Commit 06fd98fd authored by Toon Claes's avatar Toon Claes

More descriptive error when clocks between Geo nodes are out of sync

In case there is a large difference between the system clocks of
different Geo nodes (> 60 seconds) the JWToken won't be valid. Make
this error more descriptive so sysadmins can identify the problem.

Closes gitlab-org/gitlab-ee#4276
parent 6f999fc5
---
title: More descriptive error when clocks between Geo nodes are out of sync
merge_request: 3860
author:
type: changed
...@@ -40,6 +40,8 @@ module EE ...@@ -40,6 +40,8 @@ module EE
render_bad_geo_auth('Bad token') render_bad_geo_auth('Bad token')
rescue ::Gitlab::Geo::InvalidDecryptionKeyError rescue ::Gitlab::Geo::InvalidDecryptionKeyError
render_bad_geo_auth("Invalid decryption key") render_bad_geo_auth("Invalid decryption key")
rescue ::Gitlab::Geo::InvalidSignatureTimeError
render_bad_geo_auth("Invalid signature time ")
end end
def render_bad_geo_auth(message) def render_bad_geo_auth(message)
......
module Gitlab module Gitlab
module Geo module Geo
InvalidDecryptionKeyError = Class.new(StandardError) InvalidDecryptionKeyError = Class.new(StandardError)
InvalidSignatureTimeError = Class.new(StandardError)
class JwtRequestDecoder class JwtRequestDecoder
include LogHelpers include LogHelpers
...@@ -55,6 +56,10 @@ module Gitlab ...@@ -55,6 +56,10 @@ module Gitlab
data = JSON.parse(message['data']) if message data = JSON.parse(message['data']) if message
data&.deep_symbolize_keys! data&.deep_symbolize_keys!
data data
rescue JWT::ImmatureSignature, JWT::ExpiredSignature
message = "Signature not within leeway of #{IAT_LEEWAY} seconds. Check your system clocks!"
log_error(message)
raise InvalidSignatureTimeError.new(message)
rescue JWT::DecodeError => e rescue JWT::DecodeError => e
log_error("Error decoding Geo request: #{e}") log_error("Error decoding Geo request: #{e}")
return return
......
...@@ -49,7 +49,7 @@ module API ...@@ -49,7 +49,7 @@ module API
unless auth_header && Gitlab::Geo::JwtRequestDecoder.new(auth_header).decode unless auth_header && Gitlab::Geo::JwtRequestDecoder.new(auth_header).decode
unauthorized! unauthorized!
end end
rescue Gitlab::Geo::InvalidDecryptionKeyError => e rescue Gitlab::Geo::InvalidDecryptionKeyError, Gitlab::Geo::SignatureTimeInvalidError => e
render_api_error!(e.to_s, 401) render_api_error!(e.to_s, 401)
end end
end end
......
...@@ -33,16 +33,16 @@ describe Gitlab::Geo::JwtRequestDecoder do ...@@ -33,16 +33,16 @@ describe Gitlab::Geo::JwtRequestDecoder do
Timecop.travel(30.seconds.ago) { expect(subject.decode).to eq(data) } Timecop.travel(30.seconds.ago) { expect(subject.decode).to eq(data) }
end end
it 'fails to decode after expiring' do it 'raises InvalidSignatureTimeError after expiring' do
subject subject
Timecop.travel(2.minutes) { expect(subject.decode).to be_nil } Timecop.travel(2.minutes) { expect { subject.decode }.to raise_error(Gitlab::Geo::InvalidSignatureTimeError) }
end end
it 'fails to decode when clocks are not in sync' do it 'raises InvalidSignatureTimeError to decode when clocks are not in sync' do
subject subject
Timecop.travel(2.minutes.ago) { expect(subject.decode).to be_nil } Timecop.travel(2.minutes.ago) { expect { subject.decode }.to raise_error(Gitlab::Geo::InvalidSignatureTimeError) }
end end
it 'raises invalid decryption key error' do it 'raises invalid decryption key error' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment