Commit 322bba86 authored by Valery Sizov's avatar Valery Sizov

Change format of the scope of JWT tokens for repositories

parent d3be0812
...@@ -104,7 +104,7 @@ module Geo ...@@ -104,7 +104,7 @@ module Geo
# Build a JWT header for authentication # Build a JWT header for authentication
def jwt_authentication_header def jwt_authentication_header
authorization = ::Gitlab::Geo::RepoSyncRequest.new( authorization = ::Gitlab::Geo::RepoSyncRequest.new(
scope: ::Gitlab::Geo::JwtRequestDecoder.build_repository_scope(type, project.id) scope: project.repository.full_path
).authorization ).authorization
{ "http.#{remote_url}.extraHeader" => "Authorization: #{authorization}" } { "http.#{remote_url}.extraHeader" => "Authorization: #{authorization}" }
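Review bot: The new `scope: project.repository.full_path` drops `type` from the scope, so if `jwt_authentication_header` is also used for wiki syncs the token would be bound to the project repository's path rather than the wiki's. The scope is better derived from the repository actually being fetched, with a comment such as `# scope must equal the repository path the token is checked against on the primary`. The scope also moves from the immutable project id to a path that changes on rename or transfer, so a spec covering a token minted just before a rename would be useful. The method body continues outside the hunk.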
......
...@@ -105,10 +105,14 @@ module Gitlab ...@@ -105,10 +105,14 @@ module Gitlab
def base_headers def base_headers
@base_headers ||= { @base_headers ||= {
'Geo-GL-Id' => gl_id, 'Geo-GL-Id' => gl_id,
'Authorization' => Gitlab::Geo::BaseRequest.new.authorization 'Authorization' => Gitlab::Geo::BaseRequest.new(scope: auth_scope).authorization
} }
end end
def auth_scope
URI.parse(primary_repo).path.gsub(/(^\/|\.git$)/, '')
end
def get(url, headers) def get(url, headers)
request(url, Net::HTTP::Get, headers) request(url, Net::HTTP::Get, headers)
end end
......
...@@ -12,10 +12,6 @@ module Gitlab ...@@ -12,10 +12,6 @@ module Gitlab
token_type == ::Gitlab::Geo::BaseRequest::GITLAB_GEO_AUTH_TOKEN_TYPE token_type == ::Gitlab::Geo::BaseRequest::GITLAB_GEO_AUTH_TOKEN_TYPE
end end
def self.build_repository_scope(repository_type, project_id)
[repository_type, project_id].join('-')
end
attr_reader :auth_header attr_reader :auth_header
def initialize(auth_header) def initialize(auth_header)
......
...@@ -69,6 +69,14 @@ describe Gitlab::Geo::GitPushSSHProxy, :geo do ...@@ -69,6 +69,14 @@ describe Gitlab::Geo::GitPushSSHProxy, :geo do
let(:info_refs_headers) { base_headers.merge('Content-Type' => 'application/x-git-upload-pack-request') } let(:info_refs_headers) { base_headers.merge('Content-Type' => 'application/x-git-upload-pack-request') }
let(:info_refs_http_body_full) { "001f# service=git-receive-pack\n0000#{info_refs_body_short}" } let(:info_refs_http_body_full) { "001f# service=git-receive-pack\n0000#{info_refs_body_short}" }
context 'authorization header is scoped' do
it 'returns a Gitlab::Geo::GitPushSSHProxy::APIResponse' do
expect(Gitlab::Geo::BaseRequest).to receive(:new).with(scope: project.repository.full_path)
subject.info_refs
end
end
context 'with a failed response' do context 'with a failed response' do
let(:error_msg) { 'execution expired' } let(:error_msg) { 'execution expired' }
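Review bot: The expectation in the new 'authorization header is scoped' example stubs `Gitlab::Geo::BaseRequest.new` without `.and_call_original`, so `new` returns nil and the `.authorization` call in `base_headers` is made on nil. The example then passes only if `info_refs` rescues that error, which is not visible here. Append `.and_call_original` (or return a double that responds to `authorization`) so the scoped header is actually built. The example should also be renamed, since it asserts the scope rather than 'returns a Gitlab::Geo::GitPushSSHProxy::APIResponse'.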
......
...@@ -7,12 +7,6 @@ describe Gitlab::Geo::JwtRequestDecoder do ...@@ -7,12 +7,6 @@ describe Gitlab::Geo::JwtRequestDecoder do
subject { described_class.new(request.headers['Authorization']) } subject { described_class.new(request.headers['Authorization']) }
describe ".build_repository_scope" do
it 'returns a scope that consolidates repository type and project id' do
expect(described_class.build_repository_scope('wiki', 5)).to eq('wiki-5')
end
end
describe '#decode' do describe '#decode' do
it 'decodes correct data' do it 'decodes correct data' do
expect(subject.decode).to eq(data) expect(subject.decode).to eq(data)
......