2018-12-13 13:39:08 +05:30
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2016-09-29 09:46:39 +05:30
|
|
|
module Gitlab
|
|
|
|
class LfsToken
|
2019-02-15 15:39:39 +05:30
|
|
|
module LfsTokenHelper
|
|
|
|
def user?
|
|
|
|
actor.is_a?(User)
|
|
|
|
end
|
|
|
|
|
|
|
|
def actor_name
|
|
|
|
user? ? actor.username : "lfs+deploy-key-#{actor.id}"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
include LfsTokenHelper
|
2016-09-29 09:46:39 +05:30
|
|
|
|
2019-02-15 15:39:39 +05:30
|
|
|
DEFAULT_EXPIRE_TIME = 1800
|
|
|
|
|
|
|
|
attr_accessor :actor
|
2019-01-03 12:48:30 +05:30
|
|
|
|
2016-09-29 09:46:39 +05:30
|
|
|
def initialize(actor)
|
|
|
|
@actor =
|
|
|
|
case actor
|
|
|
|
when DeployKey, User
|
|
|
|
actor
|
|
|
|
when Key
|
|
|
|
actor.user
|
|
|
|
else
|
|
|
|
raise 'Bad Actor'
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2019-07-07 11:18:12 +05:30
|
|
|
def token
|
|
|
|
HMACToken.new(actor).token(DEFAULT_EXPIRE_TIME)
|
2019-02-15 15:39:39 +05:30
|
|
|
end
|
2016-09-29 09:46:39 +05:30
|
|
|
|
2019-12-21 20:55:43 +05:30
|
|
|
# When the token is an lfs one and the actor
|
|
|
|
# is blocked or the password has been changed,
|
|
|
|
# the token is no longer valid
|
2019-02-15 15:39:39 +05:30
|
|
|
def token_valid?(token_to_check)
|
2019-12-21 20:55:43 +05:30
|
|
|
HMACToken.new(actor).token_valid?(token_to_check) && valid_user?
|
2016-09-29 09:46:39 +05:30
|
|
|
end
|
|
|
|
|
2018-03-17 18:26:18 +05:30
|
|
|
def deploy_key_pushable?(project)
|
|
|
|
actor.is_a?(DeployKey) && actor.can_push_to?(project)
|
|
|
|
end
|
|
|
|
|
2019-01-03 12:48:30 +05:30
|
|
|
def type
|
2019-02-15 15:39:39 +05:30
|
|
|
user? ? :lfs_token : :lfs_deploy_token
|
2016-09-29 09:46:39 +05:30
|
|
|
end
|
|
|
|
|
2019-12-21 20:55:43 +05:30
|
|
|
def valid_user?
|
|
|
|
return true unless user?
|
|
|
|
|
|
|
|
!actor.blocked? && (!actor.allow_password_authentication? || !actor.password_expired?)
|
|
|
|
end
|
|
|
|
|
2019-07-07 11:18:12 +05:30
|
|
|
def authentication_payload(repository_http_path)
|
|
|
|
{
|
|
|
|
username: actor_name,
|
|
|
|
lfs_token: token,
|
|
|
|
repository_http_path: repository_http_path,
|
|
|
|
expires_in: DEFAULT_EXPIRE_TIME
|
|
|
|
}
|
|
|
|
end
|
|
|
|
|
2019-12-21 20:55:43 +05:30
|
|
|
def basic_encoding
|
|
|
|
ActionController::HttpAuthentication::Basic.encode_credentials(actor_name, token)
|
|
|
|
end
|
|
|
|
|
2019-03-02 22:35:43 +05:30
|
|
|
private # rubocop:disable Lint/UselessAccessModifier
|
2019-02-15 15:39:39 +05:30
|
|
|
|
|
|
|
class HMACToken
|
|
|
|
include LfsTokenHelper
|
|
|
|
|
|
|
|
def initialize(actor)
|
|
|
|
@actor = actor
|
|
|
|
end
|
|
|
|
|
|
|
|
def token(expire_time)
|
|
|
|
hmac_token = JSONWebToken::HMACToken.new(secret)
|
|
|
|
hmac_token.expire_time = Time.now + expire_time
|
|
|
|
hmac_token[:data] = { actor: actor_name }
|
|
|
|
hmac_token.encoded
|
|
|
|
end
|
|
|
|
|
|
|
|
def token_valid?(token_to_check)
|
|
|
|
decoded_token = JSONWebToken::HMACToken.decode(token_to_check, secret).first
|
|
|
|
decoded_token.dig('data', 'actor') == actor_name
|
|
|
|
rescue JWT::DecodeError
|
|
|
|
false
|
|
|
|
end
|
|
|
|
|
|
|
|
private
|
|
|
|
|
|
|
|
attr_reader :actor
|
|
|
|
|
|
|
|
def secret
|
|
|
|
salt + key
|
|
|
|
end
|
|
|
|
|
|
|
|
def salt
|
|
|
|
case actor
|
|
|
|
when DeployKey, Key
|
|
|
|
actor.fingerprint.delete(':').first(16)
|
|
|
|
when User
|
|
|
|
# Take the last 16 characters as they're more unique than the first 16
|
|
|
|
actor.id.to_s + actor.encrypted_password.last(16)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def key
|
|
|
|
# Take 16 characters of attr_encrypted_db_key_base, as that's what the
|
|
|
|
# cipher needs exactly
|
|
|
|
Settings.attr_encrypted_db_key_base.first(16)
|
|
|
|
end
|
2019-01-03 12:48:30 +05:30
|
|
|
end
|
2016-09-29 09:46:39 +05:30
|
|
|
end
|
|
|
|
end
|