Security and safety improvements for gitlab-workhorse integration (!5907) · Merge requests · GitLab.org / GitLab FOSS · GitLab

Do not update/delete: Banner broadcast message test data

Do not update/delete: Notification broadcast message test data

Jacob Vosmaer (GitLab) requested to merge jacobvosmaer-gitlab/gitlab-ce:gitlab-workhorse-safeties into master Aug 19, 2016

Companion to https://gitlab.com/gitlab-org/gitlab-workhorse/merge_requests/60

Use a custom content type when sending data to gitlab-workhorse
Verify (using JWT and a shared secret on disk) that internal API requests came from gitlab-workhorse

This will allow us to build features in gitlab-workhorse that require more trust, and protect us against programming mistakes in the future.

This is designed so that no action is required for installations from source. For omnibus-gitlab we need to add code that manages the shared secret.