Add latest changes from gitlab-org/security/gitlab@12-6-stable-ee

789293e4 · GitLab Bot · 42c8702f · 789293e4 · 789293e4 · 789293e4
Commit 789293e4 authored 5 years ago by GitLab Bot
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -3,12 +3,24 @@
 module Auth
  class ContainerRegistryAuthenticationService < BaseService
    AUDIENCE = 'container_registry'
+    REGISTRY_LOGIN_ABILITIES = [
+      :read_container_image,
+      :create_container_image,
+      :destroy_container_image,
+      :update_container_image,
+      :admin_container_image,
+      :build_read_container_image,
+      :build_create_container_image,
+      :build_destroy_container_image
+    ].freeze
  
    def execute(authentication_abilities:)
      @authentication_abilities = authentication_abilities
  
      return error('UNAVAILABLE', status: 404, message: 'registry not enabled') unless registry.enabled
  
+      return error('DENIED', status: 403, message: 'access forbidden') unless has_registry_ability?
+
      unless scopes.any? || current_user || project
        return error('DENIED', status: 403, message: 'access forbidden')
      end
@@ -197,5 +209,11 @@ module Auth
    def has_authentication_ability?(capability)
      @authentication_abilities.to_a.include?(capability)
    end
+
+    def has_registry_ability?
+      @authentication_abilities.any? do |ability|
+        REGISTRY_LOGIN_ABILITIES.include?(ability)
+      end
+    end
  end
 end
--- a/changelogs/unreleased/security-deploy-token-registry-access.yml
+++ b/changelogs/unreleased/security-deploy-token-registry-access.yml
+---
+title: Update container registry authentication to account for login request when
+  checking permissions
+merge_request:
+author:
+type: security
--- a/spec/services/auth/container_registry_authentication_service_spec.rb
+++ b/spec/services/auth/container_registry_authentication_service_spec.rb
@@ -769,6 +769,15 @@ describe Auth::ContainerRegistryAuthenticationService do
    context 'when deploy token has read_registry as a scope' do
      let(:current_user) { create(:deploy_token, projects: [project]) }
  
+      shared_examples 'able to login' do
+        context 'registry provides read_container_image authentication_abilities' do
+          let(:current_params) { {} }
+          let(:authentication_abilities) { [:read_container_image] }
+
+          it_behaves_like 'an authenticated'
+        end
+      end
+
      context 'for public project' do
        let(:project) { create(:project, :public) }
  
@@ -783,6 +792,8 @@ describe Auth::ContainerRegistryAuthenticationService do
  
          it_behaves_like 'an inaccessible'
        end
+
+        it_behaves_like 'able to login'
      end
  
      context 'for internal project' do
@@ -799,6 +810,8 @@ describe Auth::ContainerRegistryAuthenticationService do
  
          it_behaves_like 'an inaccessible'
        end
+
+        it_behaves_like 'able to login'
      end
  
      context 'for private project' do
@@ -815,18 +828,38 @@ describe Auth::ContainerRegistryAuthenticationService do
  
          it_behaves_like 'an inaccessible'
        end
+
+        it_behaves_like 'able to login'
      end
    end
  
    context 'when deploy token does not have read_registry scope' do
      let(:current_user) { create(:deploy_token, projects: [project], read_registry: false) }
  
+      shared_examples 'unable to login' do
+        context 'registry provides no container authentication_abilities' do
+          let(:current_params) { {} }
+          let(:authentication_abilities) { [] }
+
+          it_behaves_like 'a forbidden'
+        end
+
+        context 'registry provides inapplicable container authentication_abilities' do
+          let(:current_params) { {} }
+          let(:authentication_abilities) { [:download_code] }
+
+          it_behaves_like 'a forbidden'
+        end
+      end
+
      context 'for public project' do
        let(:project) { create(:project, :public) }
  
        context 'when pulling' do
          it_behaves_like 'a pullable'
        end
+
+        it_behaves_like 'unable to login'
      end
  
      context 'for internal project' do
@@ -835,6 +868,8 @@ describe Auth::ContainerRegistryAuthenticationService do
        context 'when pulling' do
          it_behaves_like 'an inaccessible'
        end
+
+        it_behaves_like 'unable to login'
      end
  
      context 'for private project' do
@@ -843,6 +878,15 @@ describe Auth::ContainerRegistryAuthenticationService do
        context 'when pulling' do
          it_behaves_like 'an inaccessible'
        end
+
+        context 'when logging in' do
+          let(:current_params) { {} }
+          let(:authentication_abilities) { [] }
+
+          it_behaves_like 'a forbidden'
+        end
+
+        it_behaves_like 'unable to login'
      end
    end
  

--- a/spec/support/shared_contexts/policies/group_policy_shared_context.rb
+++ b/spec/support/shared_contexts/policies/group_policy_shared_context.rb
@@ -7,6 +7,7 @@ RSpec.shared_context 'GroupPolicy context' do
  let_it_be(:maintainer) { create(:user) }
  let_it_be(:owner) { create(:user) }
  let_it_be(:admin) { create(:admin) }
+  let_it_be(:non_group_member) { create(:user) }
  let_it_be(:group, refind: true) { create(:group, :private, :owner_subgroup_creation_only) }
  
  let(:guest_permissions) do