authorKamil Trzcinski <ayufan@ayufan.eu>2016-05-14 18:23:31 -0500
committerKamil Trzcinski <ayufan@ayufan.eu>2016-05-14 18:23:31 -0500
commitf4f9184a01bc7442411bbcffd9b6a86784fa5f53 (patch)
tree0d841ce4a6ccedc06035d90d32a31c017d443d2b /app
parentdf973df8c536fb9ffe0a9ed4e92f7d9144eb687a (diff)
downloadgitlab-ce-f4f9184a01bc7442411bbcffd9b6a86784fa5f53.tar.gz
Rename JWT to JSONWebToken
Diffstat (limited to 'app')
-rw-r--r--app/controllers/jwt_controller.rb2
-rw-r--r--app/models/ability.rb12
-rw-r--r--app/services/auth/container_registry_authentication_service.rb27
3 files changed, 18 insertions, 23 deletions
diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb
index bd9d7e4425d..0edf084e9e4 100644
--- a/app/controllers/jwt_controller.rb
+++ b/app/controllers/jwt_controller.rb
@@ -4,7 +4,7 @@ class JwtController < ApplicationController
before_action :authenticate_project_or_user
SERVICES = {
- 'container_registry' => Auth::ContainerRegistryAuthenticationService,
+ Auth::ContainerRegistryAuthenticationService::AUDIENCE => Auth::ContainerRegistryAuthenticationService,
}
def auth
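Review bot: `SERVICES` is still a mutable constant after this change, so any code holding a reference can add or replace an entry in what appears to be the table of token-issuing services. Closing the literal with `}.freeze` prevents that. Because the key is no longer readable at the definition site, a comment above the hash such as `# Keys are the service names accepted from the client; values issue the token` would help, assuming that is how `auth` uses it. The body of `auth` lies outside the hunk, so the lookup itself is not visible here.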
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 74321240468..f70268d3138 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -61,7 +61,7 @@ class Ability
:read_merge_request,
:read_note,
:read_commit_status,
- :read_container_registry,
+ :read_container_image,
:download_code
]
@@ -204,7 +204,7 @@ class Ability
:admin_label,
:read_commit_status,
:read_build,
- :read_container_registry,
+ :read_container_image,
]
end
@@ -219,8 +219,8 @@ class Ability
:create_merge_request,
:create_wiki,
:push_code,
- :create_container_registry,
- :update_container_registry,
+ :create_container_image,
+ :update_container_image,
]
end
@@ -247,7 +247,7 @@ class Ability
:admin_project,
:admin_commit_status,
:admin_build,
- :admin_container_registry,
+ :admin_container_image,
]
end
@@ -293,7 +293,7 @@ class Ability
end
unless project.container_registry_enabled
- rules += named_abilities('container_registry')
+ rules += named_abilities('container_image')
end
rules
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index a63e7046fcc..bbbc84475c8 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -9,39 +9,34 @@ module Auth
return error('forbidden', 403) unless current_user
end
- return error('forbidden', 401) if scopes.blank?
+ return error('forbidden', 401) unless scope
- { token: authorized_token(scopes).encoded }
+ { token: authorized_token(scope).encoded }
end
private
- def authorized_token(access)
- token = ::JWT::RSAToken.new(registry.key)
+ def authorized_token(*accesses)
+ token = JSONWebToken::RSAToken.new(registry.key)
token.issuer = registry.issuer
token.audience = params[:service]
token.subject = current_user.try(:username)
- token[:access] = access
+ token[:access] = accesses
token
end
- def scopes
+ def scope
return unless params[:scope]
- @scopes ||= begin
- scope = process_scope(params[:scope])
- [scope].compact
- end
+ @scope ||= process_scope(params[:scope])
end
def process_scope(scope)
type, name, actions = scope.split(':', 3)
actions = actions.split(',')
+ return unless type == 'repository'
- case type
- when 'repository'
- process_repository_access(type, name, actions)
- end
+ process_repository_access(type, name, actions)
end
def process_repository_access(type, name, actions)
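Review bot: In `process_scope` the added guard `return unless type == 'repository'` runs after `actions = actions.split(',')`, so a client-supplied `scope` with fewer than three colon-separated fields still makes `actions` nil. That raises NoMethodError, which presumably surfaces as a 500 instead of the intended auth error. Move the guard above the split and make it cover the missing field: `return unless type == 'repository' && name && actions`, followed by `actions = actions.split(',')`. Separately, `token.audience = params[:service]` still copies the request parameter into the token. Now that the controller keys on `AUDIENCE`, setting the audience from that constant would keep the claim independent of client input. The body of `process_repository_access` lies outside the hunk, so whether it can return nil for an unknown project is not visible here.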
@@ -60,9 +55,9 @@ module Auth
case requested_action
when 'pull'
- requested_project == project || can?(current_user, :read_container_registry, requested_project)
+ requested_project == project || can?(current_user, :read_container_image, requested_project)
when 'push'
- requested_project == project || can?(current_user, :create_container_registry, requested_project)
+ requested_project == project || can?(current_user, :create_container_image, requested_project)
else
false
end