Commit 2cb1d617 authored by Shinya Maeda's avatar Shinya Maeda

Use expires_in for access_token validation

parent 5663b480
module GoogleApi module GoogleApi
class AuthorizationsController < ApplicationController class AuthorizationsController < ApplicationController
def callback def callback
session[GoogleApi::CloudPlatform::Client.session_key_for_token] = token, expires_at = GoogleApi::CloudPlatform::Client
GoogleApi::CloudPlatform::Client.new(nil, callback_google_api_authorizations_url) .new(nil, callback_google_api_authorizations_url)
.get_token(params[:code]) .get_token(params[:code])
session[GoogleApi::CloudPlatform::Client.session_key_for_token] = token
session[GoogleApi::CloudPlatform::Client.session_key_for_expires_at] =
expires_at.to_s
if params[:state] if params[:state]
redirect_to params[:state] redirect_to params[:state]
......
...@@ -6,12 +6,11 @@ class Projects::ClustersController < Projects::ApplicationController ...@@ -6,12 +6,11 @@ class Projects::ClustersController < Projects::ApplicationController
def login def login
begin begin
@authorize_url = GoogleApi::CloudPlatform::Client.new( @authorize_url = GoogleApi::CloudPlatform::Client.new(
nil, nil, callback_google_api_authorizations_url,
callback_google_api_authorizations_url,
state: namespace_project_clusters_url.to_s state: namespace_project_clusters_url.to_s
).authorize_url ).authorize_url
rescue GoogleApi::Auth::ConfigMissingError rescue GoogleApi::Auth::ConfigMissingError
# Show an alert message that gitlab.yml is not configured properly # no-op
end end
end end
...@@ -83,12 +82,19 @@ class Projects::ClustersController < Projects::ApplicationController ...@@ -83,12 +82,19 @@ class Projects::ClustersController < Projects::ApplicationController
end end
def authorize_google_api def authorize_google_api
unless token_in_session unless GoogleApi::CloudPlatform::Client.new(token_in_session, nil)
.validate_token(expires_at_in_session)
redirect_to action: 'login' redirect_to action: 'login'
end end
end end
def token_in_session def token_in_session
@token_in_session ||= session[GoogleApi::CloudPlatform::Client.session_key_for_token] @token_in_session ||=
session[GoogleApi::CloudPlatform::Client.session_key_for_token]
end
def expires_at_in_session
@expires_at_in_session ||=
session[GoogleApi::CloudPlatform::Client.session_key_for_expires_at]
end end
end end
...@@ -19,7 +19,8 @@ module GoogleApi ...@@ -19,7 +19,8 @@ module GoogleApi
end end
def get_token(code) def get_token(code)
client.auth_code.get_token(code, redirect_uri: redirect_uri).token ret = client.auth_code.get_token(code, redirect_uri: redirect_uri)
return ret.token, ret.expires_at
end end
protected protected
......
...@@ -9,12 +9,28 @@ module GoogleApi ...@@ -9,12 +9,28 @@ module GoogleApi
def session_key_for_token def session_key_for_token
:cloud_platform_access_token :cloud_platform_access_token
end end
def session_key_for_expires_at
:cloud_platform_expires_at
end
end end
def scope def scope
'https://www.googleapis.com/auth/cloud-platform' 'https://www.googleapis.com/auth/cloud-platform'
end end
def validate_token(expires_at)
return false unless access_token
return false unless expires_at
# Making sure that the token will have been still alive during the cluster creation.
unless DateTime.strptime(expires_at, '%s').to_time > Time.now + 10.minutes
return false
end
true
end
def projects_zones_clusters_get(project_id, zone, cluster_id) def projects_zones_clusters_get(project_id, zone, cluster_id)
service = Google::Apis::ContainerV1::ContainerService.new service = Google::Apis::ContainerV1::ContainerService.new
service.authorization = access_token service.authorization = access_token
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment