From e70b3a0a8a85dd059aaa0db6b39a30daece6f63f Mon Sep 17 00:00:00 2001
From: Dmytro Biryukov <dbiryukov@gitlab.com>
Date: Thu, 7 Dec 2023 10:25:04 +0000
Subject: [PATCH] Introduce a FF cache_control_headers_for_openid_jwks

Changelog: changed
---
 app/controllers/jwks_controller.rb            |  4 ++++
 .../cache_control_headers_for_openid_jwks.yml |  8 +++++++
 spec/requests/jwks_controller_spec.rb         | 21 +++++++++++++++++++
 3 files changed, 33 insertions(+)
 create mode 100644 config/feature_flags/development/cache_control_headers_for_openid_jwks.yml

diff --git a/app/controllers/jwks_controller.rb b/app/controllers/jwks_controller.rb
index d3a8d3dafea3..2e030cf46c4d 100644
--- a/app/controllers/jwks_controller.rb
+++ b/app/controllers/jwks_controller.rb
@@ -2,6 +2,10 @@
 
 class JwksController < Doorkeeper::OpenidConnect::DiscoveryController
   def index
+    if ::Feature.enabled?(:cache_control_headers_for_openid_jwks)
+      expires_in 24.hours, public: true, must_revalidate: true, 'no-transform': true
+    end
+
     render json: { keys: payload }
   end
 
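Review bot: The new branch in `index` does not record why 24 hours was chosen or what it costs: with `public` and `max-age=86400`, shared caches and clients that honour the header may keep an old key set for up to a day after a signing key is rotated or retired, so verification of tokens signed with a new key may lag by that window (`must-revalidate` only takes effect after the max-age has elapsed). Add a comment above the condition so the TTL is reviewed together with the key-rotation policy, e.g. `# JWKS is publicly cacheable for 24h; a rotated or revoked signing key can take up to that long to reach verifiers that honour this header.` Consider also lifting the literal into a named constant such as `JWKS_CACHE_TTL = 24.hours` so the window is visible at the top of the controller rather than inside the flag check.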
diff --git a/config/feature_flags/development/cache_control_headers_for_openid_jwks.yml b/config/feature_flags/development/cache_control_headers_for_openid_jwks.yml
new file mode 100644
index 000000000000..79f7a27eeacb
--- /dev/null
+++ b/config/feature_flags/development/cache_control_headers_for_openid_jwks.yml
@@ -0,0 +1,8 @@
+---
+name: cache_control_headers_for_openid_jwks
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/138405
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/433360
+milestone: '16.7'
+type: development
+group: group::pipeline security
+default_enabled: false
\ No newline at end of file
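Review bot: The new flag definition is missing a trailing newline, as the `\ No newline at end of file` marker after `default_enabled: false` shows; the other feature-flag YAML files presumably end with one, and the missing newline produces noisy diffs on the next edit. Add a final newline after `default_enabled: false`.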
diff --git a/spec/requests/jwks_controller_spec.rb b/spec/requests/jwks_controller_spec.rb
index f756c1758e4f..3dc3ed68311e 100644
--- a/spec/requests/jwks_controller_spec.rb
+++ b/spec/requests/jwks_controller_spec.rb
@@ -55,5 +55,26 @@
         end
       end
     end
+
+    it 'has cache control header' do
+      get jwks_url
+
+      expect(response).to have_gitlab_http_status(:ok)
+      expect(response.headers['Cache-Control']).to include('max-age=86400', 'public', 'must-revalidate', 'no-transform')
+    end
+
+    context 'when cache_control_headers_for_openid_jwks feature flag is disabled' do
+      before do
+        stub_feature_flags(cache_control_headers_for_openid_jwks: false)
+      end
+
+      it 'does not have cache control header' do
+        get jwks_url
+
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(response.headers['Cache-Control']).not_to include('max-age=86400', 'public',
+          'no-transform')
+      end
+    end
   end
 end
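Review bot: The positive example `'has cache control header'` never stubs the flag, so it relies on `cache_control_headers_for_openid_jwks` being enabled by default in the test environment; that appears to be the case here, but it leaves the enabled path implicit while the disabled path is explicit. Mirror the disabled context with `context 'when cache_control_headers_for_openid_jwks feature flag is enabled'` and `before { stub_feature_flags(cache_control_headers_for_openid_jwks: true) }` around the existing expectation, so the two cases are symmetric and the test keeps passing once the flag's default changes. The enclosing `describe` block starts outside the hunk.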
-- 
GitLab