-
-
Notifications
You must be signed in to change notification settings - Fork 5.5k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add artifacts v4 jwt to job message and accept it
- Loading branch information
1 parent
1df06e3
commit 3174bee
Showing
3 changed files
with
119 additions
and
14 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,77 @@ | ||
// Copyright 2024 The Gitea Authors. All rights reserved. | ||
// SPDX-License-Identifier: MIT | ||
|
||
package actions | ||
|
||
import ( | ||
"fmt" | ||
"net/http" | ||
"strings" | ||
"time" | ||
|
||
"code.gitea.io/gitea/modules/log" | ||
"code.gitea.io/gitea/modules/setting" | ||
|
||
"github.com/golang-jwt/jwt/v5" | ||
) | ||
|
||
type actionsClaims struct { | ||
jwt.RegisteredClaims | ||
Scp string `json:"scp"` | ||
TaskID int64 | ||
RunID int64 | ||
JobID int64 | ||
} | ||
|
||
func CreateAuthorizationToken(taskID, runID, jobID int64) (string, error) { | ||
now := time.Now() | ||
|
||
claims := actionsClaims{ | ||
RegisteredClaims: jwt.RegisteredClaims{ | ||
ExpiresAt: jwt.NewNumericDate(now.Add(24 * time.Hour)), | ||
NotBefore: jwt.NewNumericDate(now), | ||
}, | ||
Scp: fmt.Sprintf("Actions.Results:%d:%d", runID, jobID), | ||
TaskID: taskID, | ||
RunID: runID, | ||
JobID: jobID, | ||
} | ||
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims) | ||
|
||
tokenString, err := token.SignedString([]byte(setting.SecretKey)) | ||
if err != nil { | ||
return "", err | ||
} | ||
|
||
return tokenString, nil | ||
} | ||
|
||
func ParseAuthorizationToken(req *http.Request) (int64, error) { | ||
h := req.Header.Get("Authorization") | ||
if h == "" { | ||
return 0, nil | ||
} | ||
|
||
parts := strings.SplitN(h, " ", 2) | ||
if len(parts) != 2 { | ||
log.Error("split token failed: %s", h) | ||
return 0, fmt.Errorf("split token failed") | ||
} | ||
|
||
token, err := jwt.ParseWithClaims(parts[1], &actionsClaims{}, func(t *jwt.Token) (any, error) { | ||
if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok { | ||
return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"]) | ||
} | ||
return []byte(setting.SecretKey), nil | ||
}) | ||
if err != nil { | ||
return 0, err | ||
} | ||
|
||
c, ok := token.Claims.(*actionsClaims) | ||
if !token.Valid || !ok { | ||
return 0, fmt.Errorf("invalid token claim") | ||
} | ||
|
||
return c.TaskID, nil | ||
} |