Merge branch 'ce-to-ee-2018-11-13' into 'master'

CE upstream - 2018-11-13 09:21 UTC See merge request gitlab-org/gitlab-ee!8418

Merge branch 'ce-to-ee-2018-11-13' into 'master'
CE upstream - 2018-11-13 09:21 UTC See merge request gitlab-org/gitlab-ee!8418
fb7a068f · Sean McGivern · 7c4a0452 · 7b8351e2 · fb7a068f · fb7a068f
Commit fb7a068f authored Nov 13, 2018 by Sean McGivern
14 changed files
--- a/Gemfile
+++ b/Gemfile
@@ -354,7 +354,7 @@ group :development, :test do
  gem 'minitest', '~> 5.7.0'
  # Generate Fake data
-  gem 'ffaker', '~> 2.4'
+  gem 'ffaker', '~> 2.10'
  gem 'capybara', '~> 2.15'
  gem 'capybara-screenshot', '~> 1.0.0'
@@ -369,7 +369,7 @@ group :development, :test do
  gem 'rubocop-rspec', '~> 1.22.1'
  gem 'scss_lint', '~> 0.56.0', require: false
-  gem 'haml_lint', '~> 0.26.0', require: false
+  gem 'haml_lint', '~> 0.28.0', require: false
  gem 'simplecov', '~> 0.14.0', require: false
  gem 'bundler-audit', '~> 0.5.0', require: false

--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -226,7 +226,7 @@ GEM
      multi_json
    fast_blank (1.0.0)
    fast_gettext (1.6.0)
-    ffaker (2.4.0)
+    ffaker (2.10.0)
    ffi (1.9.25)
    flipper (0.13.0)
    flipper-active_record (0.13.0)
@@ -364,11 +364,11 @@ GEM
    haml (5.0.4)
      temple (>= 0.8.0)
      tilt
-    haml_lint (0.26.0)
+    haml_lint (0.28.0)
      haml (>= 4.0, < 5.1)
      rainbow
      rake (>= 10, < 13)
-      rubocop (>= 0.49.0)
+      rubocop (>= 0.50.0)
      sysexits (~> 1.1)
    hamlit (2.8.8)
      temple (>= 0.8.0)
@@ -1011,7 +1011,7 @@ DEPENDENCIES
  faraday (~> 0.12)
  faraday_middleware-aws-signers-v4
  fast_blank
-  ffaker (~> 2.4)
+  ffaker (~> 2.10)
  flipper (~> 0.13.0)
  flipper-active_record (~> 0.13.0)
  flipper-active_support_cache_store (~> 0.13.0)
@@ -1049,7 +1049,7 @@ DEPENDENCIES
  graphql (~> 1.8.0)
  grpc (~> 1.15.0)
  gssapi
-  haml_lint (~> 0.26.0)
+  haml_lint (~> 0.28.0)
  hamlit (~> 2.8.8)
  hangouts-chat (~> 0.0.5)
  hashie-forbidden_attributes

--- a/Gemfile.rails5.lock
+++ b/Gemfile.rails5.lock
@@ -229,7 +229,7 @@ GEM
      multi_json
    fast_blank (1.0.0)
    fast_gettext (1.6.0)
-    ffaker (2.4.0)
+    ffaker (2.10.0)
    ffi (1.9.25)
    flipper (0.13.0)
    flipper-active_record (0.13.0)
@@ -367,11 +367,11 @@ GEM
    haml (5.0.4)
      temple (>= 0.8.0)
      tilt
-    haml_lint (0.26.0)
+    haml_lint (0.28.0)
      haml (>= 4.0, < 5.1)
      rainbow
      rake (>= 10, < 13)
-      rubocop (>= 0.49.0)
+      rubocop (>= 0.50.0)
      sysexits (~> 1.1)
    hamlit (2.8.8)
      temple (>= 0.8.0)
@@ -1020,7 +1020,7 @@ DEPENDENCIES
  faraday (~> 0.12)
  faraday_middleware-aws-signers-v4
  fast_blank
-  ffaker (~> 2.4)
+  ffaker (~> 2.10)
  flipper (~> 0.13.0)
  flipper-active_record (~> 0.13.0)
  flipper-active_support_cache_store (~> 0.13.0)
@@ -1058,7 +1058,7 @@ DEPENDENCIES
  graphql (~> 1.8.0)
  grpc (~> 1.15.0)
  gssapi
-  haml_lint (~> 0.26.0)
+  haml_lint (~> 0.28.0)
  hamlit (~> 2.8.8)
  hangouts-chat (~> 0.0.5)
  hashie-forbidden_attributes

--- a/app/assets/javascripts/jobs/store/actions.js
+++ b/app/assets/javascripts/jobs/store/actions.js
@@ -80,8 +80,8 @@ export const fetchJob = ({ state, dispatch }) => {
 export const receiveJobSuccess = ({ commit }, data = {}) => {
  commit(types.RECEIVE_JOB_SUCCESS, data);
-  if (data.favicon) {
+  if (data.status && data.status.favicon) {
-    setFaviconOverlay(data.favicon);
+    setFaviconOverlay(data.status.favicon);
  } else {
    resetFavicon();
  }

--- a/changelogs/unreleased/53289-update-haml_lint-to-0-28-0.yml
+++ b/changelogs/unreleased/53289-update-haml_lint-to-0-28-0.yml
+---
+title: Update haml_lint to 0.28.0
+merge_request: 22660
+author: Takuya Noguchi
+type: other
--- a/changelogs/unreleased/53291-update-ffaker-to-2-10-0.yml
+++ b/changelogs/unreleased/53291-update-ffaker-to-2-10-0.yml
+---
+title: Update ffaker to 2.10.0
+merge_request: 22661
+author: Takuya Noguchi
+type: other
--- a/changelogs/unreleased/53888-missing-favicon.yml
+++ b/changelogs/unreleased/53888-missing-favicon.yml
+---
+title: Adds CI favicon back to jobs page
+merge_request:
+author:
+type: fixed
--- a/changelogs/unreleased/ashmckenzie-hmac-token-decode-and-tests.yml
+++ b/changelogs/unreleased/ashmckenzie-hmac-token-decode-and-tests.yml
+---
+title: Relocate JSONWebToken::HMACToken from EE
+merge_request: 22906
+author:
+type: changed
--- a/changelogs/unreleased/zj-remove-broken-storage.yml
+++ b/changelogs/unreleased/zj-remove-broken-storage.yml
+---
+title: Remove obsolete gitlab_shell rake tasks
+merge_request: 22417
+author:
+type: removed
--- a/ee/lib/json_web_token/hmac_token.rb
+++ b/ee/lib/json_web_token/hmac_token.rb
-module JSONWebToken
-  class HMACToken < Token
-    def initialize(secret)
-      super()
-      @secret = secret
-    end
-    def encoded
-      JWT.encode(payload, @secret, 'HS256')
-    end
-  end
-end
--- a/lib/json_web_token/hmac_token.rb
+++ b/lib/json_web_token/hmac_token.rb
+# frozen_string_literal: true
+require 'jwt'
+module JSONWebToken
+  class HMACToken < Token
+    IAT_LEEWAY = 60
+    JWT_ALGORITHM = 'HS256'
+    def initialize(secret)
+      super()
+      @secret = secret
+    end
+    def self.decode(token, secret, leeway: IAT_LEEWAY, verify_iat: true)
+      JWT.decode(token, secret, true, leeway: leeway, verify_iat: verify_iat, algorithm: JWT_ALGORITHM)
+    end
+    def encoded
+      JWT.encode(payload, secret, JWT_ALGORITHM)
+    end
+    private
+    attr_reader :secret
+  end
+end
--- a/lib/json_web_token/token.rb
+++ b/lib/json_web_token/token.rb
 # frozen_string_literal: true
+require 'securerandom'
 module JSONWebToken
  class Token
    attr_accessor :issuer, :subject, :audience, :id
    attr_accessor :issued_at, :not_before, :expire_time
+    DEFAULT_NOT_BEFORE_TIME = 5
+    DEFAULT_EXPIRE_TIME = 60
    def initialize
      @id = SecureRandom.uuid
      @issued_at = Time.now
      # we give a few seconds for time shift
-      @not_before = issued_at - 5.seconds
+      @not_before = issued_at - DEFAULT_NOT_BEFORE_TIME
      # default 60 seconds should be more than enough for this authentication token
-      @expire_time = issued_at + 1.minute
+      @expire_time = issued_at + DEFAULT_EXPIRE_TIME
      @custom_payload = {}
    end

--- a/lib/tasks/gitlab/check.rake
+++ b/lib/tasks/gitlab/check.rake
@@ -48,7 +48,6 @@ namespace :gitlab do
      start_checking "GitLab Shell"
      check_gitlab_shell
-      check_repos_hooks_directory_is_link
      check_gitlab_shell_self_test
      finished_checking "GitLab Shell"
@@ -57,42 +56,6 @@ namespace :gitlab do
    # Checks
    ########################
-    def check_repos_hooks_directory_is_link
-      print "hooks directories in repos are links: ... "
-      gitlab_shell_hooks_path = Gitlab.config.gitlab_shell.hooks_path
-      unless Project.count > 0
-        puts "can't check, you have no projects".color(:magenta)
-        return
-      end
-      puts ""
-      Project.find_each(batch_size: 100) do |project|
-        print sanitized_message(project)
-        project_hook_directory = File.join(project.repository.path_to_repo, "hooks")
-        if project.empty_repo?
-          puts "repository is empty".color(:magenta)
-        elsif File.directory?(project_hook_directory) && File.directory?(gitlab_shell_hooks_path) &&
-            (File.realpath(project_hook_directory) == File.realpath(gitlab_shell_hooks_path))
-          puts 'ok'.color(:green)
-        else
-          puts "wrong or missing hooks".color(:red)
-          try_fixing_it(
-            sudo_gitlab("#{File.join(gitlab_shell_path, 'bin/create-hooks')} #{repository_storage_paths_args.join(' ')}"),
-            'Check the hooks_path in config/gitlab.yml',
-            'Check your gitlab-shell installation'
-          )
-          for_more_information(
-            see_installation_guide_section "GitLab Shell"
-          )
-          fix_and_rerun
-        end
-      end
-    end
    def check_gitlab_shell_self_test
      gitlab_shell_repo_base = gitlab_shell_path
      check_cmd = File.expand_path('bin/check', gitlab_shell_repo_base)

--- a/spec/lib/json_web_token/hmac_token_spec.rb
+++ b/spec/lib/json_web_token/hmac_token_spec.rb
+# frozen_string_literal: true
+require 'json'
+require 'timecop'
+describe JSONWebToken::HMACToken do
+  let(:secret) { 'shh secret squirrel' }
+  shared_examples 'a valid, non-expired token' do
+    it 'is an Array with two elements' do
+      expect(decoded_token).to be_a(Array)
+      expect(decoded_token.count).to eq(2)
+    end
+    it 'contains the following keys in the first Array element Hash - jti, iat, nbf, exp' do
+      expect(decoded_token[0].keys).to include('jti', 'iat', 'nbf', 'exp')
+    end
+    it 'contains the following keys in the second Array element Hash - typ and alg' do
+      expect(decoded_token[1]['typ']).to eql('JWT')
+      expect(decoded_token[1]['alg']).to eql('HS256')
+    end
+  end
+  describe '.decode' do
+    let(:leeway) { described_class::IAT_LEEWAY }
+    let(:decoded_token) { described_class.decode(encoded_token, secret, leeway: leeway) }
+    context 'with an invalid token' do
+      context 'that is junk' do
+        let(:encoded_token) { 'junk' }
+        it "raises exception saying 'Not enough or too many segments'" do
+          expect { decoded_token }.to raise_error(JWT::DecodeError, 'Not enough or too many segments')
+        end
+      end
+      context 'that has been fiddled with' do
+        let(:encoded_token) do
+          described_class.new(secret).encoded.tap { |token| token[0] = 'E' }
+        end
+        it "raises exception saying 'Invalid segment encoding'" do
+          expect { decoded_token }.to raise_error(JWT::DecodeError, 'Invalid segment encoding')
+        end
+      end
+      context 'that was generated using a different secret' do
+        let(:encoded_token) { described_class.new('some other secret').encoded }
+        it "raises exception saying 'Signature verification raised" do
+          expect { decoded_token }.to raise_error(JWT::VerificationError, 'Signature verification raised')
+        end
+      end
+      context 'that is expired' do
+        # Needs the ! so Timecop.freeze() is effective
+        let!(:encoded_token) { described_class.new(secret).encoded }
+        it "raises exception saying 'Signature has expired'" do
+          # Needs to be 120 seconds, because the default expiry is 60 seconds
+          # with an additional 60 second leeway.
+          Timecop.freeze(Time.now + 120) do
+            expect { decoded_token }.to raise_error(JWT::ExpiredSignature, 'Signature has expired')
+          end
+        end
+      end
+    end
+    context 'with a valid token' do
+      let(:encoded_token) do
+        hmac_token = described_class.new(secret)
+        hmac_token.expire_time = Time.now + expire_time
+        hmac_token.encoded
+      end
+      context 'that has expired' do
+        let(:expire_time) { 0 }
+        context 'with the default leeway' do
+          Timecop.freeze(Time.now + 1) do
+            it_behaves_like 'a valid, non-expired token'
+          end
+        end
+        context 'with a leeway of 0 seconds' do
+          let(:leeway) { 0 }
+          it "raises exception saying 'Signature has expired'" do
+            Timecop.freeze(Time.now + 1) do
+              expect { decoded_token }.to raise_error(JWT::ExpiredSignature, 'Signature has expired')
+            end
+          end
+        end
+      end
+      context 'that has not expired' do
+        let(:expire_time) { described_class::DEFAULT_EXPIRE_TIME }
+        it_behaves_like 'a valid, non-expired token'
+      end
+    end
+  end
+  describe '#encoded' do
+    let(:decoded_token) { described_class.decode(encoded_token, secret) }
+    context 'without data' do
+      let(:encoded_token) { described_class.new(secret).encoded }
+      it_behaves_like 'a valid, non-expired token'
+    end
+    context 'with data' do
+      let(:data) { { secret_key: 'secret value' }.to_json }
+      let(:encoded_token) do
+        ec = described_class.new(secret)
+        ec[:data] = data
+        ec.encoded
+      end
+      it_behaves_like 'a valid, non-expired token'
+      it "contains the 'data' key in the first Array element Hash" do
+        expect(decoded_token[0]).to have_key('data')
+      end
+      it 'can re-read back the data' do
+        expect(decoded_token[0]['data']).to eql(data)
+      end
+    end
+  end
+end