Add latest changes from gitlab-org/gitlab@master

2 files changed, 146 insertions, 13 deletions

diff --git a/spec/lib/api/helpers_spec.rb b/spec/lib/api/helpers_spec.rb
index cd41d362d03..f25c75ef93c 100644
--- a/spec/lib/api/helpers_spec.rb
+++ b/spec/lib/api/helpers_spec.rb
@@ -865,4 +865,93 @@ RSpec.describe API::Helpers do
       helper.bad_request!('custom reason')
     end
   end
+
+  describe '#authenticate_by_gitlab_shell_token!' do
+    include GitlabShellHelpers
+
+    let(:valid_secret_token) { 'valid' }
+    let(:invalid_secret_token) { 'invalid' }
+    let(:headers) { {} }
+    let(:params) { {} }
+
+    shared_examples 'authorized' do
+      it 'authorized' do
+        expect(helper).not_to receive(:unauthorized!)
+
+        helper.authenticate_by_gitlab_shell_token!
+      end
+    end
+
+    shared_examples 'unauthorized' do
+      it 'unauthorized' do
+        expect(helper).to receive(:unauthorized!)
+
+        helper.authenticate_by_gitlab_shell_token!
+      end
+    end
+
+    before do
+      allow(Gitlab::Shell).to receive(:secret_token).and_return(valid_secret_token)
+      allow(helper).to receive_messages(params: params, headers: headers, secret_token: valid_secret_token)
+    end
+
+    context 'when jwt token is not provided' do
+      it_behaves_like 'unauthorized'
+    end
+
+    context 'when jwt token is invalid' do
+      let(:headers) { gitlab_shell_internal_api_request_header(secret_token: invalid_secret_token) }
+
+      it_behaves_like 'unauthorized'
+    end
+
+    context 'when jwt token issuer is invalid' do
+      let(:headers) { gitlab_shell_internal_api_request_header(issuer: 'gitlab-workhorse') }
+
+      it_behaves_like 'unauthorized'
+    end
+
+    context 'when jwt token is valid' do
+      let(:headers) { gitlab_shell_internal_api_request_header }
+
+      it_behaves_like 'authorized'
+    end
+
+    context 'when gitlab_shell_jwt_token is disabled' do
+      let(:valid_secret_token) { +'valid' } # mutable string to use chomp!
+      let(:invalid_secret_token) { +'invalid' } # mutable string to use chomp!
+
+      before do
+        stub_feature_flags(gitlab_shell_jwt_token: false)
+      end
+
+      context 'when shared secret is not provided' do
+        it_behaves_like 'unauthorized'
+      end
+
+      context 'when shared secret provided via params' do
+        let(:params) { { 'secret_token' => valid_secret_token } }
+
+        it_behaves_like 'authorized'
+
+        context 'but it is invalid' do
+          let(:params) { { 'secret_token' => invalid_secret_token } }
+
+          it_behaves_like 'unauthorized'
+        end
+      end
+
+      context 'when shared secret provided via headers' do
+        let(:headers) { { described_class::GITLAB_SHARED_SECRET_HEADER => Base64.encode64(valid_secret_token) } }
+
+        it_behaves_like 'authorized'
+
+        context 'but it is invalid' do
+          let(:headers) { { described_class::GITLAB_SHARED_SECRET_HEADER => Base64.encode64(invalid_secret_token) } }
+
+          it_behaves_like 'unauthorized'
+        end
+      end
+    end
+  end
 end
diff --git a/spec/lib/gitlab/diff/highlight_cache_spec.rb b/spec/lib/gitlab/diff/highlight_cache_spec.rb
index 1d1ffc8c275..67751144565 100644
--- a/spec/lib/gitlab/diff/highlight_cache_spec.rb
+++ b/spec/lib/gitlab/diff/highlight_cache_spec.rb
@@ -109,23 +109,67 @@ RSpec.describe Gitlab::Diff::HighlightCache, :clean_gitlab_redis_cache do
   end
 
   shared_examples 'caches missing entries' do
-    it 'filters the key/value list of entries to be caches for each invocation' do
-      expect(cache).to receive(:write_to_redis_hash)
-        .with(hash_including(*paths))
-        .once
-        .and_call_original
-
-      Gitlab::Redis::Cache.with do |redis|
-        expect(redis).to receive(:expire).with(cache.key, described_class::EXPIRATION)
+    where(:expiration_period, :renewable_expiration_ff, :short_renewable_expiration_ff) do
+      [
+        [1.day, false, true],
+        [1.day, false, false],
+        [1.hour, true, true],
+        [8.hours, true, false]
+      ]
+    end
+
+    with_them do
+      before do
+        stub_feature_flags(
+          highlight_diffs_renewable_expiration: renewable_expiration_ff,
+          highlight_diffs_short_renewable_expiration: short_renewable_expiration_ff
+        )
       end
 
-      2.times { cache.write_if_empty }
-    end
+      it 'filters the key/value list of entries to be caches for each invocation' do
+        expect(cache).to receive(:write_to_redis_hash)
+          .with(hash_including(*paths))
+          .once
+          .and_call_original
 
-    it 'reads from cache once' do
-      expect(cache).to receive(:read_cache).once.and_call_original
+        Gitlab::Redis::Cache.with do |redis|
+          expect(redis).to receive(:expire).with(cache.key, expiration_period).at_least(:once)
+        end
 
-      cache.write_if_empty
+        2.times { cache.write_if_empty }
+      end
+
+      it 'reads from cache once' do
+        expect(cache).to receive(:read_cache).once.and_call_original
+
+        Gitlab::Redis::Cache.with do |redis|
+          expect(redis).to receive(:expire).with(cache.key, expiration_period).at_least(:once)
+        end
+
+        cache.write_if_empty
+      end
+
+      it 'refreshes TTL of the key on read' do
+        cache.write_if_empty
+
+        time_until_expire = 30.minutes
+
+        Gitlab::Redis::Cache.with do |redis|
+          # Emulate that a key is going to expire soon
+          redis.expire(cache.key, time_until_expire)
+
+          expect(redis.ttl(cache.key)).to be <= time_until_expire
+
+          cache.send(:read_cache)
+
+          if renewable_expiration_ff
+            expect(redis.ttl(cache.key)).to be > time_until_expire
+            expect(redis.ttl(cache.key)).to be_within(1.minute).of(expiration_period)
+          else
+            expect(redis.ttl(cache.key)).to be <= time_until_expire
+          end
+        end
+      end
     end
   end