Merge branch 'ashmckenzie/hmac-token-decode-and-tests' into 'master'
Relocate JSONWebToken::HMACToken from EE See merge request gitlab-org/gitlab-ce!22906
This commit is contained in:
commit
1239701822
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
title: Relocate JSONWebToken::HMACToken from EE
|
||||
merge_request: 22906
|
||||
author:
|
||||
type: changed
|
|
@ -0,0 +1,28 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
require 'jwt'
|
||||
|
||||
module JSONWebToken
|
||||
class HMACToken < Token
|
||||
IAT_LEEWAY = 60
|
||||
JWT_ALGORITHM = 'HS256'
|
||||
|
||||
def initialize(secret)
|
||||
super()
|
||||
|
||||
@secret = secret
|
||||
end
|
||||
|
||||
def self.decode(token, secret, leeway: IAT_LEEWAY, verify_iat: true)
|
||||
JWT.decode(token, secret, true, leeway: leeway, verify_iat: verify_iat, algorithm: JWT_ALGORITHM)
|
||||
end
|
||||
|
||||
def encoded
|
||||
JWT.encode(payload, secret, JWT_ALGORITHM)
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
attr_reader :secret
|
||||
end
|
||||
end
|
|
@ -1,17 +1,22 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
require 'securerandom'
|
||||
|
||||
module JSONWebToken
|
||||
class Token
|
||||
attr_accessor :issuer, :subject, :audience, :id
|
||||
attr_accessor :issued_at, :not_before, :expire_time
|
||||
|
||||
DEFAULT_NOT_BEFORE_TIME = 5
|
||||
DEFAULT_EXPIRE_TIME = 60
|
||||
|
||||
def initialize
|
||||
@id = SecureRandom.uuid
|
||||
@issued_at = Time.now
|
||||
# we give a few seconds for time shift
|
||||
@not_before = issued_at - 5.seconds
|
||||
@not_before = issued_at - DEFAULT_NOT_BEFORE_TIME
|
||||
# default 60 seconds should be more than enough for this authentication token
|
||||
@expire_time = issued_at + 1.minute
|
||||
@expire_time = issued_at + DEFAULT_EXPIRE_TIME
|
||||
@custom_payload = {}
|
||||
end
|
||||
|
||||
|
|
|
@ -0,0 +1,133 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
require 'json'
|
||||
require 'timecop'
|
||||
|
||||
describe JSONWebToken::HMACToken do
|
||||
let(:secret) { 'shh secret squirrel' }
|
||||
|
||||
shared_examples 'a valid, non-expired token' do
|
||||
it 'is an Array with two elements' do
|
||||
expect(decoded_token).to be_a(Array)
|
||||
expect(decoded_token.count).to eq(2)
|
||||
end
|
||||
|
||||
it 'contains the following keys in the first Array element Hash - jti, iat, nbf, exp' do
|
||||
expect(decoded_token[0].keys).to include('jti', 'iat', 'nbf', 'exp')
|
||||
end
|
||||
|
||||
it 'contains the following keys in the second Array element Hash - typ and alg' do
|
||||
expect(decoded_token[1]['typ']).to eql('JWT')
|
||||
expect(decoded_token[1]['alg']).to eql('HS256')
|
||||
end
|
||||
end
|
||||
|
||||
describe '.decode' do
|
||||
let(:leeway) { described_class::IAT_LEEWAY }
|
||||
let(:decoded_token) { described_class.decode(encoded_token, secret, leeway: leeway) }
|
||||
|
||||
context 'with an invalid token' do
|
||||
context 'that is junk' do
|
||||
let(:encoded_token) { 'junk' }
|
||||
|
||||
it "raises exception saying 'Not enough or too many segments'" do
|
||||
expect { decoded_token }.to raise_error(JWT::DecodeError, 'Not enough or too many segments')
|
||||
end
|
||||
end
|
||||
|
||||
context 'that has been fiddled with' do
|
||||
let(:encoded_token) do
|
||||
described_class.new(secret).encoded.tap { |token| token[0] = 'E' }
|
||||
end
|
||||
|
||||
it "raises exception saying 'Invalid segment encoding'" do
|
||||
expect { decoded_token }.to raise_error(JWT::DecodeError, 'Invalid segment encoding')
|
||||
end
|
||||
end
|
||||
|
||||
context 'that was generated using a different secret' do
|
||||
let(:encoded_token) { described_class.new('some other secret').encoded }
|
||||
|
||||
it "raises exception saying 'Signature verification raised" do
|
||||
expect { decoded_token }.to raise_error(JWT::VerificationError, 'Signature verification raised')
|
||||
end
|
||||
end
|
||||
|
||||
context 'that is expired' do
|
||||
# Needs the ! so Timecop.freeze() is effective
|
||||
let!(:encoded_token) { described_class.new(secret).encoded }
|
||||
|
||||
it "raises exception saying 'Signature has expired'" do
|
||||
# Needs to be 120 seconds, because the default expiry is 60 seconds
|
||||
# with an additional 60 second leeway.
|
||||
Timecop.freeze(Time.now + 120) do
|
||||
expect { decoded_token }.to raise_error(JWT::ExpiredSignature, 'Signature has expired')
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context 'with a valid token' do
|
||||
let(:encoded_token) do
|
||||
hmac_token = described_class.new(secret)
|
||||
hmac_token.expire_time = Time.now + expire_time
|
||||
hmac_token.encoded
|
||||
end
|
||||
|
||||
context 'that has expired' do
|
||||
let(:expire_time) { 0 }
|
||||
|
||||
context 'with the default leeway' do
|
||||
Timecop.freeze(Time.now + 1) do
|
||||
it_behaves_like 'a valid, non-expired token'
|
||||
end
|
||||
end
|
||||
|
||||
context 'with a leeway of 0 seconds' do
|
||||
let(:leeway) { 0 }
|
||||
|
||||
it "raises exception saying 'Signature has expired'" do
|
||||
Timecop.freeze(Time.now + 1) do
|
||||
expect { decoded_token }.to raise_error(JWT::ExpiredSignature, 'Signature has expired')
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context 'that has not expired' do
|
||||
let(:expire_time) { described_class::DEFAULT_EXPIRE_TIME }
|
||||
|
||||
it_behaves_like 'a valid, non-expired token'
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe '#encoded' do
|
||||
let(:decoded_token) { described_class.decode(encoded_token, secret) }
|
||||
|
||||
context 'without data' do
|
||||
let(:encoded_token) { described_class.new(secret).encoded }
|
||||
|
||||
it_behaves_like 'a valid, non-expired token'
|
||||
end
|
||||
|
||||
context 'with data' do
|
||||
let(:data) { { secret_key: 'secret value' }.to_json }
|
||||
let(:encoded_token) do
|
||||
ec = described_class.new(secret)
|
||||
ec[:data] = data
|
||||
ec.encoded
|
||||
end
|
||||
|
||||
it_behaves_like 'a valid, non-expired token'
|
||||
|
||||
it "contains the 'data' key in the first Array element Hash" do
|
||||
expect(decoded_token[0]).to have_key('data')
|
||||
end
|
||||
|
||||
it 'can re-read back the data' do
|
||||
expect(decoded_token[0]['data']).to eql(data)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue