diff options
Diffstat (limited to 'spec/lib/integrations/google_cloud_platform/jwt_spec.rb')
-rw-r--r-- | spec/lib/integrations/google_cloud_platform/jwt_spec.rb | 86 |
1 files changed, 86 insertions, 0 deletions
diff --git a/spec/lib/integrations/google_cloud_platform/jwt_spec.rb b/spec/lib/integrations/google_cloud_platform/jwt_spec.rb new file mode 100644 index 00000000000..51707c26a3a --- /dev/null +++ b/spec/lib/integrations/google_cloud_platform/jwt_spec.rb @@ -0,0 +1,86 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe Integrations::GoogleCloudPlatform::Jwt, feature_category: :shared do + let_it_be(:project) { create(:project) } + let_it_be(:user) { create(:user) } + + let(:claims) { { audience: 'http://sandbox.test', wlif: 'http://wlif.test' } } + let(:jwt) { described_class.new(project: project, user: user, claims: claims) } + + describe '#encoded' do + let_it_be(:rsa_key) { OpenSSL::PKey::RSA.generate(3072) } + let_it_be(:rsa_key_data) { rsa_key.to_s } + + subject(:encoded) { jwt.encoded } + + before do + stub_application_setting(ci_jwt_signing_key: rsa_key_data) + end + + it 'creates a valid jwt' do + payload, headers = JWT.decode(encoded, rsa_key.public_key, true, { algorithm: 'RS256' }) + + expect(payload).to include( + 'root_namespace_path' => project.root_namespace.full_path, + 'root_namespace_id' => project.root_namespace.id.to_s, + 'wlif' => claims[:wlif], + 'aud' => claims[:audience], + 'project_id' => project.id.to_s, + 'project_path' => project.full_path, + 'user_id' => user.id.to_s, + 'user_email' => user.email, + 'sub' => "project_#{project.id}_user_#{user.id}", + 'iss' => Gitlab.config.gitlab.url + ) + + expect(headers).to include( + 'kid' => rsa_key.public_key.to_jwk[:kid] + ) + end + + context 'with missing jwt audience' do + let(:claims) { { wlif: 'http://wlif.test' } } + + it 'raises an ArgumentError' do + expect { encoded }.to raise_error(ArgumentError, described_class::JWT_OPTIONS_ERROR) + end + end + + context 'with missing jwt wlif' do + let(:claims) { { audience: 'http://sandbox.test' } } + + it 'raises an ArgumentError' do + expect { encoded }.to raise_error(ArgumentError, described_class::JWT_OPTIONS_ERROR) + end + end + + context 'with no ci signing key' do + before do + stub_application_setting(ci_jwt_signing_key: nil) + end + + it 'raises a NoSigningKeyError' do + expect { encoded }.to raise_error(described_class::NoSigningKeyError) + end + end + + context 'with oidc_issuer_url feature flag disabled' do + before do + stub_feature_flags(oidc_issuer_url: false) + # Settings.gitlab.base_url and Gitlab.config.gitlab.url are the + # same for test. Changing that to assert the proper behavior here. + allow(Settings.gitlab).to receive(:base_url).and_return('test.dev') + end + + it 'uses a different issuer' do + payload, _ = JWT.decode(encoded, rsa_key.public_key, true, { algorithm: 'RS256' }) + + expect(payload).to include( + 'iss' => Settings.gitlab.base_url + ) + end + end + end +end |