Refactor Geo signing data logic
What does this MR do and why?
Extracts specific encoding/decoding and signing data logic in a separate Gitlab::Geo::SignedData class to decouple from request authorization logic.
This can then be used separately to generate JWT signed tokens from an existing node that can encode arbitrary data as needed.
For context: I've extracted this out of !82697 (merged) where I'll probably end up doing (after this is merged) something like:
diff --git a/ee/lib/gitlab/geo.rb b/ee/lib/gitlab/geo.rb
index 708f79304e6..bbc18fa93bf 100644
--- a/ee/lib/gitlab/geo.rb
+++ b/ee/lib/gitlab/geo.rb
@@ -32,6 +32,8 @@ module Geo
::Geo::JobArtifactReplicator
].freeze
+ PROXY_JWT_VALIDITY_PERIOD = 1.hour
+
def self.current_node
self.cache_value(:current_node, as: GeoNode) { GeoNode.current_node }
end
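Review bot: `PROXY_JWT_VALIDITY_PERIOD = 1.hour` is introduced without a comment explaining why one hour was chosen. This constant bounds how long a signed proxy token stays acceptable to whoever verifies it, so a short note beside it on the rationale, and on how it relates to any caching of the token, would make later changes to either value safer.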
@@ -44,6 +46,24 @@ def self.secondary_nodes
self.cache_value(:secondary_nodes, as: GeoNode) { GeoNode.secondary_nodes }
end
+ def self.proxy_extra_data
+ self.cache_value(:proxy_extra_data) { self.uncached_proxy_extra_data }
+ end
+
+ def self.uncached_proxy_extra_data
+ # Extra data that can be computed/sent for all proxied requests.
+ #
+ # We're currently only interested in the signing node which can
+ # be figured out from the signing key, so not sending any actual
+ # extra data.
+ data = {}
+
+ Gitlab::Geo::SignedData.new(geo_node: self.current_node, validity_period: PROXY_JWT_VALIDITY_PERIOD)
+ .sign_and_encode_data(data)
+ rescue GeoNodeNotFoundError, OpenSSL::Cipher::Error
+ nil
+ end
+
def self.connected?
# GeoNode#connected? only attempts to use existing DB connections so it can't
# be relied upon in initializers, without this active DB connectivity check.
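Review bot: `proxy_extra_data` stores the signed token through `cache_value`, while the token itself expires after `PROXY_JWT_VALIDITY_PERIOD`, and nothing in this hunk shows the cache entry expiring first. Please confirm the cached value is refreshed before the token's validity ends, otherwise an already-expired token could be handed out from cache. Separately, the `rescue GeoNodeNotFoundError, OpenSSL::Cipher::Error` in `uncached_proxy_extra_data` returns `nil` without logging, and that `nil` passes through the same cache block; consider logging the failure and making sure a `nil` result is not kept in cache.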
Screenshots or screen recordings
How to set up and validate locally
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
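
As an added illustration (not GitLab's `Gitlab::Geo::SignedData` code and not part of this MR), the sketch below shows a standalone sign/encode and verify/decode unit of the kind the description refers to: arbitrary data, a validity period, and the signing node recovered from the key that verifies the token. The class name, the `kid` header layout, the HMAC-SHA256 choice and the in-memory key registry are all assumptions.

```ruby
require 'openssl'
require 'json'
# Hypothetical sketch, not Gitlab::Geo::SignedData: HS256 JWT-style tokens
# where the header's kid names the signing node (assumed layout).
class SignedDataSketch
  Invalid = Class.new(StandardError)

  # keys: { access_key => secret } registry of known nodes (constructed).
  def initialize(keys:, validity_period:)
    @keys = keys
    @validity_period = validity_period
  end

  def sign_and_encode(access_key, data, now: Time.now.to_i)
    header = { alg: 'HS256', typ: 'JWT', kid: access_key }
    claims = { data: data, iat: now, exp: now + @validity_period }
    input = [header, claims].map { |part| b64(JSON.generate(part)) }.join('.')
    "#{input}.#{b64(mac(@keys.fetch(access_key), input))}"
  end

  # Returns [signing_node_key, data]; raises Invalid on any failure.
  def decode(token, now: Time.now.to_i)
    head, body, sig = token.to_s.split('.')
    raise Invalid, 'malformed' unless head && body && sig
    header = JSON.parse(unb64(head))
    # Pin the algorithm; never let the token choose how it is verified.
    raise Invalid, 'malformed' unless header.is_a?(Hash) && header['alg'] == 'HS256'
    secret = @keys[header['kid']] || raise(Invalid, 'unknown node')
    expected = b64(mac(secret, "#{head}.#{body}"))
    raise Invalid, 'bad signature' unless OpenSSL.secure_compare(expected, sig)
    claims = JSON.parse(unb64(body))
    raise Invalid, 'expired' unless claims['exp'].is_a?(Integer) && now < claims['exp']
    [header['kid'], claims['data']]
  rescue JSON::ParserError, ArgumentError
    raise Invalid, 'malformed'
  end

  private

  def mac(secret, input)
    OpenSSL::HMAC.digest('SHA256', secret, input)
  end
  def b64(bin)
    [bin].pack('m0').tr('+/', '-_').delete('=')
  end
  def unb64(str)
    str.tr('-_', '+/').ljust((str.length + 3) / 4 * 4, '=').unpack1('m0')
  end
end
```

The `now:` parameter exists only so the expiry boundary can be exercised deterministically; a token reused at or after `exp` is rejected, which is the case to keep in mind whenever a signed token is cached.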