102 lines
3.3 KiB
Ruby
102 lines
3.3 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
require 'spec_helper'
|
|
|
|
RSpec.describe TokenAuthenticatableStrategies::EncryptionHelper do
|
|
let(:encrypted_token) { described_class.encrypt_token('my-value-my-value-my-value') }
|
|
|
|
describe '.encrypt_token' do
|
|
context 'when dynamic_nonce feature flag is switched on' do
|
|
it 'adds nonce identifier on the beginning' do
|
|
expect(encrypted_token.first).to eq(described_class::DYNAMIC_NONCE_IDENTIFIER)
|
|
end
|
|
|
|
it 'adds nonce at the end' do
|
|
nonce = encrypted_token.last(described_class::NONCE_SIZE)
|
|
|
|
expect(nonce).to eq(::Digest::SHA256.hexdigest('my-value-my-value-my-value').bytes.take(described_class::NONCE_SIZE).pack('c*'))
|
|
end
|
|
|
|
it 'encrypts token' do
|
|
expect(encrypted_token[1...-described_class::NONCE_SIZE]).not_to eq('my-value-my-value-my-value')
|
|
end
|
|
end
|
|
|
|
context 'when dynamic_nonce feature flag is switched off' do
|
|
before do
|
|
stub_feature_flags(dynamic_nonce: false)
|
|
end
|
|
|
|
it 'does not add nonce identifier on the beginning' do
|
|
expect(encrypted_token.first).not_to eq(described_class::DYNAMIC_NONCE_IDENTIFIER)
|
|
end
|
|
|
|
it 'does not add nonce in the end' do
|
|
nonce = encrypted_token.last(described_class::NONCE_SIZE)
|
|
|
|
expect(nonce).not_to eq(::Digest::SHA256.hexdigest('my-value-my-value-my-value').bytes.take(described_class::NONCE_SIZE).pack('c*'))
|
|
end
|
|
|
|
it 'encrypts token with static iv' do
|
|
token = Gitlab::CryptoHelper.aes256_gcm_encrypt('my-value-my-value-my-value')
|
|
|
|
expect(encrypted_token).to eq(token)
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '.decrypt_token' do
|
|
context 'with feature flag switched off' do
|
|
before do
|
|
stub_feature_flags(dynamic_nonce: false)
|
|
end
|
|
|
|
it 'decrypts token with static iv' do
|
|
encrypted_token = described_class.encrypt_token('my-value')
|
|
|
|
expect(described_class.decrypt_token(encrypted_token)).to eq('my-value')
|
|
end
|
|
|
|
it 'decrypts token if feature flag changed after encryption' do
|
|
encrypted_token = described_class.encrypt_token('my-value')
|
|
|
|
expect(encrypted_token).not_to eq('my-value')
|
|
|
|
stub_feature_flags(dynamic_nonce: true)
|
|
|
|
expect(described_class.decrypt_token(encrypted_token)).to eq('my-value')
|
|
end
|
|
|
|
it 'decrypts token with dynamic iv' do
|
|
iv = ::Digest::SHA256.hexdigest('my-value').bytes.take(described_class::NONCE_SIZE).pack('c*')
|
|
token = Gitlab::CryptoHelper.aes256_gcm_encrypt('my-value', nonce: iv)
|
|
encrypted_token = "#{described_class::DYNAMIC_NONCE_IDENTIFIER}#{token}#{iv}"
|
|
|
|
expect(described_class.decrypt_token(encrypted_token)).to eq('my-value')
|
|
end
|
|
end
|
|
|
|
context 'with feature flag switched on' do
|
|
before do
|
|
stub_feature_flags(dynamic_nonce: true)
|
|
end
|
|
|
|
it 'decrypts token with dynamic iv' do
|
|
encrypted_token = described_class.encrypt_token('my-value')
|
|
|
|
expect(described_class.decrypt_token(encrypted_token)).to eq('my-value')
|
|
end
|
|
|
|
it 'decrypts token if feature flag changed after encryption' do
|
|
encrypted_token = described_class.encrypt_token('my-value')
|
|
|
|
expect(encrypted_token).not_to eq('my-value')
|
|
|
|
stub_feature_flags(dynamic_nonce: false)
|
|
|
|
expect(described_class.decrypt_token(encrypted_token)).to eq('my-value')
|
|
end
|
|
end
|
|
end
|
|
end
|