Fixed handling of "*" action

Fixes #1057 Signed-off-by: Miquel Sabaté Solà <msabate@suse.com>
SUSE · Oct 11, 2016 · 6afb1ac · 6afb1ac
1 parent 2ef37f2
commit 6afb1ac
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 1 deletion.
diff --git a/app/controllers/api/v2/tokens_controller.rb b/app/controllers/api/v2/tokens_controller.rb
@@ -63,7 +63,7 @@ def authorize_scopes(registry)
           authorize auth_scope.resource, "#{action}?".to_sym
         rescue NoMethodError, Pundit::NotAuthorizedError, Portus::AuthScope::ResourceNotFound
           logger.debug "action #{action} not handled/authorized, removing from actions"
-          auth_scope.actions.delete_if { |a| a == action }
+          auth_scope.actions.delete_if { |a| match_action(action, a) }
         end
       end
 
@@ -82,6 +82,12 @@ def authorize_scopes(registry)
     auth_scopes.values
   end
 
+  # Returns true if the given item matches the given action.
+  def match_action(action, item)
+    action = "*" if action == "all"
+    action == item
+  end
+
   # From the given scope string, try to fetch a scope handler class for it.
   # Scope handlers are defined in "app/models/*/auth_scope.rb" files.
   def scope_handler(registry, scope_string)

diff --git a/spec/api/v2/token_spec.rb b/spec/api/v2/token_spec.rb
@@ -134,6 +134,36 @@ def parse_token(body)
         payload = parse_token response.body
         expect(payload["access"]).to be_empty
       end
+
+      it "does not allow a regular user to delete an image from another user" do
+        scope = "repository:#{user.username}/busybox:*"
+
+        # It works for the regular user
+        get v2_token_url,
+          {
+            service: registry.hostname,
+            account: user.username,
+            scope:   scope
+          },
+          "HTTP_AUTHORIZATION" => auth_mech.encode_credentials(user.username, password)
+
+        expect(response.status).to eq 200
+        payload = parse_token response.body
+        expect(payload["access"]).not_to be_empty
+
+        # But not for another
+        get v2_token_url,
+          {
+            service: registry.hostname,
+            account: another.username,
+            scope:   scope
+          },
+          "HTTP_AUTHORIZATION" => auth_mech.encode_credentials(another.username, password)
+
+        expect(response.status).to eq 200
+        payload = parse_token response.body
+        expect(payload["access"]).to be_empty
+      end
     end
 
     context "as LDAP user I can authenticate from Docker CLI" do