Commit daca2144 authored by Kamil Trzcinski

Make code more clear in what is done

parent 9f679ac2
...@@ -8,8 +8,9 @@ class JwtController < ApplicationController ...@@ -8,8 +8,9 @@ class JwtController < ApplicationController
def auth def auth
@authenticated = authenticate_with_http_basic do |login, password| @authenticated = authenticate_with_http_basic do |login, password|
@ci_project = ci_project(login, password) # if it's possible we first try to authenticate project with login and password
@user = authenticate_user(login, password) unless @ci_project @project = authenticate_project(login, password)
@user = authenticate_user(login, password) unless @project
end end
unless @authenticated unless @authenticated
...@@ -19,7 +20,7 @@ class JwtController < ApplicationController ...@@ -19,7 +20,7 @@ class JwtController < ApplicationController
service = SERVICES[params[:service]] service = SERVICES[params[:service]]
head :not_found unless service head :not_found unless service
result = service.new(@ci_project, @user, auth_params).execute result = service.new(@project, @user, auth_params).execute
return head result[:http_status] if result[:http_status] return head result[:http_status] if result[:http_status]
render json: result render json: result
...@@ -31,7 +32,7 @@ class JwtController < ApplicationController ...@@ -31,7 +32,7 @@ class JwtController < ApplicationController
params.permit(:service, :scope, :offline_token, :account, :client_id) params.permit(:service, :scope, :offline_token, :account, :client_id)
end end
def ci_project(login, password) def authenticate_project(login, password)
matched_login = /(?<s>^[a-zA-Z]*-ci)-token$/.match(login) matched_login = /(?<s>^[a-zA-Z]*-ci)-token$/.match(login)
if matched_login.present? if matched_login.present?
......
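Review bot: In the first hunk (the `auth` action), `@authenticated` is assigned the block's value, but the block's last expression on the new side is `@user = authenticate_user(login, password) unless @project`, and a modifier-`unless` statement evaluates to `nil` when its condition holds — so a request that successfully authenticates as a project via the CI token leaves `@authenticated` falsy and falls into the `unless @authenticated` branch (whose body continues outside the hunk). The renamed code keeps this shape from the old side, so the commit does not address it. Make the block's outcome explicit by adding `@project || @user` as its final line, after the `@user = ...` assignment, so either kind of successful authentication counts. This also documents the intended precedence (project first, then user) that the new comment only describes in prose.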
...@@ -5,12 +5,12 @@ module Jwt ...@@ -5,12 +5,12 @@ module Jwt
return error('forbidden', 403) unless current_user return error('forbidden', 403) unless current_user
end end
{ token: token.encoded } { token: authorized_token.encoded }
end end
private private
def token def authorized_token
token = ::Jwt::RSAToken.new(registry.key) token = ::Jwt::RSAToken.new(registry.key)
token.issuer = registry.issuer token.issuer = registry.issuer
token.audience = params[:service] token.audience = params[:service]
...@@ -37,22 +37,22 @@ module Jwt ...@@ -37,22 +37,22 @@ module Jwt
end end
def process_repository_access(type, name, actions) def process_repository_access(type, name, actions)
current_project = Project.find_with_namespace(name) requested_project = Project.find_with_namespace(name)
return unless current_project return unless requested_project
actions = actions.select do |action| actions = actions.select do |action|
can_access?(current_project, action) can_access?(requested_project, action)
end end
{ type: type, name: name, actions: actions } if actions { type: type, name: name, actions: actions } if actions
end end
def can_access?(current_project, action) def can_access?(requested_project, requested_action)
case action case requested_action
when 'pull' when 'pull'
current_project == project || can?(current_user, :download_code, current_project) requested_project.public? || requested_project == project || can?(current_user, :download_code, requested_project)
when 'push' when 'push'
current_project == project || can?(current_user, :push_code, current_project) requested_project == project || can?(current_user, :push_code, requested_project)
else else
false false
end end
......
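Review bot: The `if actions` guard on the return line of `process_repository_access` is always true, because `Array#select` returns an array even when every requested action was rejected, so a scope the caller may not act on still yields an access entry with `actions: []`; if the intent is to omit such entries, the line should read `{ type: type, name: name, actions: actions } unless actions.empty?`. In `can_access?`, the newly added `requested_project.public?` on the `pull` branch grants pull without consulting `current_user`, which presumably is meant to cover anonymous clients, since the `return error('forbidden', 403) unless current_user` guard in `execute` sits under a condition that starts before the hunk and so is not unconditional. That intent is worth stating on the line: `# anyone, authenticated or not, may pull from a public project`. Also, the `:push` branch still relies solely on `requested_project == project` for the CI-token path; a comment noting that `project` is the project authenticated by runner token in the controller would help readers of this service, whose class header is outside the hunk.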