Add latest changes from gitlab-org/security/gitlab@14-8-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2022-02-25 19:56:41 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2022-02-25 19:56:41 +0300
commit: 696bef428fae55095e3395bfe439c7ede67c5478 (patch)
tree: 263abbba97f1d05582a08dcd5de1f6461c0a5fab /spec
parent: cdc3d9991b0cca2d2243bdf452f61aae40d778cd (diff)
5 files changed, 201 insertions, 2 deletions
diff --git a/spec/models/concerns/token_authenticatable_spec.rb b/spec/models/concerns/token_authenticatable_spec.rb
index 2e82a12a61a..8a9e0248ed3 100644
--- a/spec/models/concerns/token_authenticatable_spec.rb
+++ b/spec/models/concerns/token_authenticatable_spec.rb
@@ -428,3 +428,106 @@ RSpec.describe Ci::Runner, 'TokenAuthenticatable', :freeze_time do
     end
   end
 end
+
+RSpec.shared_examples 'prefixed token rotation' do
+  describe "ensure_runners_token" do
+    subject { instance.ensure_runners_token }
+
+    context 'token is not set' do
+      it 'generates a new token' do
+        expect(subject).to match(/^#{instance.class::RUNNERS_TOKEN_PREFIX}/)
+        expect(instance).not_to be_persisted
+      end
+    end
+
+    context 'token is set, but does not match the prefix' do
+      before do
+        instance.set_runners_token('abcdef')
+      end
+
+      it 'generates a new token' do
+        expect(subject).to match(/^#{instance.class::RUNNERS_TOKEN_PREFIX}/)
+        expect(instance).not_to be_persisted
+      end
+
+      context 'feature flag is disabled' do
+        before do
+          flag = "#{described_class.name.downcase.pluralize}_runners_token_prefix"
+          stub_feature_flags(flag => false)
+        end
+
+        it 'leaves the token unchanged' do
+          expect { subject }.not_to change(instance, :runners_token)
+          expect(instance).not_to be_persisted
+        end
+      end
+    end
+
+    context 'token is set and matches prefix' do
+      before do
+        instance.set_runners_token(instance.class::RUNNERS_TOKEN_PREFIX + '-abcdef')
+      end
+
+      it 'leaves the token unchanged' do
+        expect { subject }.not_to change(instance, :runners_token)
+        expect(instance).not_to be_persisted
+      end
+    end
+  end
+
+  describe 'ensure_runners_token!' do
+    subject { instance.ensure_runners_token! }
+
+    context 'token is not set' do
+      it 'generates a new token' do
+        expect(subject).to match(/^#{instance.class::RUNNERS_TOKEN_PREFIX}/)
+        expect(instance).to be_persisted
+      end
+    end
+
+    context 'token is set, but does not match the prefix' do
+      before do
+        instance.set_runners_token('abcdef')
+      end
+
+      it 'generates a new token' do
+        expect(subject).to match(/^#{instance.class::RUNNERS_TOKEN_PREFIX}/)
+        expect(instance).to be_persisted
+      end
+
+      context 'feature flag is disabled' do
+        before do
+          flag = "#{described_class.name.downcase.pluralize}_runners_token_prefix"
+          stub_feature_flags(flag => false)
+        end
+
+        it 'leaves the token unchanged' do
+          expect { subject }.not_to change(instance, :runners_token)
+        end
+      end
+    end
+
+    context 'token is set and matches prefix' do
+      before do
+        instance.set_runners_token(instance.class::RUNNERS_TOKEN_PREFIX + '-abcdef')
+        instance.save!
+      end
+
+      it 'leaves the token unchanged' do
+        expect { subject }.not_to change(instance, :runners_token)
+      end
+    end
+  end
+end
+
+RSpec.describe Project, 'TokenAuthenticatable' do
+  let(:instance) { build(:project, runners_token: nil) }
+
+  it_behaves_like 'prefixed token rotation'
+end
+
+RSpec.describe Group, 'TokenAuthenticatable' do
+  let(:instance) { build(:group, runners_token: nil) }
+
+  it_behaves_like 'prefixed token rotation'
+end
diff --git a/spec/models/concerns/token_authenticatable_strategies/encrypted_spec.rb b/spec/models/concerns/token_authenticatable_strategies/encrypted_spec.rb
index 1772fd0ff95..458dfb47394 100644
--- a/spec/models/concerns/token_authenticatable_strategies/encrypted_spec.rb
+++ b/spec/models/concerns/token_authenticatable_strategies/encrypted_spec.rb
@@ -32,6 +32,21 @@ RSpec.describe TokenAuthenticatableStrategies::Encrypted do
         expect(subject.find_token_authenticatable('my-value'))
           .to eq 'encrypted resource'
       end
+
+      context 'when a prefix is required' do
+        let(:options) { { encrypted: :required, prefix: 'GR1348941' } }
+
+        it 'finds the encrypted resource by cleartext' do
+          allow(model).to receive(:where)
+            .and_return(model)
+          allow(model).to receive(:find_by)
+            .with('some_field_encrypted' => [encrypted, encrypted_with_static_iv])
+            .and_return('encrypted resource')
+
+          expect(subject.find_token_authenticatable('my-value'))
+            .to be_nil
+        end
+      end
     end
 
     context 'when encryption is optional' do
@@ -62,6 +77,21 @@ RSpec.describe TokenAuthenticatableStrategies::Encrypted do
         expect(subject.find_token_authenticatable('my-value'))
           .to eq 'plaintext resource'
       end
+
+      context 'when a prefix is required' do
+        let(:options) { { encrypted: :optional, prefix: 'GR1348941' } }
+
+        it 'finds the encrypted resource by cleartext' do
+          allow(model).to receive(:where)
+            .and_return(model)
+          allow(model).to receive(:find_by)
+            .with('some_field_encrypted' => [encrypted, encrypted_with_static_iv])
+            .and_return('encrypted resource')
+
+          expect(subject.find_token_authenticatable('my-value'))
+            .to be_nil
+        end
+      end
     end
 
     context 'when encryption is migrating' do
@@ -88,6 +118,21 @@ RSpec.describe TokenAuthenticatableStrategies::Encrypted do
         expect(subject.find_token_authenticatable('my-value'))
           .to be_nil
       end
+
+      context 'when a prefix is required' do
+        let(:options) { { encrypted: :migrating, prefix: 'GR1348941' } }
+
+        it 'finds the encrypted resource by cleartext' do
+          allow(model).to receive(:where)
+            .and_return(model)
+          allow(model).to receive(:find_by)
+            .with('some_field' => 'my-value')
+            .and_return('cleartext resource')
+
+          expect(subject.find_token_authenticatable('my-value'))
+            .to be_nil
+        end
+      end
     end
   end
 
diff --git a/spec/models/group_spec.rb b/spec/models/group_spec.rb
index 4bc4df02c24..db71fa4535d 100644
--- a/spec/models/group_spec.rb
+++ b/spec/models/group_spec.rb
@@ -3149,4 +3149,12 @@ RSpec.describe Group do
       it_behaves_like 'no effective expiration interval'
     end
   end
+
+  describe '#runners_token' do
+    let_it_be(:group) { create(:group) }
+
+    subject { group }
+
+    it_behaves_like 'it has a prefixable runners_token', :groups_runners_token_prefix
+  end
 end
diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb
index c487c87db1c..14cc4dbbea8 100644
--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -782,8 +782,8 @@ RSpec.describe Project, factory_default: :keep do
     end
 
     it 'does not set an random token if one provided' do
-      project = FactoryBot.create(:project, runners_token: 'my-token')
-      expect(project.runners_token).to eq('my-token')
+      project = FactoryBot.create(:project, runners_token: "#{Project::RUNNERS_TOKEN_PREFIX}my-token")
+      expect(project.runners_token).to eq("#{Project::RUNNERS_TOKEN_PREFIX}my-token")
     end
   end
 
@@ -7997,6 +7997,14 @@ RSpec.describe Project, factory_default: :keep do
     end
   end
 
+  describe '#runners_token' do
+    let_it_be(:project) { create(:project) }
+
+    subject { project }
+
+    it_behaves_like 'it has a prefixable runners_token', :projects_runners_token_prefix
+  end
+
   private
 
   def finish_job(export_job)
diff --git a/spec/support/shared_examples/models/runners_token_prefix_shared_examples.rb b/spec/support/shared_examples/models/runners_token_prefix_shared_examples.rb
new file mode 100644
index 00000000000..bbce67ae7b9
--- /dev/null
+++ b/spec/support/shared_examples/models/runners_token_prefix_shared_examples.rb
@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+RSpec.shared_examples 'it has a prefixable runners_token' do |feature_flag|
+  context 'feature flag enabled' do
+    before do
+      stub_feature_flags(feature_flag => [subject])
+    end
+
+    describe '#runners_token' do
+      it 'has a runners_token_prefix' do
+        expect(subject.runners_token_prefix).not_to be_empty
+      end
+
+      it 'starts with the runners_token_prefix' do
+        expect(subject.runners_token).to start_with(subject.runners_token_prefix)
+      end
+    end
+  end
+
+  context 'feature flag disabled' do
+    before do
+      stub_feature_flags(feature_flag => false)
+    end
+
+    describe '#runners_token' do
+      it 'does not have a runners_token_prefix' do
+        expect(subject.runners_token_prefix).to be_empty
+      end
+
+      it 'starts with the runners_token_prefix' do
+        expect(subject.runners_token).to start_with(subject.runners_token_prefix)
+      end
+    end
+  end
+end
author	GitLab Bot <gitlab-bot@gitlab.com>	2022-02-25 19:56:41 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2022-02-25 19:56:41 +0300
commit	696bef428fae55095e3395bfe439c7ede67c5478 (patch)
tree	263abbba97f1d05582a08dcd5de1f6461c0a5fab /spec
parent	cdc3d9991b0cca2d2243bdf452f61aae40d778cd (diff)