Rename DockerAuthenticationService to ContainerRegistryAuthenticationService

b180d79c · Kamil Trzcinski · daca2144 · b180d79c · b180d79c · b180d79c
Commit b180d79c authored May 09, 2016 by Kamil Trzcinski
3 changed files
--- a/app/controllers/jwt_controller.rb
+++ b/app/controllers/jwt_controller.rb
@@ -3,7 +3,7 @@ class JwtController < ApplicationController
  skip_before_action :verify_authenticity_token

  SERVICES = {
-    'docker' => Jwt::DockerAuthenticationService,
+    'container_registry' => Jwt::ContainerRegistryAuthenticationService,
  }

  def auth

--- a/app/services/jwt/docker_authentication_service.rb
+++ b/app/services/jwt/docker_authentication_service.rb
 module Jwt
-  class DockerAuthenticationService < BaseService
+  class ContainerRegistryAuthenticationService < BaseService
    def execute
      if params[:offline_token]
        return error('forbidden', 403) unless current_user
      end

-      { token: authorized_token.encoded }
+      return error('forbidden', 401) if scopes.empty?
+
+      { token: authorized_token(scopes).encoded }
    end

    private

-    def authorized_token
+    def authorized_token(access)
      token = ::Jwt::RSAToken.new(registry.key)
      token.issuer = registry.issuer
      token.audience = params[:service]
@@ -19,11 +21,13 @@ module Jwt
      token
    end

-    def access
+    def scopes
      return unless params[:scope]

-      scope = process_scope(params[:scope])
-      [scope].compact
+      @scopes ||= begin
+        scope = process_scope(params[:scope])
+        [scope].compact
+      end
    end

    def process_scope(scope)
@@ -44,15 +48,15 @@ module Jwt
        can_access?(requested_project, action)
      end

-      { type: type, name: name, actions: actions } if actions
+      { type: type, name: name, actions: actions } if actions.present?
    end

    def can_access?(requested_project, requested_action)
      case requested_action
      when 'pull'
-        requested_project.public? || requested_project == project || can?(current_user, :download_code, requested_project)
+        requested_project.public? || requested_project == project || can?(current_user, :read_container_registry, requested_project)
      when 'push'
-        requested_project == project || can?(current_user, :push_code, requested_project)
+        requested_project == project || can?(current_user, :create_container_registry, requested_project)
      else
        false
      end

--- a/lib/jwt/token.rb
+++ b/lib/jwt/token.rb
@@ -4,19 +4,21 @@ module Jwt
    attr_accessor :issued_at, :not_before, :expire_time

    def initialize
-      @payload = {}
      @id = SecureRandom.uuid
      @issued_at = Time.now
+      # we give a few seconds for time shift
      @not_before = issued_at - 5.seconds
+      # default 60 seconds should be more than enough for this authentication token
      @expire_time = issued_at + 1.minute
+      @custom_payload = {}
    end

    def [](key)
-      @payload[key]
+      @custom_payload[key]
    end

    def []=(key, value)
-      @payload[key] = value
+      @custom_payload[key] = value
    end

    def encoded
@@ -24,11 +26,7 @@ module Jwt
    end

    def payload
-      @payload.merge(default_payload)
-    end
-
-    def to_json
-      payload.to_json
+      @custom_payload.merge(default_payload)
    end

    private