Skip to content

Add JWT token to GitLab Rails request

Igor Drozdov requested to merge id-gitlabnet-jwt into main

What does this MR do and why?

It adds JWT token to Gitlab Rails API request. It is passed as a Gitlab-Shell-Api-Request header and uses the same shared secret in order to sign the token.

How it works now:

  • Gitlab Shell and Gitlab Rails have a pre-shared secret key
  • This secret (base64 encoded) is sent from Gitlab Shell to Gitlab Rails on every request in order to authenticate the request
  • If the secret is leaked while in transit, an attacker can perform unlimited number of requests

Our plan:

  • Gitlab Shell and Gitlab Rails have a pre-shared secret key
  • This secret is used to sign payload to send it as JWT token from Gitlab Shell to Gitlab Rails on every request in order to authenticate the request

This merge request adds JWT token as Gitlab-Shell-Api-Request, but also keeps sending shared secret until GitLab Rails logic that processes Gitlab-Shell-Api-Request is implemented and works as expected

Related issue: https://gitlab.com/gitlab-org/gitlab/-/issues/325167

Edited by Igor Drozdov

Merge request reports

Loading