Add latest changes from gitlab-org/gitlab@master

author: GitLab Bot <gitlab-bot@gitlab.com> 2023-07-21 12:10:13 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2023-07-21 12:10:13 +0300
commit: c1cea595b6a9b4d85424e9afd2cb765101ee04bf (patch)
tree: b018f6244b8491815f70a7d32ee8087a0f37d1cd /spec/lib
parent: 3aca7e52f313182275fea4576c2e0a30483dedb5 (diff)
2 files changed, 61 insertions, 8 deletions
diff --git a/spec/lib/gitlab/jwt_authenticatable_spec.rb b/spec/lib/gitlab/jwt_authenticatable_spec.rb
index 98c87ef627a..eea93c4e3fe 100644
--- a/spec/lib/gitlab/jwt_authenticatable_spec.rb
+++ b/spec/lib/gitlab/jwt_authenticatable_spec.rb
@@ -148,9 +148,9 @@ RSpec.describe Gitlab::JwtAuthenticatable, feature_category: :system_access do
 
       it 'returns decoded payload if issuer is correct' do
         encoded_message = JWT.encode(payload, test_class.secret, 'HS256')
-        payload = test_class.decode_jwt(encoded_message, issuer: 'test_issuer')
+        decoded_payload = test_class.decode_jwt(encoded_message, issuer: 'test_issuer')
 
-        expect(payload[0]).to match a_hash_including('iss' => 'test_issuer')
+        expect(decoded_payload[0]).to match a_hash_including('iss' => 'test_issuer')
       end
 
       it 'raises an error when the issuer is incorrect' do
@@ -159,6 +159,38 @@ RSpec.describe Gitlab::JwtAuthenticatable, feature_category: :system_access do
 
         expect { test_class.decode_jwt(encoded_message, issuer: 'test_issuer') }.to raise_error(JWT::DecodeError)
       end
+
+      it 'raises an error when the issuer is nil' do
+        payload['iss'] = nil
+        encoded_message = JWT.encode(payload, test_class.secret, 'HS256')
+
+        expect { test_class.decode_jwt(encoded_message, issuer: 'test_issuer') }.to raise_error(JWT::DecodeError)
+      end
+    end
+
+    context 'audience option' do
+      let(:payload) { { 'aud' => 'test_audience' } }
+
+      it 'returns decoded payload if audience is correct' do
+        encoded_message = JWT.encode(payload, test_class.secret, 'HS256')
+        decoded_payload = test_class.decode_jwt(encoded_message, audience: 'test_audience')
+
+        expect(decoded_payload[0]).to match a_hash_including('aud' => 'test_audience')
+      end
+
+      it 'raises an error when the audience is incorrect' do
+        payload['aud'] = 'somebody else'
+        encoded_message = JWT.encode(payload, test_class.secret, 'HS256')
+
+        expect { test_class.decode_jwt(encoded_message, audience: 'test_audience') }.to raise_error(JWT::DecodeError)
+      end
+
+      it 'raises an error when the audience is nil' do
+        payload['aud'] = nil
+        encoded_message = JWT.encode(payload, test_class.secret, 'HS256')
+
+        expect { test_class.decode_jwt(encoded_message, audience: 'test_audience') }.to raise_error(JWT::DecodeError)
+      end
     end
 
     context 'iat_after option' do
diff --git a/spec/lib/gitlab/kas_spec.rb b/spec/lib/gitlab/kas_spec.rb
index 34eb48a3221..1b42b031c42 100644
--- a/spec/lib/gitlab/kas_spec.rb
+++ b/spec/lib/gitlab/kas_spec.rb
@@ -10,20 +10,41 @@ RSpec.describe Gitlab::Kas do
   end
 
   describe '.verify_api_request' do
-    let(:payload) { { 'iss' => described_class::JWT_ISSUER } }
+    let(:payload) { { 'iss' => described_class::JWT_ISSUER, 'aud' => described_class::JWT_AUDIENCE } }
 
-    it 'returns nil if fails to validate the JWT' do
-      encoded_token = JWT.encode(payload, 'wrongsecret', 'HS256')
-      headers = { described_class::INTERNAL_API_REQUEST_HEADER => encoded_token }
+    context 'returns nil if fails to validate the JWT' do
+      it 'when secret is wrong' do
+        encoded_token = JWT.encode(payload, 'wrong secret', 'HS256')
+        headers = { described_class::INTERNAL_API_REQUEST_HEADER => encoded_token }
+
+        expect(described_class.verify_api_request(headers)).to be_nil
+      end
+
+      it 'when issuer is wrong' do
+        payload['iss'] = 'wrong issuer'
+        encoded_token = JWT.encode(payload, described_class.secret, 'HS256')
+        headers = { described_class::INTERNAL_API_REQUEST_HEADER => encoded_token }
 
-      expect(described_class.verify_api_request(headers)).to be_nil
+        expect(described_class.verify_api_request(headers)).to be_nil
+      end
+
+      it 'when audience is wrong' do
+        payload['aud'] = 'wrong audience'
+        encoded_token = JWT.encode(payload, described_class.secret, 'HS256')
+        headers = { described_class::INTERNAL_API_REQUEST_HEADER => encoded_token }
+
+        expect(described_class.verify_api_request(headers)).to be_nil
+      end
     end
 
     it 'returns the decoded JWT' do
       encoded_token = JWT.encode(payload, described_class.secret, 'HS256')
       headers = { described_class::INTERNAL_API_REQUEST_HEADER => encoded_token }
 
-      expect(described_class.verify_api_request(headers)).to eq([{ "iss" => described_class::JWT_ISSUER }, { "alg" => "HS256" }])
+      expect(described_class.verify_api_request(headers)).to eq([
+        { 'iss' => described_class::JWT_ISSUER, 'aud' => described_class::JWT_AUDIENCE },
+        { 'alg' => 'HS256' }
+      ])
     end
   end
author	GitLab Bot <gitlab-bot@gitlab.com>	2023-07-21 12:10:13 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2023-07-21 12:10:13 +0300
commit	c1cea595b6a9b4d85424e9afd2cb765101ee04bf (patch)
tree	b018f6244b8491815f70a7d32ee8087a0f37d1cd /spec/lib
parent	3aca7e52f313182275fea4576c2e0a30483dedb5 (diff)