Skip to content

G
gitlab-ce
Commit 9ef9e008 authored by Kamil Trzcinski's avatar Kamil Trzcinski
Browse files
Options

Move JWT to Gitlab::JWT

parent fc2d985b
Hide whitespace changes
Inline Side-by-side
Showing with 53 additions and 51 deletions
app/controllers/jwt_controller.rb
View file @ 9ef9e008
...@@ -3,7 +3,7 @@ class JwtController < ApplicationController ...@@ -3,7 +3,7 @@ class JwtController < ApplicationController
skip_before_action :verify_authenticity_token skip_before_action :verify_authenticity_token
SERVICES = { SERVICES = {
'container_registry' => JWT::ContainerRegistryAuthenticationService, 'container_registry' => ::Gitlab::JWT::ContainerRegistryAuthenticationService,
} }
def auth def auth
......
app/services/jwt/container_registry_authentication_service.rb
View file @ 9ef9e008
module JWT module Gitlab
class ContainerRegistryAuthenticationService < BaseService module JWT
def execute class ContainerRegistryAuthenticationService < BaseService
if params[:offline_token] def execute
return error('forbidden', 403) unless current_user if params[:offline_token]
end return error('forbidden', 403) unless current_user
end
return error('forbidden', 401) if scopes.blank? return error('forbidden', 401) if scopes.blank?
{ token: authorized_token(scopes).encoded } { token: authorized_token(scopes).encoded }
end end
private private
def authorized_token(access) def authorized_token(access)
token = ::JWT::RSAToken.new(registry.key) token = ::JWT::RSAToken.new(registry.key)
token.issuer = registry.issuer token.issuer = registry.issuer
token.audience = params[:service] token.audience = params[:service]
token.subject = current_user.try(:username) token.subject = current_user.try(:username)
token[:access] = access token[:access] = access
token token
end end
def scopes def scopes
return unless params[:scope] return unless params[:scope]
@scopes ||= begin @scopes ||= begin
scope = process_scope(params[:scope]) scope = process_scope(params[:scope])
[scope].compact [scope].compact
end
end end
end
def process_scope(scope) def process_scope(scope)
type, name, actions = scope.split(':', 3) type, name, actions = scope.split(':', 3)
actions = actions.split(',') actions = actions.split(',')
case type case type
when 'repository' when 'repository'
process_repository_access(type, name, actions) process_repository_access(type, name, actions)
end
end end
end
def process_repository_access(type, name, actions) def process_repository_access(type, name, actions)
requested_project = Project.find_with_namespace(name) requested_project = Project.find_with_namespace(name)
return unless requested_project return unless requested_project
actions = actions.select do |action| actions = actions.select do |action|
can_access?(requested_project, action) can_access?(requested_project, action)
end end
{ type: type, name: name, actions: actions } if actions.present? { type: type, name: name, actions: actions } if actions.present?
end end
def can_access?(requested_project, requested_action) def can_access?(requested_project, requested_action)
case requested_action case requested_action
when 'pull' when 'pull'
requested_project.public? || requested_project == project || can?(current_user, :read_container_registry, requested_project) requested_project.public? || requested_project == project || can?(current_user, :read_container_registry, requested_project)
when 'push' when 'push'
requested_project == project || can?(current_user, :create_container_registry, requested_project) requested_project == project || can?(current_user, :create_container_registry, requested_project)
else else
false false
end
end end
end
def registry def registry
Gitlab.config.registry Gitlab.config.registry
end
end end
end end
end end
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7