Merge branch 'id-fix-jwt-tokens' into 'main'

Trim secret before signing JWT tokens

See merge request https://gitlab.com/gitlab-org/gitlab-shell/-/merge_requests/686

Merged-by: Ash McKenzie <amckenzie@gitlab.com>
Approved-by: Alejandro Rodríguez <alejandro@gitlab.com>
Approved-by: Ash McKenzie <amckenzie@gitlab.com>
Co-authored-by: Igor Drozdov <idrozdov@gitlab.com>

Author: ashmckenzie

client/client_test.go

@@ -20,7 +20,7 @@ import (
 )
 
 var (
-	secret = []byte("sssh, it's a secret")
+	secret = "sssh, it's a secret"
 )
 
 func TestClients(t *testing.T) {
@@ -31,31 +31,45 @@ func TestClients(t *testing.T) {
 		relativeURLRoot string
 		caFile          string
 		server          func(*testing.T, []testserver.TestRequestHandler) string
+		secret          string
 	}{
 		{
 			desc:   "Socket client",
 			server: testserver.StartSocketHttpServer,
+			secret: secret,
 		},
 		{
 			desc:            "Socket client with a relative URL at /",
 			relativeURLRoot: "/",
 			server:          testserver.StartSocketHttpServer,
+			secret:          secret,
 		},
 		{
 			desc:            "Socket client with relative URL at /gitlab",
 			relativeURLRoot: "/gitlab",
 			server:          testserver.StartSocketHttpServer,
+			secret:          secret,
 		},
 		{
 			desc:   "Http client",
 			server: testserver.StartHttpServer,
+			secret: secret,
 		},
 		{
 			desc:   "Https client",
 			caFile: path.Join(testhelper.TestRoot, "certs/valid/server.crt"),
 			server: func(t *testing.T, handlers []testserver.TestRequestHandler) string {
 				return testserver.StartHttpsServer(t, handlers, "")
 			},
+			secret: secret,
+		},
+		{
+			desc:   "Secret with newlines",
+			caFile: path.Join(testhelper.TestRoot, "certs/valid/server.crt"),
+			server: func(t *testing.T, handlers []testserver.TestRequestHandler) string {
+				return testserver.StartHttpsServer(t, handlers, "")
+			},
+			secret: "\n" + secret + "\n",
 		},
 	}
 
@@ -66,15 +80,15 @@ func TestClients(t *testing.T) {
 			httpClient, err := NewHTTPClientWithOpts(url, tc.relativeURLRoot, tc.caFile, "", 1, nil)
 			require.NoError(t, err)
 
-			client, err := NewGitlabNetClient("", "", string(secret), httpClient)
+			client, err := NewGitlabNetClient("", "", tc.secret, httpClient)
 			require.NoError(t, err)
 
 			testBrokenRequest(t, client)
 			testSuccessfulGet(t, client)
 			testSuccessfulPost(t, client)
 			testMissing(t, client)
 			testErrorMessage(t, client)
-			testAuthenticationHeader(t, client)
+			testAuthenticationHeader(t, tc.secret, client)
 			testJWTAuthenticationHeader(t, client)
 			testXForwardedForHeader(t, client)
 			testHostWithTrailingSlash(t, client)
@@ -154,7 +168,7 @@ func testBrokenRequest(t *testing.T, client *GitlabNetClient) {
 	})
 }
 
-func testAuthenticationHeader(t *testing.T, client *GitlabNetClient) {
+func testAuthenticationHeader(t *testing.T, secret string, client *GitlabNetClient) {
 	t.Run("Authentication headers for GET", func(t *testing.T) {
 		response, err := client.Get(context.Background(), "/auth")
 		require.NoError(t, err)
@@ -167,7 +181,7 @@ func testAuthenticationHeader(t *testing.T, client *GitlabNetClient) {
 
 		header, err := base64.StdEncoding.DecodeString(string(responseBody))
 		require.NoError(t, err)
-		require.Equal(t, secret, header)
+		require.Equal(t, secret, string(header))
 	})
 
 	t.Run("Authentication headers for POST", func(t *testing.T) {
@@ -182,7 +196,7 @@ func testAuthenticationHeader(t *testing.T, client *GitlabNetClient) {
 
 		header, err := base64.StdEncoding.DecodeString(string(responseBody))
 		require.NoError(t, err)
-		require.Equal(t, secret, header)
+		require.Equal(t, secret, string(header))
 	})
 }
 
@@ -193,7 +207,7 @@ func testJWTAuthenticationHeader(t *testing.T, client *GitlabNetClient) {
 
 		claims := &jwt.RegisteredClaims{}
 		token, err := jwt.ParseWithClaims(string(responseBody), claims, func(token *jwt.Token) (interface{}, error) {
-			return secret, nil
+			return []byte(secret), nil
 		})
 		require.NoError(t, err)
 		require.True(t, token.Valid)

client/gitlabnet.go

@@ -141,16 +141,15 @@ func (c *GitlabNetClient) DoRequest(ctx context.Context, method, path string, da
 	if user != "" && password != "" {
 		request.SetBasicAuth(user, password)
 	}
-	secretBytes := []byte(c.secret)
-
-	encodedSecret := base64.StdEncoding.EncodeToString(secretBytes)
+	encodedSecret := base64.StdEncoding.EncodeToString([]byte(c.secret))
 	request.Header.Set(secretHeaderName, encodedSecret)
 
 	claims := jwt.RegisteredClaims{
 		Issuer:    jwtIssuer,
 		IssuedAt:  jwt.NewNumericDate(time.Now()),
 		ExpiresAt: jwt.NewNumericDate(time.Now().Add(jwtTTL)),
 	}
+	secretBytes := []byte(strings.TrimSpace(c.secret))
 	tokenString, err := jwt.NewWithClaims(jwt.SigningMethodHS256, claims).SignedString(secretBytes)
 	if err != nil {
 		return nil, err