GitLab for Jira app: Send installed event for Jira app installed updated for self-managed
This is a part of the epic to make the GitLab for Jira app available for self-managed (&5650 (closed))
The summary of the whole feature is that GitLab.com will act as a proxy for the self-managed instance. This means we will need a JiraConnectInstallation record on both .com and self-managed.
The installation record gets created with a webhook that we usually receive from Jira. With the proxy in place, the hook has to come from GitLab.
The hook contains:
- A shared secret that needs to be stored and will be used to authorize future requests.
- A JWT token
Problem with asymmetric JWTs:
A public key is needed to decode the JWT in the installed hook. The key can be fetched from connect-install-keys.atlassian.com/{{KEY_ID}}, and KEY_ID is included in the JWT's kid header.
We don't store the JWT that was included in the installed hook sent to GitLab.com, so we have to construct a new token, but that token won't match any public key at Atlassian.
Solution:
We can offer an endpoint on GitLab.com to fetch public keys from.
The security measure in asymmetric JWTs is that the domain to fetch the public key from is fixed: it points to connect-install-keys.atlassian.com. We can make this an application setting, so users can point it to gitlab.com/-/jira_connect/public_keys instead. This would require:
- An application setting to configure the CDN URL
- A DB table or Redis cache to store public keys
- A route to return public keys
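As an added illustration (not code from GitLab or the Jira Connect app) of the verification flow this proposal relies on: the verifier reads `kid` from the JWT header, resolves the public key from a configurable key-server base URL (standing in for the proposed application setting), and only then checks the RS256 signature and expiry. The key server is simulated by a constructed in-memory map; the base URL `https://gitlab.example/-/jira_connect/public_keys` used in testing is a placeholder.

```ruby
require "openssl"
require "json"
require "base64"

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Constructed stand-in for the configurable key server (the proposal's application
# setting): maps "<base_url>/<kid>" to a public-key PEM, as the CDN would serve it.
def key_fetcher(base_url, served_keys)
  ->(kid) { served_keys["#{base_url}/#{kid}"] }
end

# Issue an RS256 JWT whose `kid` header names the signing key (the installed hook shape).
def sign_jwt(payload, private_key, kid)
  header = { alg: "RS256", typ: "JWT", kid: kid }
  input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  "#{input}.#{b64url(private_key.sign(OpenSSL::Digest.new("SHA256"), input))}"
end

# Verify an asymmetric JWT: resolve the public key by `kid`, then check signature and expiry.
# Returns the payload hash on success, nil on any failure.
def verify_asymmetric_jwt(token, fetch_public_key:, now: Time.now.to_i)
  parts = token.split(".")
  return nil unless parts.length == 3
  header = JSON.parse(Base64.urlsafe_decode64(parts[0]))
  # Accept only the algorithm we expect; never let "alg" choose the verification method.
  return nil unless header.is_a?(Hash) && header["alg"] == "RS256"
  kid = header["kid"]
  # kid becomes a URL path segment, so constrain it before it reaches the fetch URL.
  return nil unless kid.is_a?(String) && kid.match?(/\A[A-Za-z0-9_-]{1,64}\z/)
  pem = fetch_public_key.call(kid)
  return nil if pem.nil?
  public_key = OpenSSL::PKey::RSA.new(pem)
  signing_input = "#{parts[0]}.#{parts[1]}"
  signature = Base64.urlsafe_decode64(parts[2])
  return nil unless public_key.verify(OpenSSL::Digest.new("SHA256"), signature, signing_input)
  payload = JSON.parse(Base64.urlsafe_decode64(parts[1]))
  return nil unless payload.is_a?(Hash)
  return nil if payload["exp"].is_a?(Integer) && payload["exp"] <= now
  payload
rescue JSON::ParserError, ArgumentError, TypeError, OpenSSL::PKey::PKeyError
  nil
end
```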