Diffstat (limited to 'spec/lib/gitlab/ci/jwt_spec.rb')
-rw-r--r-- | spec/lib/gitlab/ci/jwt_spec.rb | 63 |
1 files changed, 48 insertions, 15 deletions
diff --git a/spec/lib/gitlab/ci/jwt_spec.rb b/spec/lib/gitlab/ci/jwt_spec.rb
index 9b133efad9c..3130c0c0c41 100644
--- a/spec/lib/gitlab/ci/jwt_spec.rb
+++ b/spec/lib/gitlab/ci/jwt_spec.rb
@@ -93,32 +93,65 @@ RSpec.describe Gitlab::Ci::Jwt do
 end
 
 describe '.for_build' do
- let(:rsa_key) { OpenSSL::PKey::RSA.new(Rails.application.secrets.openid_connect_signing_key) }
+ shared_examples 'generating JWT for build' do
+ context 'when signing key is present' do
+ let(:rsa_key) { OpenSSL::PKey::RSA.generate(1024) }
+ let(:rsa_key_data) { rsa_key.to_s }
 
- subject(:jwt) { described_class.for_build(build) }
+ it 'generates JWT with key id' do
+ _payload, headers = JWT.decode(jwt, rsa_key.public_key, true, { algorithm: 'RS256' })
+
+ expect(headers['kid']).to eq(rsa_key.public_key.to_jwk['kid'])
+ end
+
+ it 'generates JWT for the given job with ttl equal to build timeout' do
+ expect(build).to receive(:metadata_timeout).and_return(3_600)
+
+ payload, _headers = JWT.decode(jwt, rsa_key.public_key, true, { algorithm: 'RS256' })
+ ttl = payload["exp"] - payload["iat"]
+
+ expect(ttl).to eq(3_600)
+ end
+
+ it 'generates JWT for the given job with default ttl if build timeout is not set' do
+ expect(build).to receive(:metadata_timeout).and_return(nil)
+
+ payload, _headers = JWT.decode(jwt, rsa_key.public_key, true, { algorithm: 'RS256' })
+ ttl = payload["exp"] - payload["iat"]
 
- it 'generates JWT with key id' do
- _payload, headers = JWT.decode(jwt, rsa_key.public_key, true, { algorithm: 'RS256' })
+ expect(ttl).to eq(5.minutes.to_i)
+ end
+ end
+
+ context 'when signing key is missing' do
+ let(:rsa_key_data) { nil }
 
- expect(headers['kid']).to eq(rsa_key.public_key.to_jwk['kid'])
+ it 'raises NoSigningKeyError' do
+ expect { jwt }.to raise_error described_class::NoSigningKeyError
+ end
+ end
 end
 
- it 'generates JWT for the given job with ttl equal to build timeout' do
- expect(build).to receive(:metadata_timeout).and_return(3_600)
+ subject(:jwt) { described_class.for_build(build) }
+
+ context 'when ci_jwt_signing_key feature flag is disabled' do
+ before do
+ stub_feature_flags(ci_jwt_signing_key: false)
 
- payload, _headers = JWT.decode(jwt, rsa_key.public_key, true, { algorithm: 'RS256' })
- ttl = payload["exp"] - payload["iat"]
+ allow(Rails.application.secrets).to receive(:openid_connect_signing_key).and_return(rsa_key_data)
+ end
 
- expect(ttl).to eq(3_600)
+ it_behaves_like 'generating JWT for build'
 end
 
- it 'generates JWT for the given job with default ttl if build timeout is not set' do
- expect(build).to receive(:metadata_timeout).and_return(nil)
+ context 'when ci_jwt_signing_key feature flag is enabled' do
+ before do
+ stub_feature_flags(ci_jwt_signing_key: true)
 
- payload, _headers = JWT.decode(jwt, rsa_key.public_key, true, { algorithm: 'RS256' })
- ttl = payload["exp"] - payload["iat"]
+ stub_application_setting(ci_jwt_signing_key: rsa_key_data)
+ end
 
- expect(ttl).to eq(5.minutes.to_i)
+ it_behaves_like 'generating JWT for build'
 end
 end
 end
|
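Review bot: The 'when signing key is missing' context covers only `nil`, so a blank or malformed value in `ci_jwt_signing_key` or `openid_connect_signing_key` is untested and may surface as a raw OpenSSL error rather than `NoSigningKeyError`; `for_build` itself is outside this hunk, so that behaviour is an inference. If a blank setting is meant to count as missing, a sibling context with `let(:rsa_key_data) { '' }` and the same `raise_error described_class::NoSigningKeyError` expectation would pin it under both flag states. Separately, `OpenSSL::PKey::RSA.generate(1024)` deserves a comment such as `# 1024 bits only to keep the spec fast; not a size for real signing keys`, and generation at that size may be refused on hosts with a strict OpenSSL policy (for example FIPS mode).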