Merge branch 'mk-cc-jwk-rfc7638-kid' into 'master'

Use RFC 7638 thumbprints for JWT kids See merge request !173689 Merged-by: Matthias Käppler <mkaeppler@gitlab.com> Approved-by: Aleksei Lipniagov <alipniagov@gitlab.com> Approved-by: Roy Zwambag <rzwambag@gitlab.com> Reviewed-by: Aleksei Lipniagov <alipniagov@gitlab.com>

Merge branch 'mk-cc-jwk-rfc7638-kid' into 'master'
eb9602ca · Matthias Käppler · GitLab · 3cf0ba6a · f054929e · eb9602ca
Verified Commit eb9602ca authored 3 months ago by Matthias Käppler Committed by GitLab 3 months ago
--- a/ee/lib/cloud_connector/self_signed/available_service_data.rb
+++ b/ee/lib/cloud_connector/self_signed/available_service_data.rb
@@ -48,7 +48,7 @@ def load_signing_key

        raise 'Cloud Connector: no key found' unless key_data

-        ::JWT::JWK.new(OpenSSL::PKey::RSA.new(key_data))
+        ::JWT::JWK.new(OpenSSL::PKey::RSA.new(key_data), kid_generator: ::JWT::JWK::Thumbprint)
      end

      def scopes_for(resource)

--- a/ee/spec/lib/cloud_connector/self_signed/available_service_data_spec.rb
+++ b/ee/spec/lib/cloud_connector/self_signed/available_service_data_spec.rb
@@ -6,7 +6,15 @@
  let(:cut_off_date) { 1.month.ago }
  let(:bundled_with) { {} }
  let(:backend) { 'gitlab-ai-gateway' }
-  let(:available_service_data) { described_class.new(:duo_chat, cut_off_date, bundled_with, backend) }
+
+  let_it_be(:rsa_key) { OpenSSL::PKey::RSA.new(2048) }
+  let_it_be(:expected_key_data) { Rails.application.credentials.openid_connect_signing_key }
+
+  subject(:available_service_data) { described_class.new(:duo_chat, cut_off_date, bundled_with, backend) }
+
+  before do
+    allow(OpenSSL::PKey::RSA).to receive(:new).with(expected_key_data).and_return(rsa_key)
+  end

  describe '#access_token' do
    let(:resource) { create(:user) }
@@ -35,7 +43,7 @@
        allow(Gitlab::CloudConnector).to receive(:gitlab_realm).and_return(gitlab_realm)
      end

-      it 'returns the constructed token' do
+      it 'returns the encoded token' do
        expect(Gitlab::CloudConnector::JSONWebToken).to receive(:new).with(
          issuer: issuer,
          audience: backend,
@@ -50,6 +58,16 @@
        expect(access_token).to eq(encoded_token_string)
      end

+      it 'uses RFC 7638 thumbprint key generator to compute kid' do
+        jwk = ::JWT::JWK.new(rsa_key, kid_generator: ::JWT::JWK::Thumbprint)
+        _, token_header = *::JWT.decode(access_token, nil, false)
+
+        actual_kid = token_header['kid']
+        expected_kid = jwk.kid
+
+        expect(actual_kid).to eq(expected_kid)
+      end
+
      context 'when cloud_connector_jwt_replace is disabled' do
        before do
          stub_feature_flags(cloud_connector_jwt_replace: false)