Revert "Merge branch '512450-expose-cc-db-keys' into 'master'"

This reverts merge request !180385

Revert "Merge branch '512450-expose-cc-db-keys' into 'master'"
8beaa411 · Matthias Käppler · GitLab · 0734d33d · 8beaa411 · 8beaa411
Verified Commit 8beaa411 authored 3 weeks ago by Matthias Käppler 2️⃣ Committed by GitLab 3 weeks ago
--- a/app/controllers/jwks_controller.rb
+++ b/app/controllers/jwks_controller.rb
@@ -12,22 +12,13 @@ def keys
  def payload
    [
      Rails.application.credentials.openid_connect_signing_key,
-      Gitlab::CurrentSettings.ci_jwt_signing_key,
-      cloud_connector_keys
-    ].flatten.compact.map { |key_data| pem_to_jwk(key_data) }.uniq
-  end
-
-  def cloud_connector_keys
-    return unless Gitlab.ee?
-
-    CloudConnector::Keys.all_as_pem
-  end
-
-  def pem_to_jwk(key_data)
-    OpenSSL::PKey::RSA.new(key_data)
+      Gitlab::CurrentSettings.ci_jwt_signing_key
+    ].compact.map do |key_data|
+      OpenSSL::PKey::RSA.new(key_data)
        .public_key
        .to_jwk
        .slice(:kty, :kid, :e, :n)
        .merge(use: 'sig', alg: 'RS256')
+    end
  end
 end
--- a/ee/app/models/cloud_connector/keys.rb
+++ b/ee/app/models/cloud_connector/keys.rb
@@ -6,13 +6,5 @@ class Keys < ApplicationRecord

    encrypts :secret_key, key_provider: ActiveRecord::Encryption::EnvelopeEncryptionKeyProvider.new
    validates :secret_key, rsa_key: true, allow_nil: true
-
-    scope :valid, -> { where.not(secret_key: nil) }
-
-    class << self
-      def all_as_pem
-        valid.map(&:secret_key)
-      end
-    end
  end
 end
--- a/ee/spec/models/cloud_connector/keys_spec.rb
+++ b/ee/spec/models/cloud_connector/keys_spec.rb
@@ -24,40 +24,4 @@
      it { is_expected.not_to be_valid }
    end
  end
-
-  shared_examples 'serving valid keys' do
-    context 'when there are no records' do
-      it { is_expected.to be_empty }
-    end
-
-    context 'when there are records but the key is nil' do
-      let_it_be(:key_record) { create(:cloud_connector_keys, secret_key: nil) }
-
-      it { is_expected.to be_empty }
-    end
-
-    context 'when there are valid records' do
-      let_it_be(:key_record) { create_list(:cloud_connector_keys, 2) }
-
-      it { is_expected.to have_attributes(size: 2) }
-    end
-  end
-
-  describe '.valid' do
-    subject(:jwks) { described_class.valid }
-
-    include_examples 'serving valid keys'
-  end
-
-  describe '.all_as_pem' do
-    subject(:jwks) { described_class.all_as_pem }
-
-    include_examples 'serving valid keys'
-
-    context 'when there are valid records' do
-      let_it_be(:key_record) { create_list(:cloud_connector_keys, 2) }
-
-      it { is_expected.to all(match(/^-----BEGIN RSA PRIVATE KEY-----/)) }
-    end
-  end
 end
--- a/ee/spec/requests/jwks_controller_spec.rb
+++ b/ee/spec/requests/jwks_controller_spec.rb
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-RSpec.describe JwksController, feature_category: :system_access do
-  describe '/oauth/discovery/keys' do
-    include_context 'when doing OIDC key discovery'
-
-    it 'flattens Cloud Connector key list' do
-      expect(Rails.application.credentials).to receive(:openid_connect_signing_key).and_return(nil)
-      expect(Gitlab::CurrentSettings).to receive(:ci_jwt_signing_key).and_return(nil)
-      expect(CloudConnector::Keys).to receive(:all_as_pem).and_return([rsa_key_1.to_pem, rsa_key_2.to_pem])
-
-      expect(jwks.size).to eq(2)
-      expect(jwks).to match_array([
-        satisfy { |jwk| key_match?(jwk, rsa_key_1) },
-        satisfy { |jwk| key_match?(jwk, rsa_key_2) }
-      ])
-    end
-  end
-end
--- a/spec/requests/jwks_controller_spec.rb
+++ b/spec/requests/jwks_controller_spec.rb
@@ -16,28 +16,4 @@
      end
    end
  end
-
-  describe '/oauth/discovery/keys' do
-    include_context 'when doing OIDC key discovery'
-
-    it 'removes missing keys' do
-      expect(Rails.application.credentials).to receive(:openid_connect_signing_key).and_return(rsa_key_1.to_pem)
-      expect(Gitlab::CurrentSettings).to receive(:ci_jwt_signing_key).and_return(nil)
-
-      expect(jwks.size).to eq(1)
-      expect(jwks).to match_array([
-        satisfy { |jwk| key_match?(jwk, rsa_key_1) }
-      ])
-    end
-
-    it 'removes duplicate keys' do
-      expect(Rails.application.credentials).to receive(:openid_connect_signing_key).and_return(rsa_key_1.to_pem)
-      expect(Gitlab::CurrentSettings).to receive(:ci_jwt_signing_key).and_return(rsa_key_1.to_pem)
-
-      expect(jwks.size).to eq(1)
-      expect(jwks).to match_array([
-        satisfy { |jwk| key_match?(jwk, rsa_key_1) }
-      ])
-    end
-  end
 end
--- a/spec/support/shared_contexts/requests/api/oidc_discovery_shared_context.rb
+++ b/spec/support/shared_contexts/requests/api/oidc_discovery_shared_context.rb
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-RSpec.shared_context 'when doing OIDC key discovery' do
-  let_it_be(:rsa_key_1) { OpenSSL::PKey::RSA.new(2048) }
-  let_it_be(:rsa_key_2) { OpenSSL::PKey::RSA.new(2048) }
-
-  subject(:jwks) do
-    get '/oauth/discovery/keys'
-
-    jwks = Gitlab::Json.parse(response.body)
-    jwks['keys'].map { |json| ::JWT::JWK.new(json) }
-  end
-
-  def key_match?(jwk, private_key)
-    jwk.public_key.to_pem == private_key.public_key.to_pem
-  end
-end