lib/gitlab/jwt_authenticatable.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54

# frozen_string_literal: true

module Gitlab
  module JwtAuthenticatable
    # Supposedly the effective key size for HMAC-SHA256 is 256 bits, i.e. 32
    # bytes https://www.rfc-editor.org/rfc/rfc4868#section-2.6
    SECRET_LENGTH = 32

    def self.included(base)
      base.extend(ClassMethods)
    end

    module ClassMethods
      include Gitlab::Utils::StrongMemoize

      def decode_jwt(encoded_message, jwt_secret = secret, issuer: nil, iat_after: nil)
        options = { algorithm: 'HS256' }
        options = options.merge(iss: issuer, verify_iss: true) if issuer.present?
        options = options.merge(verify_iat: true) if iat_after.present?

        decoded_message = JWT.decode(encoded_message, jwt_secret, true, options)
        payload = decoded_message[0]
        if iat_after.present?
          raise JWT::DecodeError, "JWT iat claim is missing" if payload['iat'].blank?

          iat = payload['iat'].to_i
          raise JWT::ExpiredSignature, 'Token has expired' if iat < iat_after.to_i
        end

        decoded_message
      end

      def secret
        strong_memoize(:secret) do
          read_secret(secret_path)
        end
      end

      def read_secret(path)
        Base64.strict_decode64(File.read(path).chomp).tap do |bytes|
          raise "#{path} does not contain #{SECRET_LENGTH} bytes" if bytes.length != SECRET_LENGTH
        end
      end

      def write_secret(path = secret_path)
        bytes = SecureRandom.random_bytes(SECRET_LENGTH)
        File.open(path, 'w:BINARY', 0600) do |f|
          f.chmod(0600) # If the file already existed, the '0600' passed to 'open' above was a no-op.
          f.write(Base64.strict_encode64(bytes))
        end
      end
    end
  end
end