diff options
Diffstat (limited to 'app/services/auth/container_registry_authentication_service.rb')
-rw-r--r-- | app/services/auth/container_registry_authentication_service.rb | 23 |
1 files changed, 20 insertions, 3 deletions
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb index b636f55d031..e57b95f21ec 100644 --- a/app/services/auth/container_registry_authentication_service.rb +++ b/app/services/auth/container_registry_authentication_service.rb @@ -1,19 +1,31 @@ module Auth class ContainerRegistryAuthenticationService < BaseService + include Gitlab::CurrentSettings + AUDIENCE = 'container_registry' def execute return error('not found', 404) unless registry.enabled - if params[:offline_token] - return error('forbidden', 403) unless current_user - else + unless current_user || project return error('forbidden', 403) unless scope end { token: authorized_token(scope).encoded } end + def self.full_access_token(*names) + registry = Gitlab.config.registry + token = JSONWebToken::RSAToken.new(registry.key) + token.issuer = registry.issuer + token.audience = AUDIENCE + token.expire_time = token_expire_at + token[:access] = names.map do |name| + { type: 'repository', name: name, actions: %w(*) } + end + token.encoded + end + private def authorized_token(*accesses) @@ -21,6 +33,7 @@ module Auth token.issuer = registry.issuer token.audience = params[:service] token.subject = current_user.try(:username) + token.expire_time = ContainerRegistryAuthenticationService.token_expire_at token[:access] = accesses.compact token end @@ -66,5 +79,9 @@ module Auth def registry Gitlab.config.registry end + + def self.token_expire_at + Time.now + current_application_settings.container_registry_token_expire_delay.minutes + end end end |