From 3648e280baa04112ab0052d991d1f16e86499a5b Mon Sep 17 00:00:00 2001
From: Stan Hu
Date: Fri, 28 Dec 2018 22:56:33 -0800
Subject: Upgrade Omniauth and JWT gems to switch away from Google+ API

* omniauth-google-oauth2: Google will be deprecating its support for the Google+ API, which currently omniauth-google-oauth2 uses to retrieve user info. The bump in omniauth-google-oauth2 requires an upgrade to ruby-jwt v2+ to support the verification of multiple issue providers (https://github.com/zquestz/omniauth-google-oauth2/pull/345).
* jwt: This has the most number of changes that need to be reviewed: https://github.com/jwt/ruby-jwt/blob/master/CHANGELOG.md
* oauth2: Needed to support ruby-jwt v2+: https://github.com/oauth-xx/oauth2/blob/master/CHANGELOG.md
* omniauth-azure-oauth2 needs a version bump to support ruby-jwt v2+.
* omniauth: This version bump only involves backstage improvements: https://github.com/omniauth/omniauth/releases

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/55668
---
 Gemfile | 4 ++--
 Gemfile.lock | 28 +++++++++++-----------
 .../unreleased/sh-bump-omniauth-google-gem.yml | 5 ++++
 3 files changed, 21 insertions(+), 16 deletions(-)
 create mode 100644 changelogs/unreleased/sh-bump-omniauth-google-gem.yml

diff --git a/Gemfile b/Gemfile
index c316f3b0e5f..a79276da066 100644
--- a/Gemfile
+++ b/Gemfile
@@ -34,7 +34,7 @@ gem 'omniauth-cas3', '~> 1.1.4'
 gem 'omniauth-facebook', '~> 4.0.0'
 gem 'omniauth-github', '~> 1.3'
 gem 'omniauth-gitlab', '~> 1.0.2'
-gem 'omniauth-google-oauth2', '~> 0.5.3'
+gem 'omniauth-google-oauth2', '~> 0.6.0'
 gem 'omniauth-kerberos', '~> 0.3.0', group: :kerberos
 gem 'omniauth-oauth2-generic', '~> 0.2.2'
 gem 'omniauth-saml', '~> 1.10'
@@ -43,7 +43,7 @@ gem 'omniauth-twitter', '~> 1.4'
 gem 'omniauth_crowd', '~> 2.2.0'
 gem 'omniauth-authentiq', '~> 0.3.3'
 gem 'rack-oauth2', '~> 1.2.1'
-gem 'jwt', '~> 1.5.6'
+gem 'jwt', '~> 2.1.0'
 
 # Spam and anti-bot protection
 gem 'recaptcha', '~> 3.0', require: 'recaptcha/rails'
diff --git a/Gemfile.lock b/Gemfile.lock index 942dbac27a6..b263e0e5d64 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -403,7 +403,7 @@ GEM bindata json-schema (2.8.0) addressable (>= 2.4) - jwt (1.5.6) + jwt (2.1.0) kaminari (1.0.1) activesupport (>= 4.1.0) kaminari-actionview (= 1.0.1) @@ -483,24 +483,24 @@ GEM nokogiri numerizer (0.1.1) oauth (0.5.4) - oauth2 (1.4.0) - faraday (>= 0.8, < 0.13) - jwt (~> 1.0) + oauth2 (1.4.1) + faraday (>= 0.8, < 0.16.0) + jwt (>= 1.0, < 3.0) multi_json (~> 1.3) multi_xml (~> 0.5) rack (>= 1.2, < 3) octokit (4.9.0) sawyer (~> 0.8.0, >= 0.5.3) - omniauth (1.8.1) - hashie (>= 3.4.6, < 3.6.0) + omniauth (1.9.0) + hashie (>= 3.4.6, < 3.7.0) rack (>= 1.6.2, < 3) omniauth-auth0 (2.0.0) omniauth-oauth2 (~> 1.4) omniauth-authentiq (0.3.3) jwt (>= 1.5) omniauth-oauth2 (>= 1.5) - omniauth-azure-oauth2 (0.0.9) - jwt (~> 1.0) + omniauth-azure-oauth2 (0.0.10) + jwt (>= 1.0, < 3.0) omniauth (~> 1.0) omniauth-oauth2 (~> 1.4) omniauth-cas3 (1.1.4) @@ -515,8 +515,8 @@ GEM omniauth-gitlab (1.0.3) omniauth (~> 1.0) omniauth-oauth2 (~> 1.0) - omniauth-google-oauth2 (0.5.3) - jwt (>= 1.5) + omniauth-google-oauth2 (0.6.0) + jwt (>= 2.0) omniauth (>= 1.1.1) omniauth-oauth2 (>= 1.5) omniauth-kerberos (0.3.0) @@ -527,9 +527,9 @@ GEM omniauth-oauth (1.1.0) oauth omniauth (~> 1.0) - omniauth-oauth2 (1.5.0) + omniauth-oauth2 (1.6.0) oauth2 (~> 1.1) - omniauth (~> 1.2) + omniauth (~> 1.9) omniauth-oauth2-generic (0.2.2) omniauth-oauth2 (~> 1.0) omniauth-saml (1.10.0) @@ -1041,7 +1041,7 @@ DEPENDENCIES jquery-atwho-rails (~> 1.3.2) js_regex (~> 2.2.1) json-schema (~> 2.8.0) - jwt (~> 1.5.6) + jwt (~> 2.1.0) kaminari (~> 1.0) knapsack (~> 1.17) kubeclient (~> 4.0.0) @@ -1070,7 +1070,7 @@ DEPENDENCIES omniauth-facebook (~> 4.0.0) omniauth-github (~> 1.3) omniauth-gitlab (~> 1.0.2) - omniauth-google-oauth2 (~> 0.5.3) + omniauth-google-oauth2 (~> 0.6.0) omniauth-kerberos (~> 0.3.0) omniauth-oauth2-generic (~> 0.2.2) omniauth-saml (~> 1.10) 
diff --git a/changelogs/unreleased/sh-bump-omniauth-google-gem.yml b/changelogs/unreleased/sh-bump-omniauth-google-gem.yml
new file mode 100644
index 00000000000..2b31a55f8b2
--- /dev/null
+++ b/changelogs/unreleased/sh-bump-omniauth-google-gem.yml
@@ -0,0 +1,5 @@
+---
+title: Upgrade Omniauth and JWT gems to switch away from Google+ API
+merge_request: 24068
+author:
+type: changed
-- 
cgit v1.2.1

From 1aa420a1fd163ed7c61c4d7f103059a38dcb6a18 Mon Sep 17 00:00:00 2001
From: Stan Hu
Date: Sat, 29 Dec 2018 00:07:45 -0800
Subject: Add typ header back into JWT payload

ruby-jwt v2.0 removed the `typ` header in https://github.com/jwt/ruby-jwt/commit/cc41d53e00f8cbf015271b53f5ad761bd6ac2312. To ensure tokens don't get marked invalid during an upgrade, add it back to ensure backwards compatibility.
---
 lib/json_web_token/hmac_token.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/json_web_token/hmac_token.rb b/lib/json_web_token/hmac_token.rb
index ceb1b9c913f..ec0917ab49d 100644
--- a/lib/json_web_token/hmac_token.rb
+++ b/lib/json_web_token/hmac_token.rb
@@ -18,7 +18,7 @@ module JSONWebToken
 end
 
 def encoded
- JWT.encode(payload, secret, JWT_ALGORITHM)
+ JWT.encode(payload, secret, JWT_ALGORITHM, { typ: 'JWT' })
 end
 
 private
-- 
cgit v1.2.1

From ae8724ff227f7cc80f10c605cecfbd5c4f63922a Mon Sep 17 00:00:00 2001
From: Stan Hu
Date: Sat, 29 Dec 2018 00:19:16 -0800
Subject: Remove documentation requiring activation of Google+ API

---
 doc/integration/google.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/doc/integration/google.md b/doc/integration/google.md
index b91d40d4bd4..d2b4e119978 100644
--- a/doc/integration/google.md
+++ b/doc/integration/google.md
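Review bot: The new `{ typ: 'JWT' }` argument in `encoded` carries no explanation of why a header that ruby-jwt deliberately dropped is being re-added, so a later cleanup is likely to strip it again; a one-line why-comment above the `JWT.encode` call would pin the intent: `# ruby-jwt >= 2.0 no longer emits typ; keep it so tokens issued before and after the upgrade carry the same header set`. The decode counterpart of this class is outside the hunk; since ruby-jwt 2.x rejects any algorithm other than the one handed to `JWT.decode` (and defaults to HS256, as the later spec commit in this series notes), it is worth confirming that decode passes `algorithm: JWT_ALGORITHM` explicitly instead of relying on that default. The enclosing class and the `JWT_ALGORITHM` constant are defined outside the hunk.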
@@ -35,7 +35,6 @@ In Google's side:
 1. You should now be able to see a Client ID and Client secret. Note them down or keep this page open as you will need them later.
-1. From the **Dashboard** select **ENABLE APIS AND SERVICES > Social > Google+ API > Enable**
 1. To enable projects to access [Google Kubernetes Engine](../user/project/clusters/index.md), you must also enable these APIs:
 - Google Kubernetes Engine API
-- 
cgit v1.2.1

From 34f51dee0d336487a3fac0946eb198bb5996368b Mon Sep 17 00:00:00 2001
From: Stan Hu
Date: Sat, 29 Dec 2018 06:20:04 -0800
Subject: Set the JWT algorithm to RS256 in decode specs

By default, the JWT decode only allows HS256 mode (HMAC using SHA-256 hash algorithm). The specs using RSA tokens failed per https://github.com/jwt/ruby-jwt#algorithms-and-usage: It is strongly recommended that you hard code the algorithm, as you may leave yourself vulnerable by dynamically picking the algorithm.
---
 spec/lib/json_web_token/rsa_token_spec.rb | 4 ++--
 spec/services/auth/container_registry_authentication_service_spec.rb | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/spec/lib/json_web_token/rsa_token_spec.rb b/spec/lib/json_web_token/rsa_token_spec.rb
index d6edc964844..a3c54651e80 100644
--- a/spec/lib/json_web_token/rsa_token_spec.rb
+++ b/spec/lib/json_web_token/rsa_token_spec.rb
@@ -25,7 +25,7 @@ describe JSONWebToken::RSAToken do
 rsa_token['key'] = 'value'
 end
 
- subject { JWT.decode(rsa_encoded, rsa_key) }
+ subject { JWT.decode(rsa_encoded, rsa_key, true, { algorithm: 'RS256' }) }
 
 it { expect {subject}.not_to raise_error }
 it { expect(subject.first).to include('key' => 'value') }
@@ -39,7 +39,7 @@ describe JSONWebToken::RSAToken do
 context 'for invalid key to raise an exception' do
 let(:new_key) { OpenSSL::PKey::RSA.generate(512) }
 
- subject { JWT.decode(rsa_encoded, new_key) }
+ subject { JWT.decode(rsa_encoded, new_key, true, { algorithm: 'RS256' }) }
 
 it { expect {subject}.to raise_error(JWT::DecodeError) }
 end
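Review bot: Pinning `algorithm: 'RS256'` in both `subject` lines closes the dynamic-algorithm hole the commit message quotes from the ruby-jwt README, but neither context asserts that it is closed: the 'for invalid key' case only proves a different RSA key fails, not that a token signed with HS256 using the RSA public key as the HMAC secret (the classic algorithm-confusion attack) is rejected. A third context that encodes such a token and expects ruby-jwt's `JWT::IncorrectAlgorithm` (a `JWT::DecodeError` subclass, so the existing matcher would also accept it) would guard the exact regression this commit is fixing. This assumes `rsa_key` is the `OpenSSL::PKey::RSA` the second hunk shows; the spec's `rsa_key` and `rsa_encoded` setup is outside the hunk.
```ruby
context 'for a token signed with HS256 using the public key as secret' do
  let(:confused) { JWT.encode({ 'key' => 'value' }, rsa_key.public_key.to_pem, 'HS256') }

  subject { JWT.decode(confused, rsa_key, true, { algorithm: 'RS256' }) }

  it { expect { subject }.to raise_error(JWT::IncorrectAlgorithm) }
end
```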
diff --git a/spec/services/auth/container_registry_authentication_service_spec.rb b/spec/services/auth/container_registry_authentication_service_spec.rb
index f2e9799452a..8021bd338e0 100644
--- a/spec/services/auth/container_registry_authentication_service_spec.rb
+++ b/spec/services/auth/container_registry_authentication_service_spec.rb
@@ -5,7 +5,7 @@ describe Auth::ContainerRegistryAuthenticationService do
 let(:current_user) { nil }
 let(:current_params) { {} }
 let(:rsa_key) { OpenSSL::PKey::RSA.generate(512) }
- let(:payload) { JWT.decode(subject[:token], rsa_key).first }
+ let(:payload) { JWT.decode(subject[:token], rsa_key, true, { algorithm: 'RS256' }).first }
 
 let(:authentication_abilities) do
 [:read_container_image, :create_container_image, :admin_container_image]
-- 
cgit v1.2.1

From c6d7130f65e89f659ffd905d8b3b6be4df91a0e2 Mon Sep 17 00:00:00 2001
From: Stan Hu
Date: Sat, 29 Dec 2018 07:37:08 -0800
Subject: Set typ field in JSONWebToken::RSAToken

ruby-jwt v2.0 removed the `typ` header in https://github.com/jwt/ruby-jwt/commit/cc41d53e00f8cbf015271b53f5ad761bd6ac2312. To ensure tokens don't get marked invalid during an upgrade, add it back to ensure backwards compatibility.
---
 lib/json_web_token/rsa_token.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/json_web_token/rsa_token.rb b/lib/json_web_token/rsa_token.rb
index 160e1e506f1..bcce811cd28 100644
--- a/lib/json_web_token/rsa_token.rb
+++ b/lib/json_web_token/rsa_token.rb
@@ -11,7 +11,8 @@ module JSONWebToken
 
 def encoded
 headers = {
- kid: kid
+ kid: kid,
+ typ: 'JWT'
 }
 JWT.encode(payload, key, 'RS256', headers)
 end
-- 
cgit v1.2.1
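Review bot: The algorithm in `JWT.encode(payload, key, 'RS256', headers)` stays a bare string literal while the sibling `hmac_token.rb` in this series reads its algorithm from a `JWT_ALGORITHM` constant, and the specs touched by the previous commit now hard-code `'RS256'` twice more; one constant on this class would keep encoder, decoder and specs from drifting apart: `JWT_ALGORITHM = 'RS256'` on the class and `JWT.encode(payload, key, JWT_ALGORITHM, headers)` here, with the specs referencing `JSONWebToken::RSAToken::JWT_ALGORITHM`. The added `typ: 'JWT'` entry deserves the same why-comment as the HMAC variant, e.g. `# ruby-jwt >= 2.0 stopped emitting typ; kept so tokens issued before and after the upgrade carry the same header set`, since nothing in the code says it is intentional rather than leftover. The enclosing class and the `kid`, `key` and `payload` helpers are defined outside the hunk.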