Implement POST /api/v4/internal/kubernetes/authorize_proxy_user, access_type=session_cookie

Problem to solve

There should be an endpoint in lib/api/internal/kubernetes.rb, so that KAS can call it with a session ID to verify whether this session is still valid before KAS can forward requests to the Kubernetes API from the frontend.

Proposal

Implement the POST /api/v4/internal/kubernetes/authorize_proxy_user request described in the doc, for access_type=session_cookie.

Put it behind a feature flag. If necessary, stub session lookup until #381561 (closed) is done (e.g. always return unauthorized or use current_user instead of looking up the session).

NOTE: The outcome of gitlab-org/cluster-integration/gitlab-agent#338 (closed) will affect the exact authorization flow here, but we should be fine to proceed behind a feature flag.

References:

Edited by Hordur Freyr Yngvason