diff options
| author | Krasimir Angelov <kangelov@gitlab.com> | 2019-09-04 02:03:20 +0300 |
|---|---|---|
| committer | Krasimir Angelov <kangelov@gitlab.com> | 2019-09-04 02:03:20 +0300 |
| commit | 4c63c631922b4b86ad4d3a5f61104d1455d046b2 (patch) | |
| tree | d580ed15c37453770860589aa9d9f5f262a5e309 /lib/gitlab/workhorse.rb | |
| parent | 89409a1925d65d4a62b523b5a7c0650287250cb5 (diff) | |
Extract Workhorse <-> GitLab authentication to make it reusable
Introduce JWTAutheticatable module that can be reused for ai=uthtication
between Pages and GitLab (the same way we use do now for Workhorse).
Related to https://gitlab.com/gitlab-org/gitlab-ce/issues/61927.
Diffstat (limited to 'lib/gitlab/workhorse.rb')
| -rw-r--r-- | lib/gitlab/workhorse.rb | 28 |
1 files changed, 2 insertions, 26 deletions
diff --git a/lib/gitlab/workhorse.rb b/lib/gitlab/workhorse.rb index 29087d26007..139ec6e384a 100644 --- a/lib/gitlab/workhorse.rb +++ b/lib/gitlab/workhorse.rb @@ -15,9 +15,7 @@ module Gitlab ALLOWED_GIT_HTTP_ACTIONS = %w[git_receive_pack git_upload_pack info_refs].freeze DETECT_HEADER = 'Gitlab-Workhorse-Detect-Content-Type'.freeze - # Supposedly the effective key size for HMAC-SHA256 is 256 bits, i.e. 32 - # bytes https://tools.ietf.org/html/rfc4868#section-2.6 - SECRET_LENGTH = 32 + include JwtAuthenticatable class << self def git_http_ok(repository, repo_type, user, action, show_all_refs: false) @@ -187,34 +185,12 @@ module Gitlab path.readable? ? path.read.chomp : 'unknown' end - def secret - @secret ||= begin - bytes = Base64.strict_decode64(File.read(secret_path).chomp) - raise "#{secret_path} does not contain #{SECRET_LENGTH} bytes" if bytes.length != SECRET_LENGTH - - bytes - end - end - - def write_secret - bytes = SecureRandom.random_bytes(SECRET_LENGTH) - File.open(secret_path, 'w:BINARY', 0600) do |f| - f.chmod(0600) # If the file already existed, the '0600' passed to 'open' above was a no-op. - f.write(Base64.strict_encode64(bytes)) - end - end - def verify_api_request!(request_headers) decode_jwt(request_headers[INTERNAL_API_REQUEST_HEADER]) end def decode_jwt(encoded_message) - JWT.decode( - encoded_message, - secret, - true, - { iss: 'gitlab-workhorse', verify_iss: true, algorithm: 'HS256' } - ) + decode_jwt_for_issuer('gitlab-workhorse', encoded_message) end def secret_path |