gitlab.com/gitlab-org/gitlab-foss.git
author Jacob Vosmaer (GitLab) <jacob@gitlab.com> 2016-09-09 14:33:08 +0300
committer Jacob Vosmaer (GitLab) <jacob@gitlab.com> 2016-09-09 14:33:08 +0300
commit b7e6da5a4baf1e6ac0e6d62ef6ff5a09de44d6f1
tree e99ed8e70ababbeaacf301345e8d356ff73c0409 /spec/support
parent 483a28a46bc3ad060749e36585912033440ae8c3
parent 7ad0bfac2301e6d5be9d0621edcf695ce9f9c01a

Merge branch 'gitlab-workhorse-safeties' into 'master'

Security and safety improvements for gitlab-workhorse integration

Companion to https://gitlab.com/gitlab-org/gitlab-workhorse/merge_requests/60

- Use a custom content type when sending data to gitlab-workhorse
- Verify (using JWT and a shared secret on disk) that internal API requests came from gitlab-workhorse

This will allow us to build features in gitlab-workhorse that require more trust, and protect us against programming mistakes in the future.

This is designed so that no action is required for installations from source. For omnibus-gitlab we need to add code that manages the shared secret.

See merge request !5907

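The check the commit message describes (an HS256 JWT signed with a shared secret and issued by gitlab-workhorse), sketched as an added example; it is not part of this commit or of GitLab's code, and it uses only the Ruby standard library rather than the JWT gem the spec helper calls. The names `EXPECTED_ISSUER`, `b64url`, `sign_hs256`, `constant_time_equal?` and `verify_workhorse_token` are hypothetical, and the secret is a constructed sample value.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Hypothetical names for illustration; not GitLab's implementation.
EXPECTED_ISSUER = 'gitlab-workhorse' # issuer value used in the spec helper

def b64url(data)
  Base64.urlsafe_encode64(data, padding: false)
end

# Sender side: build a compact HS256 token (the header is overridable for tests).
def sign_hs256(payload, secret, header = { 'alg' => 'HS256', 'typ' => 'JWT' })
  input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  "#{input}.#{b64url(OpenSSL::HMAC.digest('SHA256', secret, input))}"
end

# Compare two MACs without an early exit on the first differing byte.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Receiver side: true only for a well-formed, correctly signed token
# whose issuer is gitlab-workhorse.
def verify_workhorse_token(token, secret)
  parts = token.to_s.split('.', -1)
  return false unless parts.length == 3
  header_b64, payload_b64, sig_b64 = parts
  header = JSON.parse(Base64.urlsafe_decode64(header_b64))
  # Pin the algorithm; the token must not choose it ("none", RS256, ...).
  return false unless header.is_a?(Hash) && header['alg'] == 'HS256'
  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header_b64}.#{payload_b64}")
  return false unless constant_time_equal?(Base64.urlsafe_decode64(sig_b64), expected)
  payload = JSON.parse(Base64.urlsafe_decode64(payload_b64))
  payload.is_a?(Hash) && payload['iss'] == EXPECTED_ISSUER
rescue ArgumentError, JSON::ParserError
  false
end

if __FILE__ == $PROGRAM_NAME
  secret = 'constructed-shared-secret' # constructed sample value
  token = sign_hs256({ 'iss' => EXPECTED_ISSUER }, secret)
  puts verify_workhorse_token(token, secret)
  puts verify_workhorse_token(token, 'wrong-secret')
end
```
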
Diffstat (limited to 'spec/support')
-rw-r--r-- spec/support/workhorse_helpers.rb | 5
1 files changed, 5 insertions, 0 deletions
diff --git a/spec/support/workhorse_helpers.rb b/spec/support/workhorse_helpers.rb
index 107b6e30924..47673cd4c3a 100644
--- a/spec/support/workhorse_helpers.rb
+++ b/spec/support/workhorse_helpers.rb
@@ -13,4 +13,9 @@ module WorkhorseHelpers
]
end
end
+
+ def workhorse_internal_api_request_header
+ jwt_token = JWT.encode({ 'iss' => 'gitlab-workhorse' }, Gitlab::Workhorse.secret, 'HS256')
+ { 'HTTP_' + Gitlab::Workhorse::INTERNAL_API_REQUEST_HEADER.upcase.tr('-', '_') => jwt_token }
+ end
end
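Review bot: the token built in `workhorse_internal_api_request_header` carries only an `iss` claim, with no `exp` or `iat`, so any spec that uses this helper sends a token that never goes stale and cannot exercise time-bound validation. If the internal API is meant to reject old tokens, add a short expiry to the payload here, and add a spec that sends a token signed with a different secret so the rejection path is covered too. A one-line comment on the method noting that the `'HTTP_'` prefix with `upcase.tr('-', '_')` mirrors how Rack exposes request headers in the env would also save the next reader from working that out.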