Fix HTTP status code for agent tokens that are invalid or missing

ccb6b0fc · Thong Kuah · a853e5ad · ccb6b0fc · ccb6b0fc · ccb6b0fc
Commit ccb6b0fc authored Mar 30, 2021 by Thong Kuah
3 changed files
--- a/ee/spec/requests/api/internal/kubernetes_spec.rb
+++ b/ee/spec/requests/api/internal/kubernetes_spec.rb
@@ -38,16 +38,16 @@ RSpec.describe API::Internal::Kubernetes do
  end

  shared_examples 'agent authentication' do
-    it 'returns 403 if Authorization header not sent' do
+    it 'returns 401 if Authorization header not sent' do
      send_request

-      expect(response).to have_gitlab_http_status(:forbidden)
+      expect(response).to have_gitlab_http_status(:unauthorized)
    end

-    it 'returns 403 if Authorization is for non-existent agent' do
+    it 'returns 401 if Authorization is for non-existent agent' do
      send_request(headers: { 'Authorization' => 'Bearer NONEXISTENT' })

-      expect(response).to have_gitlab_http_status(:forbidden)
+      expect(response).to have_gitlab_http_status(:unauthorized)
    end
  end


--- a/lib/api/internal/kubernetes.rb
+++ b/lib/api/internal/kubernetes.rb
@@ -13,7 +13,7 @@ module API

      helpers do
        def authenticate_gitlab_kas_request!
-          unauthorized! unless Gitlab::Kas.verify_api_request(headers)
+          render_api_error!('KAS JWT authentication invalid', 401) unless Gitlab::Kas.verify_api_request(headers)
        end

        def agent_token
@@ -51,7 +51,7 @@ module API
        end

        def check_agent_token
-          forbidden! unless agent_token
+          unauthorized! unless agent_token

          forbidden! unless Gitlab::Kas.included_in_gitlab_com_rollout?(agent.project)


--- a/spec/requests/api/internal/kubernetes_spec.rb
+++ b/spec/requests/api/internal/kubernetes_spec.rb
@@ -38,16 +38,16 @@ RSpec.describe API::Internal::Kubernetes do
  end

  shared_examples 'agent authentication' do
-    it 'returns 403 if Authorization header not sent' do
+    it 'returns 401 if Authorization header not sent' do
      send_request

-      expect(response).to have_gitlab_http_status(:forbidden)
+      expect(response).to have_gitlab_http_status(:unauthorized)
    end

-    it 'returns 403 if Authorization is for non-existent agent' do
+    it 'returns 401 if Authorization is for non-existent agent' do
      send_request(headers: { 'Authorization' => 'Bearer NONEXISTENT' })

-      expect(response).to have_gitlab_http_status(:forbidden)
+      expect(response).to have_gitlab_http_status(:unauthorized)
    end
  end