Class: Authn::Tokens::IamOauthToken

Inherits:
Object
Includes:
Gitlab::Utils::StrongMemoize
Defined in:
lib/authn/tokens/iam_oauth_token.rb

Constant Summary

FEATURE_FLAG =

Feature flag for gradual rollout, will be used in Gitlab::Auth layer TODO: Remove when implemented in

:iam_svc_oauth


Constructor Details

#initialize(user_id:, scopes:, id:, expires_at:, issued_at:, scope_user_id: nil) ⇒ IamOauthToken

Returns a new instance of IamOauthToken.



# File 'lib/authn/tokens/iam_oauth_token.rb', line 61

# Builds a token from already-extracted claims; .from_jwt is the validated
# construction path. Only the six fields below are retained — the raw JWT
# string is never stored on the instance.
#
# @param user_id [Object] resource owner the token acts for (see #resource_owner_id)
# @param scopes [Object] granted scopes; shape is not constrained here
# @param id [Object] token identifier, surfaced by #id and #to_s
# @param expires_at [Object, nil] expiry; when nil, #expired? reports false
# @param issued_at [Object] issuance time
# @param scope_user_id [Object, nil] user id carried by a composite-identity scope, if any
def initialize(user_id:, scopes:, id:, expires_at:, issued_at:, scope_user_id: nil)
  @user_id, @scopes, @id = user_id, scopes, id
  @expires_at, @issued_at = expires_at, issued_at
  @scope_user_id = scope_user_id
end

Instance Attribute Details

#expires_at ⇒ Object (readonly)

Returns the value of attribute expires_at.



# File 'lib/authn/tokens/iam_oauth_token.rb', line 57

# @return [Object, nil] the expiry handed to #initialize; presumably a
#   Time-like value, since #expired? calls +past?+ on it — confirm upstream
def expires_at = @expires_at

#id ⇒ Object (readonly)

Returns the value of attribute id.



# File 'lib/authn/tokens/iam_oauth_token.rb', line 57

# @return [Object] the token identifier handed to #initialize (also shown by #to_s)
def id = @id

#issued_at ⇒ Object (readonly)

Returns the value of attribute issued_at.



# File 'lib/authn/tokens/iam_oauth_token.rb', line 57

# @return [Object] the issuance time handed to #initialize
def issued_at = @issued_at

#scope_user_id ⇒ Object (readonly)

Returns the value of attribute scope_user_id.



# File 'lib/authn/tokens/iam_oauth_token.rb', line 57

# @return [Object, nil] the composite-identity user id handed to #initialize,
#   or nil when none was given (then #scope_user is nil too)
def scope_user_id = @scope_user_id

#scopes ⇒ Object (readonly)

Returns the value of attribute scopes.



# File 'lib/authn/tokens/iam_oauth_token.rb', line 57

# @return [Object] the granted scopes handed to #initialize, unchanged
def scopes = @scopes

#user_id ⇒ Object (readonly)

Returns the value of attribute user_id.



# File 'lib/authn/tokens/iam_oauth_token.rb', line 57

# @return [Object] the resource owner's id handed to #initialize
#   (aliased by #resource_owner_id, resolved by #user)
def user_id = @user_id

Class Method Details

.from_jwt(token_string) ⇒ Object

Primary public interface for creating validated tokens.



# File 'lib/authn/tokens/iam_oauth_token.rb', line 14

# Primary public interface for creating validated tokens.
#
# A token built through this path exists only after JwtValidationService
# reported success, so the instance can be treated as validated.
#
# @param token_string [String] the raw bearer credential presented by the client
# @return [IamOauthToken, nil] nil when the string is not an IAM-issued JWT
#   (per +iam_issued_jwt?+, defined elsewhere in this file) or when validation
#   fails; callers must treat nil as "not authenticated by this token type"
def from_jwt(token_string)
  # Cheap pre-filter so non-IAM credentials never reach the validation service.
  return unless iam_issued_jwt?(token_string)

  validation = ::Authn::IamService::JwtValidationService.new(token: token_string).execute
  # Only a successful result carries a payload worth building a token from;
  # from_validated_jwt is defined elsewhere in this file.
  from_validated_jwt(validation.payload) if validation.success?
end

Instance Method Details

#active? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/authn/tokens/iam_oauth_token.rb', line 70

# @return [Boolean] true only when the token is neither expired nor revoked.
#   Because #revoked? currently always returns false, this is effectively
#   +!expired?+ until a revocation mechanism exists.
def active?
  !(expired? || revoked?)
end

#expired? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/authn/tokens/iam_oauth_token.rb', line 74

# @return [Boolean] true when an expiry is set and lies in the past.
#   A token with no expires_at is never reported expired here; if IAM tokens
#   are required to carry an expiry, that must be enforced in
#   JwtValidationService (not visible in this listing).
def expired?
  return false unless expires_at.present?

  expires_at.past?
end

#reload ⇒ Object



# File 'lib/authn/tokens/iam_oauth_token.rb', line 78

# Drops the memoized #user and #scope_user lookups so the next access
# re-queries the database. Assumes those readers are memoized via
# Gitlab::Utils::StrongMemoize outside this listing — the bare definitions
# shown here do not memoize on their own.
#
# @return [self] for call chaining
def reload
  %i[user scope_user].each { |name| clear_memoization(name) }
  self
end

#resource_owner_id ⇒ Object

For compatibility with AccessTokenValidationService



# File 'lib/authn/tokens/iam_oauth_token.rb', line 85

# For compatibility with AccessTokenValidationService, which expects a
# +resource_owner_id+ reader on the token it validates.
#
# @return [Object] the same value as #user_id
def resource_owner_id = user_id

#revoked? ⇒ Boolean

IAM JWTs are stateless and cannot be revoked individually by default. TODO: Implement JTI-based revocation list to support token invalidation.

Returns:

  • (Boolean)


# File 'lib/authn/tokens/iam_oauth_token.rb', line 91

# IAM JWTs are stateless and cannot be revoked individually by default.
# TODO: Implement JTI-based revocation list to support token invalidation.
#
# Until then every token is reported as not revoked, so expiry (#expired?)
# is the only condition that ends a token's validity in #active?.
#
# @return [Boolean] always false
def revoked? = false

#scope_user ⇒ Object

The scoped user extracted from the 'user:X' scope (for composite identity).



# File 'lib/authn/tokens/iam_oauth_token.rb', line 96

# The scoped user extracted from the 'user:X' scope (for composite identity).
#
# @return [User, nil] nil when no scope_user_id was supplied, or when the
#   lookup finds no user (find_by_id presumably returns nil rather than raising)
def scope_user
  User.find_by_id(scope_user_id) if scope_user_id
end

#to_s ⇒ Object



# File 'lib/authn/tokens/iam_oauth_token.rb', line 103

def to_s
  "Authn::Tokens::IamOauthToken(id: #{id}, user_id: #{user_id})"
end

#user ⇒ Object

Lazy load user (follows OAuth token association pattern)



# File 'lib/authn/tokens/iam_oauth_token.rb', line 108

# Lazy load user (follows OAuth token association pattern).
#
# As written here the lookup runs on every call; since #reload clears a
# memoized :user, this reader is presumably wrapped by StrongMemoize
# outside the listing — confirm in the source file.
#
# @return [User, nil] nil when no user matches #user_id
def user = User.find_by_id(user_id)