Consolidate JWT implementation
What does this MR do and why?
There are similarities and code duplication between Gitlab::Ci::Jwt, Gitlab::Ci::JwtV2 and GoogleCloud::Jwt.
This MR introduces the new classes Authn::JSONWebToken::ProjectTokenClaims and Gitlab::Ci::JwtBase and refactors the existing classes.
The following diagram reflects the changes:
graph TD;
JSONWebToken::RSAToken --> Gitlab::Ci::JwtBase
JSONWebToken::Token --> Gitlab::Ci::JwtBase
Gitlab::Ci::JwtBase --> GoogleCloud::Jwt
Gitlab::Ci::JwtBase --> Gitlab::Ci::Jwt
Authn::JSONWebToken::ProjectTokenClaims --> GoogleCloud::Jwt
Authn::JSONWebToken::ProjectTokenClaims --> Gitlab::Ci::Jwt
Gitlab::Ci::Jwt --> Gitlab::Ci::JwtV2
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
No.
How to set up and validate locally
The changes in GoogleCloud::Jwt
- Required setup for Google Cloud is described here
- Prepare the project with the Google Artifact Management and Google Cloud IAM integrations.
- Visit http://gdk.test:3000/-/graphql-explorer and create the request.

    query getGarArtifactsFromProject {
      project(fullPath: "<project full path>") {
        googleCloudArtifactRegistryRepository {
          projectId
          repository
          artifactRegistryRepositoryUrl
          artifacts {
            nodes {
              ... on GoogleCloudArtifactRegistryDockerImage {
                name
              }
            }
          }
        }
      }
    }

The request should return all requested data and not contain any errors. A successful response means a correct token exchange using the JWT with the glgo service.
The changes in Gitlab::Ci::Jwt, Gitlab::Ci::JwtV2
I'm relying on the test suite that does encoding/decoding and asserts all required fields.
Related to #435739 (closed)
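
The structure in the diagram above, sketched as an added example that is not GitLab's code or part of the MR: a shared base owns RS256 signing, a shared claims object supplies the project fields, and the subclasses differ only in audience. All class names, claim names, issuer and audience values here are constructed assumptions.

```ruby
require 'openssl'
require 'json'

def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

# Shared project claims (hypothetical claim names, not GitLab's claim set).
class ProjectClaims
  def initialize(project_id:, project_path:)
    @fields = { 'project_id' => project_id.to_s, 'project_path' => project_path }
  end
  def generate
    @fields.dup
  end
end

# Shared base: RS256 signing and the registered claims live in one place.
class JwtBase
  def initialize(key:, claims:, ttl: 300)
    @key, @claims, @ttl = key, claims, ttl
  end
  def encoded(now: Time.now.to_i)
    payload = { 'iss' => 'https://gitlab.example', 'aud' => audience, 'iat' => now,
                'exp' => now + @ttl }.merge(@claims.generate)
    input = [{ 'alg' => 'RS256', 'typ' => 'JWT' }, payload].map { |part| b64url(part.to_json) }.join('.')
    "#{input}.#{b64url(@key.sign(OpenSSL::Digest.new('SHA256'), input))}"
  end
end

# Subclasses differ only in audience (constructed values).
class CiJwt < JwtBase
  def audience; 'https://gitlab.example'; end
end
class CloudJwt < JwtBase
  def audience; 'https://cloud.example'; end
end

# Relying-party check: pinned algorithm, signature, audience, expiry.
def verify_jwt(token, public_key, audience:, now: Time.now.to_i)
  head, body, sig = token.split('.')
  decode = ->(s) { s.tr('-_', '+/').unpack1('m') }
  raise 'unexpected alg' unless JSON.parse(decode.(head))['alg'] == 'RS256'
  valid = public_key.verify(OpenSSL::Digest.new('SHA256'), decode.(sig), "#{head}.#{body}")
  raise 'bad signature' unless valid
  claims = JSON.parse(decode.(body))
  raise 'wrong audience' unless claims['aud'] == audience
  raise 'expired' unless claims['exp'] > now
  claims
end
```

Because both token types share one signing path and one claims builder, the audience is the only thing that stops a token minted for one service from being accepted by the other, so a verifier should always check it.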