• Stan Hu's avatar
    Add basic support for GitLab Geo file transfers over HTTP · 1aff5fe4
    Stan Hu authored
    A Geo transfer request arrives with a JWT header with the right data (e.g. URL
    `/api/v4/geo/transfers/lfs/1` for LFS object ID 1, with a JWT token that
    includes the corresponding LFS OID).
    
    Workhorse proxies the request and the Rails backend verifies the validity of
    the request.  If the request is valid, the Rails backend uses X-Sendfile
    functionality in Workhorse/nginx to send data back to the client.
    
    Current Geo Nodes use the system hook token for authentication, which is not
    that secure. This implementation creates an access identifier and an secret
    access key for each GeoNode. The GeoNode uses that to create a JWT token in
    the Authorization header. The secret access key is encrypted with the
    db_key_base valid and replicated in PostgreSQL. Since `db_key_base` has to be
    correct to decode this field, we are ultimately relying on the security of
    that key.
    
    The primary GeoNode receives the Authorization header, looks up the proper
    GeoNode with the access identifier, and then validates the JWT token. We
    expect that the times of the nodes are synchronized within 1 minute to prevent
    replay attacks.
    1aff5fe4
jwt_request_decoder.rb 1.93 KB