diff options
Diffstat (limited to 'spec/models/concerns/token_authenticatable_strategies/encryption_helper_spec.rb')
| -rw-r--r-- | spec/models/concerns/token_authenticatable_strategies/encryption_helper_spec.rb | 94 |
1 files changed, 84 insertions, 10 deletions
diff --git a/spec/models/concerns/token_authenticatable_strategies/encryption_helper_spec.rb b/spec/models/concerns/token_authenticatable_strategies/encryption_helper_spec.rb index 6f322a32a3b..671e51e3913 100644 --- a/spec/models/concerns/token_authenticatable_strategies/encryption_helper_spec.rb +++ b/spec/models/concerns/token_authenticatable_strategies/encryption_helper_spec.rb @@ -3,25 +3,99 @@ require 'spec_helper' RSpec.describe TokenAuthenticatableStrategies::EncryptionHelper do - let(:encrypted_token) { described_class.encrypt_token('my-value') } + let(:encrypted_token) { described_class.encrypt_token('my-value-my-value-my-value') } describe '.encrypt_token' do - it 'encrypts token' do - expect(encrypted_token).not_to eq('my-value') + context 'when dynamic_nonce feature flag is switched on' do + it 'adds nonce identifier on the beginning' do + expect(encrypted_token.first).to eq(described_class::DYNAMIC_NONCE_IDENTIFIER) + end + + it 'adds nonce at the end' do + nonce = encrypted_token.last(described_class::NONCE_SIZE) + + expect(nonce).to eq(::Digest::SHA256.hexdigest('my-value-my-value-my-value').bytes.take(described_class::NONCE_SIZE).pack('c*')) + end + + it 'encrypts token' do + expect(encrypted_token[1...-described_class::NONCE_SIZE]).not_to eq('my-value-my-value-my-value') + end + end + + context 'when dynamic_nonce feature flag is switched off' do + before do + stub_feature_flags(dynamic_nonce: false) + end + + it 'does not add nonce identifier on the beginning' do + expect(encrypted_token.first).not_to eq(described_class::DYNAMIC_NONCE_IDENTIFIER) + end + + it 'does not add nonce in the end' do + nonce = encrypted_token.last(described_class::NONCE_SIZE) + + expect(nonce).not_to eq(::Digest::SHA256.hexdigest('my-value-my-value-my-value').bytes.take(described_class::NONCE_SIZE).pack('c*')) + end + + it 'encrypts token with static iv' do + token = Gitlab::CryptoHelper.aes256_gcm_encrypt('my-value-my-value-my-value') + + expect(encrypted_token).to eq(token) + end end end describe '.decrypt_token' do - it 'decrypts token with static iv' do - expect(described_class.decrypt_token(encrypted_token)).to eq('my-value') + context 'with feature flag switched off' do + before do + stub_feature_flags(dynamic_nonce: false) + end + + it 'decrypts token with static iv' do + encrypted_token = described_class.encrypt_token('my-value') + + expect(described_class.decrypt_token(encrypted_token)).to eq('my-value') + end + + it 'decrypts token if feature flag changed after encryption' do + encrypted_token = described_class.encrypt_token('my-value') + + expect(encrypted_token).not_to eq('my-value') + + stub_feature_flags(dynamic_nonce: true) + + expect(described_class.decrypt_token(encrypted_token)).to eq('my-value') + end + + it 'decrypts token with dynamic iv' do + iv = ::Digest::SHA256.hexdigest('my-value').bytes.take(described_class::NONCE_SIZE).pack('c*') + token = Gitlab::CryptoHelper.aes256_gcm_encrypt('my-value', nonce: iv) + encrypted_token = "#{described_class::DYNAMIC_NONCE_IDENTIFIER}#{token}#{iv}" + + expect(described_class.decrypt_token(encrypted_token)).to eq('my-value') + end end - it 'decrypts token with dynamic iv' do - iv = ::Digest::SHA256.hexdigest('my-value').bytes.take(described_class::NONCE_SIZE).pack('c*') - token = Gitlab::CryptoHelper.aes256_gcm_encrypt('my-value', nonce: iv) - encrypted_token = "#{described_class::DYNAMIC_NONCE_IDENTIFIER}#{token}#{iv}" + context 'with feature flag switched on' do + before do + stub_feature_flags(dynamic_nonce: true) + end + + it 'decrypts token with dynamic iv' do + encrypted_token = described_class.encrypt_token('my-value') + + expect(described_class.decrypt_token(encrypted_token)).to eq('my-value') + end + + it 'decrypts token if feature flag changed after encryption' do + encrypted_token = described_class.encrypt_token('my-value') + + expect(encrypted_token).not_to eq('my-value') + + stub_feature_flags(dynamic_nonce: false) - expect(described_class.decrypt_token(encrypted_token)).to eq('my-value') + expect(described_class.decrypt_token(encrypted_token)).to eq('my-value') + end end end end |