Add additional JWT audiences when validating the Jira JWT token
What does this MR do and why?
- Adds a new JSONB column called
jira_connect_settingsto theapplication_settingstable - Adds a new setting called
jira_connect_additional_audience_urland exposes this in theAdmin area > Settings > GitLab for Jira app > Jira Connect Additional Audience URLfield - If the additional audience is set, append this to the
audarray during validation
These changes are to address an error that can occur when the JWT audiences mismatch. See the issue description in #498587 (closed).
References
Please include cross links to any resources that are relevant to this MR This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
| Before | After |
|---|---|
 |
 |
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
- Run the source branch in Gitpod.
- Set
gitlab: rails: application_settings_cache_seconds: 0ingdk.ymlandgdk reconfigure. - If GDK is not coming up in the Gitpod, run
rm /workspace/gitlab-development-kit/gitlab/db/docs/subscription_user_add_on_assignment_versions.yml. - Setup a reverse proxy. See NGINX config for example.
- Install the GitLab for Jira Cloud app from the Atlassian Marketplace
- In step 4 of configure the GitLab for Jira Cloud app, enter the reverse proxy FQDN. You should see a
Failed to update the GitLab instanceerror as per #498587 (closed). - In GitLab, set an additional JWT audience. Use the reverse proxy FQDN.
- Try step 4 of configure the GitLab for Jira Cloud app, enter the reverse proxy FQDN. This should now succeed.
NGINX config
server {
listen *:80;
server_name jira-nginx-proxy.gcp.gitlabsandbox.net;
server_tokens off;
location /.well-known/acme-challenge/ {
root /var/www/;
}
location / {
return 301 https://jira-nginx-proxy.gcp.gitlabsandbox.net:443$request_uri;
}
}
server {
listen *:443 ssl;
server_tokens off;
server_name jira-nginx-proxy.gcp.gitlabsandbox.net;
ssl_certificate /etc/letsencrypt/live/jira-nginx-proxy.gcp.gitlabsandbox.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/jira-nginx-proxy.gcp.gitlabsandbox.net/privkey.pem;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_session_timeout 1d;
access_log "/var/log/nginx/proxy_access.log";
error_log "/var/log/nginx/proxy_error.log";
location / {
proxy_pass https://3000-gitlaborg-gitlab-hwt3tcwlcxu.ws-us116.gitpod.io;
proxy_hide_header upgrade;
proxy_set_header Host 3000-gitlaborg-gitlab-hwt3tcwlcxu.ws-us116.gitpod.io;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Handle redirects
proxy_redirect https://3000-gitlaborg-gitlab-hwt3tcwlcxu.ws-us116.gitpod.io/ https://jira-nginx-proxy.gcp.gitlabsandbox.net/;
# Optional: Add these if you want to preserve the protocol
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
}
}Edited by Anton Smith