Commit d55e091e authored by Stan Hu's avatar Stan Hu Committed by Michael Kozono

Merge branch '3787-expire-geo-jwts' into 'security-10-1-ee'

Include standard JWT claims in Geo JWTs [10.1]

See merge request gitlab/gitlab-ee!554

(cherry picked from commit 676a194bf27facbb431abf6e9fa57ea6ad29af42)

f2e5dee8 Include standard JWT claims in Geo JWTs
parent fef0f650
...@@ -26,10 +26,10 @@ module Gitlab ...@@ -26,10 +26,10 @@ module Gitlab
geo_node = requesting_node geo_node = requesting_node
raise GeoNodeNotFoundError unless geo_node raise GeoNodeNotFoundError unless geo_node
payload = { data: message.to_json, iat: Time.now.to_i } token = JSONWebToken::HMACToken.new(geo_node.secret_access_key)
token = JWT.encode(payload, geo_node.secret_access_key, 'HS256') token[:data] = message.to_json
"#{GITLAB_GEO_AUTH_TOKEN_TYPE} #{geo_node.access_key}:#{token}" "#{GITLAB_GEO_AUTH_TOKEN_TYPE} #{geo_node.access_key}:#{token.encoded}"
end end
def requesting_node def requesting_node
......
module JSONWebToken
class HMACToken < Token
def initialize(secret)
super()
@secret = secret
end
def encoded
JWT.encode(payload, @secret, 'HS256')
end
end
end
...@@ -33,7 +33,13 @@ describe Gitlab::Geo::JwtRequestDecoder do ...@@ -33,7 +33,13 @@ describe Gitlab::Geo::JwtRequestDecoder do
Timecop.travel(30.seconds.ago) { expect(subject.decode).to eq(data) } Timecop.travel(30.seconds.ago) { expect(subject.decode).to eq(data) }
end end
it 'returns nil when clocks are not in sync' do it 'fails to decode after expiring' do
subject
Timecop.travel(2.minutes) { expect(subject.decode).to be_nil }
end
it 'fails to decode when clocks are not in sync' do
subject subject
Timecop.travel(2.minutes.ago) { expect(subject.decode).to be_nil } Timecop.travel(2.minutes.ago) { expect(subject.decode).to be_nil }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment