Merge branch '214607-ci-jwt-signing-key/check' into 'master'

Add system check for CI JWT signing key See merge request gitlab-org/gitlab!33920

Merge branch '214607-ci-jwt-signing-key/check' into 'master'
Add system check for CI JWT signing key See merge request gitlab-org/gitlab!33920
d7ba793d · Shinya Maeda · 434470b5 · ab8a0dd5 · d7ba793d · d7ba793d
Commit d7ba793d authored Jun 16, 2020 by Shinya Maeda
4 changed files
--- a/changelogs/unreleased/214607-ci-jwt-signing-key-check.yml
+++ b/changelogs/unreleased/214607-ci-jwt-signing-key-check.yml
+---
+title: Add system check for CI JWT signing key
+merge_request: 33920
+author:
+type: added
--- a/lib/system_check/app/ci_jwt_signing_key_check.rb
+++ b/lib/system_check/app/ci_jwt_signing_key_check.rb
+# frozen_string_literal: true
+
+module SystemCheck
+  module App
+    class CiJwtSigningKeyCheck < SystemCheck::BaseCheck
+      set_name 'Valid CI JWT signing key?'
+
+      def check?
+        key_data = Rails.application.secrets.ci_jwt_signing_key
+        return false unless key_data.present?
+
+        OpenSSL::PKey::RSA.new(key_data)
+
+        true
+      rescue OpenSSL::PKey::RSAError
+        false
+      end
+
+      def show_error
+        $stdout.puts '  Rails.application.secrets.ci_jwt_signing_key is missing or not a valid RSA key.'.color(:red)
+        $stdout.puts '  CI_JOB_JWT will not be generated for CI jobs.'.color(:red)
+
+        for_more_information(
+          'doc/ci/variables/predefined_variables.md',
+          'doc/ci/examples/authenticating-with-hashicorp-vault/index.md'
+        )
+      end
+    end
+  end
+end
--- a/lib/system_check/rake_task/app_task.rb
+++ b/lib/system_check/rake_task/app_task.rb
@@ -33,7 +33,8 @@ module SystemCheck
          SystemCheck::App::ActiveUsersCheck,
          SystemCheck::App::AuthorizedKeysPermissionCheck,
          SystemCheck::App::HashedStorageEnabledCheck,
-          SystemCheck::App::HashedStorageAllProjectsCheck
+          SystemCheck::App::HashedStorageAllProjectsCheck,
+          SystemCheck::App::CiJwtSigningKeyCheck
        ]
      end
    end

--- a/spec/lib/system_check/app/ci_jwt_signing_key_check_spec.rb
+++ b/spec/lib/system_check/app/ci_jwt_signing_key_check_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe SystemCheck::App::CiJwtSigningKeyCheck do
+  subject(:system_check) { described_class.new }
+
+  describe '#check?' do
+    it 'returns false when key is not present' do
+      expect(Rails.application.secrets).to receive(:ci_jwt_signing_key).and_return(nil)
+
+      expect(system_check.check?).to eq(false)
+    end
+
+    it 'returns false when key is not valid RSA key' do
+      invalid_key = OpenSSL::PKey::RSA.new(1024).to_s.delete("\n")
+      expect(Rails.application.secrets).to receive(:ci_jwt_signing_key).and_return(invalid_key)
+
+      expect(system_check.check?).to eq(false)
+    end
+
+    it 'returns true when key is valid RSA key' do
+      valid_key = OpenSSL::PKey::RSA.new(1024).to_s
+      expect(Rails.application.secrets).to receive(:ci_jwt_signing_key).and_return(valid_key)
+
+      expect(system_check.check?).to eq(true)
+    end
+  end
+end