Be nice to Docker Clients talking to JWT/auth

137a8016 · Kamil Trzcinski · 3820ca58 · 137a8016 · 137a8016 · 137a8016
4 changed file
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -12,6 +12,7 @@ v 8.12.2 (unreleased)
  - Fix List-Unsubscribe header in emails
  - Fix an issue with the "Commits" section of the cycle analytics summary. !6513
  - Fix errors importing project feature and milestone models using GitLab project import
+  - Make JWT messages Docker-compatible

 v 8.12.1
  - Fix a memory leak in HTML::Pipeline::SanitizationFilter::WHITELIST

--- a/app/controllers/jwt_controller.rb
+++ b/app/controllers/jwt_controller.rb
@@ -25,7 +25,7 @@ class JwtController < ApplicationController
    authenticate_with_http_basic do |login, password|
      @authentication_result = Gitlab::Auth.find_for_git_client(login, password, project: nil, ip: request.ip)

-      render_403 unless @authentication_result.success? &&
+      render_unauthorized unless @authentication_result.success? &&
        (@authentication_result.actor.nil? || @authentication_result.actor.is_a?(User))
    end
  rescue Gitlab::Auth::MissingPersonalTokenError
@@ -33,10 +33,21 @@ class JwtController < ApplicationController
  end

  def render_missing_personal_token
-    render plain: "HTTP Basic: Access denied\n" \
-                  "You have 2FA enabled, please use a personal access token for Git over HTTP.\n" \
-                  "You can generate one at #{profile_personal_access_tokens_url}",
-           status: 401
+    render json: {
+      errors: [
+        { code: 'UNAUTHORIZED',
+          message: "HTTP Basic: Access denied\n" \
+                   "You have 2FA enabled, please use a personal access token for Git over HTTP.\n" \
+                   "You can generate one at #{profile_personal_access_tokens_url}" }
+      ] }, status: 401
+  end
+
+  def render_unauthorized
+    render json: {
+      errors: [
+        { code: 'UNAUTHORIZED',
+          message: 'HTTP Basic: Access denied' }
+      ] }, status: 401
  end

  def auth_params

--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -7,10 +7,10 @@ module Auth
    def execute(authentication_abilities:)
      @authentication_abilities = authentication_abilities

-      return error('not found', 404) unless registry.enabled
+      return error('UNAVAILABLE', status: 404, message: 'registry not enabled') unless registry.enabled

      unless current_user || project
-        return error('forbidden', 403) unless scope
+        return error('DENIED', status: 403, message: 'access forbidden') unless scope
      end

      { token: authorized_token(scope).encoded }
@@ -111,5 +111,12 @@ module Auth
      @authentication_abilities.include?(:create_container_image) &&
        can?(current_user, :create_container_image, requested_project)
    end
+
+    def error(code, status:, message: '')
+      {
+        errors: [{ code: code, message: message }],
+        http_status: status
+      }
+    end
  end
 end
--- a/spec/requests/jwt_controller_spec.rb
+++ b/spec/requests/jwt_controller_spec.rb
@@ -39,7 +39,7 @@ describe JwtController do

        subject! { get '/jwt/auth', parameters, headers }

-        it { expect(response).to have_http_status(403) }
+        it { expect(response).to have_http_status(401) }
      end
    end

@@ -77,7 +77,7 @@ describe JwtController do

      subject! { get '/jwt/auth', parameters, headers }

-      it { expect(response).to have_http_status(403) }
+      it { expect(response).to have_http_status(401) }
    end
  end