Class: AccessTokenValidationService

Inherits:

Object

Object
AccessTokenValidationService

Defined in:: app/services/access_token_validation_service.rb

Constant Summary collapse

VALID = Results:

:valid

EXPIRED =

:expired

REVOKED =

:revoked

INSUFFICIENT_SCOPE =

:insufficient_scope

IMPERSONATION_DISABLED =

:impersonation_disabled

Instance Attribute Summary collapse

#request ⇒ Object readonly

Returns the value of attribute request.
#token ⇒ Object readonly

Returns the value of attribute token.

Instance Method Summary collapse

#include_any_scope?(required_scopes) ⇒ Boolean

True if the token’s scope contains any of the passed scopes.
#initialize(token, request: nil) ⇒ AccessTokenValidationService constructor

A new instance of AccessTokenValidationService.
#validate(scopes: []) ⇒ Object

Constructor Details

#initialize(token, request: nil) ⇒ `AccessTokenValidationService`

Returns a new instance of AccessTokenValidationService.

# File 'app/services/access_token_validation_service.rb', line 13

def initialize(token, request: nil)
  @token = token
  @request = request
end

Instance Attribute Details

#request ⇒ `Object` (readonly)

Returns the value of attribute request.



11
12
13

# File 'app/services/access_token_validation_service.rb', line 11

def request
  @request
end

#token ⇒ `Object` (readonly)

Returns the value of attribute token.



11
12
13

# File 'app/services/access_token_validation_service.rb', line 11

def token
  @token
end

Instance Method Details

#include_any_scope?(required_scopes) ⇒ `Boolean`

True if the token’s scope contains any of the passed scopes.

Returns:

(Boolean)

# File 'app/services/access_token_validation_service.rb', line 39

def include_any_scope?(required_scopes)
  if required_scopes.blank?
    true
  else
    # We're comparing each required_scope against all token scopes, which would
    # take quadratic time. This consideration is irrelevant here because of the
    # small number of records involved.
    # https://gitlab.com/gitlab-org/gitlab-foss/merge_requests/12300/#note_33689006
    token_scopes = token.scopes.map(&:to_sym)

    required_scopes.any? do |scope|
      scope = API::Scope.new(scope) unless scope.is_a?(API::Scope)
      scope.sufficient?(token_scopes, request)
    end
  end
end

#validate(scopes: []) ⇒ `Object`

# File 'app/services/access_token_validation_service.rb', line 18

def validate(scopes: [])
  if token.expired?
    EXPIRED

  elsif token.revoked?
    REVOKED

  elsif !self.include_any_scope?(scopes)
    INSUFFICIENT_SCOPE

  elsif token.respond_to?(:impersonation) &&
      token.impersonation &&
      !Gitlab.config.gitlab.impersonation_enabled
    IMPERSONATION_DISABLED

  else
    VALID
  end
end