diff options
author | Krasimir Angelov <kangelov@gitlab.com> | 2019-09-04 02:03:20 +0300 |
---|---|---|
committer | Krasimir Angelov <kangelov@gitlab.com> | 2019-09-04 02:03:20 +0300 |
commit | 4c63c631922b4b86ad4d3a5f61104d1455d046b2 (patch) | |
tree | d580ed15c37453770860589aa9d9f5f262a5e309 /lib/gitlab/jwt_authenticatable.rb | |
parent | 89409a1925d65d4a62b523b5a7c0650287250cb5 (diff) |
Extract Workhorse <-> GitLab authentication to make it reusable
Introduce JWTAutheticatable module that can be reused for ai=uthtication
between Pages and GitLab (the same way we use do now for Workhorse).
Related to https://gitlab.com/gitlab-org/gitlab-ce/issues/61927.
Diffstat (limited to 'lib/gitlab/jwt_authenticatable.rb')
-rw-r--r-- | lib/gitlab/jwt_authenticatable.rb | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/lib/gitlab/jwt_authenticatable.rb b/lib/gitlab/jwt_authenticatable.rb new file mode 100644 index 00000000000..1270a148e8d --- /dev/null +++ b/lib/gitlab/jwt_authenticatable.rb @@ -0,0 +1,42 @@ +# frozen_string_literal: true + +module Gitlab + module JwtAuthenticatable + # Supposedly the effective key size for HMAC-SHA256 is 256 bits, i.e. 32 + # bytes https://tools.ietf.org/html/rfc4868#section-2.6 + SECRET_LENGTH = 32 + + def self.included(base) + base.extend(ClassMethods) + end + + module ClassMethods + include Gitlab::Utils::StrongMemoize + + def decode_jwt_for_issuer(issuer, encoded_message) + JWT.decode( + encoded_message, + secret, + true, + { iss: issuer, verify_iss: true, algorithm: 'HS256' } + ) + end + + def secret + strong_memoize(:secret) do + Base64.strict_decode64(File.read(secret_path).chomp).tap do |bytes| + raise "#{secret_path} does not contain #{SECRET_LENGTH} bytes" if bytes.length != SECRET_LENGTH + end + end + end + + def write_secret + bytes = SecureRandom.random_bytes(SECRET_LENGTH) + File.open(secret_path, 'w:BINARY', 0600) do |f| + f.chmod(0600) # If the file already existed, the '0600' passed to 'open' above was a no-op. + f.write(Base64.strict_encode64(bytes)) + end + end + end + end +end |