Add latest changes from gitlab-org/gitlab@14-7-stable-eev14.7.0-rc42

2 files changed, 238 insertions, 13 deletions

diff --git a/spec/lib/gitlab/mail_room/authenticator_spec.rb b/spec/lib/gitlab/mail_room/authenticator_spec.rb
new file mode 100644
index 00000000000..44120902661
--- /dev/null
+++ b/spec/lib/gitlab/mail_room/authenticator_spec.rb
@@ -0,0 +1,188 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::MailRoom::Authenticator do
+  let(:yml_config) do
+    {
+      enabled: true,
+      address: 'address@example.com'
+    }
+  end
+
+  let(:incoming_email_secret_path) { '/path/to/incoming_email_secret' }
+  let(:incoming_email_config) { yml_config.merge(secret_file: incoming_email_secret_path) }
+
+  let(:service_desk_email_secret_path) { '/path/to/service_desk_email_secret' }
+  let(:service_desk_email_config) { yml_config.merge(secret_file: service_desk_email_secret_path) }
+
+  let(:configs) do
+    {
+      incoming_email: incoming_email_config,
+      service_desk_email: service_desk_email_config
+    }
+  end
+
+  before do
+    allow(Gitlab::MailRoom).to receive(:enabled_configs).and_return(configs)
+
+    described_class.clear_memoization(:jwt_secret_incoming_email)
+    described_class.clear_memoization(:jwt_secret_service_desk_email)
+  end
+
+  after do
+    described_class.clear_memoization(:jwt_secret_incoming_email)
+    described_class.clear_memoization(:jwt_secret_service_desk_email)
+  end
+
+  around do |example|
+    freeze_time do
+      example.run
+    end
+  end
+
+  describe '#verify_api_request' do
+    let(:incoming_email_secret) { SecureRandom.hex(16) }
+    let(:service_desk_email_secret) { SecureRandom.hex(16) }
+    let(:payload) { { iss: described_class::INTERNAL_API_REQUEST_JWT_ISSUER, iat: (Time.current - 5.minutes + 1.second).to_i } }
+
+    before do
+      allow(described_class).to receive(:secret).with(:incoming_email).and_return(incoming_email_secret)
+      allow(described_class).to receive(:secret).with(:service_desk_email).and_return(service_desk_email_secret)
+    end
+
+    context 'verify a valid token' do
+      it 'returns the decoded payload' do
+        encoded_token = JWT.encode(payload, incoming_email_secret, 'HS256')
+        headers = { described_class::INTERNAL_API_REQUEST_HEADER => encoded_token }
+
+        expect(described_class.verify_api_request(headers, 'incoming_email')[0]).to match a_hash_including(
+          "iss" => "gitlab-mailroom",
+          "iat" => be_a(Integer)
+        )
+
+        encoded_token = JWT.encode(payload, service_desk_email_secret, 'HS256')
+        headers = { described_class::INTERNAL_API_REQUEST_HEADER => encoded_token }
+
+        expect(described_class.verify_api_request(headers, 'service_desk_email')[0]).to match a_hash_including(
+          "iss" => "gitlab-mailroom",
+          "iat" => be_a(Integer)
+        )
+      end
+    end
+
+    context 'verify an invalid token' do
+      it 'returns false' do
+        encoded_token = JWT.encode(payload, 'wrong secret', 'HS256')
+        headers = { described_class::INTERNAL_API_REQUEST_HEADER => encoded_token }
+
+        expect(described_class.verify_api_request(headers, 'incoming_email')).to eq(false)
+      end
+    end
+
+    context 'verify a valid token but wrong mailbox type' do
+      it 'returns false' do
+        encoded_token = JWT.encode(payload, incoming_email_secret, 'HS256')
+        headers = { described_class::INTERNAL_API_REQUEST_HEADER => encoded_token }
+
+        expect(described_class.verify_api_request(headers, 'service_desk_email')).to eq(false)
+      end
+    end
+
+    context 'verify a valid token but wrong issuer' do
+      let(:payload) { { iss: 'invalid_issuer' } }
+
+      it 'returns false' do
+        encoded_token = JWT.encode(payload, incoming_email_secret, 'HS256')
+        headers = { described_class::INTERNAL_API_REQUEST_HEADER => encoded_token }
+
+        expect(described_class.verify_api_request(headers, 'incoming_email')).to eq(false)
+      end
+    end
+
+    context 'verify a valid token but expired' do
+      let(:payload) { { iss: described_class::INTERNAL_API_REQUEST_JWT_ISSUER, iat: (Time.current - 5.minutes - 1.second).to_i } }
+
+      it 'returns false' do
+        encoded_token = JWT.encode(payload, incoming_email_secret, 'HS256')
+        headers = { described_class::INTERNAL_API_REQUEST_HEADER => encoded_token }
+
+        expect(described_class.verify_api_request(headers, 'incoming_email')).to eq(false)
+      end
+    end
+
+    context 'verify a valid token but wrong header field' do
+      it 'returns false' do
+        encoded_token = JWT.encode(payload, incoming_email_secret, 'HS256')
+        headers = { 'a-wrong-header' => encoded_token }
+
+        expect(described_class.verify_api_request(headers, 'incoming_email')).to eq(false)
+      end
+    end
+
+    context 'verify headers for a disabled mailbox type' do
+      let(:configs) { { service_desk_email: service_desk_email_config } }
+
+      it 'returns false' do
+        encoded_token = JWT.encode(payload, incoming_email_secret, 'HS256')
+        headers = { described_class::INTERNAL_API_REQUEST_HEADER => encoded_token }
+
+        expect(described_class.verify_api_request(headers, 'incoming_email')).to eq(false)
+      end
+    end
+
+    context 'verify headers for a non-existing mailbox type' do
+      it 'returns false' do
+        headers = { described_class::INTERNAL_API_REQUEST_HEADER => 'something' }
+
+        expect(described_class.verify_api_request(headers, 'invalid_mailbox_type')).to eq(false)
+      end
+    end
+  end
+
+  describe '#secret' do
+    let(:incoming_email_secret) { SecureRandom.hex(16) }
+    let(:service_desk_email_secret) { SecureRandom.hex(16) }
+
+    context 'the secret is valid' do
+      before do
+        allow(described_class).to receive(:read_secret).with(incoming_email_secret_path).and_return(incoming_email_secret).once
+        allow(described_class).to receive(:read_secret).with(service_desk_email_secret_path).and_return(service_desk_email_secret).once
+      end
+
+      it 'returns the memorized secret from a file' do
+        expect(described_class.secret(:incoming_email)).to eql(incoming_email_secret)
+        # The second call does not trigger secret read again
+        expect(described_class.secret(:incoming_email)).to eql(incoming_email_secret)
+        expect(described_class).to have_received(:read_secret).with(incoming_email_secret_path).once
+
+        expect(described_class.secret(:service_desk_email)).to eql(service_desk_email_secret)
+        # The second call does not trigger secret read again
+        expect(described_class.secret(:service_desk_email)).to eql(service_desk_email_secret)
+        expect(described_class).to have_received(:read_secret).with(service_desk_email_secret_path).once
+      end
+    end
+
+    context 'the secret file is not configured' do
+      let(:incoming_email_config) { yml_config }
+
+      it 'raises a SecretConfigurationError exception' do
+        expect do
+          described_class.secret(:incoming_email)
+        end.to raise_error(described_class::SecretConfigurationError, "incoming_email's secret_file configuration is missing")
+      end
+    end
+
+    context 'the secret file not found' do
+      before do
+        allow(described_class).to receive(:read_secret).with(incoming_email_secret_path).and_raise(Errno::ENOENT)
+      end
+
+      it 'raises a SecretConfigurationError exception' do
+        expect do
+          described_class.secret(:incoming_email)
+        end.to raise_error(described_class::SecretConfigurationError, "Fail to read incoming_email's secret: No such file or directory")
+      end
+    end
+  end
+end
diff --git a/spec/lib/gitlab/mail_room/mail_room_spec.rb b/spec/lib/gitlab/mail_room/mail_room_spec.rb
index 0bd1a27c65e..a4fcf71a012 100644
--- a/spec/lib/gitlab/mail_room/mail_room_spec.rb
+++ b/spec/lib/gitlab/mail_room/mail_room_spec.rb
@@ -30,6 +30,7 @@ RSpec.describe Gitlab::MailRoom do
   end
 
   before do
+    allow(described_class).to receive(:load_yaml).and_return(configs)
     described_class.instance_variable_set(:@enabled_configs, nil)
   end
 
@@ -38,10 +39,6 @@ RSpec.describe Gitlab::MailRoom do
   end
 
   describe '#enabled_configs' do
-    before do
-      allow(described_class).to receive(:load_yaml).and_return(configs)
-    end
-
     context 'when both email and address is set' do
       it 'returns email configs' do
         expect(described_class.enabled_configs.size).to eq(2)
@@ -79,7 +76,7 @@ RSpec.describe Gitlab::MailRoom do
       let(:custom_config) { { enabled: true, address: 'address@example.com' } }
 
       it 'overwrites missing values with the default' do
-        expect(described_class.enabled_configs.first[:port]).to eq(Gitlab::MailRoom::DEFAULT_CONFIG[:port])
+        expect(described_class.enabled_configs.each_value.first[:port]).to eq(Gitlab::MailRoom::DEFAULT_CONFIG[:port])
       end
     end
 
@@ -88,7 +85,7 @@ RSpec.describe Gitlab::MailRoom do
 
       it 'returns only encoming_email' do
         expect(described_class.enabled_configs.size).to eq(1)
-        expect(described_class.enabled_configs.first[:worker]).to eq('EmailReceiverWorker')
+        expect(described_class.enabled_configs.each_value.first[:worker]).to eq('EmailReceiverWorker')
       end
     end
 
@@ -100,11 +97,12 @@ RSpec.describe Gitlab::MailRoom do
       end
 
       it 'sets redis config' do
-        config = described_class.enabled_configs.first
-
-        expect(config[:redis_url]).to eq('localhost')
-        expect(config[:redis_db]).to eq(99)
-        expect(config[:sentinels]).to eq('yes, them')
+        config = described_class.enabled_configs.each_value.first
+        expect(config).to include(
+          redis_url: 'localhost',
+          redis_db: 99,
+          sentinels: 'yes, them'
+        )
       end
     end
 
@@ -113,7 +111,7 @@ RSpec.describe Gitlab::MailRoom do
         let(:custom_config) { { log_path: 'tiny_log.log' } }
 
         it 'expands the log path to an absolute value' do
-          new_path = Pathname.new(described_class.enabled_configs.first[:log_path])
+          new_path = Pathname.new(described_class.enabled_configs.each_value.first[:log_path])
           expect(new_path.absolute?).to be_truthy
         end
       end
@@ -122,9 +120,48 @@ RSpec.describe Gitlab::MailRoom do
         let(:custom_config) { { log_path: '/dev/null' } }
 
         it 'leaves the path as-is' do
-          expect(described_class.enabled_configs.first[:log_path]).to eq '/dev/null'
+          expect(described_class.enabled_configs.each_value.first[:log_path]).to eq '/dev/null'
         end
       end
     end
   end
+
+  describe '#enabled_mailbox_types' do
+    context 'when all mailbox types are enabled' do
+      it 'returns the mailbox types' do
+        expect(described_class.enabled_mailbox_types).to match(%w[incoming_email service_desk_email])
+      end
+    end
+
+    context 'when an mailbox_types is disabled' do
+      let(:incoming_email_config) { yml_config.merge(enabled: false) }
+
+      it 'returns the mailbox types' do
+        expect(described_class.enabled_mailbox_types).to match(%w[service_desk_email])
+      end
+    end
+
+    context 'when email is disabled' do
+      let(:custom_config) { { enabled: false } }
+
+      it 'returns an empty array' do
+        expect(described_class.enabled_mailbox_types).to match_array([])
+      end
+    end
+  end
+
+  describe '#worker_for' do
+    context 'matched mailbox types' do
+      it 'returns the constantized worker class' do
+        expect(described_class.worker_for('incoming_email')).to eql(EmailReceiverWorker)
+        expect(described_class.worker_for('service_desk_email')).to eql(ServiceDeskEmailReceiverWorker)
+      end
+    end
+
+    context 'non-existing mailbox_type' do
+      it 'returns nil' do
+        expect(described_class.worker_for('another_mailbox_type')).to be(nil)
+      end
+    end
+  end
 end