
Add authentication to suggested reviewer client

Tan Le requested to merge jwt-authentication-suggested-reviewer into master

What does this MR do and why?

This MR adds JWT authentication to the Suggested Reviewer gRPC client.

The user-facing functions are gated behind the feature flag suggested_reviewers.

Relates to https://gitlab.com/gitlab-org/modelops/applied-ml/review-recommender/recommender-bot-service/-/issues/19

Implementations

  • GitLab: store signing key in an environment variable (issue)
  • GitLab: attach a JWT to the request header, signed with the signing key using HMAC with the SHA-256 hash algorithm (HS256) <-- this MR
  • Suggested Reviewer: store verifying key in an environment variable (MR)
  • Suggested Reviewer: decode the token in the request and validate that the current time is not past the expiry time (MR)

How to set up and validate locally

  1. Run the recommender-bot-service in a development K8s cluster
  2. Update the rpc_url value, e.g. suggested-reviewer.dev:443
  3. Copy the certificate used by the service in Step 1 to the gitlab folder, e.g. dev.crt
  4. In the gitlab folder, run bundle exec rails c
    pry(main)> certs = File.read('dev.crt')
    pry(main)> ENV['SUGGESTED_REVIEWERS_SECRET'] = 'fBwSLJ32cjJPxuzkN7IXsPwC6aDAe3LdrwUM1vfaj9sv09QhDmJYEAv5ipfB8mc9'
    pry(main)> c = ::Gitlab::AppliedMl::SuggestedReviewers::Client.new(rpc_url: 'suggested-reviewer.dev:443', certs: certs)
    pry(main)> d = c.suggested_reviewers(project_id: 15238759, merge_request_iid: 1, top_n: 5, changes: ['db', 'ee/db'], author_username: 'joe')
    => {:version=>"0.1.0", :top_n=>5, :reviewers=>[]}
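The Implementations list and the local setup steps above describe the two halves of the scheme: GitLab signs a token with the secret from SUGGESTED_REVIEWERS_SECRET and attaches it to the request, and Suggested Reviewer verifies the signature and the expiry. The following is an added example, not code from this MR or from either service, showing both halves with only the Ruby standard library (OpenSSL HMAC, Base64, JSON). The claim values (iss, aud), the five-minute lifetime, and the `authorization` metadata key are assumptions for illustration; the real services may use different names.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Added example (not the project's code): a stdlib-only HS256 JWT issuer and
# verifier mirroring the flow in the Implementations list. GitLab signs with a
# secret from the environment and attaches the token to the request metadata;
# Suggested Reviewer checks the signature and the exp claim. Claim values, the
# metadata key and the lifetime are assumptions for illustration.
module SuggestedReviewersJwt
  ISSUER       = 'gitlab'.freeze              # assumed
  AUDIENCE     = 'suggested-reviewers'.freeze # assumed
  TTL_SECONDS  = 300                          # assumed token lifetime
  METADATA_KEY = 'authorization'.freeze       # assumed gRPC metadata key

  def self.b64url(bytes)
    Base64.urlsafe_encode64(bytes, padding: false)
  end

  def self.b64url_decode(str)
    Base64.urlsafe_decode64(str)
  end

  # Constant-time byte comparison so the signature check cannot leak via timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Issue a compact-serialized HS256 token. `now` is injectable for tests.
  def self.encode(secret, now: Time.now.to_i)
    header  = { alg: 'HS256', typ: 'JWT' }
    payload = { iss: ISSUER, aud: AUDIENCE, iat: now, exp: now + TTL_SECONDS }
    signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
    signature = OpenSSL::HMAC.digest('SHA256', secret, signing_input)
    "#{signing_input}.#{b64url(signature)}"
  end

  # Client side: what gets attached to each gRPC call. The secret defaults to
  # SUGGESTED_REVIEWERS_SECRET, the variable used in the local setup steps.
  def self.request_metadata(secret = ENV.fetch('SUGGESTED_REVIEWERS_SECRET'), now: Time.now.to_i)
    { METADATA_KEY => "Bearer #{encode(secret, now: now)}" }
  end

  # Server side: pin the algorithm, verify the HMAC over the exact signing
  # input, then enforce aud and exp. Returns the payload hash or raises.
  def self.decode(token, secret, now: Time.now.to_i)
    h64, p64, s64 = token.split('.')
    raise ArgumentError, 'malformed token' if s64.nil? || token.count('.') != 2
    header = JSON.parse(b64url_decode(h64))
    raise ArgumentError, 'unexpected alg' unless header.is_a?(Hash) && header['alg'] == 'HS256'
    expected = OpenSSL::HMAC.digest('SHA256', secret, "#{h64}.#{p64}")
    raise ArgumentError, 'bad signature' unless secure_equal?(b64url_decode(s64), expected)
    payload = JSON.parse(b64url_decode(p64))
    raise ArgumentError, 'malformed payload' unless payload.is_a?(Hash)
    raise ArgumentError, 'wrong audience' unless payload['aud'] == AUDIENCE
    exp = payload['exp']
    raise ArgumentError, 'missing exp' unless exp.is_a?(Integer)
    # exp itself counts as expired (RFC 7519: current time must be before exp).
    raise ArgumentError, 'token expired' if now >= exp
    payload
  end

  # Convenience for a server interceptor: pull the bearer token out of the
  # request metadata and report true/false instead of raising.
  def self.valid_request?(metadata, secret, now: Time.now.to_i)
    value = metadata[METADATA_KEY].to_s
    return false unless value.start_with?('Bearer ')
    decode(value.delete_prefix('Bearer '), secret, now: now)
    true
  rescue ArgumentError, JSON::ParserError
    false
  end
end
```

The verifier pins `alg` to HS256 before touching the signature, so an `alg: none` or RSA-style header is rejected rather than interpreted; it also recomputes the HMAC over the encoded header and payload exactly as received, so any change to the claims invalidates the token. Because the same secret signs and verifies, the secret stored in the Suggested Reviewer environment must be treated as sensitive as the one in GitLab.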

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Tan Le
