
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2022-01-06 09:10:35 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-01-06 09:10:35 +0300
commit25ceb3dc1c387950d777b71aabde00849d4c7bf9 (patch)
tree755188dc8d772ad10fb52f6eaa75a499ee15325a /lib/gitlab/mail_room
parent0fbe2f816ecef98003377154b479d350f13597d7 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'lib/gitlab/mail_room')
-rw-r--r--lib/gitlab/mail_room/authenticator.rb50
1 files changed, 50 insertions, 0 deletions
diff --git a/lib/gitlab/mail_room/authenticator.rb b/lib/gitlab/mail_room/authenticator.rb
new file mode 100644
index 00000000000..26ebdca8beb
--- /dev/null
+++ b/lib/gitlab/mail_room/authenticator.rb
@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Gitlab
+ module MailRoom
+ class Authenticator
+ include JwtAuthenticatable
+
+ SecretConfigurationError = Class.new(StandardError)
+ INTERNAL_API_REQUEST_HEADER = 'Gitlab-Mailroom-Api-Request'
+ INTERNAL_API_REQUEST_JWT_ISSUER = 'gitlab-mailroom'
+
+ # Only allow token generated within the last 5 minutes
+ EXPIRATION = 5.minutes
+
+ class << self
+ def verify_api_request(request_headers, mailbox_type)
+ mailbox_type = mailbox_type.to_sym
+ return false if enabled_configs[mailbox_type].blank?
+
+ decode_jwt(
+ request_headers[INTERNAL_API_REQUEST_HEADER],
+ secret(mailbox_type),
+ issuer: INTERNAL_API_REQUEST_JWT_ISSUER, iat_after: Time.current - EXPIRATION
+ )
+ rescue JWT::DecodeError => e
+ ::Gitlab::AppLogger.warn("Fail to decode MailRoom JWT token: #{e.message}") if Rails.env.development?
+
+ false
+ end
+
+ def secret(mailbox_type)
+ strong_memoize("jwt_secret_#{mailbox_type}".to_sym) do
+ secret_path = enabled_configs[mailbox_type][:secret_file]
+ raise SecretConfigurationError, "#{mailbox_type}'s secret_file configuration is missing" if secret_path.blank?
+
+ begin
+ read_secret(secret_path)
+ rescue StandardError => e
+ raise SecretConfigurationError, "Fail to read #{mailbox_type}'s secret: #{e.message}"
+ end
+ end
+ end
+
+ def enabled_configs
+ Gitlab::MailRoom.enabled_configs
+ end
+ end
+ end
+ end
+end
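Review bot: In `verify_api_request`, a rejected token is logged only when `Rails.env.development?`, so in production repeated authentication failures against this internal endpoint leave no trace from this method. The rescue could log unconditionally with the exception class and the already-validated mailbox type, never the token itself, e.g. `::Gitlab::AppLogger.warn("MailRoom JWT rejected for #{mailbox_type}: #{e.class}")`. Separately, `secret` caches the file contents at class level through `strong_memoize`, so a rotated `secret_file` is presumably not picked up until the process restarts; a comment on `secret` saying so would help operators. The freshness check passes only a lower bound (`iat_after: Time.current - EXPIRATION`); whether a future-dated `iat` is rejected depends on `decode_jwt` in `JwtAuthenticatable`, which is outside this hunk.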