BigW Consortium Gitlab
Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
G
gitlab-ce
Project
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Commits
Issue Boards
Open sidebar
Forest Godfrey
gitlab-ce
Commits
f4f9184a
Commit
f4f9184a
authored
May 14, 2016
by
Kamil Trzcinski
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Rename JWT to JSONWebToken
parent
df973df8
Show whitespace changes
Inline
Side-by-side
Showing
8 changed files
with
22 additions
and
27 deletions
+22
-27
jwt_controller.rb
app/controllers/jwt_controller.rb
+1
-1
ability.rb
app/models/ability.rb
+6
-6
container_registry_authentication_service.rb
...ervices/auth/container_registry_authentication_service.rb
+10
-15
rsa_token.rb
lib/json_web_token/rsa_token.rb
+1
-1
token.rb
lib/json_web_token/token.rb
+1
-1
rsa_token_spec.rb
spec/lib/json_web_token/rsa_token_spec.rb
+1
-1
token_spec.rb
spec/lib/json_web_token/token_spec.rb
+1
-1
container_registry_authentication_service_spec.rb
...es/auth/container_registry_authentication_service_spec.rb
+1
-1
No files found.
app/controllers/jwt_controller.rb
View file @
f4f9184a
...
@@ -4,7 +4,7 @@ class JwtController < ApplicationController
...
@@ -4,7 +4,7 @@ class JwtController < ApplicationController
before_action
:authenticate_project_or_user
before_action
:authenticate_project_or_user
SERVICES
=
{
SERVICES
=
{
'container_registry'
=>
Auth
::
ContainerRegistryAuthenticationService
,
Auth
::
ContainerRegistryAuthenticationService
::
AUDIENCE
=>
Auth
::
ContainerRegistryAuthenticationService
,
}
}
def
auth
def
auth
...
...
app/models/ability.rb
View file @
f4f9184a
...
@@ -61,7 +61,7 @@ class Ability
...
@@ -61,7 +61,7 @@ class Ability
:read_merge_request
,
:read_merge_request
,
:read_note
,
:read_note
,
:read_commit_status
,
:read_commit_status
,
:read_container_
registry
,
:read_container_
image
,
:download_code
:download_code
]
]
...
@@ -204,7 +204,7 @@ class Ability
...
@@ -204,7 +204,7 @@ class Ability
:admin_label
,
:admin_label
,
:read_commit_status
,
:read_commit_status
,
:read_build
,
:read_build
,
:read_container_
registry
,
:read_container_
image
,
]
]
end
end
...
@@ -219,8 +219,8 @@ class Ability
...
@@ -219,8 +219,8 @@ class Ability
:create_merge_request
,
:create_merge_request
,
:create_wiki
,
:create_wiki
,
:push_code
,
:push_code
,
:create_container_
registry
,
:create_container_
image
,
:update_container_
registry
,
:update_container_
image
,
]
]
end
end
...
@@ -247,7 +247,7 @@ class Ability
...
@@ -247,7 +247,7 @@ class Ability
:admin_project
,
:admin_project
,
:admin_commit_status
,
:admin_commit_status
,
:admin_build
,
:admin_build
,
:admin_container_
registry
,
:admin_container_
image
,
]
]
end
end
...
@@ -293,7 +293,7 @@ class Ability
...
@@ -293,7 +293,7 @@ class Ability
end
end
unless
project
.
container_registry_enabled
unless
project
.
container_registry_enabled
rules
+=
named_abilities
(
'container_
registry
'
)
rules
+=
named_abilities
(
'container_
image
'
)
end
end
rules
rules
...
...
app/services/auth/container_registry_authentication_service.rb
View file @
f4f9184a
...
@@ -9,40 +9,35 @@ module Auth
...
@@ -9,40 +9,35 @@ module Auth
return
error
(
'forbidden'
,
403
)
unless
current_user
return
error
(
'forbidden'
,
403
)
unless
current_user
end
end
return
error
(
'forbidden'
,
401
)
if
scopes
.
blank?
return
error
(
'forbidden'
,
401
)
unless
scope
{
token:
authorized_token
(
scope
s
).
encoded
}
{
token:
authorized_token
(
scope
).
encoded
}
end
end
private
private
def
authorized_token
(
acces
s
)
def
authorized_token
(
*
accesse
s
)
token
=
::
JWT
::
RSAToken
.
new
(
registry
.
key
)
token
=
JSONWebToken
::
RSAToken
.
new
(
registry
.
key
)
token
.
issuer
=
registry
.
issuer
token
.
issuer
=
registry
.
issuer
token
.
audience
=
params
[
:service
]
token
.
audience
=
params
[
:service
]
token
.
subject
=
current_user
.
try
(
:username
)
token
.
subject
=
current_user
.
try
(
:username
)
token
[
:access
]
=
access
token
[
:access
]
=
access
es
token
token
end
end
def
scope
s
def
scope
return
unless
params
[
:scope
]
return
unless
params
[
:scope
]
@scopes
||=
begin
@scope
||=
process_scope
(
params
[
:scope
])
scope
=
process_scope
(
params
[
:scope
])
[
scope
].
compact
end
end
end
def
process_scope
(
scope
)
def
process_scope
(
scope
)
type
,
name
,
actions
=
scope
.
split
(
':'
,
3
)
type
,
name
,
actions
=
scope
.
split
(
':'
,
3
)
actions
=
actions
.
split
(
','
)
actions
=
actions
.
split
(
','
)
return
unless
type
==
'repository'
case
type
when
'repository'
process_repository_access
(
type
,
name
,
actions
)
process_repository_access
(
type
,
name
,
actions
)
end
end
end
def
process_repository_access
(
type
,
name
,
actions
)
def
process_repository_access
(
type
,
name
,
actions
)
requested_project
=
Project
.
find_with_namespace
(
name
)
requested_project
=
Project
.
find_with_namespace
(
name
)
...
@@ -60,9 +55,9 @@ module Auth
...
@@ -60,9 +55,9 @@ module Auth
case
requested_action
case
requested_action
when
'pull'
when
'pull'
requested_project
==
project
||
can?
(
current_user
,
:read_container_
registry
,
requested_project
)
requested_project
==
project
||
can?
(
current_user
,
:read_container_
image
,
requested_project
)
when
'push'
when
'push'
requested_project
==
project
||
can?
(
current_user
,
:create_container_
registry
,
requested_project
)
requested_project
==
project
||
can?
(
current_user
,
:create_container_
image
,
requested_project
)
else
else
false
false
end
end
...
...
lib/j
wt
/rsa_token.rb
→
lib/j
son_web_token
/rsa_token.rb
View file @
f4f9184a
module
J
WT
module
J
SONWebToken
class
RSAToken
<
Token
class
RSAToken
<
Token
attr_reader
:key_file
attr_reader
:key_file
...
...
lib/j
wt
/token.rb
→
lib/j
son_web_token
/token.rb
View file @
f4f9184a
module
J
WT
module
J
SONWebToken
class
Token
class
Token
attr_accessor
:issuer
,
:subject
,
:audience
,
:id
attr_accessor
:issuer
,
:subject
,
:audience
,
:id
attr_accessor
:issued_at
,
:not_before
,
:expire_time
attr_accessor
:issued_at
,
:not_before
,
:expire_time
...
...
spec/lib/j
wt
/rsa_token_spec.rb
→
spec/lib/j
son_web_token
/rsa_token_spec.rb
View file @
f4f9184a
describe
J
WT
::
RSAToken
do
describe
J
SONWebToken
::
RSAToken
do
let
(
:rsa_key
)
{
generate_key
}
let
(
:rsa_key
)
{
generate_key
}
let
(
:rsa_token
)
{
described_class
.
new
(
nil
)
}
let
(
:rsa_token
)
{
described_class
.
new
(
nil
)
}
let
(
:rsa_encoded
)
{
rsa_token
.
encoded
}
let
(
:rsa_encoded
)
{
rsa_token
.
encoded
}
...
...
spec/lib/j
wt
/token_spec.rb
→
spec/lib/j
son_web_token
/token_spec.rb
View file @
f4f9184a
describe
J
WT
::
Token
do
describe
J
SONWebToken
::
Token
do
let
(
:token
)
{
described_class
.
new
}
let
(
:token
)
{
described_class
.
new
}
context
'custom parameters'
do
context
'custom parameters'
do
...
...
spec/services/auth/container_registry_authentication_service_spec.rb
View file @
f4f9184a
...
@@ -18,7 +18,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
...
@@ -18,7 +18,7 @@ describe Auth::ContainerRegistryAuthenticationService, services: true do
before
do
before
do
allow
(
Gitlab
.
config
.
registry
).
to
receive_messages
(
registry_settings
)
allow
(
Gitlab
.
config
.
registry
).
to
receive_messages
(
registry_settings
)
allow_any_instance_of
(
J
WT
::
RSAToken
).
to
receive
(
:key
).
and_return
(
rsa_key
)
allow_any_instance_of
(
J
SONWebToken
::
RSAToken
).
to
receive
(
:key
).
and_return
(
rsa_key
)
end
end
shared_examples
'an authenticated'
do
shared_examples
'an authenticated'
do
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment