Commit f4f9184a authored by Kamil Trzcinski's avatar Kamil Trzcinski

Rename JWT to JSONWebToken

parent df973df8
......@@ -4,7 +4,7 @@ class JwtController < ApplicationController
before_action :authenticate_project_or_user
SERVICES = {
'container_registry' => Auth::ContainerRegistryAuthenticationService,
Auth::ContainerRegistryAuthenticationService::AUDIENCE => Auth::ContainerRegistryAuthenticationService,
}
def auth
......
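Review bot: `SERVICES` is a mutable constant hash; since it now maps a class constant (`Auth::ContainerRegistryAuthenticationService::AUDIENCE`) to a service class and is presumably looked up by the untrusted `params[:service]` in `auth` below (the lookup itself is outside the hunk), it should be frozen so nothing can add entries at runtime: `}.freeze`. The trailing comma after the single entry can also go. `auth` starts at the last visible line of the hunk and continues outside it.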
......@@ -61,7 +61,7 @@ class Ability
:read_merge_request,
:read_note,
:read_commit_status,
:read_container_registry,
:read_container_image,
:download_code
]
......@@ -204,7 +204,7 @@ class Ability
:admin_label,
:read_commit_status,
:read_build,
:read_container_registry,
:read_container_image,
]
end
......@@ -219,8 +219,8 @@ class Ability
:create_merge_request,
:create_wiki,
:push_code,
:create_container_registry,
:update_container_registry,
:create_container_image,
:update_container_image,
]
end
......@@ -247,7 +247,7 @@ class Ability
:admin_project,
:admin_commit_status,
:admin_build,
:admin_container_registry,
:admin_container_image,
]
end
......@@ -293,7 +293,7 @@ class Ability
end
unless project.container_registry_enabled
rules += named_abilities('container_registry')
rules += named_abilities('container_image')
end
rules
......
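Review bot: `rules += named_abilities('container_image')` in the last hunk is guarded by `unless project.container_registry_enabled`, which reads as granting abilities when the feature is off; that only makes sense if the enclosing method (it starts outside the hunk) builds the set of abilities to subtract, so a one-line comment would help, e.g. `# abilities removed when the registry is disabled for the project`. The prefix passed to `named_abilities` must match every renamed symbol in the earlier hunks of this file (`:read_container_image`, `:create_container_image`, `:update_container_image`, `:admin_container_image`); any remaining `*_container_registry` ability elsewhere would silently stop being matched, and the project setting itself keeps its old `container_registry_enabled` name, so the two naming schemes now coexist.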
......@@ -9,40 +9,35 @@ module Auth
return error('forbidden', 403) unless current_user
end
return error('forbidden', 401) if scopes.blank?
return error('forbidden', 401) unless scope
{ token: authorized_token(scopes).encoded }
{ token: authorized_token(scope).encoded }
end
private
def authorized_token(access)
token = ::JWT::RSAToken.new(registry.key)
def authorized_token(*accesses)
token = JSONWebToken::RSAToken.new(registry.key)
token.issuer = registry.issuer
token.audience = params[:service]
token.subject = current_user.try(:username)
token[:access] = access
token[:access] = accesses
token
end
def scopes
def scope
return unless params[:scope]
@scopes ||= begin
scope = process_scope(params[:scope])
[scope].compact
end
@scope ||= process_scope(params[:scope])
end
def process_scope(scope)
type, name, actions = scope.split(':', 3)
actions = actions.split(',')
return unless type == 'repository'
case type
when 'repository'
process_repository_access(type, name, actions)
end
end
def process_repository_access(type, name, actions)
requested_project = Project.find_with_namespace(name)
......@@ -60,9 +55,9 @@ module Auth
case requested_action
when 'pull'
requested_project == project || can?(current_user, :read_container_registry, requested_project)
requested_project == project || can?(current_user, :read_container_image, requested_project)
when 'push'
requested_project == project || can?(current_user, :create_container_registry, requested_project)
requested_project == project || can?(current_user, :create_container_image, requested_project)
else
false
end
......
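Review bot: The new `return unless type == 'repository'` guard in `process_scope` is placed after `actions = actions.split(',')`, so a malformed scope from the untrusted `params[:scope]` with fewer than three colon-separated parts (e.g. `repository:foo`) still raises `NoMethodError` on `nil.split` and surfaces as a server error instead of the 401 that `scope` returning nil would produce. Move the guard above the split and include the presence check: `type, name, actions = scope.split(':', 3)` / `return unless type == 'repository' && name && actions` / `actions = actions.split(',')`. Separately, `@scope ||= process_scope(params[:scope])` re-runs `process_scope` on every call when it returns nil, which is harmless here but means the memoization only holds for valid scopes. `process_repository_access` starts in this hunk and continues outside it.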
module JWT
module JSONWebToken
class RSAToken < Token
attr_reader :key_file
......
module JWT
module JSONWebToken
class Token
attr_accessor :issuer, :subject, :audience, :id
attr_accessor :issued_at, :not_before, :expire_time
......
describe JWT::RSAToken do
describe JSONWebToken::RSAToken do
let(:rsa_key) { generate_key }
let(:rsa_token) { described_class.new(nil) }
let(:rsa_encoded) { rsa_token.encoded }
......
describe JWT::Token do
describe JSONWebToken::Token do
let(:token) { described_class.new }
context 'custom parameters' do
......
......@@ -18,7 +18,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
before do
allow(Gitlab.config.registry).to receive_messages(registry_settings)
allow_any_instance_of(JWT::RSAToken).to receive(:key).and_return(rsa_key)
allow_any_instance_of(JSONWebToken::RSAToken).to receive(:key).and_return(rsa_key)
end
shared_examples 'an authenticated' do
......