blob: 26343a3a9db8fca28e29e3bae2da8e57ea31cfc4 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
|
# frozen_string_literal: true
module Integrations
module GoogleCloudPlatform
class Jwt < ::JSONWebToken::RSAToken
extend ::Gitlab::Utils::Override
JWT_OPTIONS_ERROR = 'This jwt needs jwt claims audience and wlif to be set.'
NoSigningKeyError = Class.new(StandardError)
def initialize(project:, user:, claims:)
super
raise ArgumentError, JWT_OPTIONS_ERROR if claims[:audience].blank? || claims[:wlif].blank?
@claims = claims
@project = project
@user = user
end
def encoded
@custom_payload.merge!(custom_claims)
super
end
private
override :subject
def subject
"project_#{@project.id}_user_#{@user.id}"
end
override :key_data
def key_data
@key_data ||= begin
# TODO Feels strange to use the CI signing key but do
# we have a different signing key?
key_data = Gitlab::CurrentSettings.ci_jwt_signing_key
raise NoSigningKeyError unless key_data
key_data
end
end
def custom_claims
{
namespace_id: namespace.id.to_s,
namespace_path: namespace.full_path,
root_namespace_path: root_namespace.full_path,
root_namespace_id: root_namespace.id.to_s,
project_id: @project.id.to_s,
project_path: @project.full_path,
user_id: @user&.id.to_s,
user_login: @user&.username,
user_email: @user&.email,
wlif: @claims[:wlif]
}
end
def namespace
@project.namespace
end
def root_namespace
@project.root_namespace
end
override :issuer
def issuer
Feature.enabled?(:oidc_issuer_url) ? Gitlab.config.gitlab.url : Settings.gitlab.base_url
end
override :audience
def audience
@claims[:audience]
end
override :kid
def kid
rsa_key = OpenSSL::PKey::RSA.new(key_data)
rsa_key.public_key.to_jwk[:kid]
end
end
end
end
|