Merge branch 'dbiryukov_add_response_headers_to_jwks_mr-374001' into 'master'

Add cache headers to JWKS

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/138405



Merged-by: Smriti Garg <sgarg@gitlab.com>
Approved-by: Aboobacker MK <akarakath@gitlab.com>
Approved-by: Smriti Garg <sgarg@gitlab.com>
Co-authored-by: Dmytro Biryukov <dbiryukov@gitlab.com>

app/controllers/jwks_controller.rb

@@ -2,6 +2,10 @@
 
 class JwksController < Doorkeeper::OpenidConnect::DiscoveryController
   def index
+    if ::Feature.enabled?(:cache_control_headers_for_openid_jwks)
+      expires_in 24.hours, public: true, must_revalidate: true, 'no-transform': true
+    end
+
     render json: { keys: payload }
   end
 

config/feature_flags/development/cache_control_headers_for_openid_jwks.yml

+---
+name: cache_control_headers_for_openid_jwks
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/138405
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/433360
+milestone: '16.7'
+type: development
+group: group::pipeline security
+default_enabled: false
\ No newline at end of file

spec/requests/jwks_controller_spec.rb

@@ -55,5 +55,26 @@
         end
       end
     end
+
+    it 'has cache control header' do
+      get jwks_url
+
+      expect(response).to have_gitlab_http_status(:ok)
+      expect(response.headers['Cache-Control']).to include('max-age=86400', 'public', 'must-revalidate', 'no-transform')
+    end
+
+    context 'when cache_control_headers_for_openid_jwks feature flag is disabled' do
+      before do
+        stub_feature_flags(cache_control_headers_for_openid_jwks: false)
+      end
+
+      it 'does not have cache control header' do
+        get jwks_url
+
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(response.headers['Cache-Control']).not_to include('max-age=86400', 'public',
+          'no-transform')
+      end
+    end
   end
 end