Introduce a FF cache_control_headers_for_openid_jwks

Changelog: changed

Introduce a FF cache_control_headers_for_openid_jwks
e70b3a0a · Dmytro Biryukov · Smriti Garg · 34b751fd · e70b3a0a · e70b3a0a
--- a/app/controllers/jwks_controller.rb
+++ b/app/controllers/jwks_controller.rb
@@ -2,6 +2,10 @@

 class JwksController < Doorkeeper::OpenidConnect::DiscoveryController
  def index
+    if ::Feature.enabled?(:cache_control_headers_for_openid_jwks)
+      expires_in 24.hours, public: true, must_revalidate: true, 'no-transform': true
+    end
+
    render json: { keys: payload }
  end


--- a/config/feature_flags/development/cache_control_headers_for_openid_jwks.yml
+++ b/config/feature_flags/development/cache_control_headers_for_openid_jwks.yml
+---
+name: cache_control_headers_for_openid_jwks
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/138405
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/433360
+milestone: '16.7'
+type: development
+group: group::pipeline security
+default_enabled: false
\ No newline at end of file
--- a/spec/requests/jwks_controller_spec.rb
+++ b/spec/requests/jwks_controller_spec.rb
@@ -55,5 +55,26 @@
        end
      end
    end
+
+    it 'has cache control header' do
+      get jwks_url
+
+      expect(response).to have_gitlab_http_status(:ok)
+      expect(response.headers['Cache-Control']).to include('max-age=86400', 'public', 'must-revalidate', 'no-transform')
+    end
+
+    context 'when cache_control_headers_for_openid_jwks feature flag is disabled' do
+      before do
+        stub_feature_flags(cache_control_headers_for_openid_jwks: false)
+      end
+
+      it 'does not have cache control header' do
+        get jwks_url
+
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(response.headers['Cache-Control']).not_to include('max-age=86400', 'public',
+          'no-transform')
+      end
+    end
  end
 end