blob: 671e51e3913530cf403768d742b560042703825b (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
|
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe TokenAuthenticatableStrategies::EncryptionHelper do
let(:encrypted_token) { described_class.encrypt_token('my-value-my-value-my-value') }
describe '.encrypt_token' do
context 'when dynamic_nonce feature flag is switched on' do
it 'adds nonce identifier on the beginning' do
expect(encrypted_token.first).to eq(described_class::DYNAMIC_NONCE_IDENTIFIER)
end
it 'adds nonce at the end' do
nonce = encrypted_token.last(described_class::NONCE_SIZE)
expect(nonce).to eq(::Digest::SHA256.hexdigest('my-value-my-value-my-value').bytes.take(described_class::NONCE_SIZE).pack('c*'))
end
it 'encrypts token' do
expect(encrypted_token[1...-described_class::NONCE_SIZE]).not_to eq('my-value-my-value-my-value')
end
end
context 'when dynamic_nonce feature flag is switched off' do
before do
stub_feature_flags(dynamic_nonce: false)
end
it 'does not add nonce identifier on the beginning' do
expect(encrypted_token.first).not_to eq(described_class::DYNAMIC_NONCE_IDENTIFIER)
end
it 'does not add nonce in the end' do
nonce = encrypted_token.last(described_class::NONCE_SIZE)
expect(nonce).not_to eq(::Digest::SHA256.hexdigest('my-value-my-value-my-value').bytes.take(described_class::NONCE_SIZE).pack('c*'))
end
it 'encrypts token with static iv' do
token = Gitlab::CryptoHelper.aes256_gcm_encrypt('my-value-my-value-my-value')
expect(encrypted_token).to eq(token)
end
end
end
describe '.decrypt_token' do
context 'with feature flag switched off' do
before do
stub_feature_flags(dynamic_nonce: false)
end
it 'decrypts token with static iv' do
encrypted_token = described_class.encrypt_token('my-value')
expect(described_class.decrypt_token(encrypted_token)).to eq('my-value')
end
it 'decrypts token if feature flag changed after encryption' do
encrypted_token = described_class.encrypt_token('my-value')
expect(encrypted_token).not_to eq('my-value')
stub_feature_flags(dynamic_nonce: true)
expect(described_class.decrypt_token(encrypted_token)).to eq('my-value')
end
it 'decrypts token with dynamic iv' do
iv = ::Digest::SHA256.hexdigest('my-value').bytes.take(described_class::NONCE_SIZE).pack('c*')
token = Gitlab::CryptoHelper.aes256_gcm_encrypt('my-value', nonce: iv)
encrypted_token = "#{described_class::DYNAMIC_NONCE_IDENTIFIER}#{token}#{iv}"
expect(described_class.decrypt_token(encrypted_token)).to eq('my-value')
end
end
context 'with feature flag switched on' do
before do
stub_feature_flags(dynamic_nonce: true)
end
it 'decrypts token with dynamic iv' do
encrypted_token = described_class.encrypt_token('my-value')
expect(described_class.decrypt_token(encrypted_token)).to eq('my-value')
end
it 'decrypts token if feature flag changed after encryption' do
encrypted_token = described_class.encrypt_token('my-value')
expect(encrypted_token).not_to eq('my-value')
stub_feature_flags(dynamic_nonce: false)
expect(described_class.decrypt_token(encrypted_token)).to eq('my-value')
end
end
end
end
|