Class: Authn::Tokens::Jwt

Inherits:

Object

• Object
• Authn::Tokens::Jwt

Includes:

Gitlab::Utils::StrongMemoize

Defined in:

lib/authn/tokens/jwt.rb

Constant Summary

InvalidSubjectForTokenError =

Class.new(StandardError)

ISSUER =

Settings.gitlab.host

AUDIENCE =

'gitlab-authz-token'

VERSION =

'0.1.0'

Instance Attribute Summary

• #payload ⇒ Object readonly

  Returns the value of attribute payload.

• #subject_type ⇒ Object readonly

  Returns the value of attribute subject_type.

Class Method Summary

• .rsa_decode(token:, signing_public_key:, subject_type:, token_prefix:) ⇒ Object
• .rsa_encode(subject:, signing_key:, expire_time:, token_prefix:, custom_payload: {}) ⇒ Object

Instance Method Summary

• #initialize(payload:, subject_type:) ⇒ Jwt constructor

  A new instance of Jwt.

• #subject ⇒ Object

Constructor Details

#initialize(payload:, subject_type:) ⇒ Jwt

Returns a new instance of Jwt.

# File 'lib/authn/tokens/jwt.rb', line 66

def initialize(payload:, subject_type:)
  @payload = payload
  @subject_type = subject_type
end

Instance Attribute Details

#payload ⇒ Object (readonly)

Returns the value of attribute payload.

# File 'lib/authn/tokens/jwt.rb', line 81

def payload
  @payload
end

#subject_type ⇒ Object (readonly)

Returns the value of attribute subject_type.

# File 'lib/authn/tokens/jwt.rb', line 81

def subject_type
  @subject_type
end

Class Method Details

.rsa_decode(token:, signing_public_key:, subject_type:, token_prefix:) ⇒ Object

# File 'lib/authn/tokens/jwt.rb', line 52

def rsa_decode(token:, signing_public_key:, subject_type:, token_prefix:)
  return unless token.start_with?(token_prefix)

  token = token.delete_prefix(token_prefix)

  payload, _header = ::JSONWebToken::RSAToken.decode(token, signing_public_key)

  new(payload: payload, subject_type: subject_type)
rescue JWT::DecodeError
  # The token received is not a JWT
  nil
end

.rsa_encode(subject:, signing_key:, expire_time:, token_prefix:, custom_payload: {}) ⇒ Object

Raises:

• (InvalidSubjectForTokenError)

# File 'lib/authn/tokens/jwt.rb', line 29

def rsa_encode(subject:, signing_key:, expire_time:, token_prefix:, custom_payload: {})
  subject_global_id = GlobalID.create(subject).to_s if subject
  raise InvalidSubjectForTokenError unless subject_global_id.present?

  jwt = ::JSONWebToken::Token.new.tap do |token|
    token.subject = subject_global_id
    token.issuer = ISSUER
    token.audience = AUDIENCE
    token.expire_time = expire_time
    token[:version] = VERSION

    custom_payload.each { |key, value| token[key] = value } if custom_payload.present?
  end

  token = ::JSONWebToken::RSAToken.encode(
    jwt.payload,
    signing_key,
    signing_key.public_key.to_jwk[:kid]
  )

  token_prefix + token
end

Instance Method Details

#subject ⇒ Object

# File 'lib/authn/tokens/jwt.rb', line 71

def subject
  return unless payload

  GitlabSchema.parse_gid(payload['sub'], expected_type: subject_type)&.find
rescue Gitlab::Graphql::Errors::ArgumentError, ActiveRecord::RecordNotFound
  # The subject doesn't exist anymore
  nil
end