Commit 86ef86b5 authored by Thong Kuah's avatar Thong Kuah

Patch to use generate old CSRF tokens

This enables us to have a mix of old and new Rails while production
deploy is happening
parent f120d671
# frozen_string_literal: true
module Gitlab
module RequestForgeryProtectionPatch
private
# Patch to generate 6.0.3 tokens so that we do not have CSRF errors while
# rolling out 6.0.3.1. This enables GitLab to have a mix of 6.0.3 and
# 6.0.3.1 Rails servers
#
# 1. Deploy this patch with :global_csrf_token FF disabled.
# 2. Once all Rails servers are on 6.0.3.1, enable :global_csrf_token FF.
# 3. On GitLab 13.2, remove this patch
def masked_authenticity_token(session, form_options: {})
action, method = form_options.values_at(:action, :method)
raw_token = if per_form_csrf_tokens && action && method
action_path = normalize_action_path(action)
per_form_csrf_token(session, action_path, method)
else
if Feature.enabled?(:global_csrf_token)
global_csrf_token(session)
else
real_csrf_token(session)
end
end
mask_token(raw_token)
end
end
end
ActionController::Base.include Gitlab::RequestForgeryProtectionPatch
# frozen_string_literal: true
require 'spec_helper'
describe ActionController::Base, 'CSRF token generation patch', type: :controller do # rubocop:disable RSpec/FilePath
let(:fixed_seed) { SecureRandom.random_bytes(described_class::AUTHENTICITY_TOKEN_LENGTH) }
context 'global_csrf_token feature flag is enabled' do
it 'generates 6.0.3.1 style CSRF token', :aggregate_failures do
generated_token = controller.send(:form_authenticity_token)
expect(valid_authenticity_token?(generated_token)).to be_truthy
expect(compare_with_real_token(generated_token)).to be_falsey
expect(compare_with_global_token(generated_token)).to be_truthy
end
end
context 'global_csrf_token feature flag is disabled' do
before do
stub_feature_flags(global_csrf_token: false)
end
it 'generates 6.0.3 style CSRF token', :aggregate_failures do
generated_token = controller.send(:form_authenticity_token)
expect(valid_authenticity_token?(generated_token)).to be_truthy
expect(compare_with_real_token(generated_token)).to be_truthy
expect(compare_with_global_token(generated_token)).to be_falsey
end
end
def compare_with_global_token(token)
unmasked_token = controller.send :unmask_token, Base64.strict_decode64(token)
controller.send(:compare_with_global_token, unmasked_token, session)
end
def compare_with_real_token(token)
unmasked_token = controller.send :unmask_token, Base64.strict_decode64(token)
controller.send(:compare_with_real_token, unmasked_token, session)
end
def valid_authenticity_token?(token)
controller.send(:valid_authenticity_token?, session, token)
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment