-rw-r--r--app/controllers/jwt_controller.rb2
-rw-r--r--app/services/jwt/container_registry_authentication_service.rb102
2 files changed, 53 insertions, 51 deletions
diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb
index 599f62bd121..c203c50d1fb 100644
--- a/app/controllers/jwt_controller.rb
+++ b/app/controllers/jwt_controller.rb
@@ -3,7 +3,7 @@ class JwtController < ApplicationController
skip_before_action :verify_authenticity_token
SERVICES = {
- 'container_registry' => JWT::ContainerRegistryAuthenticationService,
+ 'container_registry' => ::Gitlab::JWT::ContainerRegistryAuthenticationService,
}
def auth
diff --git a/app/services/jwt/container_registry_authentication_service.rb b/app/services/jwt/container_registry_authentication_service.rb
index 0ab3e6d02ba..dd0f2954784 100644
--- a/app/services/jwt/container_registry_authentication_service.rb
+++ b/app/services/jwt/container_registry_authentication_service.rb
@@ -1,69 +1,71 @@
-module JWT
- class ContainerRegistryAuthenticationService < BaseService
- def execute
- if params[:offline_token]
- return error('forbidden', 403) unless current_user
- end
+module Gitlab
+ module JWT
+ class ContainerRegistryAuthenticationService < BaseService
+ def execute
+ if params[:offline_token]
+ return error('forbidden', 403) unless current_user
+ end
- return error('forbidden', 401) if scopes.blank?
+ return error('forbidden', 401) if scopes.blank?
- { token: authorized_token(scopes).encoded }
- end
+ { token: authorized_token(scopes).encoded }
+ end
- private
+ private
- def authorized_token(access)
- token = ::JWT::RSAToken.new(registry.key)
- token.issuer = registry.issuer
- token.audience = params[:service]
- token.subject = current_user.try(:username)
- token[:access] = access
- token
- end
+ def authorized_token(access)
+ token = ::JWT::RSAToken.new(registry.key)
+ token.issuer = registry.issuer
+ token.audience = params[:service]
+ token.subject = current_user.try(:username)
+ token[:access] = access
+ token
+ end
- def scopes
- return unless params[:scope]
+ def scopes
+ return unless params[:scope]
- @scopes ||= begin
- scope = process_scope(params[:scope])
- [scope].compact
+ @scopes ||= begin
+ scope = process_scope(params[:scope])
+ [scope].compact
+ end
end
- end
- def process_scope(scope)
- type, name, actions = scope.split(':', 3)
- actions = actions.split(',')
+ def process_scope(scope)
+ type, name, actions = scope.split(':', 3)
+ actions = actions.split(',')
- case type
- when 'repository'
- process_repository_access(type, name, actions)
+ case type
+ when 'repository'
+ process_repository_access(type, name, actions)
+ end
end
- end
- def process_repository_access(type, name, actions)
- requested_project = Project.find_with_namespace(name)
- return unless requested_project
+ def process_repository_access(type, name, actions)
+ requested_project = Project.find_with_namespace(name)
+ return unless requested_project
- actions = actions.select do |action|
- can_access?(requested_project, action)
- end
+ actions = actions.select do |action|
+ can_access?(requested_project, action)
+ end
- { type: type, name: name, actions: actions } if actions.present?
- end
+ { type: type, name: name, actions: actions } if actions.present?
+ end
- def can_access?(requested_project, requested_action)
- case requested_action
- when 'pull'
- requested_project.public? || requested_project == project || can?(current_user, :read_container_registry, requested_project)
- when 'push'
- requested_project == project || can?(current_user, :create_container_registry, requested_project)
- else
- false
+ def can_access?(requested_project, requested_action)
+ case requested_action
+ when 'pull'
+ requested_project.public? || requested_project == project || can?(current_user, :read_container_registry, requested_project)
+ when 'push'
+ requested_project == project || can?(current_user, :create_container_registry, requested_project)
+ else
+ false
+ end
end
- end
- def registry
- Gitlab.config.registry
+ def registry
+ Gitlab.config.registry
+ end
end
end
end
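Review bot: `process_scope` still calls `actions.split(',')` on whatever `scope.split(':', 3)` returns, and the scope string comes straight from the request's `params[:scope]`. A scope with fewer than three colon-separated parts (for example `repository:group/project`) leaves `actions` nil, so the call raises NoMethodError instead of denying the request; unless something outside this hunk rescues it, that is presumably a 500 from an endpoint that can be reached without authentication. Since the whole file is being re-indented anyway, add a guard right after the split, `return unless actions`, so a malformed scope falls through to the existing `scopes.blank?` denial in `execute`. A non-String `params[:scope]` (array or hash form) would fail at the first `split` in the same way, so `return unless scope.is_a?(String)` at the top of `process_scope` is worth adding too.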