Fix container registry permissions

9e318bd9 · Kamil Trzcinski · 575a73c8 · 9e318bd9 · 9e318bd9 · 9e318bd9
4 changed file
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -61,6 +61,7 @@ class Ability
          :read_merge_request,
          :read_note,
          :read_commit_status,
+          :read_container_registry,
          :download_code
        ]


--- a/app/services/jwt/container_registry_authentication_service.rb
+++ b/app/services/jwt/container_registry_authentication_service.rb
@@ -3,6 +3,8 @@ module JWT
    AUDIENCE = 'container_registry'

    def execute
+      return error('not found', 404) unless registry.enabled
+
      if params[:offline_token]
        return error('forbidden', 403) unless current_user
      end
@@ -65,9 +67,11 @@ module JWT
    end

    def can_access?(requested_project, requested_action)
+      return false unless requested_project.container_registry_enabled?
+
      case requested_action
      when 'pull'
-        requested_project.public? || requested_project == project || can?(current_user, :read_container_registry, requested_project)
+        requested_project == project || can?(current_user, :read_container_registry, requested_project)
      when 'push'
        requested_project == project || can?(current_user, :create_container_registry, requested_project)
      else

--- a/app/services/projects/destroy_service.rb
+++ b/app/services/projects/destroy_service.rb
@@ -64,7 +64,7 @@ module Projects
    end

    def remove_registry_tags
-      return unless Gitlab.config.registry.enabled
+      return true unless Gitlab.config.registry.enabled

      project.container_registry_repository.delete_tags
    end

--- a/spec/services/jwt/container_registry_authentication_service_spec.rb
+++ b/spec/services/jwt/container_registry_authentication_service_spec.rb
@@ -7,6 +7,7 @@ describe JWT::ContainerRegistryAuthenticationService, services: true do
  let(:rsa_key) { OpenSSL::PKey::RSA.generate(512) }
  let(:registry_settings) do
    {
+      enabled: true,
      issuer: 'rspec',
      key: nil
    }
@@ -146,7 +147,20 @@ describe JWT::ContainerRegistryAuthenticationService, services: true do
          it_behaves_like 'a forbidden'
        end
      end
+    end
+
+    context 'for project without container registry' do
+      let(:project) { create(:empty_project, :public, container_registry_enabled: false) }
+
+      before { project.update(container_registry_enabled: false) }

+      context 'disallow when pulling' do
+        let(:current_params) do
+          { scope: "repository:#{project.path_with_namespace}:pull" }
+        end
+
+        it_behaves_like 'a forbidden'
+      end
    end
  end