Commit b180d79c authored by Kamil Trzcinski's avatar Kamil Trzcinski

Rename DockerAuthenticationService to ContainerRegistryAuthenticationService

parent daca2144
...@@ -3,7 +3,7 @@ class JwtController < ApplicationController ...@@ -3,7 +3,7 @@ class JwtController < ApplicationController
skip_before_action :verify_authenticity_token skip_before_action :verify_authenticity_token
SERVICES = { SERVICES = {
'docker' => Jwt::DockerAuthenticationService, 'container_registry' => Jwt::ContainerRegistryAuthenticationService,
} }
def auth def auth
......
module Jwt module Jwt
class DockerAuthenticationService < BaseService class ContainerRegistryAuthenticationService < BaseService
def execute def execute
if params[:offline_token] if params[:offline_token]
return error('forbidden', 403) unless current_user return error('forbidden', 403) unless current_user
end end
{ token: authorized_token.encoded } return error('forbidden', 401) if scopes.empty?
{ token: authorized_token(scopes).encoded }
end end
private private
def authorized_token def authorized_token(access)
token = ::Jwt::RSAToken.new(registry.key) token = ::Jwt::RSAToken.new(registry.key)
token.issuer = registry.issuer token.issuer = registry.issuer
token.audience = params[:service] token.audience = params[:service]
...@@ -19,12 +21,14 @@ module Jwt ...@@ -19,12 +21,14 @@ module Jwt
token token
end end
def access def scopes
return unless params[:scope] return unless params[:scope]
@scopes ||= begin
scope = process_scope(params[:scope]) scope = process_scope(params[:scope])
[scope].compact [scope].compact
end end
end
def process_scope(scope) def process_scope(scope)
type, name, actions = scope.split(':', 3) type, name, actions = scope.split(':', 3)
...@@ -44,15 +48,15 @@ module Jwt ...@@ -44,15 +48,15 @@ module Jwt
can_access?(requested_project, action) can_access?(requested_project, action)
end end
{ type: type, name: name, actions: actions } if actions { type: type, name: name, actions: actions } if actions.present?
end end
def can_access?(requested_project, requested_action) def can_access?(requested_project, requested_action)
case requested_action case requested_action
when 'pull' when 'pull'
requested_project.public? || requested_project == project || can?(current_user, :download_code, requested_project) requested_project.public? || requested_project == project || can?(current_user, :read_container_registry, requested_project)
when 'push' when 'push'
requested_project == project || can?(current_user, :push_code, requested_project) requested_project == project || can?(current_user, :create_container_registry, requested_project)
else else
false false
end end
......
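Review bot: The new `return error('forbidden', 401) if scopes.empty?` in the first hunk raises NoMethodError rather than returning 401 when the request carries no scope parameter, because `scopes` (second hunk) still does `return unless params[:scope]` before the memoized block and so yields nil, which has no `empty?`. Either change that guard to `return [] unless params[:scope]` so `scopes` always returns an array, or test `scopes.blank?`, which is defined on nil; the first option also keeps `authorized_token(scopes)` from receiving nil. The message `'forbidden'` paired with status 401 is also misleading, since 401 signals missing or unusable credentials rather than a forbidden action, so `error('unauthorized', 401)` would read correctly. The abilities `:read_container_registry` and `:create_container_registry` used in `can_access?` must be declared in the Ability class, which is not part of the visible changes.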
...@@ -4,19 +4,21 @@ module Jwt ...@@ -4,19 +4,21 @@ module Jwt
attr_accessor :issued_at, :not_before, :expire_time attr_accessor :issued_at, :not_before, :expire_time
def initialize def initialize
@payload = {}
@id = SecureRandom.uuid @id = SecureRandom.uuid
@issued_at = Time.now @issued_at = Time.now
# we give a few seconds for time shift
@not_before = issued_at - 5.seconds @not_before = issued_at - 5.seconds
# default 60 seconds should be more than enough for this authentication token
@expire_time = issued_at + 1.minute @expire_time = issued_at + 1.minute
@custom_payload = {}
end end
def [](key) def [](key)
@payload[key] @custom_payload[key]
end end
def []=(key, value) def []=(key, value)
@payload[key] = value @custom_payload[key] = value
end end
def encoded def encoded
...@@ -24,11 +26,7 @@ module Jwt ...@@ -24,11 +26,7 @@ module Jwt
end end
def payload def payload
@payload.merge(default_payload) @custom_payload.merge(default_payload)
end
def to_json
payload.to_json
end end
private private
......
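Review bot: `payload` merges so that `default_payload` overwrites any key set through `[]=`, which is the safe direction for a token (a caller cannot supply its own expiry or id), but nothing in the class states this and a reader could assume custom claims take precedence. Add above `def payload` a comment such as `# default_payload wins: claims derived from @id/issued_at/not_before/expire_time cannot be overridden via []=`. `default_payload` itself lies outside the hunk, so the exact claim set it emits is inferred from the accessors and instance variables visible in `initialize`.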