Commit 2cb1d617 authored by Shinya Maeda's avatar Shinya Maeda

Use expires_in for access_token validation

parent 5663b480
module GoogleApi
class AuthorizationsController < ApplicationController
def callback
session[GoogleApi::CloudPlatform::Client.session_key_for_token] =
GoogleApi::CloudPlatform::Client.new(nil, callback_google_api_authorizations_url)
.get_token(params[:code])
token, expires_at = GoogleApi::CloudPlatform::Client
.new(nil, callback_google_api_authorizations_url)
.get_token(params[:code])
session[GoogleApi::CloudPlatform::Client.session_key_for_token] = token
session[GoogleApi::CloudPlatform::Client.session_key_for_expires_at] =
expires_at.to_s
if params[:state]
redirect_to params[:state]
......
......@@ -6,12 +6,11 @@ class Projects::ClustersController < Projects::ApplicationController
def login
begin
@authorize_url = GoogleApi::CloudPlatform::Client.new(
nil,
callback_google_api_authorizations_url,
nil, callback_google_api_authorizations_url,
state: namespace_project_clusters_url.to_s
).authorize_url
rescue GoogleApi::Auth::ConfigMissingError
# Show an alert message that gitlab.yml is not configured properly
# no-op
end
end
......@@ -83,12 +82,19 @@ class Projects::ClustersController < Projects::ApplicationController
end
def authorize_google_api
unless token_in_session
unless GoogleApi::CloudPlatform::Client.new(token_in_session, nil)
.validate_token(expires_at_in_session)
redirect_to action: 'login'
end
end
def token_in_session
@token_in_session ||= session[GoogleApi::CloudPlatform::Client.session_key_for_token]
@token_in_session ||=
session[GoogleApi::CloudPlatform::Client.session_key_for_token]
end
def expires_at_in_session
@expires_at_in_session ||=
session[GoogleApi::CloudPlatform::Client.session_key_for_expires_at]
end
end
......@@ -19,7 +19,8 @@ module GoogleApi
end
def get_token(code)
client.auth_code.get_token(code, redirect_uri: redirect_uri).token
ret = client.auth_code.get_token(code, redirect_uri: redirect_uri)
return ret.token, ret.expires_at
end
protected
......
......@@ -9,12 +9,28 @@ module GoogleApi
def session_key_for_token
:cloud_platform_access_token
end
def session_key_for_expires_at
:cloud_platform_expires_at
end
end
def scope
'https://www.googleapis.com/auth/cloud-platform'
end
def validate_token(expires_at)
return false unless access_token
return false unless expires_at
# Making sure that the token will have been still alive during the cluster creation.
unless DateTime.strptime(expires_at, '%s').to_time > Time.now + 10.minutes
return false
end
true
end
def projects_zones_clusters_get(project_id, zone, cluster_id)
service = Google::Apis::ContainerV1::ContainerService.new
service.authorization = access_token
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment