Class: Auth::ContainerRegistryAuthenticationService
- Inherits:
-
BaseService
- Object
- BaseService
- Auth::ContainerRegistryAuthenticationService
- Defined in:
- app/services/auth/container_registry_authentication_service.rb
Constant Summary
- AUDIENCE =
'container_registry'
- REGISTRY_LOGIN_ABILITIES =
[
:read_container_image,
:create_container_image,
:destroy_container_image,
:update_container_image,
:admin_container_image,
:build_read_container_image,
:build_create_container_image,
:build_destroy_container_image
].freeze
- FORBIDDEN_IMPORTING_SCOPES =
%w[push delete *].freeze
- ActiveImportError =
Class.new(StandardError)
Instance Attribute Summary
Attributes inherited from BaseService
#current_user, #params, #project
Class Method Summary
Instance Method Summary
Methods inherited from BaseService
#initialize
#deny_visibility_level, #event_service, #log_error, #log_info, #notification_service, #system_hook_service, #todo_service, #visibility_level
#can?
Constructor Details
This class inherits a constructor from BaseService
Class Method Details
# File 'app/services/auth/container_registry_authentication_service.rb', line 83
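# Builds the +meta+ entry attached to a single access grant in a registry token.
#
# When no project is passed, the project is resolved from the repository path.
# The two guard clauses below were fused onto one line in the listing; they are
# separate early returns.
#
# @param project [#full_path, nil] project the grant belongs to; looked up from +path+ when nil
# @param path [String, nil] requested repository path, possibly ending in "/*"
# @return [Hash, nil] +{ project_path: ... }+ holding the project's lower-cased full path,
#   or nil when there is no path, the path is 'import', or the path is not a valid
#   registry path
def self.access_metadata(project: nil, path: nil)
  if project.nil?
    return if path.nil?
    # 'import' is the name import_access_token passes for registry-level tokens,
    # so there is no repository path to resolve.
    return if path == 'import'

    # pull_nested_repositories_access_token requests "<name>/*"; strip that suffix
    # so the remaining path can be resolved.
    path = path.chomp('/*')

    begin
      project = ContainerRegistry::Path.new(path).repository_project
    rescue ContainerRegistry::Path::InvalidRegistryPathError
      return
    end
  end

  # NOTE(review): if the lookup yields no project this returns { project_path: nil },
  # which the +compact+ in access_token does not drop. Consumers of the token should
  # treat a nil project_path as "no project", never as a match.
  { project_path: project&.full_path&.downcase }
end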
.access_token(actions, names, type = 'repository') ⇒ Object
# File 'app/services/auth/container_registry_authentication_service.rb', line 59
# Issues an encoded registry token granting +actions+ on every entry in +names+.
#
# No permission check happens in this method: the actions and names passed in are
# copied straight into the token's +access+ claim, so authorization must already
# have been decided by the caller.
#
# @param actions [Array<String>] registry actions to grant (this class passes 'pull' or '*')
# @param names [Array] repository names; nested arrays are flattened
# @param type [String] resource type recorded on each access entry
# @return [Object] the result of +JSONWebToken::RSAToken#encoded+
#   (presumably the serialized JWT; confirm against that class)
def self.access_token(actions, names, type = 'repository')
  repository_names = names.flatten
  registry_config = Gitlab.config.registry

  jwt = JSONWebToken::RSAToken.new(registry_config.key)
  jwt.issuer = registry_config.issuer
  jwt.audience = AUDIENCE
  # Lifetime comes from token_expire_at, so every token issued here is time-limited.
  jwt.expire_time = token_expire_at

  jwt[:access] = repository_names.map do |repository_name|
    grant = {
      type: type,
      name: repository_name,
      actions: actions,
      meta: access_metadata(path: repository_name)
    }
    # compact drops the :meta key when access_metadata returned nil.
    grant.compact
  end

  jwt.encoded
end
.full_access_token(*names) ⇒ Object
# File 'app/services/auth/container_registry_authentication_service.rb', line 41
# Issues a repository token carrying the '*' action for each given name.
#
# '*' is the broadest action value this class passes to access_token, and no
# permission check is made here, so callers must already be authorized.
#
# @param names [Array<String>] repository names to cover
# @return [Object] the encoded token returned by access_token
def self.full_access_token(*names)
  every_action = %w[*]
  access_token(every_action, names)
end
.import_access_token ⇒ Object
# File 'app/services/auth/container_registry_authentication_service.rb', line 45
# Issues a token of type 'registry' with the '*' action on the fixed name 'import'.
#
# access_metadata returns nil for the name 'import', so the resulting access
# entry carries no +meta+ key.
#
# @return [Object] the encoded token returned by access_token
def self.import_access_token
  import_names = ['import']
  access_token(%w[*], import_names, 'registry')
end
.pull_access_token(*names) ⇒ Object
# File 'app/services/auth/container_registry_authentication_service.rb', line 49
# Issues a repository token limited to the 'pull' action for each given name.
#
# @param names [Array<String>] repository names to cover
# @return [Object] the encoded token returned by access_token
def self.pull_access_token(*names)
  pull_only = ['pull']
  access_token(pull_only, names)
end
.pull_nested_repositories_access_token(name) ⇒ Object
# File 'app/services/auth/container_registry_authentication_service.rb', line 53
# Issues a 'pull'-only token for a path and for everything nested below it.
#
# The token covers two names: the path itself and "<path>/*". Only a single
# trailing slash is removed from +name+ before the names are built.
#
# @param name [String] base repository path, with or without a trailing "/"
# @return [Object] the encoded token returned by access_token
def self.pull_nested_repositories_access_token(name)
  base_path = name.end_with?('/') ? name.chomp('/') : name
  access_token(['pull'], [base_path, "#{base_path}/*"])
end
.token_expire_at ⇒ Object
# File 'app/services/auth/container_registry_authentication_service.rb', line 79
# Computes the expiry timestamp for a newly issued registry token.
#
# The lifetime is read from the +container_registry_token_expire_delay+ setting,
# interpreted in minutes, and added to the current time.
#
# @return [Object] the current time plus the configured delay
def self.token_expire_at
  issued_at = Time.current
  lifetime = Gitlab::CurrentSettings.container_registry_token_expire_delay.minutes
  issued_at + lifetime
end
Instance Method Details
#execute(authentication_abilities:) ⇒ Object
# File 'app/services/auth/container_registry_authentication_service.rb', line 21
# Handles a registry token request and returns either a token or an error result.
#
# Checks run in this order, and the first failing one decides the response:
# 1. registry disabled                                   -> 'UNAVAILABLE' / 404
# 2. has_registry_ability? is false                      -> 'DENIED' / 403
# 3. no scopes and no current user, deploy token or project -> 'DENIED' / 403
# Otherwise a token is built for the requested scopes.
#
# ActiveImportError raised anywhere in the method body is turned into a
# 'DENIED' / 403 result with a migration notice.
#
# @param authentication_abilities [Object] stored in @authentication_abilities
#   (presumably read by has_registry_ability?; confirm in the class)
# @return [Hash, Object] +{ token: ... }+ on success, otherwise whatever +error+ returns
def execute(authentication_abilities:)
  @authentication_abilities = authentication_abilities

  return error('UNAVAILABLE', status: 404, message: 'registry not enabled') unless registry.enabled
  return error('DENIED', status: 403, message: 'access forbidden') unless has_registry_ability?

  # Evaluated left to right, stopping at the first identity or scope that is present.
  nothing_to_authorize = !scopes.any? && !current_user && !deploy_token && !project
  return error('DENIED', status: 403, message: 'access forbidden') if nothing_to_authorize

  issued_token = authorized_token(*scopes)
  { token: issued_token.encoded }
rescue ActiveImportError
  migration_notice = 'Your repository is currently being migrated to a new platform and writes are temporarily disabled. Go to https://gitlab.com/groups/gitlab-org/-/epics/5523 to learn more.'
  error('DENIED', status: 403, message: migration_notice)
end