Commit 81978178 authored by Jacob Vosmaer (GitLab), committed by Ruben Davila

Merge branch 'gitlab-workhorse-safeties' into 'master'

Security and safety improvements for gitlab-workhorse integration

Companion to https://gitlab.com/gitlab-org/gitlab-workhorse/merge_requests/60

- Use a custom content type when sending data to gitlab-workhorse
- Verify (using JWT and a shared secret on disk) that internal API requests came from gitlab-workhorse

This will allow us to build features in gitlab-workhorse that require
more trust, and protect us against programming mistakes in the future.

This is designed so that no action is required for installations from
source. For omnibus-gitlab we need to add code that manages the shared
secret.

See merge request !5907
Conflicts:
	GITLAB_WORKHORSE_VERSION
	doc/install/installation.md
	doc/update/8.11-to-8.12.md
	lib/gitlab/workhorse.rb
	spec/lib/gitlab/workhorse_spec.rb
	spec/requests/ci/api/builds_spec.rb
	spec/requests/git_http_spec.rb
parent bec0c455
...@@ -153,4 +153,8 @@ class Projects::GitHttpClientController < Projects::ApplicationController ...@@ -153,4 +153,8 @@ class Projects::GitHttpClientController < Projects::ApplicationController
def verify_workhorse_api! def verify_workhorse_api!
Gitlab::Workhorse.verify_api_request!(request.headers) Gitlab::Workhorse.verify_api_request!(request.headers)
end end
def verify_workhorse_api!
Gitlab::Workhorse.verify_api_request!(request.headers)
end
end end
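Review bot: The three added lines define `verify_workhorse_api!` a second time, directly below the identical definition that already appears as unchanged context at the top of this hunk. Ruby accepts the redefinition silently and the later copy wins, so behaviour is unchanged today, but the controller now has two copies of a security check that can drift apart if only one is edited later. Suggest dropping the added `def verify_workhorse_api!` ... `end` block and keeping the single existing definition that calls `Gitlab::Workhorse.verify_api_request!(request.headers)`.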