Automatic merge of gitlab-org/gitlab-ce master

4da44a5d · GitLab Bot · cd03aebe · cbb35ea8 · 4da44a5d · 4da44a5d
Commit 4da44a5d authored Sep 09, 2019 by GitLab Bot
8 changed files
--- a/.gitignore
+++ b/.gitignore
@@ -65,6 +65,7 @@ eslint-report.html
 /vendor/gitaly-ruby
 /builds*
 /.gitlab_workhorse_secret
+/.gitlab_pages_shared_secret
 /webpack-report/
 /knapsack/
 /rspec_flaky/

--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -321,6 +321,9 @@ production: &base
    # external_https: ["1.1.1.1:443", "[2001::1]:443"] # If defined, enables custom domain and certificate support in GitLab Pages
    admin:
      address: unix:/home/git/gitlab/tmp/sockets/private/pages-admin.socket # TCP connections are supported too (e.g. tcp://host:port)
+    # File that contains the shared secret key for verifying access for gitlab-pages.
+    # Default is '.gitlab_pages_shared_secret' relative to Rails.root (i.e. root of the GitLab app).
+    # secret_file: /home/git/gitlab/.gitlab_pages_shared_secret

  ## Mattermost
  ## For enabling Add to Mattermost button

--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -292,6 +292,7 @@ Settings.pages['artifacts_server']  ||= Settings.pages['enabled'] if Settings.pa

 Settings.pages['admin'] ||= Settingslogic.new({})
 Settings.pages.admin['certificate'] ||= ''
+Settings.pages['secret_file'] ||= Rails.root.join('.gitlab_pages_shared_secret')

 #
 # Geo

--- a/lib/api/api.rb
+++ b/lib/api/api.rb
@@ -119,6 +119,7 @@ module API
    mount ::API::GroupVariables
    mount ::API::ImportGithub
    mount ::API::Internal::Base
+    mount ::API::Internal::Pages
    mount ::API::Issues
    mount ::API::JobArtifacts
    mount ::API::Jobs

--- a/lib/api/internal/pages.rb
+++ b/lib/api/internal/pages.rb
+# frozen_string_literal: true
+
+module API
+  # Pages Internal API
+  module Internal
+    class Pages < Grape::API
+      before do
+        not_found! unless Feature.enabled?(:pages_internal_api)
+        authenticate_gitlab_pages_request!
+      end
+
+      helpers do
+        def authenticate_gitlab_pages_request!
+          unauthorized! unless Gitlab::Pages.verify_api_request(headers)
+        end
+      end
+
+      namespace 'internal' do
+        namespace 'pages' do
+          get "/" do
+            status :ok
+          end
+        end
+      end
+    end
+  end
+end
--- a/lib/gitlab/pages.rb
+++ b/lib/gitlab/pages.rb
 # frozen_string_literal: true

 module Gitlab
-  module Pages
+  class Pages
    VERSION = File.read(Rails.root.join("GITLAB_PAGES_VERSION")).strip.freeze
+    INTERNAL_API_REQUEST_HEADER = 'Gitlab-Pages-Api-Request'.freeze
+
+    include JwtAuthenticatable
+
+    class << self
+      def verify_api_request(request_headers)
+        decode_jwt_for_issuer('gitlab-pages', request_headers[INTERNAL_API_REQUEST_HEADER])
+      rescue JWT::DecodeError
+        false
+      end
+
+      def secret_path
+        Gitlab.config.pages.secret_file
+      end
+    end
  end
 end
--- a/spec/lib/gitlab/pages_spec.rb
+++ b/spec/lib/gitlab/pages_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Gitlab::Pages do
+  let(:pages_shared_secret) { SecureRandom.random_bytes(Gitlab::Pages::SECRET_LENGTH) }
+
+  before do
+    allow(described_class).to receive(:secret).and_return(pages_shared_secret)
+  end
+
+  describe '.verify_api_request' do
+    let(:payload) { { 'iss' => 'gitlab-pages' } }
+
+    it 'returns false if fails to validate the JWT' do
+      encoded_token = JWT.encode(payload, 'wrongsecret', 'HS256')
+      headers = { described_class::INTERNAL_API_REQUEST_HEADER => encoded_token }
+
+      expect(described_class.verify_api_request(headers)).to eq(false)
+    end
+
+    it 'returns the decoded JWT' do
+      encoded_token = JWT.encode(payload, described_class.secret, 'HS256')
+      headers = { described_class::INTERNAL_API_REQUEST_HEADER => encoded_token }
+
+      expect(described_class.verify_api_request(headers)).to eq([{ "iss" => "gitlab-pages" }, { "alg" => "HS256" }])
+    end
+  end
+end
--- a/spec/requests/api/internal/pages_spec.rb
+++ b/spec/requests/api/internal/pages_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe API::Internal::Pages do
+  describe "GET /internal/pages" do
+    let(:pages_shared_secret) { SecureRandom.random_bytes(Gitlab::Pages::SECRET_LENGTH) }
+
+    before do
+      allow(Gitlab::Pages).to receive(:secret).and_return(pages_shared_secret)
+    end
+
+    def query_host(host, headers = {})
+      get api("/internal/pages"), headers: headers, params: { host: host }
+    end
+
+    context 'feature flag disabled' do
+      before do
+        stub_feature_flags(pages_internal_api: false)
+      end
+
+      it 'responds with 404 Not Found' do
+        query_host('pages.gitlab.io')
+
+        expect(response).to have_gitlab_http_status(404)
+      end
+    end
+
+    context 'feature flag enabled' do
+      context 'not authenticated' do
+        it 'responds with 401 Unauthorized' do
+          query_host('pages.gitlab.io')
+
+          expect(response).to have_gitlab_http_status(401)
+        end
+      end
+
+      context 'authenticated' do
+        def query_host(host)
+          jwt_token = JWT.encode({ 'iss' => 'gitlab-pages' }, Gitlab::Pages.secret, 'HS256')
+          headers = { Gitlab::Pages::INTERNAL_API_REQUEST_HEADER => jwt_token }
+
+          super(host, headers)
+        end
+
+        it 'responds with 200 OK' do
+          query_host('pages.gitlab.io')
+
+          expect(response).to have_gitlab_http_status(200)
+        end
+      end
+    end
+  end
+end