Enable serving static objects from an external storagestatic-objects-external-storage

It consists of two parts:

1. Redirecting users to the configured external storage
1. Allowing the external storage to request the static object(s)
   on behalf of the user by means of specific tokens

Part of https://gitlab.com/gitlab-com/gl-infra/infrastructure/issues/6829

3 files changed, 20 insertions, 0 deletions

diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb
index e39d655325f..3409411c3b1 100644
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -8,6 +8,7 @@ class ApplicationSetting < ApplicationRecord
 
   add_authentication_token_field :runners_registration_token, encrypted: -> { Feature.enabled?(:application_settings_tokens_optional_encryption, default_enabled: true) ? :optional : :required }
   add_authentication_token_field :health_check_access_token
+  add_authentication_token_field :static_objects_external_storage_auth_token
 
   belongs_to :instance_administration_project, class_name: "Project"
 
@@ -211,6 +212,13 @@ class ApplicationSetting < ApplicationRecord
             allow_blank: false,
             if: :asset_proxy_enabled?
 
+  validates :static_objects_external_storage_url,
+            addressable_url: true, allow_blank: true
+
+  validates :static_objects_external_storage_auth_token,
+            presence: true,
+            if: :static_objects_external_storage_url?
+
   SUPPORTED_KEY_TYPES.each do |type|
     validates :"#{type}_key_restriction", presence: true, key_restriction: { type: type }
   end
diff --git a/app/models/application_setting_implementation.rb b/app/models/application_setting_implementation.rb
index f402c0e2775..8d9597aa5a4 100644
--- a/app/models/application_setting_implementation.rb
+++ b/app/models/application_setting_implementation.rb
@@ -306,6 +306,10 @@ module ApplicationSettingImplementation
     archive_builds_in_seconds.seconds.ago if archive_builds_in_seconds
   end
 
+  def static_objects_external_storage_enabled?
+    static_objects_external_storage_url.present?
+  end
+
   private
 
   def array_to_string(arr)
diff --git a/app/models/user.rb b/app/models/user.rb
index 67d730e2fa3..75532aeebb3 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -31,6 +31,7 @@ class User < ApplicationRecord
 
   add_authentication_token_field :incoming_email_token, token_generator: -> { SecureRandom.hex.to_i(16).to_s(36) }
   add_authentication_token_field :feed_token
+  add_authentication_token_field :static_object_token
 
   default_value_for :admin, false
   default_value_for(:external) { Gitlab::CurrentSettings.user_default_external }
@@ -1437,6 +1438,13 @@ class User < ApplicationRecord
     ensure_feed_token!
   end
 
+  # Each existing user needs to have a `static_object_token`.
+  # We do this on read since migrating all existing users is not a feasible
+  # solution.
+  def static_object_token
+    ensure_static_object_token!
+  end
+
   def sync_attribute?(attribute)
     return true if ldap_user? && attribute == :email