Move JWT to Gitlab::JWT

Kamil Trzcinski 2016-05-13 16:22:50 -05:00
parent fc2d985bfa
commit 9ef9e008fe
2 changed files with 61 additions and 59 deletions


@ -3,7 +3,7 @@ class JwtController < ApplicationController
skip_before_action :verify_authenticity_token
SERVICES = {
'container_registry' => JWT::ContainerRegistryAuthenticationService,
'container_registry' => ::Gitlab::JWT::ContainerRegistryAuthenticationService,
}
def auth


@ -1,69 +1,71 @@
module JWT
class ContainerRegistryAuthenticationService < BaseService
def execute
if params[:offline_token]
return error('forbidden', 403) unless current_user
module Gitlab
module JWT
class ContainerRegistryAuthenticationService < BaseService
def execute
if params[:offline_token]
return error('forbidden', 403) unless current_user
end
return error('forbidden', 401) if scopes.blank?
{ token: authorized_token(scopes).encoded }
end
return error('forbidden', 401) if scopes.blank?
private
{ token: authorized_token(scopes).encoded }
end
private
def authorized_token(access)
token = ::JWT::RSAToken.new(registry.key)
token.issuer = registry.issuer
token.audience = params[:service]
token.subject = current_user.try(:username)
token[:access] = access
token
end
def scopes
return unless params[:scope]
@scopes ||= begin
scope = process_scope(params[:scope])
[scope].compact
end
end
def process_scope(scope)
type, name, actions = scope.split(':', 3)
actions = actions.split(',')
case type
when 'repository'
process_repository_access(type, name, actions)
end
end
def process_repository_access(type, name, actions)
requested_project = Project.find_with_namespace(name)
return unless requested_project
actions = actions.select do |action|
can_access?(requested_project, action)
def authorized_token(access)
token = ::JWT::RSAToken.new(registry.key)
token.issuer = registry.issuer
token.audience = params[:service]
token.subject = current_user.try(:username)
token[:access] = access
token
end
{ type: type, name: name, actions: actions } if actions.present?
end
def scopes
return unless params[:scope]
def can_access?(requested_project, requested_action)
case requested_action
when 'pull'
requested_project.public? || requested_project == project || can?(current_user, :read_container_registry, requested_project)
when 'push'
requested_project == project || can?(current_user, :create_container_registry, requested_project)
else
false
@scopes ||= begin
scope = process_scope(params[:scope])
[scope].compact
end
end
end
def registry
Gitlab.config.registry
def process_scope(scope)
type, name, actions = scope.split(':', 3)
actions = actions.split(',')
case type
when 'repository'
process_repository_access(type, name, actions)
end
end
def process_repository_access(type, name, actions)
requested_project = Project.find_with_namespace(name)
return unless requested_project
actions = actions.select do |action|
can_access?(requested_project, action)
end
{ type: type, name: name, actions: actions } if actions.present?
end
def can_access?(requested_project, requested_action)
case requested_action
when 'pull'
requested_project.public? || requested_project == project || can?(current_user, :read_container_registry, requested_project)
when 'push'
requested_project == project || can?(current_user, :create_container_registry, requested_project)
else
false
end
end
def registry
Gitlab.config.registry
end
end
end
end
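Review bot: In `process_scope`, `actions.split(',')` runs before anything confirms the scope had three colon-separated fields, so a request whose `scope` is, say, `repository:foo` leaves `actions` nil and the service raises NoMethodError (a 500) instead of the 401 that `execute` returns for an empty scope list; a guard `return unless actions` before the split lets `[scope].compact` drop the malformed scope. Separately, `authorized_token` copies `params[:service]` straight into the token audience, so the issuer mints a token for whatever audience string the caller supplies and relies entirely on the registry's own `aud` check to reject a mismatch; if the intended audience is the configured registry service, comparing the parameter against that value here would be the tighter check, though the registry config fields are not visible in this diff, so confirm what `registry` exposes. The namespace move itself looks mechanical, and `::JWT::RSAToken` is already absolutely qualified, so the new enclosing `Gitlab::JWT` module does not shadow it.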