Class: Auth::ContainerRegistryAuthenticationService

Inherits:
BaseService
  • Object
Defined in:
app/services/auth/container_registry_authentication_service.rb

Constant Summary collapse

# Value written to the `audience` claim of every token built by .access_token.
AUDIENCE =
'container_registry'
# Container-image abilities, including the build_* variants used for CI builds.
# NOTE(review): presumably the allow-list that #execute's has_registry_ability?
# check compares the caller's authentication abilities against — that helper is
# not shown here, confirm in the source file. The list is frozen, so it cannot
# be extended at runtime.
REGISTRY_LOGIN_ABILITIES =
[
  :read_container_image,
  :create_container_image,
  :destroy_container_image,
  :update_container_image,
  :admin_container_image,
  :build_read_container_image,
  :build_create_container_image,
  :build_destroy_container_image
].freeze

Instance Attribute Summary

Attributes inherited from BaseService

#current_user, #params, #project

Class Method Summary collapse

Instance Method Summary collapse

Methods inherited from BaseService

#initialize

Methods included from BaseServiceUtility

#deny_visibility_level, #event_service, #log_error, #log_info, #notification_service, #system_hook_service, #todo_service, #visibility_level

Methods included from Gitlab::Allowable

#can?

Constructor Details

This class inherits a constructor from BaseService

Class Method Details

.access_token(actions, names) ⇒ Object


# File 'app/services/auth/container_registry_authentication_service.rb', line 39

# Builds and signs a registry token that grants the same +actions+ on every
# repository listed in +names+.
#
# The token is signed with the configured registry key and carries the
# configured issuer, the AUDIENCE constant and the expiry returned by
# .token_expire_at.
#
# No permission check happens in this method: whatever +actions+ and +names+
# it receives are signed as given, so the caller is responsible for having
# authorized the request first.
#
# @param actions [Array<String>] registry actions placed in each access entry
# @param names [Array] repository names; nested arrays are flattened
# @return [Object] the encoded token as returned by RSAToken#encoded
def self.access_token(actions, names)
  repository_names = names.flatten
  registry_settings = Gitlab.config.registry

  jwt = JSONWebToken::RSAToken.new(registry_settings.key)
  jwt.issuer = registry_settings.issuer
  jwt.audience = AUDIENCE
  jwt.expire_time = token_expire_at

  # One access entry per repository, all sharing the same action list.
  jwt[:access] = repository_names.map { |repository_name| { type: 'repository', name: repository_name, actions: actions } }

  jwt.encoded
end

.full_access_token(*names) ⇒ Object


# File 'app/services/auth/container_registry_authentication_service.rb', line 31

# Issues a token carrying the wildcard action ('*') for each named repository.
#
# This is the most privileged token this class can mint, and nothing here
# checks who is asking; reserve it for trusted, server-side callers.
#
# @param names [Array] repository names, passed through to .access_token
# @return [Object] the encoded token
def self.full_access_token(*names)
  wildcard_actions = ['*']
  access_token(wildcard_actions, names)
end

.pull_access_token(*names) ⇒ Object


# File 'app/services/auth/container_registry_authentication_service.rb', line 35

# Issues a token limited to the 'pull' action for each named repository.
#
# As with the other token builders, no permission check is made here; the
# caller decides whether the requester may read these repositories.
#
# @param names [Array] repository names, passed through to .access_token
# @return [Object] the encoded token
def self.pull_access_token(*names)
  pull_only = %w[pull]
  access_token(pull_only, names)
end

.token_expire_at ⇒ Object


# File 'app/services/auth/container_registry_authentication_service.rb', line 54

# Computes when a newly issued registry token stops being valid: the current
# time plus the `container_registry_token_expire_delay` setting, which is
# read as a number of minutes.
#
# The setting bounds how long a leaked token stays usable.
#
# @return [Object] the expiry timestamp (current time plus the delay)
def self.token_expire_at
  issued_at = Time.current
  delay_in_minutes = Gitlab::CurrentSettings.container_registry_token_expire_delay
  issued_at + delay_in_minutes.minutes
end

Instance Method Details

#execute(authentication_abilities:) ⇒ Object


# File 'app/services/auth/container_registry_authentication_service.rb', line 17

# Handles a registry token request and returns either an error or a token.
#
# Checks run in this order:
# 1. registry disabled -> 'UNAVAILABLE' / 404
# 2. has_registry_ability? false -> 'DENIED' / 403
# 3. no scopes, no current user and no project -> 'DENIED' / 403
#
# Both denials use the same code and message, so the response does not tell
# the client which check failed.
#
# NOTE(review): per-scope permission checks presumably happen inside `scopes`
# and `authorized_token`, which are not shown here — confirm before relying
# on this method as the only gate.
#
# @param authentication_abilities [Array<Symbol>] abilities granted by the
#   authentication step; stored in @authentication_abilities
# @return [Hash] `{ token: ... }` on success, otherwise the result of `error`
def execute(authentication_abilities:)
  @authentication_abilities = authentication_abilities

  unless registry.enabled
    return error('UNAVAILABLE', status: 404, message: 'registry not enabled')
  end

  unless has_registry_ability?
    return error('DENIED', status: 403, message: 'access forbidden')
  end

  # An anonymous request with no requested scope has nothing to be granted.
  requester_or_scope_present = scopes.any? || current_user || project
  return error('DENIED', status: 403, message: 'access forbidden') unless requester_or_scope_present

  encoded_token = authorized_token(*scopes).encoded
  { token: encoded_token }
end