Merge branch 'add-jwt-strategy-to-gitlab-suite' into 'master'

Ports omniauth-jwt gem onto GitLab OmniAuth Strategies suite

See merge request gitlab-org/gitlab-ce!18580

8 files changed, 158 insertions, 8 deletions

diff --git a/Gemfile b/Gemfile
index 6a6dc32b406..e61dfd8e470 100644
--- a/Gemfile
+++ b/Gemfile
@@ -51,7 +51,6 @@ gem 'omniauth-shibboleth', '~> 1.2.0'
 gem 'omniauth-twitter', '~> 1.4'
 gem 'omniauth_crowd', '~> 2.2.0'
 gem 'omniauth-authentiq', '~> 0.3.1'
-gem 'omniauth-jwt', '~> 0.0.2'
 gem 'rack-oauth2', '~> 1.2.1'
 gem 'jwt', '~> 1.5.6'
 
diff --git a/Gemfile.lock b/Gemfile.lock
index 54e3e73ecf4..31b0dc9c0e6 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -554,9 +554,6 @@ GEM
       jwt (>= 1.5)
       omniauth (>= 1.1.1)
       omniauth-oauth2 (>= 1.5)
-    omniauth-jwt (0.0.2)
-      jwt
-      omniauth (~> 1.1)
     omniauth-kerberos (0.3.0)
       omniauth-multipassword
       timfel-krb5-auth (~> 0.8)
@@ -1118,7 +1115,6 @@ DEPENDENCIES
   omniauth-github (~> 1.1.1)
   omniauth-gitlab (~> 1.0.2)
   omniauth-google-oauth2 (~> 0.5.3)
-  omniauth-jwt (~> 0.0.2)
   omniauth-kerberos (~> 0.3.0)
   omniauth-oauth2-generic (~> 0.2.2)
   omniauth-saml (~> 1.10)
diff --git a/changelogs/unreleased/add-jwt-strategy-to-gitlab-suite.yml b/changelogs/unreleased/add-jwt-strategy-to-gitlab-suite.yml
new file mode 100644
index 00000000000..22a839cef56
--- /dev/null
+++ b/changelogs/unreleased/add-jwt-strategy-to-gitlab-suite.yml
@@ -0,0 +1,5 @@
+---
+title: Ports omniauth-jwt gem onto GitLab OmniAuth Strategies suite
+merge_request: 18580
+author:
+type: fixed
diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index 8c39a1f2aa9..722ac67da0b 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -532,7 +532,7 @@ production: &base
       #             required_claims: ["name", "email"],
       #             info_map: { name: "name", email: "email" },
       #             auth_url: 'https://example.com/',
-      #             valid_within: nil,
+      #             valid_within: null,
       #           }
       #   }
       # - { name: 'saml',
@@ -823,7 +823,7 @@ test:
                   required_claims: ["name", "email"],
                   info_map: { name: "name", email: "email" },
                   auth_url: 'https://example.com/',
-                  valid_within: nil,
+                  valid_within: null,
                 }
         }
       - { name: 'auth0',
diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb
index 00baea08613..e33ebb25c4c 100644
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@@ -25,5 +25,6 @@ end
 module OmniAuth
   module Strategies
     autoload :Bitbucket, Rails.root.join('lib', 'omni_auth', 'strategies', 'bitbucket')
+    autoload :Jwt, Rails.root.join('lib', 'omni_auth', 'strategies', 'jwt')
   end
 end
diff --git a/doc/administration/auth/jwt.md b/doc/administration/auth/jwt.md
index b51e705ab52..8b00f52ffc1 100644
--- a/doc/administration/auth/jwt.md
+++ b/doc/administration/auth/jwt.md
@@ -50,7 +50,7 @@ JWT will provide you with a secret key for you to use.
                 required_claims: ["name", "email"],
                 info_map: { name: "name", email: "email" },
                 auth_url: 'https://example.com/',
-                valid_within: nil,
+                valid_within: null,
               }
       }
     ```
diff --git a/lib/omni_auth/strategies/jwt.rb b/lib/omni_auth/strategies/jwt.rb
new file mode 100644
index 00000000000..2349b2a28aa
--- /dev/null
+++ b/lib/omni_auth/strategies/jwt.rb
@@ -0,0 +1,62 @@
+require 'omniauth'
+require 'jwt'
+
+module OmniAuth
+  module Strategies
+    class JWT
+      ClaimInvalid = Class.new(StandardError)
+
+      include OmniAuth::Strategy
+
+      args [:secret]
+
+      option :secret, nil
+      option :algorithm, 'HS256'
+      option :uid_claim, 'email'
+      option :required_claims, %w(name email)
+      option :info_map, { name: "name", email: "email" }
+      option :auth_url, nil
+      option :valid_within, nil
+
+      uid { decoded[options.uid_claim] }
+
+      extra do
+        { raw_info: decoded }
+      end
+
+      info do
+        options.info_map.each_with_object({}) do |(k, v), h|
+          h[k.to_s] = decoded[v.to_s]
+        end
+      end
+
+      def request_phase
+        redirect options.auth_url
+      end
+
+      def decoded
+        @decoded ||= ::JWT.decode(request.params['jwt'], options.secret, options.algorithm).first
+
+        (options.required_claims || []).each do |field|
+          raise ClaimInvalid, "Missing required '#{field}' claim" unless @decoded.key?(field.to_s)
+        end
+
+        raise ClaimInvalid, "Missing required 'iat' claim" if options.valid_within && !@decoded["iat"]
+
+        if options.valid_within && (Time.now.to_i - @decoded["iat"]).abs > options.valid_within
+          raise ClaimInvalid, "'iat' timestamp claim is too skewed from present"
+        end
+
+        @decoded
+      end
+
+      def callback_phase
+        super
+      rescue ClaimInvalid => e
+        fail! :claim_invalid, e
+      end
+    end
+
+    class Jwt < JWT; end
+  end
+end
diff --git a/spec/lib/omni_auth/strategies/jwt_spec.rb b/spec/lib/omni_auth/strategies/jwt_spec.rb
new file mode 100644
index 00000000000..23485fbcb18
--- /dev/null
+++ b/spec/lib/omni_auth/strategies/jwt_spec.rb
@@ -0,0 +1,87 @@
+require 'spec_helper'
+
+describe OmniAuth::Strategies::Jwt do
+  include Rack::Test::Methods
+  include DeviseHelpers
+
+  context '.decoded' do
+    let(:strategy) { described_class.new({}) }
+    let(:timestamp) { Time.now.to_i }
+    let(:jwt_config) { Devise.omniauth_configs[:jwt] }
+    let(:key) { JWT.encode(claims, jwt_config.strategy.secret) }
+
+    let(:claims) do
+      {
+        id: 123,
+        name: "user_example",
+        email: "user@example.com",
+        iat: timestamp
+      }
+    end
+
+    before do
+      allow_any_instance_of(OmniAuth::Strategy).to receive(:options).and_return(jwt_config.strategy)
+      allow_any_instance_of(Rack::Request).to receive(:params).and_return({ 'jwt' => key })
+    end
+
+    it 'decodes the user information' do
+      result = strategy.decoded
+
+      expect(result["id"]).to eq(123)
+      expect(result["name"]).to eq("user_example")
+      expect(result["email"]).to eq("user@example.com")
+      expect(result["iat"]).to eq(timestamp)
+    end
+
+    context 'required claims is missing' do
+      let(:claims) do
+        {
+          id: 123,
+          email: "user@example.com",
+          iat: timestamp
+        }
+      end
+
+      it 'raises error' do
+        expect { strategy.decoded }.to raise_error(OmniAuth::Strategies::JWT::ClaimInvalid)
+      end
+    end
+
+    context 'when valid_within is specified but iat attribute is missing in response' do
+      let(:claims) do
+        {
+          id: 123,
+          name: "user_example",
+          email: "user@example.com"
+        }
+      end
+
+      before do
+        jwt_config.strategy.valid_within = Time.now.to_i
+      end
+
+      it 'raises error' do
+        expect { strategy.decoded }.to raise_error(OmniAuth::Strategies::JWT::ClaimInvalid)
+      end
+    end
+
+    context 'when timestamp claim is too skewed from present' do
+      let(:claims) do
+        {
+          id: 123,
+          name: "user_example",
+          email: "user@example.com",
+          iat: timestamp - 10.minutes.to_i
+        }
+      end
+
+      before do
+        jwt_config.strategy.valid_within = 2.seconds
+      end
+
+      it 'raises error' do
+        expect { strategy.decoded }.to raise_error(OmniAuth::Strategies::JWT::ClaimInvalid)
+      end
+    end
+  end
+end