[go: up one dir, main page]

Cloud Connector: Extract new JWT implementation

Matthias Käpplerrequested to merge
mk-new-cc-jwt into master

What does this MR do and why?

Adds a new JSON Web Token (JWT) type, to be extracted into a library later on, as we will let CustomersDot and GitLab share this implementation.

This primarily changes things such as hard-coding GitLab-specific inputs that would not work were this class used in a different system, such as:

  • The key used to sign the token
  • The token issuer
  • The token expiration time
  • The gitlab realm (.com vs self-managed)

This change is behind a feature flag. Once rolled out, we will remove SelfIssuedToken.

References

Please include cross links to any resources that are relevant to this MR This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

In Rails console:

[5] pry(main)> before = CloudConnector::AvailableServices.find_by_name(:code_suggestions).access_token 
[9] pry(main)> JWT.decode(before, nil, false)
=> [{"jti"=>"66131fe5-abf1-4988-8e9d-aba6a3e8dad9",
  "aud"=>"gitlab-ai-gateway",
  "sub"=>"14cb5c47-1337-4694-b8d2-f486e37e2fb6",
  "iss"=>"http://gitlab.local:3000",
  "iat"=>1731421563,
  "nbf"=>1731421558,
  "exp"=>1731425163,
  "gitlab_realm"=>"self-managed",
  "scopes"=>["code_suggestions", "complete_code", "generate_code"]},
 {"typ"=>"JWT", "alg"=>"RS256"}]
[11] pry(main)> Feature.enable(:cloud_connector_jwt_replace)
[12] pry(main)> after = CloudConnector::AvailableServices.find_by_name(:code_suggestions).access_token
[13] pry(main)> JWT.decode(after, nil, false)
=> [{"jti"=>"2b5debc1-cd12-4c06-bc70-0529343f415d",
  "aud"=>"gitlab-ai-gateway",
  "sub"=>"14cb5c47-1337-4694-b8d2-f486e37e2fb6",
  "iss"=>"http://gitlab.local:3000",
  "iat"=>1731421680,
  "nbf"=>1731421675,
  "exp"=>1731425280,
  "gitlab_realm"=>"self-managed",
  "scopes"=>["code_suggestions", "complete_code", "generate_code"]},
 {"typ"=>"JWT", "kid"=>"99635098e1afacb9caac61c5e2be2e6c8cd4da4167c72f3fe2159d8ca7b4f518", "alg"=>"RS256"}]

The token should have identical contents, except for time-based field values and the addition of the kid (key ID) field. We will make use of this in future iterations.

Edited by Matthias Käppler

Merge request reports