From b180d79cdca2ce0f6aa7425baf47db5b9c1ec2e3 Mon Sep 17 00:00:00 2001 From: Kamil Trzcinski Date: Mon, 9 May 2016 22:04:42 +0300 Subject: [PATCH] Rename DockerAuthenticationService to ContainerRegistryAuthenticationService --- app/controllers/jwt_controller.rb | 2 +- ...tainer_registry_authentication_service.rb} | 22 +++++++++++-------- lib/jwt/token.rb | 14 +++++------- 3 files changed, 20 insertions(+), 18 deletions(-) rename app/services/jwt/{docker_authentication_service.rb => container_registry_authentication_service.rb} (68%) diff --git a/app/controllers/jwt_controller.rb b/app/controllers/jwt_controller.rb index 9bf1ddbba21..0048a1a31ea 100644 --- a/app/controllers/jwt_controller.rb +++ b/app/controllers/jwt_controller.rb @@ -3,7 +3,7 @@ class JwtController < ApplicationController skip_before_action :verify_authenticity_token SERVICES = { - 'docker' => Jwt::DockerAuthenticationService, + 'container_registry' => Jwt::ContainerRegistryAuthenticationService, } def auth diff --git a/app/services/jwt/docker_authentication_service.rb b/app/services/jwt/container_registry_authentication_service.rb similarity index 68% rename from app/services/jwt/docker_authentication_service.rb rename to app/services/jwt/container_registry_authentication_service.rb index fb0c41a12f7..b9fcd380475 100644 --- a/app/services/jwt/docker_authentication_service.rb +++ b/app/services/jwt/container_registry_authentication_service.rb @@ -1,16 +1,18 @@ module Jwt - class DockerAuthenticationService < BaseService + class ContainerRegistryAuthenticationService < BaseService def execute if params[:offline_token] return error('forbidden', 403) unless current_user end - { token: authorized_token.encoded } + return error('forbidden', 401) if scopes.empty? + + { token: authorized_token(scopes).encoded } end private - def authorized_token + def authorized_token(access) token = ::Jwt::RSAToken.new(registry.key) token.issuer = registry.issuer token.audience = params[:service] @@ -19,11 +21,13 @@ module Jwt token end - def access + def scopes return unless params[:scope] - scope = process_scope(params[:scope]) - [scope].compact + @scopes ||= begin + scope = process_scope(params[:scope]) + [scope].compact + end end def process_scope(scope) @@ -44,15 +48,15 @@ module Jwt can_access?(requested_project, action) end - { type: type, name: name, actions: actions } if actions + { type: type, name: name, actions: actions } if actions.present? end def can_access?(requested_project, requested_action) case requested_action when 'pull' - requested_project.public? || requested_project == project || can?(current_user, :download_code, requested_project) + requested_project.public? || requested_project == project || can?(current_user, :read_container_registry, requested_project) when 'push' - requested_project == project || can?(current_user, :push_code, requested_project) + requested_project == project || can?(current_user, :create_container_registry, requested_project) else false end diff --git a/lib/jwt/token.rb b/lib/jwt/token.rb index 38cbc8004e7..765ab0d60c7 100644 --- a/lib/jwt/token.rb +++ b/lib/jwt/token.rb @@ -4,19 +4,21 @@ module Jwt attr_accessor :issued_at, :not_before, :expire_time def initialize - @payload = {} @id = SecureRandom.uuid @issued_at = Time.now + # we give a few seconds for time shift @not_before = issued_at - 5.seconds + # default 60 seconds should be more than enough for this authentication token @expire_time = issued_at + 1.minute + @custom_payload = {} end def [](key) - @payload[key] + @custom_payload[key] end def []=(key, value) - @payload[key] = value + @custom_payload[key] = value end def encoded @@ -24,11 +26,7 @@ module Jwt end def payload - @payload.merge(default_payload) - end - - def to_json - payload.to_json + @custom_payload.merge(default_payload) end private -- GitLab