Commit ab8a0dd5 authored by Krasimir Angelov's avatar Krasimir Angelov

Add system check for CI JWT signing key

The check is executed as part of the `gitlab:check` and
`gitlab:app:check` rake tasks.

Related to https://gitlab.com/gitlab-org/gitlab/-/issues/214607.
parent acccc428
---
title: Add system check for CI JWT signing key
merge_request: 33920
author:
type: added
# frozen_string_literal: true
module SystemCheck
module App
class CiJwtSigningKeyCheck < SystemCheck::BaseCheck
set_name 'Valid CI JWT signing key?'
def check?
key_data = Rails.application.secrets.ci_jwt_signing_key
return false unless key_data.present?
OpenSSL::PKey::RSA.new(key_data)
true
rescue OpenSSL::PKey::RSAError
false
end
def show_error
$stdout.puts ' Rails.application.secrets.ci_jwt_signing_key is missing or not a valid RSA key.'.color(:red)
$stdout.puts ' CI_JOB_JWT will not be generated for CI jobs.'.color(:red)
for_more_information(
'doc/ci/variables/predefined_variables.md',
'doc/ci/examples/authenticating-with-hashicorp-vault/index.md'
)
end
end
end
end
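Review bot: `OpenSSL::PKey::RSA.new(key_data)` in `check?` also parses a PEM that contains only an RSA public key, so a secret holding the wrong half of the key pair passes this check even though it cannot sign a JWT. Replacing the bare `true` after the parse with `OpenSSL::PKey::RSA.new(key_data).private?` would make the result reflect a key that can actually sign. The existing `rescue OpenSSL::PKey::RSAError` and the wording in `show_error` ("missing or not a valid RSA key") still fit that change.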
...@@ -33,7 +33,8 @@ module SystemCheck ...@@ -33,7 +33,8 @@ module SystemCheck
SystemCheck::App::ActiveUsersCheck, SystemCheck::App::ActiveUsersCheck,
SystemCheck::App::AuthorizedKeysPermissionCheck, SystemCheck::App::AuthorizedKeysPermissionCheck,
SystemCheck::App::HashedStorageEnabledCheck, SystemCheck::App::HashedStorageEnabledCheck,
SystemCheck::App::HashedStorageAllProjectsCheck SystemCheck::App::HashedStorageAllProjectsCheck,
SystemCheck::App::CiJwtSigningKeyCheck
] ]
end end
end end
......
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe SystemCheck::App::CiJwtSigningKeyCheck do
subject(:system_check) { described_class.new }
describe '#check?' do
it 'returns false when key is not present' do
expect(Rails.application.secrets).to receive(:ci_jwt_signing_key).and_return(nil)
expect(system_check.check?).to eq(false)
end
it 'returns false when key is not valid RSA key' do
invalid_key = OpenSSL::PKey::RSA.new(1024).to_s.delete("\n")
expect(Rails.application.secrets).to receive(:ci_jwt_signing_key).and_return(invalid_key)
expect(system_check.check?).to eq(false)
end
it 'returns true when key is valid RSA key' do
valid_key = OpenSSL::PKey::RSA.new(1024).to_s
expect(Rails.application.secrets).to receive(:ci_jwt_signing_key).and_return(valid_key)
expect(system_check.check?).to eq(true)
end
end
end
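Review bot: The `valid_key` fixture in 'returns true when key is valid RSA key' is a 1024-bit key, so the spec pins acceptance of a key size below the 2048-bit minimum commonly recommended for RSA signing. Generating it with `OpenSSL::PKey::RSA.new(2048).to_s` keeps the example representative, and it would keep passing if a minimum size were later added to `check?`. The three examples also stub the secret with `expect(...).to receive`; `allow(Rails.application.secrets).to receive(:ci_jwt_signing_key)` would express a stub rather than a second expectation in each example.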