
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
author🤖 GitLab Bot 🤖 <gitlab-bot@gitlab.com>2018-12-05 10:03:28 +0300
committer🤖 GitLab Bot 🤖 <gitlab-bot@gitlab.com>2018-12-05 10:03:28 +0300
commit00acef434031b5dc0bf39576a9e83802c7806842 (patch)
tree2cdc969cd6ee72f65bb7e6ee32841fad246ee2d0 /lib/gitlab/lfs_token.rb
parentdcc395b4730eb5a1f0fc3314195dcf46a4a8e093 (diff)
Revert "LfsToken uses JSONWebToken::HMACToken by default"
This reverts commit 22954f220231281360377922b709efb904559949
Diffstat (limited to 'lib/gitlab/lfs_token.rb')
-rw-r--r--lib/gitlab/lfs_token.rb121
1 files changed, 19 insertions, 102 deletions
diff --git a/lib/gitlab/lfs_token.rb b/lib/gitlab/lfs_token.rb
index c09d3ebc7be..05d3096a208 100644
--- a/lib/gitlab/lfs_token.rb
+++ b/lib/gitlab/lfs_token.rb
@@ -2,22 +2,11 @@
module Gitlab
class LfsToken
- module LfsTokenHelper
- def user?
- actor.is_a?(User)
- end
-
- def actor_name
- user? ? actor.username : "lfs+deploy-key-#{actor.id}"
- end
- end
-
- include LfsTokenHelper
-
- DEFAULT_EXPIRE_TIME = 1800
-
attr_accessor :actor
+ TOKEN_LENGTH = 50
+ EXPIRY_TIME = 1800
+
def initialize(actor)
@actor =
case actor
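Review bot: `EXPIRY_TIME = 1800` carries no unit, and the legacy constant removed further down was in milliseconds (`1800 * 1000`, passed as `px:`), so the switch of unit is easy to misread. A trailing comment would settle it: `EXPIRY_TIME = 1800 # seconds (30 minutes); passed to Redis as ex:`. The `initialize` body that starts at the end of this hunk continues outside it.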
@@ -30,108 +19,36 @@ module Gitlab
end
end
- def token(expire_time: DEFAULT_EXPIRE_TIME)
- HMACToken.new(actor).token(expire_time)
- end
+ def token
+ Gitlab::Redis::SharedState.with do |redis|
+ token = redis.get(redis_shared_state_key)
+ token ||= Devise.friendly_token(TOKEN_LENGTH)
+ redis.set(redis_shared_state_key, token, ex: EXPIRY_TIME)
- def token_valid?(token_to_check)
- HMACToken.new(actor).token_valid?(token_to_check) ||
- LegacyRedisDeviseToken.new(actor).token_valid?(token_to_check)
+ token
+ end
end
def deploy_key_pushable?(project)
actor.is_a?(DeployKey) && actor.can_push_to?(project)
end
+ def user?
+ actor.is_a?(User)
+ end
+
def type
user? ? :lfs_token : :lfs_deploy_token
end
- private # rubocop:disable Lint/UselessAccessModifier
-
- class HMACToken
- include LfsTokenHelper
-
- def initialize(actor)
- @actor = actor
- end
-
- def token(expire_time)
- hmac_token = JSONWebToken::HMACToken.new(secret)
- hmac_token.expire_time = Time.now + expire_time
- hmac_token[:data] = { actor: actor_name }
- hmac_token.encoded
- end
-
- def token_valid?(token_to_check)
- decoded_token = JSONWebToken::HMACToken.decode(token_to_check, secret).first
- decoded_token.dig('data', 'actor') == actor_name
- rescue JWT::DecodeError
- false
- end
-
- private
-
- attr_reader :actor
-
- def secret
- salt + key
- end
-
- def salt
- case actor
- when DeployKey, Key
- actor.fingerprint.delete(':').first(16)
- when User
- # Take the last 16 characters as they're more unique than the first 16
- actor.id.to_s + actor.encrypted_password.last(16)
- end
- end
-
- def key
- # Take 16 characters of attr_encrypted_db_key_base, as that's what the
- # cipher needs exactly
- Settings.attr_encrypted_db_key_base.first(16)
- end
+ def actor_name
+ actor.is_a?(User) ? actor.username : "lfs+deploy-key-#{actor.id}"
end
- # TODO: LegacyRedisDeviseToken and references need to be removed after
- # next released milestone
- #
- class LegacyRedisDeviseToken
- TOKEN_LENGTH = 50
- DEFAULT_EXPIRY_TIME = 1800 * 1000 # 30 mins
-
- def initialize(actor)
- @actor = actor
- end
-
- def token_valid?(token_to_check)
- Devise.secure_compare(stored_token, token_to_check)
- end
-
- def stored_token
- Gitlab::Redis::SharedState.with { |redis| redis.get(state_key) }
- end
-
- # This method exists purely to facilitate legacy testing to ensure the
- # same redis key is used.
- #
- def store_new_token(expiry_time_in_ms = DEFAULT_EXPIRY_TIME)
- Gitlab::Redis::SharedState.with do |redis|
- new_token = Devise.friendly_token(TOKEN_LENGTH)
- redis.set(state_key, new_token, px: expiry_time_in_ms)
- new_token
- end
- end
-
- private
+ private
- attr_reader :actor
-
- def state_key
- "gitlab:lfs_token:#{actor.class.name.underscore}_#{actor.id}"
- end
+ def redis_shared_state_key
+ "gitlab:lfs_token:#{actor.class.name.underscore}_#{actor.id}" if actor
end
end
end
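Review bot: In the restored `token`, `redis.set(redis_shared_state_key, token, ex: EXPIRY_TIME)` runs even when an existing token was read back, so every call renews the 30-minute TTL and a token that keeps being requested never expires. If a fixed lifetime is wanted, generate and store only inside an `unless token` branch; if the sliding window is intended, a comment on the method should say so. `redis_shared_state_key` returns nil when `actor` is nil, so the get and set would run against a nil key; whether `initialize` can leave `actor` nil is not visible in this diff, so an explicit guard or a comment is worth adding. With `token_valid?` removed, the comparison moves to callers outside this page, which should keep using a constant-time compare such as `Devise.secure_compare`.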