Merge branch 'docker-registry' into 'master'

Added authentication service for docker registry

This adds a simple authentication service for docker which uses current user credentials to authenticate pulls and pushes.

I have only one concern. Since the `.docker/config` is unencrypted, thus the password for user stored there is unencrypted, maybe we should from the start implement function to generate/provide a separate password just for the purposes of accessing docker registry?

What do you think @jacobvosmaer @sytses @marin?

cc @marin 

See merge request !3787

4 files changed, 95 insertions, 1 deletions

diff --git a/lib/api/entities.rb b/lib/api/entities.rb
index 93a5798e21e..dbd03ea74fa 100644
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -66,7 +66,8 @@ module API
       expose :owner, using: Entities::UserBasic, unless: ->(project, options) { project.group }
       expose :name, :name_with_namespace
       expose :path, :path_with_namespace
-      expose :issues_enabled, :merge_requests_enabled, :wiki_enabled, :builds_enabled, :snippets_enabled, :created_at, :last_activity_at
+      expose :issues_enabled, :merge_requests_enabled, :wiki_enabled, :builds_enabled, :snippets_enabled, :container_registry_enabled
+      expose :created_at, :last_activity_at
       expose :shared_runners_enabled
       expose :creator_id
       expose :namespace
diff --git a/lib/api/projects.rb b/lib/api/projects.rb
index 9b595772675..5a22d14988f 100644
--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
@@ -94,6 +94,7 @@ module API
       #   builds_enabled (optional)
       #   wiki_enabled (optional)
       #   snippets_enabled (optional)
+      #   container_registry_enabled (optional)
       #   shared_runners_enabled (optional)
       #   namespace_id (optional) - defaults to user namespace
       #   public (optional) - if true same as setting visibility_level = 20
@@ -112,6 +113,7 @@ module API
                                      :builds_enabled,
                                      :wiki_enabled,
                                      :snippets_enabled,
+                                     :container_registry_enabled,
                                      :shared_runners_enabled,
                                      :namespace_id,
                                      :public,
@@ -143,6 +145,7 @@ module API
       #   builds_enabled (optional)
       #   wiki_enabled (optional)
       #   snippets_enabled (optional)
+      #   container_registry_enabled (optional)
       #   shared_runners_enabled (optional)
       #   public (optional) - if true same as setting visibility_level = 20
       #   visibility_level (optional)
@@ -206,6 +209,7 @@ module API
       #   builds_enabled (optional)
       #   wiki_enabled (optional)
       #   snippets_enabled (optional)
+      #   container_registry_enabled (optional)
       #   shared_runners_enabled (optional)
       #   public (optional) - if true same as setting visibility_level = 20
       #   visibility_level (optional) - visibility level of a project
@@ -222,6 +226,7 @@ module API
                                      :builds_enabled,
                                      :wiki_enabled,
                                      :snippets_enabled,
+                                     :container_registry_enabled,
                                      :shared_runners_enabled,
                                      :public,
                                      :visibility_level,
diff --git a/lib/json_web_token/rsa_token.rb b/lib/json_web_token/rsa_token.rb
new file mode 100644
index 00000000000..d6d6af7089c
--- /dev/null
+++ b/lib/json_web_token/rsa_token.rb
@@ -0,0 +1,42 @@
+module JSONWebToken
+  class RSAToken < Token
+    attr_reader :key_file
+
+    def initialize(key_file)
+      super()
+      @key_file = key_file
+    end
+
+    def encoded
+      headers = {
+        kid: kid
+      }
+      JWT.encode(payload, key, 'RS256', headers)
+    end
+
+    private
+
+    def key_data
+      @key_data ||= File.read(key_file)
+    end
+
+    def key
+      @key ||= OpenSSL::PKey::RSA.new(key_data)
+    end
+
+    def public_key
+      key.public_key
+    end
+
+    def kid
+      # calculate sha256 from DER encoded ASN1
+      kid = Digest::SHA256.digest(public_key.to_der)
+
+      # we encode only 30 bytes with base32
+      kid = Base32.encode(kid[0..29])
+
+      # insert colon every 4 characters
+      kid.scan(/.{4}/).join(':')
+    end
+  end
+end
diff --git a/lib/json_web_token/token.rb b/lib/json_web_token/token.rb
new file mode 100644
index 00000000000..5b67715b0b2
--- /dev/null
+++ b/lib/json_web_token/token.rb
@@ -0,0 +1,46 @@
+module JSONWebToken
+  class Token
+    attr_accessor :issuer, :subject, :audience, :id
+    attr_accessor :issued_at, :not_before, :expire_time
+
+    def initialize
+      @id = SecureRandom.uuid
+      @issued_at = Time.now
+      # we give a few seconds for time shift
+      @not_before = issued_at - 5.seconds
+      # default 60 seconds should be more than enough for this authentication token
+      @expire_time = issued_at + 1.minute
+      @custom_payload = {}
+    end
+
+    def [](key)
+      @custom_payload[key]
+    end
+
+    def []=(key, value)
+      @custom_payload[key] = value
+    end
+
+    def encoded
+      raise NotImplementedError
+    end
+
+    def payload
+      @custom_payload.merge(default_payload)
+    end
+
+    private
+
+    def default_payload
+      {
+        jti: id,
+        aud: audience,
+        sub: subject,
+        iss: issuer,
+        iat: issued_at.to_i,
+        nbf: not_before.to_i,
+        exp: expire_time.to_i
+      }.compact
+    end
+  end
+end