Add CI_JOB_JWT signing key signature to jwks Doorkeeper Open ID Connect

8c880e54 · Brad Downey · Terri Chu · 85ebea6c · 8c880e54 · 8c880e54
Commit 8c880e54 authored Nov 15, 2021 by Brad Downey Committed by Terri Chu Nov 15, 2021
4 changed files
--- a/app/controllers/jwks_controller.rb
+++ b/app/controllers/jwks_controller.rb
 # frozen_string_literal: true

-class JwksController < ActionController::Base # rubocop:disable Rails/ApplicationController
+class JwksController < Doorkeeper::OpenidConnect::DiscoveryController
  def index
-    render json: { keys: keys }
+    render json: { keys: payload }
+  end
+
+  def keys
+    index
  end

  private

-  def keys
+  def payload
    [
      # We keep openid_connect_signing_key so that we can seamlessly
      # replace it with ci_jwt_signing_key and remove it on the next release.

--- a/config/routes.rb
+++ b/config/routes.rb
@@ -43,12 +43,15 @@ Rails.application.routes.draw do

  draw :oauth

-  use_doorkeeper_openid_connect
+  use_doorkeeper_openid_connect do
+    controllers discovery: 'jwks'
+  end
+
  # Add OPTIONS method for CORS preflight requests
  match '/oauth/userinfo' => 'doorkeeper/openid_connect/userinfo#show', via: :options
-  match '/oauth/discovery/keys' => 'doorkeeper/openid_connect/discovery#keys', via: :options
-  match '/.well-known/openid-configuration' => 'doorkeeper/openid_connect/discovery#provider', via: :options
-  match '/.well-known/webfinger' => 'doorkeeper/openid_connect/discovery#webfinger', via: :options
+  match '/oauth/discovery/keys' => 'jwks#keys', via: :options
+  match '/.well-known/openid-configuration' => 'jwks#provider', via: :options
+  match '/.well-known/webfinger' => 'jwks#webfinger', via: :options

  match '/oauth/token' => 'oauth/tokens#create', via: :options
  match '/oauth/revoke' => 'oauth/tokens#revoke', via: :options

--- a/spec/requests/jwks_controller_spec.rb
+++ b/spec/requests/jwks_controller_spec.rb
@@ -3,6 +3,20 @@
 require 'spec_helper'

 RSpec.describe JwksController do
+  describe 'Endpoints from the parent Doorkeeper::OpenidConnect::DiscoveryController' do
+    it 'respond successfully' do
+      [
+        "/oauth/discovery/keys",
+        "/.well-known/openid-configuration",
+        "/.well-known/webfinger?resource=#{create(:user).email}"
+      ].each do |endpoint|
+        get endpoint
+
+        expect(response).to have_gitlab_http_status(:ok)
+      end
+    end
+  end
+
  describe 'GET /-/jwks' do
    let(:ci_jwt_signing_key) { OpenSSL::PKey::RSA.generate(1024) }
    let(:ci_jwk) { ci_jwt_signing_key.to_jwk }

--- a/spec/routing/openid_connect_spec.rb
+++ b/spec/routing/openid_connect_spec.rb
@@ -2,20 +2,20 @@

 require 'spec_helper'

-# oauth_discovery_keys      GET /oauth/discovery/keys(.:format)             doorkeeper/openid_connect/discovery#keys
-# oauth_discovery_provider  GET /.well-known/openid-configuration(.:format) doorkeeper/openid_connect/discovery#provider
-# oauth_discovery_webfinger GET /.well-known/webfinger(.:format)            doorkeeper/openid_connect/discovery#webfinger
+# oauth_discovery_keys      GET /oauth/discovery/keys(.:format)             jwks#keys
+# oauth_discovery_provider  GET /.well-known/openid-configuration(.:format) jwks#provider
+# oauth_discovery_webfinger GET /.well-known/webfinger(.:format)            jwks#webfinger
 RSpec.describe Doorkeeper::OpenidConnect::DiscoveryController, 'routing' do
  it "to #provider" do
-    expect(get('/.well-known/openid-configuration')).to route_to('doorkeeper/openid_connect/discovery#provider')
+    expect(get('/.well-known/openid-configuration')).to route_to('jwks#provider')
  end

  it "to #webfinger" do
-    expect(get('/.well-known/webfinger')).to route_to('doorkeeper/openid_connect/discovery#webfinger')
+    expect(get('/.well-known/webfinger')).to route_to('jwks#webfinger')
  end

  it "to #keys" do
-    expect(get('/oauth/discovery/keys')).to route_to('doorkeeper/openid_connect/discovery#keys')
+    expect(get('/oauth/discovery/keys')).to route_to('jwks#keys')
  end
 end