Class: Auth::ContainerRegistryAuthenticationService

Inherits:
BaseService
  • Object
show all
Defined in:
app/services/auth/container_registry_authentication_service.rb

Constant Summary collapse

AUDIENCE =
'container_registry'
REGISTRY_LOGIN_ABILITIES =
[
  :read_container_image,
  :create_container_image,
  :destroy_container_image,
  :update_container_image,
  :admin_container_image,
  :build_read_container_image,
  :build_create_container_image,
  :build_destroy_container_image
].freeze

Instance Attribute Summary

Attributes inherited from BaseService

#current_user, #params, #project

Class Method Summary collapse

Instance Method Summary collapse

Methods inherited from BaseService

#initialize

Methods included from BaseServiceUtility

#deny_visibility_level, #event_service, #log_error, #log_info, #notification_service, #system_hook_service, #todo_service, #visibility_level

Methods included from Gitlab::Allowable

#can?, #can_all?, #can_any?

Constructor Details

This class inherits a constructor from BaseService

Class Method Details

.access_metadata(project: nil, path: nil, use_key_as_project_path: false) ⇒ Object



102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
# File 'app/services/auth/container_registry_authentication_service.rb', line 102

def self.(project: nil, path: nil, use_key_as_project_path: false)
  return { project_path: path.chomp('/*').downcase } if use_key_as_project_path

  # If the project is not given, try to infer it from the provided path
  if project.nil?
    return if path.nil? # If no path is given, return early
    return if path == 'import' # Ignore the special 'import' path

    # If the path ends with '/*', remove it so we can parse the actual repository path
    path = path.chomp('/*')

    # Parse the repository project from the path
    begin
      project = ContainerRegistry::Path.new(path).repository_project
    rescue ContainerRegistry::Path::InvalidRegistryPathError
      # If the path is invalid, gracefully handle the error
      return
    end
  end

  {
    project_path: project&.full_path&.downcase,
    project_id: project&.id,
    root_namespace_id: project&.root_ancestor&.id
  }
end

.access_token(names_and_actions, type = 'repository', use_key_as_project_path: false) ⇒ Object



79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
# File 'app/services/auth/container_registry_authentication_service.rb', line 79

def self.access_token(names_and_actions, type = 'repository', use_key_as_project_path: false)
  registry = Gitlab.config.registry
  token = JSONWebToken::RSAToken.new(registry.key)
  token.issuer = registry.issuer
  token.audience = AUDIENCE
  token.expire_time = token_expire_at

  token[:access] = names_and_actions.map do |name, actions|
    {
      type: type,
      name: name,
      actions: actions,
      meta: (path: name, use_key_as_project_path: use_key_as_project_path)
    }.compact
  end

  token.encoded
end

.full_access_token(*names) ⇒ Object



35
36
37
38
# File 'app/services/auth/container_registry_authentication_service.rb', line 35

def self.full_access_token(*names)
  names_and_actions = names.index_with { %w[*] }
  access_token(names_and_actions)
end

.pull_access_token(*names) ⇒ Object



40
41
42
43
# File 'app/services/auth/container_registry_authentication_service.rb', line 40

def self.pull_access_token(*names)
  names_and_actions = names.index_with { %w[pull] }
  access_token(names_and_actions)
end

.pull_nested_repositories_access_token(name) ⇒ Object



45
46
47
48
49
50
51
52
# File 'app/services/auth/container_registry_authentication_service.rb', line 45

def self.pull_nested_repositories_access_token(name)
  name = name.chomp('/')

  access_token({
    name => %w[pull],
    "#{name}/*" => %w[pull]
  })
end

.push_pull_move_repositories_access_token(name, new_namespace) ⇒ Object



66
67
68
69
70
71
72
73
74
75
76
77
# File 'app/services/auth/container_registry_authentication_service.rb', line 66

def self.push_pull_move_repositories_access_token(name, new_namespace)
  name = name.chomp('/')

  access_token(
    {
      name => %w[pull push],
      "#{name}/*" => %w[pull],
      "#{new_namespace}/*" => %w[push]
    },
    use_key_as_project_path: true
  )
end

.push_pull_nested_repositories_access_token(name) ⇒ Object



54
55
56
57
58
59
60
61
62
63
64
# File 'app/services/auth/container_registry_authentication_service.rb', line 54

def self.push_pull_nested_repositories_access_token(name)
  name = name.chomp('/')

  access_token(
    {
      name => %w[pull push],
      "#{name}/*" => %w[pull]
    },
    use_key_as_project_path: true
  )
end

.token_expire_atObject



98
99
100
# File 'app/services/auth/container_registry_authentication_service.rb', line 98

def self.token_expire_at
  Time.current + Gitlab::CurrentSettings.container_registry_token_expire_delay.minutes
end

Instance Method Details

#execute(authentication_abilities:) ⇒ Object



17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
# File 'app/services/auth/container_registry_authentication_service.rb', line 17

def execute(authentication_abilities:)
  @authentication_abilities = authentication_abilities

  return error('UNAVAILABLE', status: 404, message: 'registry not enabled') unless registry.enabled

  return error('DENIED', status: 403, message: 'access forbidden') unless has_registry_ability?

  unless scopes.any? || current_user || deploy_token || project
    return error('DENIED', status: 403, message: 'access forbidden')
  end

  if repository_path_push_protected?
    return error('DENIED', status: 403, message: 'Pushing to protected repository path forbidden')
  end

  { token: authorized_token(*scopes).encoded }
end