Merge branch '512451-cc-keys-rake-task' into 'master'

Cloud Connector: add key rotation rake tasks See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/182711 Merged-by: Aleksei Lipniagov <alipniagov@gitlab.com> Approved-by: Surabhi Suman <ssuman@gitlab.com> Approved-by: Aleksei Lipniagov <alipniagov@gitlab.com> Reviewed-by: Aleksei Lipniagov <alipniagov@gitlab.com> Reviewed-by: Surabhi Suman <ssuman@gitlab.com> Co-authored-by: Matthias Kaeppler <mkaeppler@gitlab.com>

Merge branch '512451-cc-keys-rake-task' into 'master'
caee5532 · Aleksei Lipniagov · GitLab · 487f4a87 · 54a43ece · caee5532
--- a/ee/app/models/cloud_connector/keys.rb
+++ b/ee/app/models/cloud_connector/keys.rb
@@ -8,21 +8,59 @@ class Keys < ApplicationRecord
    validates :secret_key, rsa_key: true, allow_nil: true
    scope :valid, -> { where.not(secret_key: nil) }
+    scope :ordered_by_date, -> { valid.order(created_at: :asc) }
    class << self
      def current
-        valid.order(created_at: :asc).first
+        ordered_by_date.first
      end
      def current_as_jwk
-        current&.secret_key&.then do |key_data|
+        current&.secret_key&.then { |keydata| pem_to_jwk(keydata) }
-          ::JWT::JWK.new(OpenSSL::PKey::RSA.new(key_data), kid_generator: ::JWT::JWK::Thumbprint)
-        end
      end
      def all_as_pem
        valid.map(&:secret_key)
      end
+      def create_new_key!
+        create!(secret_key: new_private_key.to_pem)
+      end
+      def rotate!
+        keys = ordered_by_date
+        key_count = keys.count
+        raise "Key rotation requires exactly 2 keys, found #{key_count}" if key_count != 2
+        current_key, next_key = *keys
+        transaction do
+          current_key_data = current_key.secret_key
+          current_key.update!(secret_key: next_key.secret_key)
+          next_key.update!(secret_key: current_key_data)
+        end
+      end
+      def trim!
+        raise 'Refusing to remove single key, as it is in use' if valid.count == 1
+        ordered_by_date.last&.destroy
+      end
+      private
+      def new_private_key
+        OpenSSL::PKey::RSA.new(2048)
+      end
+      def pem_to_jwk(key_data)
+        ::JWT::JWK.new(OpenSSL::PKey::RSA.new(key_data), kid_generator: ::JWT::JWK::Thumbprint)
+      end
+    end
+    def truncated_pem
+      secret_key&.truncate(90)
    end
  end
 end
--- a/ee/lib/tasks/cloud_connector/keys.rake
+++ b/ee/lib/tasks/cloud_connector/keys.rake
+# frozen_string_literal: true
+namespace :cloud_connector do
+  namespace :keys do
+    desc 'GitLab | Cloud Connector | List private keys in PEM format'
+    task :list, [:truncate] => :environment do |_, args|
+      truncate_keys = Gitlab::Utils.to_boolean(args[:truncate], default: true)
+      keys = truncate_keys ? CloudConnector::Keys.valid.map(&:truncated_pem) : CloudConnector::Keys.all_as_pem
+      puts <<~TXT.strip
+      ================================================================================
+      #{keys.any? ? keys.join("\n") : 'No keys found.'}
+      ================================================================================
+      TXT
+    rescue StandardError => e
+      exit_with_message(e.message)
+    end
+    desc 'GitLab | Cloud Connector | Create and store a new private key'
+    task create: :environment do
+      key = CloudConnector::Keys.create_new_key!
+      puts <<~TXT.strip
+      ================================================================================
+      Key created: #{key.truncated_pem}
+      This key will now be published via /oauth/discovery/keys.
+      If an older key existed prior to creation, run
+      `bundle exec rake cloud_connector:keys:rotate` to use it for signing tokens.
+      ================================================================================
+      TXT
+    rescue StandardError => e
+      exit_with_message(e.message)
+    end
+    desc 'GitLab | Cloud Connector | Performs key rotation by swapping two keys'
+    task rotate: :environment do
+      CloudConnector::Keys.rotate!
+      puts <<~TXT.strip
+      ================================================================================
+      Keys swapped successfully.
+      Run this task again to revert to using the previous key.
+      If the key that is now used to sign tokens should remain in use, run
+      `bundle exec rake cloud_connector:keys:trim` to remove the old key.
+      ================================================================================
+      TXT
+    rescue StandardError => e
+      exit_with_message(e.message)
+    end
+    desc 'GitLab | Cloud Connector | Removes the newest key'
+    task trim: :environment do
+      key = CloudConnector::Keys.trim!
+      puts <<~TXT.strip
+      ================================================================================
+      Key removed: #{key.truncated_pem}
+      ================================================================================
+      TXT
+    rescue StandardError => e
+      exit_with_message(e.message)
+    end
+    private
+    def exit_with_message(message)
+      puts <<~TXT.strip
+      ================================================================================
+      ERROR: #{message}
+      ================================================================================
+      TXT
+      exit(1)
+    end
+  end
+end
--- a/ee/spec/models/cloud_connector/keys_spec.rb
+++ b/ee/spec/models/cloud_connector/keys_spec.rb
@@ -44,13 +44,22 @@
  end
  describe '.valid' do
-    subject(:jwks) { described_class.valid }
+    subject(:keys) { described_class.valid }
    include_examples 'serving valid keys'
  end
+  describe '.ordered_by_date' do
+    subject(:keys) { described_class.ordered_by_date }
+    let_it_be(:first_key) { create(:cloud_connector_keys, created_at: Time.current - 1.minute) }
+    let_it_be(:second_key) { create(:cloud_connector_keys) }
+    it { is_expected.to eq([first_key, second_key]) }
+  end
  describe '.all_as_pem' do
-    subject(:jwks) { described_class.all_as_pem }
+    subject(:keys) { described_class.all_as_pem }
    include_examples 'serving valid keys'
@@ -132,4 +141,70 @@
      end
    end
  end
+  describe '.create_new_key!' do
+    it 'creates a new valid key' do
+      expect { described_class.create_new_key! }.to change { described_class.valid.count }.from(0).to(1)
+    end
+  end
+  describe '.rotate!' do
+    subject(:rotate) { described_class.rotate! }
+    let_it_be(:first_key) { create(:cloud_connector_keys, created_at: Time.current - 1.minute) }
+    context 'when fewer than 2 keys exist' do
+      it { expect { rotate }.to raise_error(StandardError, 'Key rotation requires exactly 2 keys, found 1') }
+    end
+    context 'when more than 2 keys exist' do
+      before do
+        create_list(:cloud_connector_keys, 2)
+      end
+      it { expect { rotate }.to raise_error(StandardError, 'Key rotation requires exactly 2 keys, found 3') }
+    end
+    context 'when exactly 2 keys exist' do
+      let_it_be(:second_key) { create(:cloud_connector_keys) }
+      it 'swaps the keys' do
+        expect { rotate }.to change { described_class.valid.pluck(:secret_key) }
+          .from([first_key.secret_key, second_key.secret_key])
+          .to([second_key.secret_key, first_key.secret_key])
+      end
+    end
+  end
+  describe '.trim!' do
+    subject(:trimmed_key) { described_class.trim! }
+    context 'with no keys' do
+      it { is_expected.to be_nil }
+    end
+    context 'with a single key' do
+      let_it_be(:key) { create(:cloud_connector_keys) }
+      it { expect { trimmed_key }.to raise_error(StandardError, 'Refusing to remove single key, as it is in use') }
+    end
+    context 'with more than 1 key' do
+      let_it_be(:first_key) { create(:cloud_connector_keys, created_at: Time.current - 1.minute) }
+      let_it_be(:second_key) { create(:cloud_connector_keys) }
+      it 'removes the newest key' do
+        expect(trimmed_key).to eq(second_key)
+        expect(described_class.all).to contain_exactly(first_key)
+      end
+    end
+  end
+  describe '#truncated_pem' do
+    subject(:short_pem) { create(:cloud_connector_keys).truncated_pem }
+    it 'truncates the PEM string to 90 characters' do
+      expect(short_pem.length).to eq(90)
+    end
+  end
 end
--- a/ee/spec/tasks/cloud_connector/keys_rake_spec.rb
+++ b/ee/spec/tasks/cloud_connector/keys_rake_spec.rb
+# frozen_string_literal: true
+require 'spec_helper'
+RSpec.describe 'cloud_connector:keys', :silence_stdout, feature_category: :cloud_connector do
+  include RakeHelpers
+  let(:key) { build(:cloud_connector_keys) }
+  before do
+    Rake.application.rake_require('ee/lib/tasks/cloud_connector/keys', [Rails.root.to_s])
+  end
+  shared_examples 'handles errors' do
+    it { expect { task }.to raise_error(SystemExit) }
+  end
+  describe 'list' do
+    subject(:task) { run_rake_task('cloud_connector:keys:list', args) }
+    let(:args) { [] }
+    before do
+      allow(CloudConnector::Keys).to receive(:valid).and_return([key])
+    end
+    context 'without arguments' do
+      it 'lists PEM private keys in truncated form' do
+        expect(key).to receive(:truncated_pem).and_return('ABC...')
+        expect { task }.to output(/ABC.../).to_stdout
+      end
+    end
+    context 'with truncate: false' do
+      let(:args) { ['false'] }
+      it 'lists full PEM private keys' do
+        expect(key).to receive(:secret_key).and_return('ABCDEF')
+        expect { task }.to output(/ABCDEF/).to_stdout
+      end
+    end
+    context 'when an error occurs' do
+      before do
+        allow(CloudConnector::Keys).to receive(:valid).and_raise(StandardError)
+      end
+      include_examples 'handles errors'
+    end
+  end
+  describe 'create' do
+    subject(:task) { run_rake_task('cloud_connector:keys:create') }
+    it 'creates a new key' do
+      expect(CloudConnector::Keys).to receive(:create_new_key!).and_return(key)
+      expect(key).to receive(:truncated_pem).and_return('ABCDEF')
+      expect { task }.to output(/Key created: ABCDEF/).to_stdout
+    end
+    context 'when an error occurs' do
+      before do
+        allow(CloudConnector::Keys).to receive(:create_new_key!).and_raise(StandardError)
+      end
+      include_examples 'handles errors'
+    end
+  end
+  describe 'rotate' do
+    subject(:task) { run_rake_task('cloud_connector:keys:rotate') }
+    it 'rotates keys' do
+      expect(CloudConnector::Keys).to receive(:rotate!)
+      expect { task }.to output(/Keys swapped successfully/).to_stdout
+    end
+    context 'when an error occurs' do
+      before do
+        allow(CloudConnector::Keys).to receive(:rotate!).and_raise(StandardError)
+      end
+      include_examples 'handles errors'
+    end
+  end
+  describe 'trim' do
+    subject(:task) { run_rake_task('cloud_connector:keys:trim') }
+    it 'trims keys' do
+      expect(CloudConnector::Keys).to receive(:trim!).and_return(key)
+      expect(key).to receive(:truncated_pem).and_return('ABCDEF')
+      expect { task }.to output(/Key removed: ABCDEF/).to_stdout
+    end
+    context 'when an error occurs' do
+      before do
+        allow(CloudConnector::Keys).to receive(:trim!).and_raise(StandardError)
+      end
+      include_examples 'handles errors'
+    end
+  end
+end