
Add Jira Connect public key storage

Merged Andy Schoenen requested to merge andysoiron/jira-connect-self-hosted-jwt-generation into master
All threads resolved!

What does this MR do and why?

This is part of #372967 (closed). See !96818 (closed) for a full context MR.

When a user installs the GitLab for Jira app we receive an installed hook. It includes a JWT token that we have to verify using a public key. The public key is fetched from connect-install-keys.atlassian.com (see lib/atlassian/jira_connect/jwt/asymmetric.rb:15).

To make the app available for self-managed users, GitLab.com will serve as a proxy. It forwards the installed hook to the self-managed instance, but generates a new JWT token. To make this work, we need to:

  1. Build the JWT infrastructure (This MR)
    • Add a service to generate JWT tokens.
    • Store the public keys with an expiry date.
    • Provide an endpoint to fetch public keys.
  2. Allow the public key CDN URL to be configured. (!98437 (merged))
    • Add an application setting that defaults to https://connect-install-keys.atlassian.com and can be pointed to https://gitlab.com/-/jira_connect/-/jira_connect/public_keys.
  3. Forward the installed event to self-managed
    • Add a service that sends an installed hook to the self-managed instance when instance_url is updated.

I explained the problem in more detail in #372967 (closed).

How to set up and validate locally

  1. Go to http://localhost:3000/admin/application_settings/network
  2. Expand the Outbound requests section
  3. Enable Allow requests to the local network from web hooks and services
  4. Open a rails console rails c
  5. Enable the jira_connect_oauth_self_managed feature: Feature.enable(:jira_connect_oauth_self_managed)
  6. Execute the following lines:

     # Create a JiraConnect installation
     installation = JiraConnectInstallation.create(client_key: '123', shared_secret: '123', base_url: 'https://sample.atlassian.net')

     # Generate a new JWT token for the installation
     jwt = JiraConnect::CreateAsymmetricJwtService.new(installation).execute

     # Fetch the public key ID from the JWT header. The 3rd parameter defines whether the decoding
     # should be verified with a public key. In this case, it is not (we only need the header).
     key_id = Atlassian::Jwt.decode(jwt, nil, false, algorithm: 'RS256').last['kid']

     # Retrieve the public key from storage via the new endpoint
     public_key_string = Gitlab::HTTP.get('http://127.0.0.1:3000/-/jira_connect/public_keys/' + key_id).body

     # Read the public key
     public_key = OpenSSL::PKey.read(public_key_string)

     # Do a verified decoding of the JWT using the public key
     Atlassian::Jwt.decode(jwt, public_key, true, algorithm: 'RS256').first.present?

  7. Verify that the last return value is true
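The three pieces this MR builds (generate an RS256 JWT whose header carries a key ID, store the public key with an expiry, and look the key up by that ID before verifying) can be shown end to end in plain Ruby. The following is an added, self-contained illustration written for this page; it is not GitLab's code and does not use the `Atlassian::Jwt` or `JiraConnect::CreateAsymmetricJwtService` classes. `PublicKeyStore`, `create_asymmetric_jwt` and `verify_asymmetric_jwt` are hypothetical names, the in-memory hash stands in for the real key storage and the `/-/jira_connect/public_keys/:id` endpoint, and only the Ruby standard library (`openssl`, `json`, `base64`) is used so the JWT encoding and verification are spelled out rather than hidden in a gem.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'

# In-memory stand-in for the public key storage plus the lookup endpoint.
# Keys are addressed by their "kid" and carry an expiry, as the MR describes.
class PublicKeyStore
  Entry = Struct.new(:pem, :expires_at)

  def initialize
    @keys = {}
  end

  def store(kid, public_key, ttl:)
    @keys[kid] = Entry.new(public_key.to_pem, Time.now + ttl)
  end

  # Returns the PEM string, or nil when the kid is unknown or has expired.
  def fetch(kid)
    entry = @keys[kid]
    return nil if entry.nil? || entry.expires_at <= Time.now

    entry.pem
  end
end

# JWT uses unpadded base64url for all three segments.
def b64url(data)
  Base64.urlsafe_encode64(data, padding: false)
end

# Generate a fresh RSA key pair, publish its public half under a random kid,
# and sign the claims as an RS256 JWT whose header names that kid.
def create_asymmetric_jwt(store, claims, ttl: 300, key_bits: 2048)
  key = OpenSSL::PKey::RSA.new(key_bits)
  kid = SecureRandom.uuid
  store.store(kid, key.public_key, ttl: ttl)

  header = { alg: 'RS256', typ: 'JWT', kid: kid }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
  signature = key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Verify a JWT: read the kid from the (still untrusted) header, fetch the
# matching public key, check the signature, and only then return the claims.
# Returns nil on any failure so callers cannot accidentally use unverified claims.
def verify_asymmetric_jwt(store, jwt)
  parts = jwt.to_s.split('.')
  return nil unless parts.length == 3

  header_b64, payload_b64, sig_b64 = parts
  header = JSON.parse(Base64.urlsafe_decode64(header_b64))
  # Pin the algorithm: a header claiming "none" or an HMAC alg must not be honoured.
  return nil unless header['alg'] == 'RS256'

  pem = store.fetch(header['kid'])
  return nil if pem.nil?

  public_key = OpenSSL::PKey.read(pem)
  signing_input = "#{header_b64}.#{payload_b64}"
  signature = Base64.urlsafe_decode64(sig_b64)
  return nil unless public_key.verify(OpenSSL::Digest.new('SHA256'), signature, signing_input)

  JSON.parse(Base64.urlsafe_decode64(payload_b64))
rescue ArgumentError, JSON::ParserError, OpenSSL::PKey::PKeyError
  nil
end

if __FILE__ == $PROGRAM_NAME
  store = PublicKeyStore.new
  # Constructed sample claims, not a real Jira Connect installed hook.
  jwt = create_asymmetric_jwt(store, { 'iss' => 'gitlab.com', 'sub' => 'installation-1' })
  puts verify_asymmetric_jwt(store, jwt).inspect
end
```

The verifier mirrors the manual steps above: the first, unverified decode exists only to learn the `kid`, and nothing from the payload is used until the signature has been checked against the key that was fetched for that `kid`. The expiry on the stored key bounds how long a leaked or rotated key remains accepted by the endpoint.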

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Andy Schoenen

Merge request reports

Activity

  • Andy Schoenen added 1 commit
  • Bojan Marjanovic approved this merge request
  • Bojan Marjanovic requested review from @georgekoltsov and removed review request for @bmarjanovic
  • :wave: @bmarjanovic, thanks for approving this merge request.

    This is the first time the merge request is approved. To ensure full test coverage, a new pipeline has been started.

    For more info, please refer to the following links:

  • mentioned in epic &5650 (closed)
  • George Koltsov removed review request for @georgekoltsov
  • Andy Schoenen added 756 commits
  • mentioned in issue #375503 (closed)
  • Andy Schoenen added 1 commit
    • d4491b3a - Implement review suggestions
  • requested review from @georgekoltsov
  • George Koltsov resolved all threads
  • George Koltsov approved this merge request
  • George Koltsov enabled an automatic merge when the pipeline for 840ec89d succeeds
  • George Koltsov mentioned in commit 15bea338
  • added workflowstaging label and removed workflowcanary label
  • Andy Schoenen mentioned in merge request !101702 (merged)
  • 🤖 GitLab Bot 🤖 added devopsmanage label and removed 1 deleted label