diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-02-25 19:56:41 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-02-25 19:56:41 +0300 |
commit | 696bef428fae55095e3395bfe439c7ede67c5478 (patch) | |
tree | 263abbba97f1d05582a08dcd5de1f6461c0a5fab /spec | |
parent | cdc3d9991b0cca2d2243bdf452f61aae40d778cd (diff) |
Add latest changes from gitlab-org/security/gitlab@14-8-stable-ee
Diffstat (limited to 'spec')
-rw-r--r-- | spec/models/concerns/token_authenticatable_spec.rb | 103 | ||||
-rw-r--r-- | spec/models/concerns/token_authenticatable_strategies/encrypted_spec.rb | 45 | ||||
-rw-r--r-- | spec/models/group_spec.rb | 8 | ||||
-rw-r--r-- | spec/models/project_spec.rb | 12 | ||||
-rw-r--r-- | spec/support/shared_examples/models/runners_token_prefix_shared_examples.rb | 35 |
5 files changed, 201 insertions, 2 deletions
diff --git a/spec/models/concerns/token_authenticatable_spec.rb b/spec/models/concerns/token_authenticatable_spec.rb index 2e82a12a61a..8a9e0248ed3 100644 --- a/spec/models/concerns/token_authenticatable_spec.rb +++ b/spec/models/concerns/token_authenticatable_spec.rb @@ -428,3 +428,106 @@ RSpec.describe Ci::Runner, 'TokenAuthenticatable', :freeze_time do end end end + +RSpec.shared_examples 'prefixed token rotation' do + describe "ensure_runners_token" do + subject { instance.ensure_runners_token } + + context 'token is not set' do + it 'generates a new token' do + expect(subject).to match(/^#{instance.class::RUNNERS_TOKEN_PREFIX}/) + expect(instance).not_to be_persisted + end + end + + context 'token is set, but does not match the prefix' do + before do + instance.set_runners_token('abcdef') + end + + it 'generates a new token' do + expect(subject).to match(/^#{instance.class::RUNNERS_TOKEN_PREFIX}/) + expect(instance).not_to be_persisted + end + + context 'feature flag is disabled' do + before do + flag = "#{described_class.name.downcase.pluralize}_runners_token_prefix" + stub_feature_flags(flag => false) + end + + it 'leaves the token unchanged' do + expect { subject }.not_to change(instance, :runners_token) + expect(instance).not_to be_persisted + end + end + end + + context 'token is set and matches prefix' do + before do + instance.set_runners_token(instance.class::RUNNERS_TOKEN_PREFIX + '-abcdef') + end + + it 'leaves the token unchanged' do + expect { subject }.not_to change(instance, :runners_token) + expect(instance).not_to be_persisted + end + end + end + + describe 'ensure_runners_token!' do + subject { instance.ensure_runners_token! } + + context 'token is not set' do + it 'generates a new token' do + expect(subject).to match(/^#{instance.class::RUNNERS_TOKEN_PREFIX}/) + expect(instance).to be_persisted + end + end + + context 'token is set, but does not match the prefix' do + before do + instance.set_runners_token('abcdef') + end + + it 'generates a new token' do + expect(subject).to match(/^#{instance.class::RUNNERS_TOKEN_PREFIX}/) + expect(instance).to be_persisted + end + + context 'feature flag is disabled' do + before do + flag = "#{described_class.name.downcase.pluralize}_runners_token_prefix" + stub_feature_flags(flag => false) + end + + it 'leaves the token unchanged' do + expect { subject }.not_to change(instance, :runners_token) + end + end + end + + context 'token is set and matches prefix' do + before do + instance.set_runners_token(instance.class::RUNNERS_TOKEN_PREFIX + '-abcdef') + instance.save! + end + + it 'leaves the token unchanged' do + expect { subject }.not_to change(instance, :runners_token) + end + end + end +end + +RSpec.describe Project, 'TokenAuthenticatable' do + let(:instance) { build(:project, runners_token: nil) } + + it_behaves_like 'prefixed token rotation' +end + +RSpec.describe Group, 'TokenAuthenticatable' do + let(:instance) { build(:group, runners_token: nil) } + + it_behaves_like 'prefixed token rotation' +end diff --git a/spec/models/concerns/token_authenticatable_strategies/encrypted_spec.rb b/spec/models/concerns/token_authenticatable_strategies/encrypted_spec.rb index 1772fd0ff95..458dfb47394 100644 --- a/spec/models/concerns/token_authenticatable_strategies/encrypted_spec.rb +++ b/spec/models/concerns/token_authenticatable_strategies/encrypted_spec.rb @@ -32,6 +32,21 @@ RSpec.describe TokenAuthenticatableStrategies::Encrypted do expect(subject.find_token_authenticatable('my-value')) .to eq 'encrypted resource' end + + context 'when a prefix is required' do + let(:options) { { encrypted: :required, prefix: 'GR1348941' } } + + it 'finds the encrypted resource by cleartext' do + allow(model).to receive(:where) + .and_return(model) + allow(model).to receive(:find_by) + .with('some_field_encrypted' => [encrypted, encrypted_with_static_iv]) + .and_return('encrypted resource') + + expect(subject.find_token_authenticatable('my-value')) + .to be_nil + end + end end context 'when encryption is optional' do @@ -62,6 +77,21 @@ RSpec.describe TokenAuthenticatableStrategies::Encrypted do expect(subject.find_token_authenticatable('my-value')) .to eq 'plaintext resource' end + + context 'when a prefix is required' do + let(:options) { { encrypted: :optional, prefix: 'GR1348941' } } + + it 'finds the encrypted resource by cleartext' do + allow(model).to receive(:where) + .and_return(model) + allow(model).to receive(:find_by) + .with('some_field_encrypted' => [encrypted, encrypted_with_static_iv]) + .and_return('encrypted resource') + + expect(subject.find_token_authenticatable('my-value')) + .to be_nil + end + end end context 'when encryption is migrating' do @@ -88,6 +118,21 @@ RSpec.describe TokenAuthenticatableStrategies::Encrypted do expect(subject.find_token_authenticatable('my-value')) .to be_nil end + + context 'when a prefix is required' do + let(:options) { { encrypted: :migrating, prefix: 'GR1348941' } } + + it 'finds the encrypted resource by cleartext' do + allow(model).to receive(:where) + .and_return(model) + allow(model).to receive(:find_by) + .with('some_field' => 'my-value') + .and_return('cleartext resource') + + expect(subject.find_token_authenticatable('my-value')) + .to be_nil + end + end end end diff --git a/spec/models/group_spec.rb b/spec/models/group_spec.rb index 4bc4df02c24..db71fa4535d 100644 --- a/spec/models/group_spec.rb +++ b/spec/models/group_spec.rb @@ -3149,4 +3149,12 @@ RSpec.describe Group do it_behaves_like 'no effective expiration interval' end end + + describe '#runners_token' do + let_it_be(:group) { create(:group) } + + subject { group } + + it_behaves_like 'it has a prefixable runners_token', :groups_runners_token_prefix + end end diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb index c487c87db1c..14cc4dbbea8 100644 --- a/spec/models/project_spec.rb +++ b/spec/models/project_spec.rb @@ -782,8 +782,8 @@ RSpec.describe Project, factory_default: :keep do end it 'does not set an random token if one provided' do - project = FactoryBot.create(:project, runners_token: 'my-token') - expect(project.runners_token).to eq('my-token') + project = FactoryBot.create(:project, runners_token: "#{Project::RUNNERS_TOKEN_PREFIX}my-token") + expect(project.runners_token).to eq("#{Project::RUNNERS_TOKEN_PREFIX}my-token") end end @@ -7997,6 +7997,14 @@ RSpec.describe Project, factory_default: :keep do end end + describe '#runners_token' do + let_it_be(:project) { create(:project) } + + subject { project } + + it_behaves_like 'it has a prefixable runners_token', :projects_runners_token_prefix + end + private def finish_job(export_job) diff --git a/spec/support/shared_examples/models/runners_token_prefix_shared_examples.rb b/spec/support/shared_examples/models/runners_token_prefix_shared_examples.rb new file mode 100644 index 00000000000..bbce67ae7b9 --- /dev/null +++ b/spec/support/shared_examples/models/runners_token_prefix_shared_examples.rb @@ -0,0 +1,35 @@ +# frozen_string_literal: true + +RSpec.shared_examples 'it has a prefixable runners_token' do |feature_flag| + context 'feature flag enabled' do + before do + stub_feature_flags(feature_flag => [subject]) + end + + describe '#runners_token' do + it 'has a runners_token_prefix' do + expect(subject.runners_token_prefix).not_to be_empty + end + + it 'starts with the runners_token_prefix' do + expect(subject.runners_token).to start_with(subject.runners_token_prefix) + end + end + end + + context 'feature flag disabled' do + before do + stub_feature_flags(feature_flag => false) + end + + describe '#runners_token' do + it 'does not have a runners_token_prefix' do + expect(subject.runners_token_prefix).to be_empty + end + + it 'starts with the runners_token_prefix' do + expect(subject.runners_token).to start_with(subject.runners_token_prefix) + end + end + end +end |