Commit 846d111f authored by Kamil Trzcinski's avatar Kamil Trzcinski

Add Application Setting to configure Container Registry token expire delay (default 5min)

parent ba81c912
......@@ -17,6 +17,7 @@ v 8.9.0 (unreleased)
- Projects pending deletion will render a 404 page
- Measure queue duration between gitlab-workhorse and Rails
- Make authentication service for Container Registry to be compatible with < Docker 1.11
- Add Application Setting to configure Container Registry token expire delay (default 5min)
v 8.8.3
- Fix gitlab importer failing to import new projects due to missing credentials
......
......@@ -107,6 +107,7 @@ def application_setting_params
:repository_checks_enabled,
:metrics_packet_size,
:send_user_confirmation_email,
:container_registry_token_expire_delay,
restricted_visibility_levels: [],
import_sources: [],
disabled_oauth_sign_in_sources: []
......
......@@ -51,6 +51,10 @@ class ApplicationSetting < ActiveRecord::Base
presence: true,
numericality: { only_integer: true, greater_than: 0 }
validates :container_registry_token_expire_delay,
presence: true,
numericality: { only_integer: true, greater_than: 0 }
validates_each :restricted_visibility_levels do |record, attr, value|
unless value.nil?
value.each do |level|
......@@ -121,7 +125,8 @@ def self.create_from_defaults
akismet_enabled: false,
repository_checks_enabled: true,
disabled_oauth_sign_in_sources: [],
send_user_confirmation_email: false
send_user_confirmation_email: false,
container_registry_token_expire_delay: 5,
)
end
......
module Auth
class ContainerRegistryAuthenticationService < BaseService
include CurrentSettings
AUDIENCE = 'container_registry'
def execute
......@@ -17,6 +19,7 @@ def self.full_access_token(*names)
token = JSONWebToken::RSAToken.new(registry.key)
token.issuer = registry.issuer
token.audience = AUDIENCE
token.expire_time = token.issued_at + current_application_settings.container_registry_token_expire_delay.minutes
token[:access] = names.map do |name|
{ type: 'repository', name: name, actions: %w(*) }
end
......
......@@ -178,6 +178,14 @@
.col-sm-10
= f.number_field :max_artifacts_size, class: 'form-control'
- if Gitlab.config.registry.enabled
%fieldset
%legend Container Registry
.form-group
= f.label :container_registry_token_expire_delay, 'Authorization token duration (minutes)', class: 'control-label col-sm-2'
.col-sm-10
= f.number_field :container_registry_token_expire_delay, class: 'form-control'
%fieldset
%legend Metrics
%p
......
# See http://doc.gitlab.com/ce/development/migration_style_guide.html
# for more information on how to write migrations for GitLab.
class AddContainerRegistryTokenExpireDelayToApplicationSettings < ActiveRecord::Migration
include Gitlab::Database::MigrationHelpers
# When using the methods "add_concurrent_index" or "add_column_with_default"
# you must disable the use of transactions as these methods can not run in an
# existing transaction. When using "add_concurrent_index" make sure that this
# method is the _only_ method called in the migration, any other changes
# should go in a separate migration. This ensures that upon failure _only_ the
# index creation fails and can be retried or reverted easily.
#
# To disable transactions uncomment the following line and remove these
# comments:
# disable_ddl_transaction!
def change
add_column :application_settings, :container_registry_token_expire_delay, :integer
# Set default expire delay to 5 minutes
execute("update application_settings set container_registry_token_expire_delay = 5")
end
end
......@@ -37,7 +37,8 @@ Example response:
"created_at" : "2016-01-04T15:44:55.176Z",
"default_project_visibility" : 0,
"gravatar_enabled" : true,
"sign_in_text" : null
"sign_in_text" : null,
"container_registry_token_expire_delay": 5
}
```
......@@ -64,6 +65,7 @@ PUT /application/settings
| `restricted_signup_domains` | array of strings | no | Force people to use only corporate emails for sign-up. Default is null, meaning there is no restriction. |
| `user_oauth_applications` | boolean | no | Allow users to register any application to use GitLab as an OAuth provider |
| `after_sign_out_path` | string | no | Where to redirect users after logout |
| `container_registry_token_expire_delay` | integer | no | Container Registry token duration in minutes |
```bash
curl -X PUT -H "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" https://gitlab.example.com/api/v3/application/settings?signup_enabled=false&default_project_visibility=1
......@@ -90,6 +92,7 @@ Example response:
"default_snippet_visibility": 0,
"restricted_signup_domains": [],
"user_oauth_applications": true,
"after_sign_out_path": ""
"after_sign_out_path": "",
"container_registry_token_expire_delay": 5
}
```
......@@ -362,6 +362,7 @@ class ApplicationSetting < Grape::Entity
expose :restricted_signup_domains
expose :user_oauth_applications
expose :after_sign_out_path
expose :container_registry_token_expire_delay
end
class Release < Grape::Entity
......
......@@ -36,6 +36,7 @@ def fake_application_settings
two_factor_grace_period: 48,
akismet_enabled: false,
repository_checks_enabled: true,
container_registry_token_expire_delay: 5,
)
end
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment