Change format of the scope of JWT tokens for repositories

322bba86 · Valery Sizov · d3be0812 · 322bba86 · 322bba86 · 322bba86
Commit 322bba86 authored Feb 20, 2019 by Valery Sizov
5 changed files
--- a/ee/app/services/geo/base_sync_service.rb
+++ b/ee/app/services/geo/base_sync_service.rb
@@ -104,7 +104,7 @@ module Geo
    # Build a JWT header for authentication
    def jwt_authentication_header
      authorization = ::Gitlab::Geo::RepoSyncRequest.new(
-        scope: ::Gitlab::Geo::JwtRequestDecoder.build_repository_scope(type, project.id)
+        scope: project.repository.full_path
      ).authorization

      { "http.#{remote_url}.extraHeader" => "Authorization: #{authorization}" }

--- a/ee/lib/gitlab/geo/git_push_ssh_proxy.rb
+++ b/ee/lib/gitlab/geo/git_push_ssh_proxy.rb
@@ -105,10 +105,14 @@ module Gitlab
      def base_headers
        @base_headers ||= {
          'Geo-GL-Id' => gl_id,
-          'Authorization' => Gitlab::Geo::BaseRequest.new.authorization
+          'Authorization' => Gitlab::Geo::BaseRequest.new(scope: auth_scope).authorization
        }
      end

+      def auth_scope
+        URI.parse(primary_repo).path.gsub(/(^\/|\.git$)/, '')
+      end
+
      def get(url, headers)
        request(url, Net::HTTP::Get, headers)
      end

--- a/ee/lib/gitlab/geo/jwt_request_decoder.rb
+++ b/ee/lib/gitlab/geo/jwt_request_decoder.rb
@@ -12,10 +12,6 @@ module Gitlab
        token_type == ::Gitlab::Geo::BaseRequest::GITLAB_GEO_AUTH_TOKEN_TYPE
      end

-      def self.build_repository_scope(repository_type, project_id)
-        [repository_type, project_id].join('-')
-      end
-
      attr_reader :auth_header

      def initialize(auth_header)

--- a/ee/spec/lib/gitlab/geo/git_push_ssh_proxy_spec.rb
+++ b/ee/spec/lib/gitlab/geo/git_push_ssh_proxy_spec.rb
@@ -69,6 +69,14 @@ describe Gitlab::Geo::GitPushSSHProxy, :geo do
        let(:info_refs_headers) { base_headers.merge('Content-Type' => 'application/x-git-upload-pack-request') }
        let(:info_refs_http_body_full) { "001f# service=git-receive-pack\n0000#{info_refs_body_short}" }

+        context 'authorization header is scoped' do
+          it 'returns a Gitlab::Geo::GitPushSSHProxy::APIResponse' do
+            expect(Gitlab::Geo::BaseRequest).to receive(:new).with(scope: project.repository.full_path)
+
+            subject.info_refs
+          end
+        end
+
        context 'with a failed response' do
          let(:error_msg) { 'execution expired' }


--- a/ee/spec/lib/gitlab/geo/jwt_request_decoder_spec.rb
+++ b/ee/spec/lib/gitlab/geo/jwt_request_decoder_spec.rb
@@ -7,12 +7,6 @@ describe Gitlab::Geo::JwtRequestDecoder do

  subject { described_class.new(request.headers['Authorization']) }

-  describe ".build_repository_scope" do
-    it 'returns a scope that consolidates repository type and project id' do
-      expect(described_class.build_repository_scope('wiki', 5)).to eq('wiki-5')
-    end
-  end
-
  describe '#decode' do
    it 'decodes correct data' do
      expect(subject.decode).to eq(data)