Trim secret before signing JWT tokens

Igor Drozdov requested to merge id-fix-jwt-tokens into main

Related issue: https://gitlab.com/gitlab-org/gitlab/-/issues/325167

Currently, we send the plain secret to GitLab Rails in order to authenticate gitlab-shell requests, but we want to use JWT tokens instead: https://gitlab.com/gitlab-org/gitlab/-/issues/325167. However, the Rails part removes trailing newlines both from the input (the sent gitlab-shell header) and from the secret that it reads from the config.

I thought that we could work around it by reading plain values for the secret from the file. But it's unreliable since shared secrets for Rails, GitLab Shell and Gitaly can be different files.

With this change, we don't rely on the secret to either contain a newline or not contain it. When we update the version of gitlab-shell with this change on the Rails part, some tests may fail because Gitaly won't contain the change yet. So my plan is:

  • Review and merge this change
  • Update the gitlab-shell version and fix the failed tests (probably by explicitly disabling gitlab_shell_jwt_token)
  • Introduce the change in the Gitaly client
  • Enable the feature flag for the failing tests
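
The mismatch described above, as an added example that is not code from this merge request or from gitlab-shell: an HS256 token signed with the raw file contents (trailing newline included) fails verification against a key that had its trailing newlines removed, while a token signed with the trimmed key verifies. The helper names, the secret value, the claim and the exact trimming rule (`strings.TrimRight` on `\r\n`) are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// normalizeSecret drops trailing newlines, mirroring what the description says
// the Rails side does to the secret it reads (exact trimming rule is assumed).
func normalizeSecret(raw string) []byte {
	return []byte(strings.TrimRight(raw, "\r\n"))
}

// signHS256 builds a compact JWT (header.payload.signature) using HMAC-SHA256.
func signHS256(payloadJSON string, key []byte) string {
	enc := base64.RawURLEncoding
	signingInput := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) +
		"." + enc.EncodeToString([]byte(payloadJSON))
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + enc.EncodeToString(mac.Sum(nil))
}

// verifyHS256 always recomputes HMAC-SHA256 over header.payload (the header's
// alg field is never trusted) and compares signatures in constant time.
func verifyHS256(token string, key []byte) bool {
	i := strings.LastIndex(token, ".")
	if i < 0 {
		return false
	}
	sig, err := base64.RawURLEncoding.DecodeString(token[i+1:])
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(token[:i]))
	return hmac.Equal(sig, mac.Sum(nil))
}

func main() {
	fileContents := "constructed-shared-secret\n" // constructed sample, as read from a secret file
	claims := `{"iss":"gitlab-shell"}`            // constructed claim
	verifierKey := normalizeSecret(fileContents)  // the verifying side trims its copy
	fmt.Println("signed with raw key:    ", verifyHS256(signHS256(claims, []byte(fileContents)), verifierKey))
	fmt.Println("signed with trimmed key:", verifyHS256(signHS256(claims, normalizeSecret(fileContents)), verifierKey))
}
```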