
Implement Base Client and AWS Token Verification Client

Summary

Implement the foundational base client class with common functionality for all partner API integrations, and create the AWS token verification client as the first concrete implementation.

Description

This issue implements two critical components for partner token verification:

  1. Base Client: A shared foundation that handles HTTP request/response management, response size validation, timeout handling, error tracking, and a standardized interface for subclasses
  2. AWS Token Verification Client: The first concrete partner implementation, which verifies leaked AWS IAM credentials by calling the STS GetCallerIdentity API with a SigV4-signed request; STS answers with the calling identity only if the credentials are valid

The base client owns the security controls and common plumbing; the AWS client demonstrates the pattern for partner-specific implementations. Keeping the controls in one place means every future partner integration inherits the same size limits, timeouts, metrics and error handling instead of re-implementing them.

Acceptance Criteria

Base Client Implementation:

  • Base client implements common HTTP operations with proper abstractions
  • Response size validation enforced (10KB limit, checked while the body is being read rather than after it has been buffered, to prevent memory exhaustion)
  • Timeout configuration applied (5 seconds default, covering both connect and read)
  • Metrics tracked for all requests (success, failure, duration)
  • Error handling standardized with custom exception hierarchy
  • NetworkError and ResponseError exceptions defined
  • TokenStatus struct defined for standardized responses
  • Protected helper methods for request handling

AWS Client Implementation:

  • AWS client extends BaseClient and implements verify_token on top of make_request
  • Implements AWS SigV4 request signing (canonical request, string to sign, derived signing key), so the secret access key is only ever used as HMAC key material and never transmitted
  • Parses the GetCallerIdentity XML response correctly (Arn, Account, UserId)
  • Maps STS error responses (for example an unrecognised access key ID) and transport failures to the standardized TokenStatus instead of surfacing raw HTTP errors

Security & Performance:

  • No sensitive data logged (tokens masked in logs)
  • Request/response size limits enforced
  • Timeout prevents hanging connections
  • Proper error handling prevents information leakage (exception messages and logs carry the error class and host, never request headers, bodies or credentials)

Implementation Details

Base Client Class

# lib/gitlab/secret_detection/partner_tokens/base_client.rb
module Gitlab
  module SecretDetection
    module PartnerTokens
      class BaseClient
        # Public entry point; every partner client overrides this and returns a TokenStatus.
        def verify_token(_token_value)
          raise NotImplementedError, 'Subclasses must implement verify_token'
        end

        protected

        # Shared HTTP path for subclasses: applies the timeout, enforces the
        # response size limit, records metrics and raises NetworkError or
        # ResponseError instead of leaking raw HTTP exceptions.
        def make_request(uri, headers: {}, body: nil, method: :get)
          # make request logic
        end
      end
    end
  end
end
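The following is an added worked example, not code from this issue or from the GitLab code base, of what the acceptance criteria above ask of the base client: the NetworkError/ResponseError hierarchy, the TokenStatus struct, the 10KB limit, the 5 second timeout and per-request metrics. It assumes a top-level PartnerTokens module instead of the Gitlab::SecretDetection namespace, a Response struct as the transport's return value, an injectable transport (so the size and error paths can be exercised without network access) and a particular metrics hash shape; all of those are choices made for the example.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

module PartnerTokens
  # Exception hierarchy: callers rescue Error to catch both kinds at once.
  class Error < StandardError; end
  class NetworkError < Error; end   # timeout, DNS failure, refused connection
  class ResponseError < Error; end  # oversized body or a reply we cannot use

  # What a transport hands back, and what every partner client returns.
  Response = Struct.new(:status, :body, keyword_init: true)
  TokenStatus = Struct.new(:status, :identity, :message, keyword_init: true)

  class BaseClient
    MAX_RESPONSE_BYTES = 10 * 1024 # 10KB limit from the acceptance criteria
    DEFAULT_TIMEOUT = 5            # seconds, applied to both connect and read

    attr_reader :metrics

    # transport: callable (Net::HTTPRequest, URI) -> Response. Defaults to the
    # Net::HTTP transport below; tests pass a lambda that returns canned data.
    def initialize(timeout: DEFAULT_TIMEOUT, transport: nil)
      @timeout = timeout
      @transport = transport || method(:http_transport)
      @metrics = { success: 0, failure: 0, total_seconds: 0.0 }
    end

    def verify_token(_token_value)
      raise NotImplementedError, 'Subclasses must implement verify_token'
    end

    protected

    # Single entry point for subclasses: times the call, enforces the size
    # limit, and converts transport failures into NetworkError.
    def make_request(uri, headers: {}, body: nil, method: :get)
      started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
      uri = URI(uri)
      response = @transport.call(build_request(uri, headers, body, method), uri)
      if response.body.to_s.bytesize > MAX_RESPONSE_BYTES
        raise ResponseError, "response exceeds #{MAX_RESPONSE_BYTES} bytes"
      end
      record(:success, started)
      response
    rescue ResponseError
      record(:failure, started)
      raise
    rescue Net::OpenTimeout, Net::ReadTimeout, OpenSSL::SSL::SSLError,
           SocketError, SystemCallError, IOError => e
      record(:failure, started)
      # Only the error class and host are reported: the request headers and
      # body carry the credential and must not reach exception text or logs.
      raise NetworkError, "#{e.class} while contacting #{uri.host}"
    end

    private

    def build_request(uri, headers, body, method)
      klass = method == :post ? Net::HTTP::Post : Net::HTTP::Get
      request = klass.new(uri.request_uri)
      headers.each { |name, value| request[name] = value }
      request.body = body if body
      request
    end

    # Real transport: streams the body and stops reading as soon as the limit
    # is passed, so an oversized reply is never fully buffered in memory.
    def http_transport(request, uri)
      http = Net::HTTP.new(uri.host, uri.port)
      http.use_ssl = (uri.scheme == 'https')
      http.open_timeout = @timeout
      http.read_timeout = @timeout
      status = nil
      body = +''
      http.start do |conn|
        conn.request(request) do |response|
          status = response.code.to_i
          response.read_body do |chunk|
            body << chunk
            raise ResponseError, 'response exceeds size limit' if body.bytesize > MAX_RESPONSE_BYTES
          end
        end
      end
      Response.new(status: status, body: body)
    end

    def record(outcome, started)
      @metrics[outcome] += 1
      @metrics[:total_seconds] += Process.clock_gettime(Process::CLOCK_MONOTONIC) - started
    end
  end
end
```

The size check lives in two places on purpose: the streaming transport aborts mid-read (the part that actually protects memory), and make_request re-checks whatever a transport returns so an alternative transport cannot bypass the limit. A failed request still counts in the metrics, which is what lets an operator spot a partner endpoint timing out.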

AWS Client Implementation

# lib/gitlab/secret_detection/partner_tokens/aws_client.rb
module Gitlab
  module SecretDetection
    module PartnerTokens
      class AwsClient < BaseClient
        # STS global endpoint; GetCallerIdentity requires no IAM permissions,
        # so any valid credential gets an answer.
        API_ENDPOINT = 'https://sts.amazonaws.com/'

        # Parses the credential, signs a GetCallerIdentity request with SigV4,
        # sends it through make_request and returns a TokenStatus.
        def verify_token(token_value)
          # Verify token logic
        end

        private

        # Splits the detected token into access key ID and secret access key.
        def parse_aws_credentials(token_value)
        end
      end
    end
  end
end
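An added worked example, not the project's code, of the AWS-specific pieces the acceptance criteria call for: credential parsing, SigV4 signing of the GetCallerIdentity request, safe parsing of the STS XML reply, and masking of the key ID in any message that could be logged. Assumptions made here: the token value is "ACCESS_KEY_ID:SECRET" (the issue does not fix a format); the code is a standalone AwsTokenCheck module rather than an AwsClient subclass; the network call is a transport callable passed in (BaseClient#make_request in the real layout); the two sample XML replies are constructed in the STS Query API shape using AWS's documented EXAMPLE identifiers; and mapping InvalidClientTokenId to :inactive while every other error becomes :unknown is a design choice, not something the issue specifies.

```ruby
require 'openssl'
require 'rexml/document'

module AwsTokenCheck
  TokenStatus = Struct.new(:status, :identity, :message, keyword_init: true)
  class ResponseError < StandardError; end
  HOST = 'sts.amazonaws.com'
  REGION = 'us-east-1' # the global STS endpoint is signed as us-east-1
  SERVICE = 'sts'
  ALGORITHM = 'AWS4-HMAC-SHA256'
  BODY = 'Action=GetCallerIdentity&Version=2011-06-15'

  # Constructed sample replies in the STS Query-API XML shape (not captured
  # from AWS); the identifiers are AWS's documented EXAMPLE placeholders.
  SAMPLE_OK = <<~XML
    <GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
      <GetCallerIdentityResult><Arn>arn:aws:iam::123456789012:user/Alice</Arn>
        <UserId>AIDACKCEVSQ6C2EXAMPLE</UserId><Account>123456789012</Account></GetCallerIdentityResult>
    </GetCallerIdentityResponse>
  XML
  SAMPLE_INVALID = <<~XML
    <ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/"><Error><Type>Sender</Type>
      <Code>InvalidClientTokenId</Code><Message>The security token included in the request is invalid.</Message>
    </Error></ErrorResponse>
  XML

  module_function

  # Assumed token format (the issue does not fix one): "ACCESS_KEY_ID:SECRET".
  # Long-term key IDs are 20 characters starting AKIA, temporary ones ASIA.
  def parse_credentials(token_value)
    access_key_id, secret = token_value.to_s.split(':', 2)
    return [access_key_id, secret] if access_key_id.to_s.match?(/\A(AKIA|ASIA)[A-Z0-9]{16}\z/) && !secret.to_s.empty?
    raise ArgumentError, "malformed AWS credential #{mask(access_key_id)}"
  end

  # Key ID as it may appear in logs: never the secret, never the full ID.
  def mask(value)
    value = value.to_s
    value.length < 12 ? '****' : "#{value[0, 4]}****#{value[-4, 4]}"
  end

  # SigV4 headers for POST / with BODY. `now` is injectable so a signature is
  # reproducible in tests; STS rejects requests whose x-amz-date is stale.
  def signed_headers(access_key_id, secret_access_key, now: Time.now.utc)
    amz_date = now.strftime('%Y%m%dT%H%M%SZ')
    date = now.strftime('%Y%m%d')
    scope = "#{date}/#{REGION}/#{SERVICE}/aws4_request"
    headers = { 'content-type' => 'application/x-www-form-urlencoded; charset=utf-8',
                'host' => HOST, 'x-amz-date' => amz_date }
    names = headers.keys.sort
    canonical_request = [
      'POST', '/', '',                               # method, URI, query string
      names.map { |n| "#{n}:#{headers[n]}\n" }.join, # canonical headers
      names.join(';'),                               # signed headers
      OpenSSL::Digest::SHA256.hexdigest(BODY)        # hashed payload
    ].join("\n")
    string_to_sign = [ALGORITHM, amz_date, scope,
                      OpenSSL::Digest::SHA256.hexdigest(canonical_request)].join("\n")
    # Derived signing key: the secret itself is only ever used as HMAC key material.
    k_signing = ["AWS4#{secret_access_key}", date, REGION, SERVICE, 'aws4_request']
                .reduce { |key, data| OpenSSL::HMAC.digest('SHA256', key, data) }
    signature = OpenSSL::HMAC.hexdigest('SHA256', k_signing, string_to_sign)
    headers.merge('authorization' => "#{ALGORITHM} Credential=#{access_key_id}/#{scope}, " \
                                     "SignedHeaders=#{names.join(';')}, Signature=#{signature}")
  end

  # Maps an STS reply to a TokenStatus. Local names are compared directly, so
  # the default xmlns on the document is irrelevant; DOCTYPEs are refused.
  def parse_response(status, body, access_key_id)
    raise ResponseError, 'DOCTYPE in STS response' if body.to_s.match?(/<!DOCTYPE/i)
    root = REXML::Document.new(body.to_s).root
    code = find_text(root, 'Code')
    if status == 200
      TokenStatus.new(status: :active, message: "#{mask(access_key_id)} is live",
                      identity: { arn: find_text(root, 'Arn'), account: find_text(root, 'Account') })
    elsif code == 'InvalidClientTokenId' # STS does not know the key ID: deleted or deactivated
      TokenStatus.new(status: :inactive, identity: nil, message: "#{mask(access_key_id)} not recognised by STS")
    else # SignatureDoesNotMatch, throttling, 5xx: none of these proves the key is dead
      TokenStatus.new(status: :unknown, identity: nil, message: "STS returned #{status} #{code}")
    end
  rescue REXML::ParseException
    raise ResponseError, 'unparseable STS response'
  end

  # First descendant element with this local name, or nil.
  def find_text(element, name)
    return nil if element.nil?
    element.elements.each do |child|
      return child.text if child.name == name
      found = find_text(child, name)
      return found if found
    end
    nil
  end

  # transport: callable (headers, body) -> [status, body] (BaseClient#make_request in the real layout).
  def verify(token_value, transport:, now: Time.now.utc)
    access_key_id, secret = parse_credentials(token_value)
    status, body = transport.call(signed_headers(access_key_id, secret, now: now), BODY)
    parse_response(status, body, access_key_id)
  end
end
```

Two points worth keeping when this is folded into AwsClient: the secret never leaves the signing routine (it only seeds the HMAC chain), and every message that could reach a log goes through mask, including the ArgumentError for a malformed token. The separate :unknown outcome matters for secret detection: a SignatureDoesNotMatch or throttling reply says nothing about whether the key ID is still live, so reporting it as inactive would hide a real leak.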

Security Considerations

  • Response size limits prevent memory exhaustion attacks
  • Timeout prevents hanging connections and resource exhaustion
  • No sensitive data logged (tokens, secrets masked in logs)
  • Proper error handling prevents information leakage
  • AWS SigV4 signing follows the AWS specification: the secret access key is used only to derive the signing key via HMAC and is never transmitted, and x-amz-date is fresh for every request

Performance Considerations

  • HTTP client connection reuse where possible
  • Efficient XML parsing
  • Memory-efficient response handling with size limits
  • Metrics tracking adds minimal overhead

MR Checklist

  • Security review requested for credential handling
  • AWS API documentation linked and implementation verified
  • XML parsing uses safe methods (no DTD or external entity processing; the parser only ever sees size-limited bodies)
  • No AWS credentials hardcoded anywhere
  • Performance impact assessed
  • Error tracking configured with proper log levels
  • Changelog entry added
  • Tests provide full coverage for both base and AWS clients