Diffstat (limited to 'app/services/auth/container_registry_authentication_service.rb')
-rw-r--r--app/services/auth/container_registry_authentication_service.rb23
1 files changed, 20 insertions, 3 deletions
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index b636f55d031..e57b95f21ec 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -1,19 +1,31 @@
module Auth
class ContainerRegistryAuthenticationService < BaseService
+ include Gitlab::CurrentSettings
+
AUDIENCE = 'container_registry'
def execute
return error('not found', 404) unless registry.enabled
- if params[:offline_token]
- return error('forbidden', 403) unless current_user
- else
+ unless current_user || project
return error('forbidden', 403) unless scope
end
{ token: authorized_token(scope).encoded }
end
+ def self.full_access_token(*names)
+ registry = Gitlab.config.registry
+ token = JSONWebToken::RSAToken.new(registry.key)
+ token.issuer = registry.issuer
+ token.audience = AUDIENCE
+ token.expire_time = token_expire_at
+ token[:access] = names.map do |name|
+ { type: 'repository', name: name, actions: %w(*) }
+ end
+ token.encoded
+ end
+
private
def authorized_token(*accesses)
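Review bot: `self.full_access_token` is a public class method that signs a token with `actions: %w(*)` for every name it is handed, without a permission check, a subject or any validation of `names`, so authorization rests entirely on the call sites. That contract should be written above the method, for example `# Signs a token granting every action on the given repositories; performs no authorization. Pass only repository paths derived server-side, never request input.` Setting `token.subject` to a fixed internal identifier would also make these tokens distinguishable from user-issued ones, assuming the registry logs the subject claim. The class body continues outside this hunk.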
@@ -21,6 +33,7 @@ module Auth
token.issuer = registry.issuer
token.audience = params[:service]
token.subject = current_user.try(:username)
+ token.expire_time = ContainerRegistryAuthenticationService.token_expire_at
token[:access] = accesses.compact
token
end
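Review bot: `authorized_token` still copies the audience from the request (`token.audience = params[:service]`), while the `full_access_token` added in this commit pins it to `AUDIENCE`, so the client chooses the `aud` claim of a token signed with the registry key. If that key or issuer is trusted by anything besides the container registry, reject requests where `params[:service] != AUDIENCE` before signing, or use the constant here as well. The method starts in the previous hunk and the lines in between are not shown, so a check on `params[:service]` may already exist elsewhere.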
@@ -66,5 +79,9 @@ module Auth
def registry
Gitlab.config.registry
end
+
+ def self.token_expire_at
+ Time.now + current_application_settings.container_registry_token_expire_delay.minutes
+ end
end
end
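Review bot: `self.token_expire_at` calls `current_application_settings` on the class, but the first hunk only adds `include Gitlab::CurrentSettings`, which provides instance methods. Unless that module also extends the including class (not visible here), both `full_access_token` and `authorized_token` would raise `NoMethodError` at this line; adding `extend Gitlab::CurrentSettings` next to the include would cover the class-level call. The method also sits below `private`, which does not apply to `def self.` definitions, so it is public despite its placement and would read more honestly above the `private` line. Finally, a nil `container_registry_token_expire_delay` would fail on `.minutes`, so a fallback or a validation on the setting is worth considering.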