From edaa33dee2ff2f7ea3fac488d41558eb5f86d68c Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Thu, 20 Jan 2022 09:16:11 +0000 Subject: Add latest changes from gitlab-org/gitlab@14-7-stable-ee --- spec/lib/gitlab/jwt_authenticatable_spec.rb | 163 +++++++++++++++++++++++----- 1 file changed, 133 insertions(+), 30 deletions(-) (limited to 'spec/lib/gitlab/jwt_authenticatable_spec.rb') diff --git a/spec/lib/gitlab/jwt_authenticatable_spec.rb b/spec/lib/gitlab/jwt_authenticatable_spec.rb index 36bb46cb250..92d5feceb75 100644 --- a/spec/lib/gitlab/jwt_authenticatable_spec.rb +++ b/spec/lib/gitlab/jwt_authenticatable_spec.rb @@ -14,17 +14,12 @@ RSpec.describe Gitlab::JwtAuthenticatable do end before do - begin - File.delete(test_class.secret_path) - rescue Errno::ENOENT - end + FileUtils.rm_f(test_class.secret_path) test_class.write_secret end - describe '.secret' do - subject(:secret) { test_class.secret } - + shared_examples 'reading secret from the secret path' do it 'returns 32 bytes' do expect(secret).to be_a(String) expect(secret.length).to eq(32) @@ -32,62 +27,170 @@ RSpec.describe Gitlab::JwtAuthenticatable do end it 'accepts a trailing newline' do - File.open(test_class.secret_path, 'a') { |f| f.write "\n" } + File.open(secret_path, 'a') { |f| f.write "\n" } expect(secret.length).to eq(32) end it 'raises an exception if the secret file cannot be read' do - File.delete(test_class.secret_path) + File.delete(secret_path) expect { secret }.to raise_exception(Errno::ENOENT) end it 'raises an exception if the secret file contains the wrong number of bytes' do - File.truncate(test_class.secret_path, 0) + File.truncate(secret_path, 0) expect { secret }.to raise_exception(RuntimeError) end end + describe '.secret' do + it_behaves_like 'reading secret from the secret path' do + subject(:secret) { test_class.secret } + + let(:secret_path) { test_class.secret_path } + end + end + + describe '.read_secret' do + it_behaves_like 'reading secret from the secret path' do + subject(:secret) { test_class.read_secret(secret_path) } + + let(:secret_path) { test_class.secret_path } + end + end + describe '.write_secret' do - it 'uses mode 0600' do - expect(File.stat(test_class.secret_path).mode & 0777).to eq(0600) + context 'without an input' do + it 'uses mode 0600' do + expect(File.stat(test_class.secret_path).mode & 0777).to eq(0600) + end + + it 'writes base64 data' do + bytes = Base64.strict_decode64(File.read(test_class.secret_path)) + + expect(bytes).not_to be_empty + end end - it 'writes base64 data' do - bytes = Base64.strict_decode64(File.read(test_class.secret_path)) + context 'with an input' do + let(:another_path) do + Rails.root.join('tmp', 'tests', '.jwt_another_shared_secret') + end - expect(bytes).not_to be_empty + after do + File.delete(another_path) + rescue Errno::ENOENT + end + + it 'uses mode 0600' do + test_class.write_secret(another_path) + expect(File.stat(another_path).mode & 0777).to eq(0600) + end + + it 'writes base64 data' do + test_class.write_secret(another_path) + bytes = Base64.strict_decode64(File.read(another_path)) + + expect(bytes).not_to be_empty + end end end - describe '.decode_jwt_for_issuer' do - let(:payload) { { 'iss' => 'test_issuer' } } + describe '.decode_jwt' do |decode| + let(:payload) { {} } + + context 'use included class secret' do + it 'accepts a correct header' do + encoded_message = JWT.encode(payload, test_class.secret, 'HS256') + + expect { test_class.decode_jwt(encoded_message) }.not_to raise_error + end + + it 'raises an error when the JWT is not signed' do + encoded_message = JWT.encode(payload, nil, 'none') + + expect { test_class.decode_jwt(encoded_message) }.to raise_error(JWT::DecodeError) + end - it 'accepts a correct header' do - encoded_message = JWT.encode(payload, test_class.secret, 'HS256') + it 'raises an error when the header is signed with the wrong secret' do + encoded_message = JWT.encode(payload, 'wrongsecret', 'HS256') - expect { test_class.decode_jwt_for_issuer('test_issuer', encoded_message) }.not_to raise_error + expect { test_class.decode_jwt(encoded_message) }.to raise_error(JWT::DecodeError) + end end - it 'raises an error when the JWT is not signed' do - encoded_message = JWT.encode(payload, nil, 'none') + context 'use an input secret' do + let(:another_secret) { 'another secret' } + + it 'accepts a correct header' do + encoded_message = JWT.encode(payload, another_secret, 'HS256') + + expect { test_class.decode_jwt(encoded_message, another_secret) }.not_to raise_error + end - expect { test_class.decode_jwt_for_issuer('test_issuer', encoded_message) }.to raise_error(JWT::DecodeError) + it 'raises an error when the JWT is not signed' do + encoded_message = JWT.encode(payload, nil, 'none') + + expect { test_class.decode_jwt(encoded_message, another_secret) }.to raise_error(JWT::DecodeError) + end + + it 'raises an error when the header is signed with the wrong secret' do + encoded_message = JWT.encode(payload, 'wrongsecret', 'HS256') + + expect { test_class.decode_jwt(encoded_message, another_secret) }.to raise_error(JWT::DecodeError) + end end - it 'raises an error when the header is signed with the wrong secret' do - encoded_message = JWT.encode(payload, 'wrongsecret', 'HS256') + context 'issuer option' do + let(:payload) { { 'iss' => 'test_issuer' } } + + it 'returns decoded payload if issuer is correct' do + encoded_message = JWT.encode(payload, test_class.secret, 'HS256') + payload = test_class.decode_jwt(encoded_message, issuer: 'test_issuer') - expect { test_class.decode_jwt_for_issuer('test_issuer', encoded_message) }.to raise_error(JWT::DecodeError) + expect(payload[0]).to match a_hash_including('iss' => 'test_issuer') + end + + it 'raises an error when the issuer is incorrect' do + payload['iss'] = 'somebody else' + encoded_message = JWT.encode(payload, test_class.secret, 'HS256') + + expect { test_class.decode_jwt(encoded_message, issuer: 'test_issuer') }.to raise_error(JWT::DecodeError) + end end - it 'raises an error when the issuer is incorrect' do - payload['iss'] = 'somebody else' - encoded_message = JWT.encode(payload, test_class.secret, 'HS256') + context 'iat_after option' do + it 'returns decoded payload if iat is valid' do + freeze_time do + encoded_message = JWT.encode(payload.merge(iat: (Time.current - 10.seconds).to_i), test_class.secret, 'HS256') + payload = test_class.decode_jwt(encoded_message, iat_after: Time.current - 20.seconds) + + expect(payload[0]).to match a_hash_including('iat' => be_a(Integer)) + end + end + + it 'raises an error if iat is invalid' do + encoded_message = JWT.encode(payload.merge(iat: 'wrong'), test_class.secret, 'HS256') - expect { test_class.decode_jwt_for_issuer('test_issuer', encoded_message) }.to raise_error(JWT::DecodeError) + expect { test_class.decode_jwt(encoded_message, iat_after: true) }.to raise_error(JWT::DecodeError) + end + + it 'raises an error if iat is absent' do + encoded_message = JWT.encode(payload, test_class.secret, 'HS256') + + expect { test_class.decode_jwt(encoded_message, iat_after: true) }.to raise_error(JWT::DecodeError) + end + + it 'raises an error if iat is too far in the past' do + freeze_time do + encoded_message = JWT.encode(payload.merge(iat: (Time.current - 30.seconds).to_i), test_class.secret, 'HS256') + expect do + test_class.decode_jwt(encoded_message, iat_after: Time.current - 20.seconds) + end.to raise_error(JWT::ExpiredSignature, 'Token has expired') + end + end end end end -- cgit v1.2.1