Class: Auth::ContainerRegistryAuthenticationService

Inherits:

BaseService

• Object
• BaseService
• Auth::ContainerRegistryAuthenticationService

Defined in:

app/services/auth/container_registry_authentication_service.rb

Constant Summary

AUDIENCE =

'container_registry'

REGISTRY_LOGIN_ABILITIES =

[
  :read_container_image,
  :create_container_image,
  :destroy_container_image,
  :destroy_container_image_tag,
  :update_container_image,
  :admin_container_image,
  :build_read_container_image,
  :build_create_container_image,
  :build_destroy_container_image
].freeze

PROTECTED_TAG_ACTIONS =

%w[push delete].freeze

ALLOWED_REGISTRY_SCOPE_NAMES =

%w[catalog statistics].freeze

Constants inherited from BaseService

BaseService::UnauthorizedError

Instance Attribute Summary

Attributes inherited from BaseService

#current_user, #params, #project

Class Method Summary

• .access_metadata(project: nil, path: nil, use_key_as_project_path: false, actions: [], user: nil) ⇒ Object
• .access_metadata_with_key_as_project_path(project:, path:, actions: [], user: nil) ⇒ Object
• .access_token(names_and_actions, type = 'repository', use_key_as_project_path: false, project: nil) ⇒ Object
• .full_access_token(*names) ⇒ Object
• .patterns_metadata(project, user, actions) ⇒ Object
• .pull_access_token(*names) ⇒ Object
• .pull_nested_repositories_access_token(name) ⇒ Object
• .push_pull_move_repositories_access_token(name, new_namespace, project:) ⇒ Object
• .push_pull_nested_repositories_access_token(name, project:) ⇒ Object
• .statistics_token ⇒ Object
• .tag_deny_access_patterns(project, user, actions) ⇒ Object
• .token_expire_at ⇒ Object

Instance Method Summary

• #execute(authentication_abilities:) ⇒ Object

Methods inherited from BaseService

#initialize

Methods included from BaseServiceUtility

#deny_visibility_level, #event_service, #log_error, #log_info, #notification_service, #system_hook_service, #todo_service, #visibility_level

Methods included from Gitlab::Allowable

#can?, #can_all?, #can_any?

Constructor Details

This class inherits a constructor from BaseService

Class Method Details

.access_metadata(project: nil, path: nil, use_key_as_project_path: false, actions: [], user: nil) ⇒ Object

# File 'app/services/auth/container_registry_authentication_service.rb', line 111

def self.access_metadata(project: nil, path: nil, use_key_as_project_path: false, actions: [], user: nil)
  return access_metadata_with_key_as_project_path(project:, path:, actions:, user:) if use_key_as_project_path

  if project.nil?
    return if path.nil? # If no path is given, return early
    return if path == 'import' # Ignore the special 'import' path

    # If the path ends with '/*', remove it so we can parse the actual repository path
    path = path.chomp('/*')

    # Parse the repository project from the path
    begin
      project = ContainerRegistry::Path.new(path).repository_project
    rescue ContainerRegistry::Path::InvalidRegistryPathError
      # If the path is invalid, gracefully handle the error
      return
    end
  end

  {
    project_path: project&.full_path&.downcase,
    project_id: project&.id,
    root_namespace_id: project&.root_ancestor&.id
  }.merge(patterns_metadata(project, user, actions)).compact
end

.access_metadata_with_key_as_project_path(project:, path:, actions: [], user: nil) ⇒ Object

# File 'app/services/auth/container_registry_authentication_service.rb', line 139

def self.access_metadata_with_key_as_project_path(project:, path:, actions: [], user: nil)
  { project_path: path.chomp('/*').downcase }.merge(patterns_metadata(project, user, actions)).compact
end

.access_token(names_and_actions, type = 'repository', use_key_as_project_path: false, project: nil) ⇒ Object

# File 'app/services/auth/container_registry_authentication_service.rb', line 88

def self.access_token(names_and_actions, type = 'repository', use_key_as_project_path: false, project: nil)
  registry = Gitlab.config.registry
  token = JSONWebToken::RSAToken.new(registry.key)
  token.issuer = registry.issuer
  token.audience = AUDIENCE
  token.expire_time = token_expire_at

  token[:access] = names_and_actions.map do |name, actions|
    {
      type: type,
      name: name,
      actions: actions,
      meta: access_metadata(path: name, use_key_as_project_path: use_key_as_project_path, actions: actions, project: project)
    }.compact
  end

  token.encoded
end

.full_access_token(*names) ⇒ Object

# File 'app/services/auth/container_registry_authentication_service.rb', line 38

def self.full_access_token(*names)
  names_and_actions = names.index_with { %w[*] }
  access_token(names_and_actions)
end

.patterns_metadata(project, user, actions) ⇒ Object

# File 'app/services/auth/container_registry_authentication_service.rb', line 143

def self.patterns_metadata(project, user, actions)
  {
    tag_deny_access_patterns: tag_deny_access_patterns(project, user, actions)
  }
end

.pull_access_token(*names) ⇒ Object

# File 'app/services/auth/container_registry_authentication_service.rb', line 43

def self.pull_access_token(*names)
  names_and_actions = names.index_with { %w[pull] }
  access_token(names_and_actions)
end

.pull_nested_repositories_access_token(name) ⇒ Object

# File 'app/services/auth/container_registry_authentication_service.rb', line 48

def self.pull_nested_repositories_access_token(name)
  name = name.chomp('/')

  access_token({
    name => %w[pull],
    "#{name}/*" => %w[pull]
  })
end

.push_pull_move_repositories_access_token(name, new_namespace, project:) ⇒ Object

# File 'app/services/auth/container_registry_authentication_service.rb', line 70

def self.push_pull_move_repositories_access_token(name, new_namespace, project:)
  name = name.chomp('/')

  access_token(
    {
      name => %w[pull push],
      "#{name}/*" => %w[pull],
      "#{new_namespace}/*" => %w[push]
    },
    project: project,
    use_key_as_project_path: true
  )
end

.push_pull_nested_repositories_access_token(name, project:) ⇒ Object

# File 'app/services/auth/container_registry_authentication_service.rb', line 57

def self.push_pull_nested_repositories_access_token(name, project:)
  name = name.chomp('/')

  access_token(
    {
      name => %w[pull push],
      "#{name}/*" => %w[pull]
    },
    project: project,
    use_key_as_project_path: true
  )
end

.statistics_token ⇒ Object

# File 'app/services/auth/container_registry_authentication_service.rb', line 84

def self.statistics_token
  access_token({ 'statistics' => ['*'] }, 'registry')
end

.tag_deny_access_patterns(project, user, actions) ⇒ Object

# File 'app/services/auth/container_registry_authentication_service.rb', line 149

def self.tag_deny_access_patterns(project, user, actions)
  return if project.nil? || user.nil?

  rules = project.container_registry_protection_tag_rules
  return unless rules.mutable.any?

  # Expand the special `*` action into individual actions (pull + push + delete), which is what it represents. The
  # `pull` action is not part of the protected tags feature, so we can ignore it right here. Additionally, although
  # unexpected for realistic scenarios (known client tools), it's technically possible for repeated actions to get
  # this far in the code, so deduplicate them.
  actions_to_check = actions.include?('*') ? PROTECTED_TAG_ACTIONS : actions.uniq
  actions_to_check.delete('pull')

  patterns = actions_to_check.index_with { [] }

  # Admins get unrestricted access with protected tags, but the registry expects to always see an array for each granted actions, so we
  # can return early here, but not any earlier.
  return patterns if user.can_admin_all_resources?

  user_access_level = project.team.max_member_access(user.id)
  applicable_rules = rules.for_actions_and_access(actions_to_check, user_access_level)

  applicable_rules.each do |rule|
    if actions_to_check.include?('push') && rule.push_restricted?(user_access_level)
      patterns['push'] << rule.tag_name_pattern
    end

    if actions_to_check.include?('delete') && rule.delete_restricted?(user_access_level)
      patterns['delete'] << rule.tag_name_pattern
    end
  end

  patterns
end

.token_expire_at ⇒ Object

# File 'app/services/auth/container_registry_authentication_service.rb', line 107

def self.token_expire_at
  Time.current + Gitlab::CurrentSettings.container_registry_token_expire_delay.minutes
end

Instance Method Details

#execute(authentication_abilities:) ⇒ Object

# File 'app/services/auth/container_registry_authentication_service.rb', line 20

def execute(authentication_abilities:)
  @authentication_abilities = authentication_abilities

  return error('UNAVAILABLE', status: 404, message: 'registry not enabled') unless registry.enabled

  return error('DENIED', status: 403, message: 'access forbidden') unless has_registry_ability?

  unless scopes.any? || current_user || deploy_token || project
    return error('DENIED', status: 403, message: 'access forbidden')
  end

  if repository_path_push_protected?
    return error('DENIED', status: 403, message: 'Pushing to protected repository path forbidden')
  end

  { token: authorized_token(*scopes).encoded }
end