summaryrefslogtreecommitdiff
path: root/app/controllers/groups/dependency_proxy/application_controller.rb
diff options
context:
space:
mode:
Diffstat (limited to 'app/controllers/groups/dependency_proxy/application_controller.rb')
-rw-r--r--app/controllers/groups/dependency_proxy/application_controller.rb66
1 files changed, 66 insertions, 0 deletions
diff --git a/app/controllers/groups/dependency_proxy/application_controller.rb b/app/controllers/groups/dependency_proxy/application_controller.rb
new file mode 100644
index 00000000000..fd9db41f748
--- /dev/null
+++ b/app/controllers/groups/dependency_proxy/application_controller.rb
@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+module Groups
+ module DependencyProxy
+ class ApplicationController < ::ApplicationController
+ EMPTY_AUTH_RESULT = Gitlab::Auth::Result.new(nil, nil, nil, nil).freeze
+
+ delegate :actor, to: :@authentication_result, allow_nil: true
+
+ # This allows auth_user to be set in the base ApplicationController
+ alias_method :authenticated_user, :actor
+
+ # We disable `authenticate_user!` since the `DependencyProxy::ApplicationController` performs auth using JWT token
+ skip_before_action :authenticate_user!, raise: false
+
+ prepend_before_action :authenticate_user_from_jwt_token!
+
+ def authenticate_user_from_jwt_token!
+ return unless dependency_proxy_for_private_groups?
+
+ authenticate_with_http_token do |token, _|
+ @authentication_result = EMPTY_AUTH_RESULT
+
+ found_user = user_from_token(token)
+ sign_in(found_user) if found_user.is_a?(User)
+ end
+
+ request_bearer_token! unless authenticated_user
+ end
+
+ private
+
+ def dependency_proxy_for_private_groups?
+ Feature.enabled?(:dependency_proxy_for_private_groups, default_enabled: true)
+ end
+
+ def request_bearer_token!
+ # unfortunately, we cannot use https://api.rubyonrails.org/classes/ActionController/HttpAuthentication/Token.html#method-i-authentication_request
+ response.headers['WWW-Authenticate'] = ::DependencyProxy::Registry.authenticate_header
+ render plain: '', status: :unauthorized
+ end
+
+ def user_from_token(token)
+ token_payload = ::DependencyProxy::AuthTokenService.decoded_token_payload(token)
+
+ if token_payload['user_id']
+ token_user = User.find(token_payload['user_id'])
+ return unless token_user
+
+ @authentication_result = Gitlab::Auth::Result.new(token_user, nil, :user, [])
+ return token_user
+ elsif token_payload['deploy_token']
+ deploy_token = DeployToken.active.find_by_token(token_payload['deploy_token'])
+ return unless deploy_token
+
+ @authentication_result = Gitlab::Auth::Result.new(deploy_token, nil, :deploy_token, [])
+ return deploy_token
+ end
+
+ nil
+ rescue JWT::DecodeError, JWT::ExpiredSignature, JWT::ImmatureSignature
+ nil
+ end
+ end
+ end
+end
View Lorry Controller Status