Add DPoP checks in GraphQL and API requests
What does this MR do and why?
See Sender constraining personal access tokens (#425130 - closed) for more context. This MR makes use of the backend DPoP checks that are introduced in Parse and validate DPoP Tokens (!166206 - merged).
How to set up and validate locally
- In the Rails console, enable the feature flag for the user you are going to be testing the feature with:
  Feature.enable(:dpop_authentication, User.find(1))
- Using the Rails console, enable DPoP for the user:
  UserPreferences::UpdateService.new(User.find(1), {dpop_enabled: true}).execute
- Ensure you have an SSH key pair set up with the public key uploaded to your user account. Ensure that the key type is saved as "Signing" or "Authentication and Signing".
- Build glab from this branch.
- Using glab, generate a DPoP header:
  bin/glab auth dpop-gen --pat "<glpat-PAT>" --private-key ~/.ssh/id_rsa
- Use the generated header to make an HTTP API request, e.g.:
  curl http://localhost:3000/api/v4/projects --header "Private-Token: <glpat-PAT>" --header "DPoP: <GLAB OUTPUT HERE>"
- Confirm a valid response is received. Confirm that the request fails without a valid DPoP header.
- Repeat and confirm for GraphQL requests, e.g.:
  curl -X POST -H "Content-Type: application/json" -H "Private-Token: <glpat-PAT>" -H "DPoP: <GLAB OUTPUT HERE>" -d '{ "query": "query { currentUser { id } }" }' "http://localhost:3000/api/graphql"
- Confirm that the server responds with accurate error messages related to the failing DPoP check (e.g. signature expired, JWT invalid, etc.).
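As an added illustration, not code from GitLab or glab, the Ruby sketch below models both halves of the procedure above: a client that builds a DPoP proof from a PAT and an SSH RSA private key (what glab auth dpop-gen has to produce), and a server-side verifier that performs the checks the last two steps ask you to confirm by hand with curl: missing header, invalid JWT, expired signature, token mismatch and replay. The proof layout (a JWT with typ dpop+jwt, alg RS512, a kid naming the uploaded key, and ath/iat/exp/jti claims where ath is the base64url SHA-256 of the PAT), the five-minute lifetime and the kid string are assumptions for this example, not details stated in the MR; the PAT value is constructed.

```ruby
require "openssl"
require "json"
require "digest"
require "securerandom"
require "set"

# Constructed example for this MR page, not GitLab or glab code. Assumed proof
# layout (not stated on the page): JWT header {typ: "dpop+jwt", alg: "RS512",
# kid: <id of the user's uploaded SSH key>} and claims {ath, iat, exp, jti},
# where ath = base64url(SHA-256(PAT)) binds the proof to the Private-Token sent with it.
module DpopExample
  class Error < StandardError; end

  MAX_LIFETIME = 300 # seconds a proof may remain valid (assumed limit)

  def self.b64url(bytes)
    [bytes].pack("m0").tr("+/", "-_").delete("=")
  end

  def self.b64url_decode(str)
    padded = str.tr("-_", "+/")
    padded += "=" * ((4 - padded.length % 4) % 4)
    padded.unpack1("m0") # strict decoding: raises ArgumentError on garbage
  end

  # Client side: sign the PAT hash plus a short validity window with the SSH private key.
  def self.generate(pat:, private_key:, kid:, now: Time.now.to_i, lifetime: MAX_LIFETIME)
    header  = { typ: "dpop+jwt", alg: "RS512", kid: kid }
    payload = { ath: b64url(Digest::SHA256.digest(pat)), iat: now, exp: now + lifetime,
                jti: SecureRandom.uuid }
    signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
    signature = private_key.sign(OpenSSL::Digest.new("SHA512"), signing_input)
    "#{signing_input}.#{b64url(signature)}"
  end

  # Server side: the checks a request carrying Private-Token + DPoP headers must pass.
  class Verifier
    def initialize(public_keys_by_kid, clock: -> { Time.now.to_i })
      @keys = public_keys_by_kid # the user's uploaded signing keys, looked up by kid
      @clock = clock
      @seen_jti = Set.new        # replay cache; a real server would expire entries at exp
    end

    def verify!(dpop_header, pat)
      parts = dpop_header.to_s.split(".")
      raise Error, "DPoP header is not a JWT" unless parts.length == 3
      begin
        header    = JSON.parse(DpopExample.b64url_decode(parts[0]))
        payload   = JSON.parse(DpopExample.b64url_decode(parts[1]))
        signature = DpopExample.b64url_decode(parts[2])
      rescue ArgumentError, JSON::ParserError => e
        raise Error, "JWT invalid: #{e.message}"
      end

      # Pin typ and alg before touching the key: the token never chooses the algorithm.
      raise Error, "typ must be dpop+jwt" unless header["typ"] == "dpop+jwt"
      raise Error, "alg must be RS512" unless header["alg"] == "RS512"
      key = @keys.fetch(header["kid"]) { raise Error, "unknown signing key" }
      valid = begin
        key.verify(OpenSSL::Digest.new("SHA512"), signature, "#{parts[0]}.#{parts[1]}")
      rescue OpenSSL::PKey::PKeyError
        false
      end
      raise Error, "signature invalid" unless valid

      # Claims are only meaningful once the signature holds.
      expected_ath = DpopExample.b64url(Digest::SHA256.digest(pat))
      raise Error, "ath does not match the presented token" unless payload["ath"] == expected_ath
      unless payload["iat"].is_a?(Integer) && payload["exp"].is_a?(Integer) && payload["jti"].is_a?(String)
        raise Error, "iat, exp and jti are required"
      end
      now = @clock.call
      raise Error, "signature expired" if payload["exp"] <= now
      raise Error, "lifetime too long" if payload["exp"] - payload["iat"] > MAX_LIFETIME
      raise Error, "proof replayed" unless @seen_jti.add?(payload["jti"])
      true
    end
  end

  def self.outcome(verifier, proof, pat)
    verifier.verify!(proof, pat)
    "ok"
  rescue Error => e
    e.message
  end

  # Runs the cases the MR asks you to confirm with curl: a valid proof, then its replay,
  # a mismatched PAT, an expired proof, a tampered payload, and no proof at all.
  def self.demo
    key = OpenSSL::PKey::RSA.new(2048)
    kid = "SHA256:example-fingerprint"     # stand-in for the SSH key fingerprint (assumed)
    pat = "glpat-example-not-a-real-token" # constructed, not a real token
    verifier = Verifier.new({ kid => key.public_key })
    fresh = generate(pat: pat, private_key: key, kid: kid)
    hdr, body, sig = fresh.split(".")
    forged = JSON.parse(b64url_decode(body)).merge("exp" => Time.now.to_i + 86_400)
    {
      valid:     outcome(verifier, fresh, pat),
      replayed:  outcome(verifier, fresh, pat),
      wrong_pat: outcome(verifier, generate(pat: pat, private_key: key, kid: kid), "glpat-other"),
      expired:   outcome(verifier, generate(pat: pat, private_key: key, kid: kid, now: Time.now.to_i - 600), pat),
      tampered:  outcome(verifier, "#{hdr}.#{b64url(JSON.generate(forged))}.#{sig}", pat),
      missing:   outcome(verifier, "", pat)
    }
  end
end

pp DpopExample.demo if $PROGRAM_NAME == __FILE__
```

Running the file prints the outcome of each case. The verifier pins typ and alg before consulting any key and checks the signature before reading a single claim, so a tampered payload is rejected as "signature invalid" without revealing which claim was edited; the replay cache is the one piece of server state the check needs, and it is what makes a captured DPoP header useless to an attacker who also holds the PAT.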
Merge request reports
Activity
assigned to @ameyadarshan
added pipelinetier-3 pipeline:run-e2e-omnibus-once labels
A deleted user added backend label
mentioned in merge request !166206 (merged)
added 4 commits
- 3aa42034...c0ebefd8 - 3 commits from branch ameya-dpop-1
- bc1a38d6 - Merge branch 'ameya-dpop-1' into 'ameya-dpop-2'
added AppSecWorkTypeKR label
added AppSecWeightXLarge label
added AppSecWorkflowin-progress label
changed milestone to %17.6
added Application Security Team label
added typefeature label and removed Application Security Team label
mentioned in issue #425130 (closed)
added devopsgovern groupauthentication sectionsec labels