Make code more clear in what is done
This commit is contained in:
parent
9f679ac207
commit
daca2144c8
@ -8,8 +8,9 @@ class JwtController < ApplicationController
def auth
def auth
@authenticated = authenticate_with_http_basic do |login, password|
@authenticated = authenticate_with_http_basic do |login, password|
@ci_project = ci_project(login, password)
# if it's possible we first try to authenticate project with login and password
@user = authenticate_user(login, password) unless @ci_project
@project = authenticate_project(login, password)
@user = authenticate_user(login, password) unless @project
end
end
unless @authenticated
unless @authenticated
@ -19,7 +20,7 @@ class JwtController < ApplicationController
service = SERVICES[params[:service]]
service = SERVICES[params[:service]]
head :not_found unless service
head :not_found unless service
result = service.new(@ci_project, @user, auth_params).execute
result = service.new(@project, @user, auth_params).execute
return head result[:http_status] if result[:http_status]
return head result[:http_status] if result[:http_status]
render json: result
render json: result
@ -31,7 +32,7 @@ class JwtController < ApplicationController
params.permit(:service, :scope, :offline_token, :account, :client_id)
params.permit(:service, :scope, :offline_token, :account, :client_id)
end
end
def ci_project(login, password)
def authenticate_project(login, password)
matched_login = /(?<s>^[a-zA-Z]*-ci)-token$/.match(login)
matched_login = /(?<s>^[a-zA-Z]*-ci)-token$/.match(login)
if matched_login.present?
if matched_login.present?
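Review bot: A project-token login now leaves `@authenticated` falsy, because the block's last expression `@user = authenticate_user(login, password) unless @project` evaluates to nil when `@project` is set, so the `unless @authenticated` guard that follows in the first hunk would reject exactly the case the new comment says is tried first (the rest of `auth` is outside the hunk, so confirm nothing there re-derives it). Ending the block with an explicit `@project || @user` makes the intended result the block's value. The new comment also reads awkwardly; `# Try to authenticate as a project first; fall back to a user account otherwise` says the same thing. Separately, the unchanged regex in `authenticate_project` anchors with `^`/`$`, which in Ruby match at line boundaries, so `\A`/`\z` would be the safer whole-string anchors for a value taken from the Authorization header; that method's body also continues past the hunk.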
@ -5,12 +5,12 @@ module Jwt
return error('forbidden', 403) unless current_user
return error('forbidden', 403) unless current_user
end
end
{ token: token.encoded }
{ token: authorized_token.encoded }
end
end
private
private
def token
def authorized_token
token = ::Jwt::RSAToken.new(registry.key)
token = ::Jwt::RSAToken.new(registry.key)
token.issuer = registry.issuer
token.issuer = registry.issuer
token.audience = params[:service]
token.audience = params[:service]
@ -37,22 +37,22 @@ module Jwt
end
end
def process_repository_access(type, name, actions)
def process_repository_access(type, name, actions)
current_project = Project.find_with_namespace(name)
requested_project = Project.find_with_namespace(name)
return unless current_project
return unless requested_project
actions = actions.select do |action|
actions = actions.select do |action|
can_access?(current_project, action)
can_access?(requested_project, action)
end
end
{ type: type, name: name, actions: actions } if actions
{ type: type, name: name, actions: actions } if actions
end
end
def can_access?(current_project, action)
def can_access?(requested_project, requested_action)
case action
case requested_action
when 'pull'
when 'pull'
current_project == project || can?(current_user, :download_code, current_project)
requested_project.public? || requested_project == project || can?(current_user, :download_code, requested_project)
when 'push'
when 'push'
current_project == project || can?(current_user, :push_code, current_project)
requested_project == project || can?(current_user, :push_code, requested_project)
else
else
false
false
end
end
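Review bot: The `if actions` modifier on `{ type: type, name: name, actions: actions } if actions` in process_repository_access is dead: `actions.select` always returns an Array, and an empty Array is truthy in Ruby, so a name the caller may not access still yields an access entry with an empty action list. If the intent is to omit such entries, `{ type: type, name: name, actions: actions } unless actions.empty?` does that; if an empty entry is deliberate, dropping the modifier avoids suggesting a check the code does not make. In can_access?, the `'pull'` branch now grants access on `requested_project.public?` before any identity check, which is presumably intentional for public registries but worth a one-line comment such as `# public projects are pullable without authentication`. The `def` of can_access? closes outside the hunk.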