diff options
| author | Kamil Trzcinski <ayufan@ayufan.eu> | 2016-05-14 19:11:48 +0300 |
|---|---|---|
| committer | Kamil Trzcinski <ayufan@ayufan.eu> | 2016-05-14 19:11:48 +0300 |
| commit | 63cdf1aeb04b9694c0b6d44b1141868fcc5a0904 (patch) | |
| tree | 120712f0af4d3dc9e8916dc39e3052fbf4d6b000 /app/services/auth | |
| parent | 774a5107822d3d451b88ed3a7257aeac8d91c35a (diff) | |
Use Auth::ContainerRegistryAuthenticationService
Diffstat (limited to 'app/services/auth')
| -rw-r--r-- | app/services/auth/container_registry_authentication_service.rb | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb new file mode 100644 index 00000000000..0323a42b697 --- /dev/null +++ b/app/services/auth/container_registry_authentication_service.rb @@ -0,0 +1,69 @@ +module Auth + class ContainerRegistryAuthenticationService < BaseService + def execute + if params[:offline_token] + return error('forbidden', 403) unless current_user + end + + return error('forbidden', 401) if scopes.blank? + + { token: authorized_token(scopes).encoded } + end + + private + + def authorized_token(access) + token = ::JWT::RSAToken.new(registry.key) + token.issuer = registry.issuer + token.audience = params[:service] + token.subject = current_user.try(:username) + token[:access] = access + token + end + + def scopes + return unless params[:scope] + + @scopes ||= begin + scope = process_scope(params[:scope]) + [scope].compact + end + end + + def process_scope(scope) + type, name, actions = scope.split(':', 3) + actions = actions.split(',') + + case type + when 'repository' + process_repository_access(type, name, actions) + end + end + + def process_repository_access(type, name, actions) + requested_project = Project.find_with_namespace(name) + return unless requested_project + + actions = actions.select do |action| + can_access?(requested_project, action) + end + + { type: type, name: name, actions: actions } if actions.present? + end + + def can_access?(requested_project, requested_action) + case requested_action + when 'pull' + requested_project.public? || requested_project == project || can?(current_user, :read_container_registry, requested_project) + when 'push' + requested_project == project || can?(current_user, :create_container_registry, requested_project) + else + false + end + end + + def registry + Gitlab.config.registry + end + end +end |