&:has_container_registry_tags?)
+  end
+
   def send_update_instructions
     projects.each do |project|
       project.send_move_instructions("#{path_was}/#{project.path}")
diff --git a/app/models/project.rb b/app/models/project.rb
index b7ae34c95c6..2a6b0839b64 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -329,12 +329,30 @@ class Project < ActiveRecord::Base
     @repository ||= Repository.new(path_with_namespace, self)
   end
 
-  def container_registry_url
-    if container_registry_enabled? && Gitlab.config.registry.enabled
-      "#{Gitlab.config.registry.host_with_port}/#{path_with_namespace}"
+  def container_registry_repository
+    return unless Gitlab.config.registry.enabled
+
+    @container_registry_repository ||= begin
+      token = Auth::ContainerRegistryAuthenticationService.full_access_token(path_with_namespace)
+      url = Gitlab.config.registry.api_url
+      host_port = Gitlab.config.registry.host_port
+      registry = ContainerRegistry::Registry.new(url, token: token, path: host_port)
+      registry.repository(path_with_namespace)
     end
   end
 
+  def container_registry_repository_url
+    if Gitlab.config.registry.enabled
+      "#{Gitlab.config.registry.host_port}/#{path_with_namespace}"
+    end
+  end
+
+  def has_container_registry_tags?
+    return unless container_registry_repository
+
+    container_registry_repository.tags.any?
+  end
+
   def commit(id = 'HEAD')
     repository.commit(id)
   end
@@ -746,6 +764,11 @@ class Project < ActiveRecord::Base
 
     expire_caches_before_rename(old_path_with_namespace)
 
+    if has_container_registry_tags?
+      # we currently doesn't support renaming repository if it contains tags in container registry
+      raise Exception.new('Project cannot be renamed, because tags are present in its container registry')
+    end
+
     if gitlab_shell.mv_repository(old_path_with_namespace, new_path_with_namespace)
       # If repository moved successfully we need to send update instructions to users.
       # However we cannot allow rollback since we moved repository
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index b636f55d031..3144e96ba31 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -6,7 +6,7 @@ module Auth
       return error('not found', 404) unless registry.enabled
 
       if params[:offline_token]
-        return error('forbidden', 403) unless current_user
+        return error('unauthorized', 401) unless current_user
       else
         return error('forbidden', 403) unless scope
       end
@@ -14,6 +14,17 @@ module Auth
       { token: authorized_token(scope).encoded }
     end
 
+    def self.full_access_token(*names)
+      registry = Gitlab.config.registry
+      token = JSONWebToken::RSAToken.new(registry.key)
+      token.issuer = registry.issuer
+      token.audience = AUDIENCE
+      token[:access] = names.map do |name|
+        { type: 'repository', name: name, actions: %w(pull push) }
+      end
+      token.encoded
+    end
+
     private
 
     def authorized_token(*accesses)
diff --git a/app/services/projects/destroy_service.rb b/app/services/projects/destroy_service.rb
index 48a6131b444..f09072975c3 100644
--- a/app/services/projects/destroy_service.rb
+++ b/app/services/projects/destroy_service.rb
@@ -26,6 +26,10 @@ module Projects
       Project.transaction do
         project.destroy!
 
+        unless remove_registry_tags
+          raise_error('Failed to remove project container registry. Please try again or contact administrator')
+        end
+
         unless remove_repository(repo_path)
           raise_error('Failed to remove project repository. Please try again or contact administrator')
         end
@@ -59,6 +63,12 @@ module Projects
       end
     end
 
+    def remove_registry_tags
+      return true unless Gitlab.config.registry.enabled
+
+      project.container_registry_repository.delete_tags
+    end
+
     def raise_error(message)
       raise DestroyError.new(message)
     end
diff --git a/app/services/projects/transfer_service.rb b/app/services/projects/transfer_service.rb
index 111b3ec05ea..03b57dea51e 100644
--- a/app/services/projects/transfer_service.rb
+++ b/app/services/projects/transfer_service.rb
@@ -34,6 +34,11 @@ module Projects
           raise TransferError.new("Project with same path in target namespace already exists")
         end
 
+        if project.has_container_registry_tags?
+          # we currently doesn't support renaming repository if it contains tags in container registry
+          raise TransferError.new('Project cannot be transferred, because tags are present in its container registry')
+        end
+
         project.expire_caches_before_rename(old_path)
 
         # Apply new namespace id and visibility level
diff --git a/app/views/layouts/nav/_project.html.haml b/app/views/layouts/nav/_project.html.haml
index 479bde33719..d3d715aad3b 100644
--- a/app/views/layouts/nav/_project.html.haml
+++ b/app/views/layouts/nav/_project.html.haml
@@ -46,6 +46,13 @@
           Builds
           %span.count.builds_counter= number_with_delimiter(@project.builds.running_or_pending.count(:all))
 
+  - if project_nav_tab? :container_registry
+    = nav_link(controller: %w(container_registry)) do
+      = link_to project_container_registry_path(@project), title: 'Container Registry', class: 'shortcuts-container-registry' do
+        = icon('hdd-o fw')
+        %span
+          Container Registry
+
   - if project_nav_tab? :graphs
     = nav_link(controller: %w(graphs)) do
       = link_to namespace_project_graph_path(@project.namespace, @project, current_ref), title: 'Graphs',  class: 'shortcuts-graphs' do
diff --git a/app/views/projects/container_registry/_header_title.html.haml b/app/views/projects/container_registry/_header_title.html.haml
new file mode 100644
index 00000000000..f1863c52a3e
--- /dev/null
+++ b/app/views/projects/container_registry/_header_title.html.haml
@@ -0,0 +1 @@
+- header_title project_title(@project, "Container Registry", project_container_registry_path(@project))
diff --git a/app/views/projects/container_registry/_tag.html.haml b/app/views/projects/container_registry/_tag.html.haml
new file mode 100644
index 00000000000..4e9f936539b
--- /dev/null
+++ b/app/views/projects/container_registry/_tag.html.haml
@@ -0,0 +1,21 @@
+%tr.tag
+  %td
+    = escape_once(tag.name)
+    = clipboard_button(clipboard_text: "docker pull #{tag.path}")
+  %td
+    - if layer = tag.layers.first
+      %span.has-tooltip{ title: "#{layer.revision}" }
+        = layer.short_revision
+    - else
+      \-
+  %td
+    = number_to_human_size(tag.total_size)
+    &middot;
+    = pluralize(tag.layers.size, "layer")
+  %td
+    = time_ago_in_words(tag.created_at)
+  - if can?(current_user, :update_container_image, @project)
+    %td.content
+      .controls.hidden-xs.pull-right
+        = link_to namespace_project_container_registry_path(@project.namespace, @project, tag.name), class: 'btn btn-remove has-tooltip', title: "Remove", data: { confirm: "Are you sure?" }, method: :delete do
+          = icon("trash cred")
diff --git a/app/views/projects/container_registry/index.html.haml b/app/views/projects/container_registry/index.html.haml
new file mode 100644
index 00000000000..40957993b22
--- /dev/null
+++ b/app/views/projects/container_registry/index.html.haml
@@ -0,0 +1,40 @@
+- page_title "Container Registry"
+= render "header_title"
+
+%hr
+
+%ul.content-list
+  .light.prepend-top-default
+    %p
+      A 'container image' is a snapshot of a container.
+      You can host your container images with GitLab.
+      %br
+      To start using container images hosted on GitLab you first need to login:
+      %pre
+        %code
+          docker login #{Gitlab.config.registry.host_port}
+      %br
+      Then you are free to create and upload a container image with build and push commands:
+      %pre
+        docker build -t #{escape_once(@project.container_registry_repository_url)} .
+        %br
+        docker push #{escape_once(@project.container_registry_repository_url)}
+
+  - if @tags.blank?
+    %li
+      .nothing-here-block No images in Container Registry for this project.
+
+  - else
+    .table-holder
+      %table.table.tags
+        %thead
+          %tr
+            %th Name
+            %th Image ID
+            %th Size
+            %th Created
+            - if can?(current_user, :update_container_image, @project)
+              %th
+
+        - @tags.each do |tag|
+          = render 'tag', tag: tag
\ No newline at end of file