Class: Auth::ContainerRegistryAuthenticationService

Inherits:

Object
BaseService
Auth::ContainerRegistryAuthenticationService

Defined in:: app/services/auth/container_registry_authentication_service.rb

Constant Summary collapse

AUDIENCE =

'container_registry'

REGISTRY_LOGIN_ABILITIES =

[
  :read_container_image,
  :create_container_image,
  :destroy_container_image,
  :update_container_image,
  :admin_container_image,
  :build_read_container_image,
  :build_create_container_image,
  :build_destroy_container_image
].freeze

FORBIDDEN_IMPORTING_SCOPES =

%w[push delete *].freeze

ActiveImportError =

Class.new(StandardError)

Instance Attribute Summary

Attributes inherited from BaseService

#current_user, #params, #project

Class Method Summary collapse

Instance Method Summary collapse

#execute(authentication_abilities:) ⇒ Object

Constructor Details

This class inherits a constructor from BaseService

Class Method Details

.access_metadata(project: nil, path: nil) ⇒ `Object`

# File 'app/services/auth/container_registry_authentication_service.rb', line 83

def self.access_metadata(project: nil, path: nil)
  # If the project is not given, try to infer it from the provided path
  if project.nil?
    return if path.nil? # If no path is given, return early
    return if path == 'import' # Ignore the special 'import' path

    # If the path ends with '/*', remove it so we can parse the actual repository path
    path = path.chomp('/*')

    # Parse the repository project from the path
    begin
      project = ContainerRegistry::Path.new(path).repository_project
    rescue ContainerRegistry::Path::InvalidRegistryPathError
      # If the path is invalid, gracefully handle the error
      return
    end
  end

  # Return the project path (lowercase) as metadata
  { project_path: project&.full_path&.downcase }
end

.access_token(actions, names, type = 'repository') ⇒ `Object`

# File 'app/services/auth/container_registry_authentication_service.rb', line 59

def self.access_token(actions, names, type = 'repository')
  names = names.flatten
  registry = Gitlab.config.registry
  token = JSONWebToken::RSAToken.new(registry.key)
  token.issuer = registry.issuer
  token.audience = AUDIENCE
  token.expire_time = token_expire_at

  token[:access] = names.map do |name|
    {
      type: type,
      name: name,
      actions: actions,
      meta: access_metadata(path: name)
    }.compact
  end

  token.encoded
end

.full_access_token(*names) ⇒ `Object`



41
42
43

# File 'app/services/auth/container_registry_authentication_service.rb', line 41

def self.full_access_token(*names)
  access_token(%w[*], names)
end

.import_access_token ⇒ `Object`



45
46
47

# File 'app/services/auth/container_registry_authentication_service.rb', line 45

def self.import_access_token
  access_token(%w[*], ['import'], 'registry')
end

.pull_access_token(*names) ⇒ `Object`



49
50
51

# File 'app/services/auth/container_registry_authentication_service.rb', line 49

def self.pull_access_token(*names)
  access_token(['pull'], names)
end

.pull_nested_repositories_access_token(name) ⇒ `Object`

# File 'app/services/auth/container_registry_authentication_service.rb', line 53

def self.pull_nested_repositories_access_token(name)
  name = name.chomp('/') if name.end_with?('/')
  paths = [name, "#{name}/*"]
  access_token(['pull'], paths)
end

.token_expire_at ⇒ `Object`



79
80
81

# File 'app/services/auth/container_registry_authentication_service.rb', line 79

def self.token_expire_at
  Time.current + Gitlab::CurrentSettings.container_registry_token_expire_delay.minutes
end

Instance Method Details

#execute(authentication_abilities:) ⇒ `Object`

# File 'app/services/auth/container_registry_authentication_service.rb', line 21

def execute(authentication_abilities:)
  @authentication_abilities = authentication_abilities

  return error('UNAVAILABLE', status: 404, message: 'registry not enabled') unless registry.enabled

  return error('DENIED', status: 403, message: 'access forbidden') unless has_registry_ability?

  unless scopes.any? || current_user || deploy_token || project
    return error('DENIED', status: 403, message: 'access forbidden')
  end

  { token: authorized_token(*scopes).encoded }
rescue ActiveImportError
  error(
    'DENIED',
    status: 403,
    message: 'Your repository is currently being migrated to a new platform and writes are temporarily disabled. Go to https://gitlab.com/groups/gitlab-org/-/epics/5523 to learn more.'
  )
end

Class: Auth::ContainerRegistryAuthenticationService

Constant Summary collapse

Instance Attribute Summary

Attributes inherited from BaseService

Class Method Summary collapse

Instance Method Summary collapse

Methods inherited from BaseService

Methods included from BaseServiceUtility

Methods included from Gitlab::Allowable

Constructor Details

Class Method Details

.access_metadata(project: nil, path: nil) ⇒ Object

.access_token(actions, names, type = 'repository') ⇒ Object

.full_access_token(*names) ⇒ Object

.import_access_token ⇒ Object

.pull_access_token(*names) ⇒ Object

.pull_nested_repositories_access_token(name) ⇒ Object

.token_expire_at ⇒ Object

Instance Method Details

#execute(authentication_abilities:) ⇒ Object

.access_metadata(project: nil, path: nil) ⇒ `Object`

.access_token(actions, names, type = 'repository') ⇒ `Object`

.full_access_token(*names) ⇒ `Object`

.import_access_token ⇒ `Object`

.pull_access_token(*names) ⇒ `Object`

.pull_nested_repositories_access_token(name) ⇒ `Object`

.token_expire_at ⇒ `Object`

#execute(authentication_abilities:) ⇒ `Object`