From 9ef9e008feb99aaf0c4edc85bb76039eb46f0794 Mon Sep 17 00:00:00 2001
From: Kamil Trzcinski
Date: Fri, 13 May 2016 16:22:50 -0500
Subject: [PATCH] Move JWT to Gitlab::JWT

---
 app/controllers/jwt_controller.rb | 2 +-
 ...ntainer_registry_authentication_service.rb | 118 +++++++++---------
 2 files changed, 61 insertions(+), 59 deletions(-)

diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb
index 599f62bd121..c203c50d1fb 100644
--- a/app/controllers/jwt_controller.rb
+++ b/app/controllers/jwt_controller.rb
@@ -3,7 +3,7 @@ class JwtController < ApplicationController
   skip_before_action :verify_authenticity_token
 
   SERVICES = {
-    'container_registry' => JWT::ContainerRegistryAuthenticationService,
+    'container_registry' => ::Gitlab::JWT::ContainerRegistryAuthenticationService,
   }
 
   def auth
diff --git a/app/services/jwt/container_registry_authentication_service.rb b/app/services/jwt/container_registry_authentication_service.rb
index 0ab3e6d02ba..dd0f2954784 100644
--- a/app/services/jwt/container_registry_authentication_service.rb
+++ b/app/services/jwt/container_registry_authentication_service.rb
@@ -1,69 +1,71 @@
-module JWT
-  class ContainerRegistryAuthenticationService < BaseService
-    def execute
-      if params[:offline_token]
-        return error('forbidden', 403) unless current_user
+module Gitlab
+  module JWT
+    class ContainerRegistryAuthenticationService < BaseService
+      def execute
+        if params[:offline_token]
+          return error('forbidden', 403) unless current_user
+        end
+
+        return error('forbidden', 401) if scopes.blank?
+
+        { token: authorized_token(scopes).encoded }
       end
 
-      return error('forbidden', 401) if scopes.blank?
+      private
 
-      { token: authorized_token(scopes).encoded }
-    end
-
-    private
-
-    def authorized_token(access)
-      token = ::JWT::RSAToken.new(registry.key)
-      token.issuer = registry.issuer
-      token.audience = params[:service]
-      token.subject = current_user.try(:username)
-      token[:access] = access
-      token
-    end
-
-    def scopes
-      return unless params[:scope]
-
-      @scopes ||= begin
-        scope = process_scope(params[:scope])
-        [scope].compact
-      end
-    end
-
-    def process_scope(scope)
-      type, name, actions = scope.split(':', 3)
-      actions = actions.split(',')
-
-      case type
-      when 'repository'
-        process_repository_access(type, name, actions)
-      end
-    end
-
-    def process_repository_access(type, name, actions)
-      requested_project = Project.find_with_namespace(name)
-      return unless requested_project
-
-      actions = actions.select do |action|
-        can_access?(requested_project, action)
+      def authorized_token(access)
+        token = ::JWT::RSAToken.new(registry.key)
+        token.issuer = registry.issuer
+        token.audience = params[:service]
+        token.subject = current_user.try(:username)
+        token[:access] = access
+        token
       end
 
-      { type: type, name: name, actions: actions } if actions.present?
-    end
+      def scopes
+        return unless params[:scope]
 
-    def can_access?(requested_project, requested_action)
-      case requested_action
-      when 'pull'
-        requested_project.public? || requested_project == project || can?(current_user, :read_container_registry, requested_project)
-      when 'push'
-        requested_project == project || can?(current_user, :create_container_registry, requested_project)
-      else
-        false
+        @scopes ||= begin
+          scope = process_scope(params[:scope])
+          [scope].compact
+        end
       end
-    end
 
-    def registry
-      Gitlab.config.registry
+      def process_scope(scope)
+        type, name, actions = scope.split(':', 3)
+        actions = actions.split(',')
+
+        case type
+        when 'repository'
+          process_repository_access(type, name, actions)
+        end
+      end
+
+      def process_repository_access(type, name, actions)
+        requested_project = Project.find_with_namespace(name)
+        return unless requested_project
+
+        actions = actions.select do |action|
+          can_access?(requested_project, action)
+        end
+
+        { type: type, name: name, actions: actions } if actions.present?
+      end
+
+      def can_access?(requested_project, requested_action)
+        case requested_action
+        when 'pull'
+          requested_project.public? || requested_project == project || can?(current_user, :read_container_registry, requested_project)
+        when 'push'
+          requested_project == project || can?(current_user, :create_container_registry, requested_project)
+        else
+          false
+        end
+      end
+
+      def registry
+        Gitlab.config.registry
+      end
     end
   end
 end
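Review bot: `process_scope` on the new side splits `params[:scope]` into `type, name, actions` and immediately calls `actions.split(',')` without checking that a third segment exists, so a scope such as `repository:group/project` (no actions part) raises NoMethodError for the request instead of the 401 that `execute` returns for an empty scope. Because this value comes straight from the client's token request, the split result should be validated before use, e.g. `return unless type && name && actions` right after the split (or `actions = actions.to_s.split(',')`); the same applies to `scope.split` itself if the parameter can arrive as a non-string. This is pre-existing behaviour that the move into `Gitlab::JWT` re-indents but does not change. Separately, the `error('forbidden', 401)` line in `execute` pairs a "forbidden" message with a 401 status; `'unauthorized'` would describe that branch more accurately.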