Commit 91b90057 authored by Matthias Käppler :two:

Remove feature flag cloud_connector_jwt_replace

This was an internal refactor and not user-facing.

Changelog: removed
EE: true
parent 0db51010
1 merge request!174358Remove feature flag cloud_connector_jwt_replace
---
name: cloud_connector_jwt_replace
feature_issue_url: https://gitlab.com/gitlab-org/cloud-connector/gitlab-cloud-connector/-/issues/30
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/172378
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/503739
milestone: '17.7'
group: group::cloud connector
type: gitlab_com_derisk
default_enabled: false
......@@ -42,24 +42,15 @@ def initialize(name, cut_off_date, bundled_with, backend)
override :access_token
def access_token(resource = nil, extra_claims: {})
if Feature.enabled?(:cloud_connector_jwt_replace, gitlab_org_group)
::Gitlab::CloudConnector::JsonWebToken.new(
issuer: Doorkeeper::OpenidConnect.configuration.issuer,
audience: backend,
subject: Gitlab::CurrentSettings.uuid,
realm: ::CloudConnector.gitlab_realm,
scopes: scopes_for(resource),
ttl: 1.hour,
extra_claims: extra_claims
).encode(@key_loader.signing_key)
else
::Gitlab::CloudConnector::SelfIssuedToken.new(
audience: backend,
subject: Gitlab::CurrentSettings.uuid,
scopes: scopes_for(resource),
extra_claims: extra_claims
).encoded
end
::Gitlab::CloudConnector::JsonWebToken.new(
issuer: Doorkeeper::OpenidConnect.configuration.issuer,
audience: backend,
subject: Gitlab::CurrentSettings.uuid,
realm: ::CloudConnector.gitlab_realm,
scopes: scopes_for(resource),
ttl: 1.hour,
extra_claims: extra_claims
).encode(@key_loader.signing_key)
end
private
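Review bot: The surviving access_token body hard-codes `ttl: 1.hour`, whereas the removed SelfIssuedToken expressed the same lifetime as a named constant (`EXPIRES_IN`); a class-level `TOKEN_TTL = 1.hour` with `ttl: TOKEN_TTL` keeps the token lifetime discoverable and referenceable from the spec. The removed class also emitted an `nbf` claim five seconds before `iat` to tolerate clock skew with the receiving backend; JsonWebToken's payload is not visible in this diff, so it is worth confirming it still sets an equivalent `nbf`, otherwise a backend whose clock runs slightly behind may reject freshly minted tokens. Likewise the removed class raised `NoSigningKeyError` when no signing key was configured, while the new path hands `@key_loader.signing_key` straight to `encode`; the remaining 'when signing key is missing' spec context should pin down what happens when the loader has no key. The enclosing class begins outside the hunk.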
......
# frozen_string_literal: true
module Gitlab
module CloudConnector
class SelfIssuedToken
NOT_BEFORE_TIME = 5.seconds.to_i.freeze
EXPIRES_IN = 1.hour.to_i.freeze
NoSigningKeyError = Class.new(StandardError)
attr_reader :issued_at
def initialize(audience:, subject:, scopes:, extra_claims: {})
@id = SecureRandom.uuid
@audience = audience
@subject = subject
@issuer = Doorkeeper::OpenidConnect.configuration.issuer
@issued_at = Time.now.to_i
@not_before = @issued_at - NOT_BEFORE_TIME
@expire_time = @issued_at + EXPIRES_IN
@scopes = scopes
@extra_claims = extra_claims
end
def encoded
headers = { typ: 'JWT' }
JWT.encode(payload, key, 'RS256', headers)
end
def payload
{
jti: @id,
aud: @audience,
sub: @subject,
iss: @issuer,
iat: @issued_at,
nbf: @not_before,
exp: @expire_time
}.merge(custom_claims)
end
private
def custom_claims
{
gitlab_realm: ::CloudConnector.gitlab_realm,
scopes: @scopes
}.merge(@extra_claims)
end
def key
key_data = Rails.application.credentials.openid_connect_signing_key
raise NoSigningKeyError unless key_data
OpenSSL::PKey::RSA.new(key_data)
end
end
end
end
......@@ -76,27 +76,6 @@
3.times { described_class.new(:duo_chat, cut_off_date, bundled_with, backend).access_token }
end
context 'when cloud_connector_jwt_replace is disabled' do
before do
stub_feature_flags(cloud_connector_jwt_replace: false)
end
let(:expected_token) do
instance_double('Gitlab::CloudConnector::SelfIssuedToken', encoded: encoded_token_string)
end
it 'returns the constructed token' do
expect(Gitlab::CloudConnector::SelfIssuedToken).to receive(:new).with(
audience: backend,
subject: Gitlab::CurrentSettings.uuid,
scopes: scopes,
extra_claims: extra_claims
).and_return(expected_token)
expect(access_token).to eq(encoded_token_string)
end
end
end
context 'when signing key is missing' do
......
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe Gitlab::CloudConnector::SelfIssuedToken, feature_category: :cloud_connector do
let(:extra_claims) { {} }
subject(:token) do
described_class.new(
audience: 'gitlab-ai-gateway', subject: 'ABC-123', scopes: [:code_suggestions], extra_claims: extra_claims
)
end
describe '#payload' do
subject(:payload) { token.payload }
it 'has correct values for the standard JWT attributes', :freeze_time, :aggregate_failures do
now = Time.now.to_i
expect(payload[:iss]).to eq(Doorkeeper::OpenidConnect.configuration.issuer)
expect(payload[:aud]).to eq('gitlab-ai-gateway')
expect(payload[:sub]).to eq('ABC-123')
expect(payload[:iat]).to eq(now)
expect(payload[:nbf]).to eq(now - 5.seconds.freeze)
expect(payload[:exp]).to eq(now + 1.hour.freeze)
end
context 'when passing extra claims' do
let(:extra_claims) { { custom: 123 } }
it 'includes them in payload' do
expect(payload[:custom]).to eq(123)
end
end
end
describe '#encoded' do
context 'when signing key is present' do
it 'encodes successfully' do
expect(token.encoded).to an_instance_of(String)
end
it 'decodes successfully with public key', :aggregate_failures do
jwt = token.encoded
public_key = token.send(:key).public_key
payload, headers = JWT.decode(jwt, public_key, true, { algorithm: 'RS256' })
expect(headers).to eq("alg" => "RS256", "typ" => "JWT")
expect(payload.keys).to contain_exactly(
"jti",
"aud",
"sub",
"iss",
"iat",
"nbf",
"exp",
"gitlab_realm",
"scopes"
)
end
end
context 'when signing key is missing' do
before do
allow(Rails.application.credentials).to receive(:openid_connect_signing_key).and_return(nil)
end
it 'raises NoSigningKeyError' do
expect { token.encoded }.to raise_error(described_class::NoSigningKeyError)
end
end
end
end