diff options
Diffstat (limited to 'lib/gitlab/conan_token.rb')
| -rw-r--r-- | lib/gitlab/conan_token.rb | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/lib/gitlab/conan_token.rb b/lib/gitlab/conan_token.rb new file mode 100644 index 00000000000..7526c10b608 --- /dev/null +++ b/lib/gitlab/conan_token.rb @@ -0,0 +1,64 @@ +# frozen_string_literal: true + +# The Conan client uses a JWT for authenticating with remotes. +# This class encodes and decodes a user's personal access token or +# CI_JOB_TOKEN into a JWT that is used by the Conan client to +# authenticate with GitLab + +module Gitlab + class ConanToken + HMAC_KEY = 'gitlab-conan-packages'.freeze + + attr_reader :access_token_id, :user_id + + class << self + def from_personal_access_token(access_token) + new(access_token_id: access_token.id, user_id: access_token.user_id) + end + + def from_job(job) + new(access_token_id: job.token, user_id: job.user.id) + end + + def from_deploy_token(deploy_token) + new(access_token_id: deploy_token.token, user_id: deploy_token.username) + end + + def decode(jwt) + payload = JSONWebToken::HMACToken.decode(jwt, secret).first + + new(access_token_id: payload['access_token'], user_id: payload['user_id']) + rescue JWT::DecodeError, JWT::ExpiredSignature, JWT::ImmatureSignature + # we return on expired and errored tokens because the Conan client + # will request a new token automatically. + end + + def secret + OpenSSL::HMAC.hexdigest( + OpenSSL::Digest::SHA256.new, + ::Settings.attr_encrypted_db_key_base, + HMAC_KEY + ) + end + end + + def initialize(access_token_id:, user_id:) + @access_token_id = access_token_id + @user_id = user_id + end + + def to_jwt + hmac_token.encoded + end + + private + + def hmac_token + JSONWebToken::HMACToken.new(self.class.secret).tap do |token| + token['access_token'] = access_token_id + token['user_id'] = user_id + token.expire_time = token.issued_at + 1.hour + end + end + end +end |