2020-07-17 02:09:11 -04:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
|
|
# The Conan client uses a JWT for authenticating with remotes.
|
|
|
|
# This class encodes and decodes a user's personal access token or
|
|
|
|
# CI_JOB_TOKEN into a JWT that is used by the Conan client to
|
|
|
|
# authenticate with GitLab
|
|
|
|
|
|
|
|
module Gitlab
|
|
|
|
class ConanToken
|
2021-03-23 08:09:33 -04:00
|
|
|
HMAC_KEY = 'gitlab-conan-packages'
|
2020-07-17 02:09:11 -04:00
|
|
|
|
|
|
|
attr_reader :access_token_id, :user_id
|
|
|
|
|
|
|
|
class << self
|
|
|
|
def from_personal_access_token(access_token)
|
|
|
|
new(access_token_id: access_token.id, user_id: access_token.user_id)
|
|
|
|
end
|
|
|
|
|
|
|
|
def from_job(job)
|
|
|
|
new(access_token_id: job.token, user_id: job.user.id)
|
|
|
|
end
|
|
|
|
|
|
|
|
def from_deploy_token(deploy_token)
|
|
|
|
new(access_token_id: deploy_token.token, user_id: deploy_token.username)
|
|
|
|
end
|
|
|
|
|
|
|
|
def decode(jwt)
|
|
|
|
payload = JSONWebToken::HMACToken.decode(jwt, secret).first
|
|
|
|
|
|
|
|
new(access_token_id: payload['access_token'], user_id: payload['user_id'])
|
|
|
|
rescue JWT::DecodeError, JWT::ExpiredSignature, JWT::ImmatureSignature
|
|
|
|
# we return on expired and errored tokens because the Conan client
|
|
|
|
# will request a new token automatically.
|
|
|
|
end
|
|
|
|
|
|
|
|
def secret
|
|
|
|
OpenSSL::HMAC.hexdigest(
|
2021-01-27 07:09:01 -05:00
|
|
|
OpenSSL::Digest.new('SHA256'),
|
2020-07-17 02:09:11 -04:00
|
|
|
::Settings.attr_encrypted_db_key_base,
|
|
|
|
HMAC_KEY
|
|
|
|
)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def initialize(access_token_id:, user_id:)
|
|
|
|
@access_token_id = access_token_id
|
|
|
|
@user_id = user_id
|
|
|
|
end
|
|
|
|
|
|
|
|
def to_jwt
|
|
|
|
hmac_token.encoded
|
|
|
|
end
|
|
|
|
|
|
|
|
private
|
|
|
|
|
|
|
|
def hmac_token
|
|
|
|
JSONWebToken::HMACToken.new(self.class.secret).tap do |token|
|
|
|
|
token['access_token'] = access_token_id
|
|
|
|
token['user_id'] = user_id
|
|
|
|
token.expire_time = token.issued_at + 1.hour
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|