Fix communication between GitLab and Container Registry

4005eb64 · Grzegorz Bizon · 896b13b9 · 4005eb64 · 4005eb64
Showing with 24 addition and 16 deletion

app/models/container_image.rb app/models/container_image.rb +15 -8

app/services/auth/container_registry_authentication_service.rb ...ervices/auth/container_registry_authentication_service.rb +9 -8

未找到文件。
--- a/app/models/container_image.rb
+++ b/app/models/container_image.rb
@@ -43,13 +43,20 @@ class ContainerImage < ActiveRecord::Base
    end
  end

-  def self.from_path(full_path)
-    return unless full_path.include?('/')
-
-    path = full_path[0...full_path.rindex('/')]
-    name = full_path[full_path.rindex('/')+1..-1]
-    project = Project.find_by_full_path(path)
-
-    self.new(name: name, path: path, project: project)
+  def self.project_from_path(image_path)
+    return unless image_path.include?('/')
+
+    ##
+    # Projects are always located inside a namespace, so we can remove
+    # the last node, and see if project with that path exists.
+    #
+    truncated_path = image_path.slice(0...image_path.rindex('/'))
+
+    ##
+    # We still make it possible to search projects by a full image path
+    # in order to maintain backwards compatibility.
+    #
+    Project.find_by_full_path(truncated_path) ||
+        Project.find_by_full_path(image_path)
  end
 end
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -38,13 +38,13 @@ module Auth
    private

    def authorized_token(*accesses)
-      token = JSONWebToken::RSAToken.new(registry.key)
-      token.issuer = registry.issuer
-      token.audience = params[:service]
-      token.subject = current_user.try(:username)
-      token.expire_time = self.class.token_expire_at
-      token[:access] = accesses.compact
-      token
+      JSONWebToken::RSAToken.new(registry.key).tap do |token|
+        token.issuer = registry.issuer
+        token.audience = params[:service]
+        token.subject = current_user.try(:username)
+        token.expire_time = self.class.token_expire_at
+        token[:access] = accesses.compact
+      end
    end

    def scope
@@ -62,7 +62,8 @@ module Auth
    end

    def process_repository_access(type, name, actions)
-      requested_project = ContainerImage.from_path(name).project
+      requested_project = ContainerImage.project_from_path(name)
+
      return unless requested_project

      actions = actions.select do |action|