[Feature flag] Enable JWT parameter support in the upload middleware

What

The :upload_middleware_jwt_params_handler feature flag controls how multipart.rb reads the upload parameters.

When disabled, multipart.rb reads them directly from the request params.

When enabled, multipart.rb reads them from a JWT parameter (one per uploaded file). That JWT parameter is simply a hash of the upload parameters signed with JWT using the Workhorse secret. By reading it, Rails checks the signature and rejects the request if the signature is not valid.
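The round trip the flag turns on, written out as an added example. This is illustration code, not GitLab's multipart.rb or Workhorse code: it signs a hash of upload parameters as an HS256 JWT with a shared secret, then verifies it the way the Rails side has to (exactly three segments, a pinned algorithm, the HMAC recomputed over the untouched header and payload and compared in constant time) and only then hands the parameters back. The secret value, the parameter keys and the read_upload_params helper that models the flag are constructed for the example; the real name of the JWT parameter is not part of it.

```ruby
require 'json'
require 'openssl'

# Constructed demo secret. The real Workhorse secret is read from a file shared
# between Workhorse and Rails and must never be hard-coded.
DEMO_WORKHORSE_SECRET = 'constructed-demo-secret-not-for-real-use'.freeze

# Raised whenever a token cannot be trusted; the caller turns it into a rejected request.
class InvalidUploadToken < StandardError; end

# RFC 4648 base64url without padding, as JWT requires. Built on pack/unpack so
# the example needs nothing outside the standard library.
def base64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def base64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0') # strict decode: raises ArgumentError on garbage
end

# Constant-time comparison so the signature check does not leak how many
# leading bytes matched.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize

  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Workhorse side: wrap the upload parameters for one file in an HS256 JWT.
def sign_upload_params(params, secret)
  header = base64url_encode(JSON.generate({ 'alg' => 'HS256', 'typ' => 'JWT' }))
  payload = base64url_encode(JSON.generate(params))
  signing_input = "#{header}.#{payload}"
  signature = OpenSSL::HMAC.digest('SHA256', secret, signing_input)
  "#{signing_input}.#{base64url_encode(signature)}"
end

# Rails side: parse the token, pin the algorithm, recompute the HMAC over the
# header.payload bytes exactly as received, and only then trust the claims.
def verify_upload_params(token, secret)
  parts = token.to_s.split('.')
  raise InvalidUploadToken, 'token must have three segments' unless parts.length == 3

  header_b64, payload_b64, signature_b64 = parts
  header = JSON.parse(base64url_decode(header_b64))
  # Never let the token choose its own algorithm ('none', an RS->HS swap, ...).
  unless header.is_a?(Hash) && header['alg'] == 'HS256'
    raise InvalidUploadToken, "unexpected alg #{header.is_a?(Hash) ? header['alg'].inspect : header.inspect}"
  end

  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header_b64}.#{payload_b64}")
  presented = base64url_decode(signature_b64)
  raise InvalidUploadToken, 'signature mismatch' unless constant_time_equal?(presented, expected)

  claims = JSON.parse(base64url_decode(payload_b64))
  raise InvalidUploadToken, 'payload is not a hash' unless claims.is_a?(Hash)

  claims
rescue ArgumentError, JSON::ParserError => e
  raise InvalidUploadToken, "undecodable token: #{e.message}"
end

def valid_upload_token?(token, secret)
  verify_upload_params(token, secret)
  true
rescue InvalidUploadToken
  false
end

# Models the two behaviours the flag switches between. `jwt_token` stands in
# for the per-file JWT parameter (hypothetical name, not GitLab's).
def read_upload_params(request_params, jwt_token, secret, jwt_params_enabled:)
  return request_params unless jwt_params_enabled

  verify_upload_params(jwt_token, secret)
end

if __FILE__ == $PROGRAM_NAME
  params = { 'file.path' => '/tmp/uploads/constructed-1', 'file.name' => 'pkg-1.0.0.tgz' }
  token = sign_upload_params(params, DEMO_WORKHORSE_SECRET)
  puts "flag on:  #{read_upload_params({}, token, DEMO_WORKHORSE_SECRET, jwt_params_enabled: true)}"
  puts "flag off: #{read_upload_params(params, nil, DEMO_WORKHORSE_SECRET, jwt_params_enabled: false)}"
  puts "signed under another secret accepted? #{valid_upload_token?(token, 'some-other-secret')}"
end
```

Run it with ruby; with the flag on the parameters come back only from a token whose signature verifies, with the flag off they come straight from the request params, and a token signed under a different secret, a payload edited after signing, or a header that claims alg "none" is refused. The algorithm pin is the point practitioners most often miss: the verifier decides the algorithm from its own configuration, never from the token.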

Owners

  • Team: Package
  • Most appropriate slack channel to reach out to: #s_package
  • Best individual to reach out to: @10io

Expectations

What are we expecting to happen?

All upload requests will still work as usual.

What might happen if this goes wrong?

An upload request could be wrongly rejected.

What can we monitor to detect problems with this?

Upload requests in general. Here are some dashboards:

All package uploads: https://dashboards.gitlab.net/d/api-rails-controller/api-rails-controller?orgId=1&var-PROMETHEUS_DS=Global&var-environment=gprd&var-stage=main&var-action=POST%20%2Fapi%2Fprojects%2F:id%2Fpackages%2Fpypi&var-action=PUT%20%2Fapi%2Fpackages%2Fconan%2Fv1%2Ffiles%2F:package_name%2F:package_version%2F:package_username%2F:package_channel%2F:recipe_revision%2Fexport%2F:file_name&var-action=PUT%20%2Fapi%2Fpackages%2Fconan%2Fv1%2Ffiles%2F:package_name%2F:package_version%2F:package_username%2F:package_channel%2F:recipe_revision%2Fpackage%2F:conan_package_reference%2F:package_revision%2F:file_name&var-action=PUT%20%2Fapi%2Fprojects%2F:id%2Fpackages%2Fmaven%2Fpath%2F:file_name&var-action=PUT%20%2Fapi%2Fprojects%2F:id%2Fpackages%2Fnpm%2F:package_name&var-action=PUT%20%2Fapi%2Fprojects%2F:id%2Fpackages%2Fnuget&var-action=PUT%20%2Fapi%2Fpackages%2Fconan%2Fv1%2Ffiles%2F:package_name%2F:package_version%2F:package_username%2F:package_channel%2F:recipe_revision%2Fexport%2F:file_name%2Fauthorize&var-action=PUT%20%2Fapi%2Fpackages%2Fconan%2Fv1%2Ffiles%2F:package_name%2F:package_version%2F:package_username%2F:package_channel%2F:recipe_revision%2Fpackage%2F:conan_package_reference%2F:package_revision%2F:file_name%2Fauthorize&var-action=PUT%20%2Fapi%2Fprojects%2F:id%2Fpackages%2Fnuget%2Fauthorize&var-action=PUT%20%2Fapi%2Fprojects%2F:id%2Fpackages%2Fmaven%2Fpath%2F:file_name%2Fauthorize&var-action=POST%20%2Fapi%2Fprojects%2F:id%2Fpackages%2Fpypi%2Fauthorize

GraphQL uploads: https://dashboards.gitlab.net/dashboard/snapshot/AR4YMRk7lgpmXVjmQfFkbwc551Zt84FY?orgId=1&var-PROMETHEUS_DS=Global&var-environment=gprd&var-stage=main&var-controller=GraphqlController&var-action=All (note that this dashboard shows all requests to the controller; upload requests are the ones made with a POST)

project + group imports: https://dashboards.gitlab.net/d/api-rails-controller/api-rails-controller?orgId=1&var-PROMETHEUS_DS=Global&var-environment=gprd&var-stage=main&var-action=GET%20%2Fapi%2Fprojects&var-action=POST%20%2Fapi%2Fgroups%2Fimport&var-action=POST%20%2Fapi%2Fgroups%2Fimport%2Fauthorize&var-action=POST%20%2Fapi%2Fprojects%2Fimport&var-action=POST%20%2Fapi%2Fprojects%2Fimport%2Fauthorize

artifact uploads: https://dashboards.gitlab.net/d/api-rails-controller/api-rails-controller?orgId=1&var-PROMETHEUS_DS=Global&var-environment=gprd&var-stage=main&var-action=POST%20%2Fapi%2Fjobs%2F:id%2Fartifacts&var-action=POST%20%2Fapi%2Fjobs%2F:id%2Fartifacts%2Fauthorize

Beta groups/projects

Not applicable.

The feature flag is global for all uploads.

Roll Out Steps

  • Enable on staging
  • Test on staging
  • [-] Ensure that documentation has been updated
  • Enable on GitLab.com for individual groups/projects listed above and verify behaviour
  • Coordinate a time to enable the flag with #production and #g_delivery on Slack.
  • Announce on the issue an estimated time this will be enabled on GitLab.com
  • Enable on GitLab.com by running chatops command in #production
  • Cross-post the chatops Slack command to #support_gitlab-com (more guidance on when this is necessary in the dev docs) and in your team channel
  • Announce on the issue that the flag has been enabled
  • Remove feature flag and add changelog entry.
  • After the flag removal is deployed, clean up the feature flag by running chatops command in #production channel
Edited by David Fernandez