debian-mirror-gitlab/app/services/auth/dependency_proxy_authentication_service.rb

# frozen_string_literal: true
module Auth
  # Issues the JWT that a client presents to the dependency proxy.
  #
  # The caller is accepted when either a current user is set or the
  # `:deploy_token` param holds a deploy token that reports itself valid for
  # the dependency proxy. The resulting token is built with
  # JSONWebToken::HMACToken using the class-level secret below.
  class DependencyProxyAuthenticationService < BaseService
    # NOTE(review): AUDIENCE and DEFAULT_EXPIRE_TIME are not referenced anywhere
    # in this class as shown; the expiry actually applied comes from
    # `token_expire_at`. Confirm whether other code relies on these constants.
    AUDIENCE = 'dependency_proxy'
    # Fixed label that is HMAC'd with the instance key base to derive the
    # signing secret. It is a label, not a secret in itself.
    HMAC_KEY = 'gitlab-dependency-proxy'
    DEFAULT_EXPIRE_TIME = 1.minute

    # Returns `{ token: <encoded JWT> }` on success, otherwise the result of
    # `error` with 404 (feature disabled) or 403 (no acceptable actor).
    #
    # @param authentication_abilities accepted as a keyword but not read by
    #   this method.
    def execute(authentication_abilities:)
      unless ::Gitlab.config.dependency_proxy.enabled
        return error('dependency proxy not enabled', 404)
      end

      unless valid_user_actor?
        return error('access forbidden', 403)
      end

      { token: authorized_token.encoded }
    end

    class << self
      include ::Gitlab::Utils::StrongMemoize

      # Signing secret for dependency proxy tokens: the hex HMAC-SHA256 of
      # HMAC_KEY keyed with `Settings.attr_encrypted_db_key_base`, memoized on
      # the class.
      #
      # NOTE(review): because the value is derived from the DB key base,
      # presumably every node that issues or verifies these tokens must share
      # that key base, and rotating it invalidates outstanding tokens. Confirm.
      def secret
        strong_memoize(:secret) do
          key_base = ::Settings.attr_encrypted_db_key_base

          OpenSSL::HMAC.hexdigest('sha256', key_base, HMAC_KEY)
        end
      end

      # Expiry timestamp for a token issued now. The lifetime is taken from the
      # container registry token expiry setting, in minutes.
      def token_expire_at
        issued_at = Time.current
        lifetime = Gitlab::CurrentSettings.container_registry_token_expire_delay.minutes

        issued_at + lifetime
      end
    end

    private

    # Truthy when there is a current user, or failing that a deploy token that
    # passes `valid_deploy_token?`. The deploy token is not checked at all when
    # a current user is present.
    def valid_user_actor?
      current_user || valid_deploy_token?
    end

    # Truthy only when a deploy token was supplied and it reports itself valid
    # for the dependency proxy.
    def valid_deploy_token?
      candidate = deploy_token

      candidate && candidate.valid_for_dependency_proxy?
    end

    # Builds the HMAC token carrying the actor claims and the expiry.
    #
    # NOTE(review): the `deploy_token` claim carries the deploy token's own
    # `token` value. If the JWT is signed but not encrypted (confirm against
    # JSONWebToken::HMACToken), anyone holding it can read that value, so it
    # should be kept out of logs and treated as sensitively as the deploy
    # token.
    #
    # NOTE(review): the claim is added whenever a deploy token param is
    # present, while `valid_user_actor?` skips `valid_for_dependency_proxy?`
    # if a current user is set. Confirm that callers never pass both, or that
    # the verifying side re-validates the deploy token.
    def authorized_token
      jwt = JSONWebToken::HMACToken.new(self.class.secret)

      jwt['user_id'] = current_user.id if current_user
      jwt['deploy_token'] = deploy_token.token if deploy_token
      jwt.expire_time = self.class.token_expire_at

      jwt
    end

    # The deploy token passed in through the service params, if any.
    def deploy_token
      params[:deploy_token]
    end
  end
end