Diffstat (limited to 'app/services/auth')
-rw-r--r-- | app/services/auth/container_registry_authentication_service.rb | 22 | ||||
-rw-r--r-- | app/services/auth/dependency_proxy_authentication_service.rb | 20 |
2 files changed, 27 insertions, 15 deletions
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb index d42dcb2fd00..a2683647c72 100644 --- a/app/services/auth/container_registry_authentication_service.rb +++ b/app/services/auth/container_registry_authentication_service.rb @@ -21,7 +21,7 @@ module Auth return error('DENIED', status: 403, message: 'access forbidden') unless has_registry_ability? - unless scopes.any? || current_user || project + unless scopes.any? || current_user || deploy_token || project return error('DENIED', status: 403, message: 'access forbidden') end @@ -124,7 +124,6 @@ module Auth end def migration_eligible(project, actions) - return unless actions.include?('push') return unless Feature.enabled?(:container_registry_migration_phase1) # The migration process will start by allowing only specific test and gitlab-org projects using the @@ -178,8 +177,7 @@ module Auth end def can_user?(ability, project) - user = current_user.is_a?(User) ? current_user : nil - can?(user, ability, project) + can?(current_user, ability, project) end def build_can_pull?(requested_project) @@ -202,16 +200,16 @@ module Auth def deploy_token_can_pull?(requested_project) has_authentication_ability?(:read_container_image) && - current_user.is_a?(DeployToken) && - current_user.has_access_to?(requested_project) && - current_user.read_registry? + deploy_token.present? && + deploy_token.has_access_to?(requested_project) && + deploy_token.read_registry? end def deploy_token_can_push?(requested_project) has_authentication_ability?(:create_container_image) && - current_user.is_a?(DeployToken) && - current_user.has_access_to?(requested_project) && - current_user.write_registry? + deploy_token.present? && + deploy_token.has_access_to?(requested_project) && + deploy_token.write_registry? end ## 
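Review bot: Removing `return unless actions.include?('push')` from `migration_eligible` is a behaviour change unrelated to the deploy-token refactor and nothing in the hunk explains it: pull-only requests now reach the feature-flag and project checks that follow. If that is intended, a one-line comment under `def migration_eligible(project, actions)` such as `# Eligibility no longer depends on the requested actions; pull and push are treated alike` would stop the next reader from treating it as a lost guard, and it may be cleaner to land it as its own commit. The body of `migration_eligible` continues past the end of the hunk.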
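Review bot: `can_user?` now hands `current_user` straight to `can?`, so the `is_a?(User)` guard that used to map a DeployToken to `nil` is gone; this is only correct if every caller now supplies deploy tokens through `params[:deploy_token]` and never as `current_user`, which the diff cannot show. The same reliance appears in `deploy_token_can_pull?` and `deploy_token_can_push?`, which replaced `current_user.is_a?(DeployToken)` with `deploy_token.present?` and therefore no longer check the type of the object at all. A comment above the `can?` call would pin the contract, e.g. `# current_user is a User or nil here; a DeployToken arrives separately via params[:deploy_token]`, and a `deploy_token.is_a?(DeployToken)` check in the two pull/push predicates would restore the defense-in-depth the old guards provided.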
@@ -250,6 +248,10 @@ module Auth {} end + def deploy_token + params[:deploy_token] + end + def log_if_actions_denied(type, requested_project, requested_actions, authorized_actions) return if requested_actions == authorized_actions diff --git a/app/services/auth/dependency_proxy_authentication_service.rb b/app/services/auth/dependency_proxy_authentication_service.rb index fab42e0ebb6..164594d6f6c 100644 --- a/app/services/auth/dependency_proxy_authentication_service.rb +++ b/app/services/auth/dependency_proxy_authentication_service.rb @@ -8,10 +8,7 @@ module Auth def execute(authentication_abilities:) return error('dependency proxy not enabled', 404) unless ::Gitlab.config.dependency_proxy.enabled - - # Because app/controllers/concerns/dependency_proxy/auth.rb consumes this - # JWT only as `User.find`, we currently only allow User (not DeployToken, etc) - return error('access forbidden', 403) unless current_user.is_a?(User) + return error('access forbidden', 403) unless valid_user_actor? { token: authorized_token.encoded } end @@ -36,11 +33,24 @@ module Auth private + def valid_user_actor? + current_user || valid_deploy_token? + end + + def valid_deploy_token? + deploy_token && deploy_token.valid_for_dependency_proxy? + end + def authorized_token JSONWebToken::HMACToken.new(self.class.secret).tap do |token| - token['user_id'] = current_user.id + token['user_id'] = current_user.id if current_user + token['deploy_token'] = deploy_token.token if deploy_token token.expire_time = self.class.token_expire_at end end + + def deploy_token + params[:deploy_token] + end end end |
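Review bot: The new private `deploy_token` accessor is just `params[:deploy_token]`, and the dependency-proxy service in this same diff adds an identical one, so the reader of that parameter is now duplicated; if the two services share a base class (not visible here) the accessor belongs there. Wherever it lives, it deserves a one-line comment stating what the service assumes about the value, e.g. `# DeployToken supplied by the caller after authentication; nil when the request carries none`, because nothing in this service validates the object beyond `present?` before calling `has_access_to?` and `read_registry?`/`write_registry?` on it.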
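Review bot: The deleted comment justified the User-only restriction by the fact that the JWT consumer in app/controllers/concerns/dependency_proxy/auth.rb resolves the token with `User.find`; the new `valid_user_actor?` admits deploy tokens, so that consumer must now understand the `deploy_token` claim as well, and a diffstat limited to app/services/auth cannot show whether it was updated in the same commit. Rather than dropping the comment, replace it with the new contract, e.g. `# The JWT consumer must accept either a user_id or a deploy_token claim (see dependency_proxy/auth.rb)`, so the coupling stays documented on the producing side.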
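Review bot: `authorized_token` writes `deploy_token.token` into the JWT; an HMAC token is signed, not encrypted, so if `DeployToken#token` is the secret the client presents (as the name suggests), a long-lived credential now travels inside a short-lived bearer token and is readable by anything that sees the JWT. Carrying an identifier instead, `token['deploy_token'] = deploy_token.id if deploy_token`, and resolving the record on the consumer side keeps the secret out of the payload, at the cost of a matching lookup change in the consumer. Separately, when both `current_user` and `deploy_token` are present the token receives both claims with no stated precedence, which is worth a comment or an explicit choice, and `valid_deploy_token?` could read `deploy_token&.valid_for_dependency_proxy?`.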