# frozen_string_literal: true
module Auth
  # Issues a short-lived, HMAC-signed JWT that lets an already-authenticated
  # actor (a signed-in user, a project bot backed by an access token, or a
  # deploy token) use the dependency proxy.
  #
  # `current_user`, `params` and `error` come from BaseService (outside this
  # file); the actor's granted abilities arrive as `authentication_abilities:`.
  class DependencyProxyAuthenticationService < BaseService
    AUDIENCE = 'dependency_proxy'
    # Fixed label fed into the key derivation so the signing secret is
    # specific to this service instead of being the raw db key base itself.
    HMAC_KEY = 'gitlab-dependency-proxy'
    # NOTE(review): not referenced by any method in this file; the issued
    # token's expiry is taken from the container registry setting in
    # .token_expire_at — confirm whether this constant is still needed.
    DEFAULT_EXPIRE_TIME = 1.minute
    # Abilities a project bot's access token must carry to be accepted when
    # the scope check is enabled.
    REQUIRED_ABILITIES = %i[read_container_image create_container_image].freeze

    # Service entry point.
    #
    # @param authentication_abilities [Array<Symbol>] abilities granted to the actor
    # @return [Hash] `{ token: <encoded JWT> }` when authorized; otherwise the
    #   BaseService error hash — 404 if the dependency proxy is disabled,
    #   403 if the actor is rejected by #valid_user_actor?
    def execute(authentication_abilities:)
      return error('dependency proxy not enabled', 404) unless ::Gitlab.config.dependency_proxy.enabled
      return error('access forbidden', 403) unless valid_user_actor?(authentication_abilities)

      { token: authorized_token.encoded }
    end

    class << self
      include ::Gitlab::Utils::StrongMemoize

      # Signing secret for issued tokens: HMAC-SHA256 over HMAC_KEY, keyed
      # with the instance's db key base. Memoized, so the derivation runs once
      # per process.
      #
      # @return [String] hex digest
      def secret
        strong_memoize(:secret) do
          OpenSSL::HMAC.hexdigest('sha256', ::Settings.attr_encrypted_db_key_base, HMAC_KEY)
        end
      end

      # Expiry timestamp for a token issued now, driven by the container
      # registry token expire delay setting (interpreted as minutes).
      #
      # @return [Time] current time plus the configured delay
      def token_expire_at
        delay = Gitlab::CurrentSettings.container_registry_token_expire_delay.minutes
        Time.current + delay
      end
    end

    private

    # Authorization decision for the actor.
    #
    # With the scope-check feature flag on (evaluated for the deploy token's
    # user, falling back to the current user), the actor must be one of:
    # a deploy token valid for the dependency proxy; a project bot whose raw
    # token resolves to an active access token carrying REQUIRED_ABILITIES;
    # or any other signed-in user. With the flag off, any signed-in user or a
    # valid deploy token is accepted.
    #
    # @param authentication_abilities [Array<Symbol>]
    # @return [Object, Boolean, nil] truthy when authorized (used as a predicate)
    def valid_user_actor?(authentication_abilities)
      actor = deploy_token&.user || current_user
      scope_check = Feature.enabled?(:packages_dependency_proxy_containers_scope_check, actor)

      return current_user || valid_deploy_token? unless scope_check

      return deploy_token.valid_for_dependency_proxy? if deploy_token
      return current_user unless current_user&.project_bot?

      group_access_token&.active? && has_required_abilities?(authentication_abilities)
    end

    # True when every ability in REQUIRED_ABILITIES is present in the
    # abilities granted to the actor.
    #
    # @param authentication_abilities [Array<Symbol>]
    # @return [Boolean]
    def has_required_abilities?(authentication_abilities)
      (REQUIRED_ABILITIES - authentication_abilities).empty?
    end

    # Resolves the raw token presented by a project bot to an active personal
    # access token record (nil when none matches).
    def group_access_token
      finder = PersonalAccessTokensFinder.new(state: 'active')
      finder.find_by_token(raw_token)
    end

    # Legacy (flag-off) deploy token check.
    #
    # @return [Boolean, nil] nil when no deploy token was supplied
    def valid_deploy_token?
      token = deploy_token
      token && token.valid_for_dependency_proxy?
    end

    # Builds the signed token returned to the client, carrying the user id
    # and/or deploy token value as claims plus the computed expiry.
    #
    # NOTE(review): if HMACToken is a standard JWS, its claims are signed but
    # not encrypted, so `deploy_token.token` is readable by whoever holds the
    # issued token — presumably acceptable because that bearer presented the
    # deploy token to obtain it; confirm this is intended.
    def authorized_token
      token = JSONWebToken::HMACToken.new(self.class.secret)
      token['user_id'] = current_user.id if current_user
      token['deploy_token'] = deploy_token.token if deploy_token
      token.expire_time = self.class.token_expire_at
      token
    end

    # Deploy token object supplied by the caller, if any.
    def deploy_token
      params[:deploy_token]
    end

    # Raw access-token string supplied by the caller, if any.
    def raw_token
      params[:raw_token]
    end
  end
end