Merge branch 'add-jwks-keys-to-doorkeeper' into 'master'

Add CI_JOB_JWT signing key signature to jwks Doorkeeper Open ID Connect

See merge request gitlab-org/gitlab!73216

app/controllers/jwks_controller.rb

 # frozen_string_literal: true
 
-class JwksController < ActionController::Base # rubocop:disable Rails/ApplicationController
+class JwksController < Doorkeeper::OpenidConnect::DiscoveryController
   def index
-    render json: { keys: keys }
+    render json: { keys: payload }
+  end
+
+  def keys
+    index
   end
 
   private
 
-  def keys
+  def payload
     [
       # We keep openid_connect_signing_key so that we can seamlessly
       # replace it with ci_jwt_signing_key and remove it on the next release.

config/routes.rb

@@ -43,12 +43,15 @@ Rails.application.routes.draw do
 
   draw :oauth
 
-  use_doorkeeper_openid_connect
+  use_doorkeeper_openid_connect do
+    controllers discovery: 'jwks'
+  end
+
   # Add OPTIONS method for CORS preflight requests
   match '/oauth/userinfo' => 'doorkeeper/openid_connect/userinfo#show', via: :options
-  match '/oauth/discovery/keys' => 'doorkeeper/openid_connect/discovery#keys', via: :options
-  match '/.well-known/openid-configuration' => 'doorkeeper/openid_connect/discovery#provider', via: :options
-  match '/.well-known/webfinger' => 'doorkeeper/openid_connect/discovery#webfinger', via: :options
+  match '/oauth/discovery/keys' => 'jwks#keys', via: :options
+  match '/.well-known/openid-configuration' => 'jwks#provider', via: :options
+  match '/.well-known/webfinger' => 'jwks#webfinger', via: :options
 
   match '/oauth/token' => 'oauth/tokens#create', via: :options
   match '/oauth/revoke' => 'oauth/tokens#revoke', via: :options

spec/requests/jwks_controller_spec.rb

@@ -3,6 +3,20 @@
 require 'spec_helper'
 
 RSpec.describe JwksController do
+  describe 'Endpoints from the parent Doorkeeper::OpenidConnect::DiscoveryController' do
+    it 'respond successfully' do
+      [
+        "/oauth/discovery/keys",
+        "/.well-known/openid-configuration",
+        "/.well-known/webfinger?resource=#{create(:user).email}"
+      ].each do |endpoint|
+        get endpoint
+
+        expect(response).to have_gitlab_http_status(:ok)
+      end
+    end
+  end
+
   describe 'GET /-/jwks' do
     let(:ci_jwt_signing_key) { OpenSSL::PKey::RSA.generate(1024) }
     let(:ci_jwk) { ci_jwt_signing_key.to_jwk }

spec/routing/openid_connect_spec.rb

@@ -2,20 +2,20 @@
 
 require 'spec_helper'
 
-# oauth_discovery_keys      GET /oauth/discovery/keys(.:format)             doorkeeper/openid_connect/discovery#keys
-# oauth_discovery_provider  GET /.well-known/openid-configuration(.:format) doorkeeper/openid_connect/discovery#provider
-# oauth_discovery_webfinger GET /.well-known/webfinger(.:format)            doorkeeper/openid_connect/discovery#webfinger
+# oauth_discovery_keys      GET /oauth/discovery/keys(.:format)             jwks#keys
+# oauth_discovery_provider  GET /.well-known/openid-configuration(.:format) jwks#provider
+# oauth_discovery_webfinger GET /.well-known/webfinger(.:format)            jwks#webfinger
 RSpec.describe Doorkeeper::OpenidConnect::DiscoveryController, 'routing' do
   it "to #provider" do
-    expect(get('/.well-known/openid-configuration')).to route_to('doorkeeper/openid_connect/discovery#provider')
+    expect(get('/.well-known/openid-configuration')).to route_to('jwks#provider')
   end
 
   it "to #webfinger" do
-    expect(get('/.well-known/webfinger')).to route_to('doorkeeper/openid_connect/discovery#webfinger')
+    expect(get('/.well-known/webfinger')).to route_to('jwks#webfinger')
   end
 
   it "to #keys" do
-    expect(get('/oauth/discovery/keys')).to route_to('doorkeeper/openid_connect/discovery#keys')
+    expect(get('/oauth/discovery/keys')).to route_to('jwks#keys')
   end
 end