Merge branch 'ashmckenzie/hmac-token-decode-and-tests' into 'master'

Relocate JSONWebToken::HMACToken from EE See merge request gitlab-org/gitlab-ce!22906
author: Stan Hu <stanhu@gmail.com> 2018-11-13 06:12:41 +0000
committer: Stan Hu <stanhu@gmail.com> 2018-11-13 06:12:41 +0000
commit: 123970182274ead330cdb93a1cb3296884b1cd69 (patch)
tree: a1a6724469a0abc8ad3cba07f89e16a900664802 /spec
parent: 5fd652decbed82366b96b0acb8446ac46202ce0a (diff)
parent: a3c80014f5dc849af1933570877f8230d98417f1 (diff)
download: gitlab-ce-123970182274ead330cdb93a1cb3296884b1cd69.tar.gz
1 files changed, 133 insertions, 0 deletions
diff --git a/spec/lib/json_web_token/hmac_token_spec.rb b/spec/lib/json_web_token/hmac_token_spec.rb
new file mode 100644
index 00000000000..f2cbc381967
--- /dev/null
+++ b/spec/lib/json_web_token/hmac_token_spec.rb
@@ -0,0 +1,133 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'timecop'
+
+describe JSONWebToken::HMACToken do
+  let(:secret) { 'shh secret squirrel' }
+
+  shared_examples 'a valid, non-expired token' do
+    it 'is an Array with two elements' do
+      expect(decoded_token).to be_a(Array)
+      expect(decoded_token.count).to eq(2)
+    end
+
+    it 'contains the following keys in the first Array element Hash - jti, iat, nbf, exp' do
+      expect(decoded_token[0].keys).to include('jti', 'iat', 'nbf', 'exp')
+    end
+
+    it 'contains the following keys in the second Array element Hash - typ and alg' do
+      expect(decoded_token[1]['typ']).to eql('JWT')
+      expect(decoded_token[1]['alg']).to eql('HS256')
+    end
+  end
+
+  describe '.decode' do
+    let(:leeway) { described_class::IAT_LEEWAY }
+    let(:decoded_token) { described_class.decode(encoded_token, secret, leeway: leeway) }
+
+    context 'with an invalid token' do
+      context 'that is junk' do
+        let(:encoded_token) { 'junk' }
+
+        it "raises exception saying 'Not enough or too many segments'" do
+          expect { decoded_token }.to raise_error(JWT::DecodeError, 'Not enough or too many segments')
+        end
+      end
+
+      context 'that has been fiddled with' do
+        let(:encoded_token) do
+          described_class.new(secret).encoded.tap { |token| token[0] = 'E' }
+        end
+
+        it "raises exception saying 'Invalid segment encoding'" do
+          expect { decoded_token }.to raise_error(JWT::DecodeError, 'Invalid segment encoding')
+        end
+      end
+
+      context 'that was generated using a different secret' do
+        let(:encoded_token) { described_class.new('some other secret').encoded }
+
+        it "raises exception saying 'Signature verification raised" do
+          expect { decoded_token }.to raise_error(JWT::VerificationError, 'Signature verification raised')
+        end
+      end
+
+      context 'that is expired' do
+        # Needs the ! so Timecop.freeze() is effective
+        let!(:encoded_token) { described_class.new(secret).encoded }
+
+        it "raises exception saying 'Signature has expired'" do
+          # Needs to be 120 seconds, because the default expiry is 60 seconds
+          # with an additional 60 second leeway.
+          Timecop.freeze(Time.now + 120) do
+            expect { decoded_token }.to raise_error(JWT::ExpiredSignature, 'Signature has expired')
+          end
+        end
+      end
+    end
+
+    context 'with a valid token' do
+      let(:encoded_token) do
+        hmac_token = described_class.new(secret)
+        hmac_token.expire_time = Time.now + expire_time
+        hmac_token.encoded
+      end
+
+      context 'that has expired' do
+        let(:expire_time) { 0 }
+
+        context 'with the default leeway' do
+          Timecop.freeze(Time.now + 1) do
+            it_behaves_like 'a valid, non-expired token'
+          end
+        end
+
+        context 'with a leeway of 0 seconds' do
+          let(:leeway) { 0 }
+
+          it "raises exception saying 'Signature has expired'" do
+            Timecop.freeze(Time.now + 1) do
+              expect { decoded_token }.to raise_error(JWT::ExpiredSignature, 'Signature has expired')
+            end
+          end
+        end
+      end
+
+      context 'that has not expired' do
+        let(:expire_time) { described_class::DEFAULT_EXPIRE_TIME }
+
+        it_behaves_like 'a valid, non-expired token'
+      end
+    end
+  end
+
+  describe '#encoded' do
+    let(:decoded_token) { described_class.decode(encoded_token, secret) }
+
+    context 'without data' do
+      let(:encoded_token) { described_class.new(secret).encoded }
+
+      it_behaves_like 'a valid, non-expired token'
+    end
+
+    context 'with data' do
+      let(:data) { { secret_key: 'secret value' }.to_json }
+      let(:encoded_token) do
+        ec = described_class.new(secret)
+        ec[:data] = data
+        ec.encoded
+      end
+
+      it_behaves_like 'a valid, non-expired token'
+
+      it "contains the 'data' key in the first Array element Hash" do
+        expect(decoded_token[0]).to have_key('data')
+      end
+
+      it 'can re-read back the data' do
+        expect(decoded_token[0]['data']).to eql(data)
+      end
+    end
+  end
+end
author	Stan Hu <stanhu@gmail.com>	2018-11-13 06:12:41 +0000
committer	Stan Hu <stanhu@gmail.com>	2018-11-13 06:12:41 +0000
commit	123970182274ead330cdb93a1cb3296884b1cd69 (patch)
tree	a1a6724469a0abc8ad3cba07f89e16a900664802 /spec
parent	5fd652decbed82366b96b0acb8446ac46202ce0a (diff)
parent	a3c80014f5dc849af1933570877f8230d98417f1 (diff)
download	gitlab-ce-123970182274ead330cdb93a1cb3296884b1cd69.tar.gz