Class: AccessTokenValidationService

Inherits:
Object
Defined in:
app/services/access_token_validation_service.rb

Constant Summary

VALID =

Results:

:valid
EXPIRED = :expired
REVOKED = :revoked
INSUFFICIENT_SCOPE = :insufficient_scope
IMPERSONATION_DISABLED = :impersonation_disabled

Instance Attribute Summary

Instance Method Summary

Constructor Details

#initialize(token, request: nil) ⇒ AccessTokenValidationService

Returns a new instance of AccessTokenValidationService.


# File 'app/services/access_token_validation_service.rb', line 13

# Builds a validator for one access token.
#
# Nothing is checked here; the token is only examined when #validate (or
# #include_any_scope?) is called.
#
# @param token [Object] the access token to validate
# @param request [Object, nil] the current request, handed to the scope check
#   when one is performed; defaults to +nil+
def initialize(token, request: nil)
  @token, @request = token, request
end

Instance Attribute Details

#request ⇒ Object (readonly)

Returns the value of attribute request


# File 'app/services/access_token_validation_service.rb', line 11

# The request the validator was constructed with (read-only).
#
# @return [Object, nil] the value given as +request:+ to the constructor,
#   or +nil+ when none was given
def request
  instance_variable_get(:@request)
end

#token ⇒ Object (readonly)

Returns the value of attribute token


# File 'app/services/access_token_validation_service.rb', line 11

# The access token under validation (read-only).
#
# @return [Object] the value given as +token+ to the constructor
def token
  instance_variable_get(:@token)
end

Instance Method Details

#include_any_scope?(required_scopes) ⇒ Boolean

True if the token's scope contains any of the passed scopes.

Returns:

  • (Boolean)

# File 'app/services/access_token_validation_service.rb', line 39

# True if the token's scope contains any of the passed scopes.
#
# A blank +required_scopes+ means nothing is required: the method answers
# +true+ without looking at the token at all, so callers that want scope
# enforcement must pass the required scopes explicitly.
#
# @param required_scopes [Array<Symbol, API::Scope>] scopes of which the token
#   must satisfy at least one; entries that are not already an +API::Scope+
#   are wrapped in one
# @return [Boolean]
def include_any_scope?(required_scopes)
  return true if required_scopes.blank?

  # Every required scope is compared against every token scope, which is
  # quadratic; with the handful of scopes involved that is irrelevant.
  # https://gitlab.com/gitlab-org/gitlab-foss/merge_requests/12300/#note_33689006
  granted = token.scopes.map(&:to_sym)
  as_scope = ->(candidate) { candidate.is_a?(API::Scope) ? candidate : API::Scope.new(candidate) }

  required_scopes.any? { |required| as_scope.call(required).sufficient?(granted, request) }
end

#validate(scopes: []) ⇒ Object


# File 'app/services/access_token_validation_service.rb', line 18

# Checks the token and reports the first failing condition as one of the
# result symbols, or VALID when none applies.
#
# The checks run in a fixed order (expiry, revocation, scope, impersonation),
# so a token that is both expired and revoked is reported as EXPIRED.
#
# @param scopes [Array] scopes of which the token must satisfy at least one;
#   the default empty list makes #include_any_scope? answer +true+, i.e. no
#   scope check is performed unless the caller passes scopes
# @return [Symbol] VALID, EXPIRED, REVOKED, INSUFFICIENT_SCOPE or
#   IMPERSONATION_DISABLED
def validate(scopes: [])
  return EXPIRED if token.expired?
  return REVOKED if token.revoked?
  return INSUFFICIENT_SCOPE unless include_any_scope?(scopes)

  # Impersonation tokens are only honoured while the instance-wide setting
  # allows them; tokens without an impersonation flag skip this check.
  impersonating = token.respond_to?(:impersonation) && token.impersonation
  return IMPERSONATION_DISABLED if impersonating && !Gitlab.config.gitlab.impersonation_enabled

  VALID
end