Merge branch 'sh-bump-omniauth-google-gem' into 'master'

Upgrade Omniauth and JWT gems to switch away from Google+ API Closes #55668 See merge request gitlab-org/gitlab-ce!24068

Merge branch 'sh-bump-omniauth-google-gem' into 'master'
Upgrade Omniauth and JWT gems to switch away from Google+ API Closes #55668 See merge request gitlab-org/gitlab-ce!24068
594bcf37 · Sean McGivern · eab7e3c8 · c6d7130f · 594bcf37 · 594bcf37
Commit 594bcf37 authored Jan 01, 2019 by Sean McGivern
8 changed files
--- a/Gemfile
+++ b/Gemfile
@@ -34,7 +34,7 @@ gem 'omniauth-cas3', '~> 1.1.4'
 gem 'omniauth-facebook', '~> 4.0.0'
 gem 'omniauth-github', '~> 1.3'
 gem 'omniauth-gitlab', '~> 1.0.2'
-gem 'omniauth-google-oauth2', '~> 0.5.3'
+gem 'omniauth-google-oauth2', '~> 0.6.0'
 gem 'omniauth-kerberos', '~> 0.3.0', group: :kerberos
 gem 'omniauth-oauth2-generic', '~> 0.2.2'
 gem 'omniauth-saml', '~> 1.10'
@@ -43,7 +43,7 @@ gem 'omniauth-twitter', '~> 1.4'
 gem 'omniauth_crowd', '~> 2.2.0'
 gem 'omniauth-authentiq', '~> 0.3.3'
 gem 'rack-oauth2', '~> 1.2.1'
-gem 'jwt', '~> 1.5.6'
+gem 'jwt', '~> 2.1.0'

 # Spam and anti-bot protection
 gem 'recaptcha', '~> 3.0', require: 'recaptcha/rails'

--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -403,7 +403,7 @@ GEM
      bindata
    json-schema (2.8.0)
      addressable (>= 2.4)
-    jwt (1.5.6)
+    jwt (2.1.0)
    kaminari (1.0.1)
      activesupport (>= 4.1.0)
      kaminari-actionview (= 1.0.1)
@@ -483,24 +483,24 @@ GEM
      nokogiri
    numerizer (0.1.1)
    oauth (0.5.4)
-    oauth2 (1.4.0)
-      faraday (>= 0.8, < 0.13)
-      jwt (~> 1.0)
+    oauth2 (1.4.1)
+      faraday (>= 0.8, < 0.16.0)
+      jwt (>= 1.0, < 3.0)
      multi_json (~> 1.3)
      multi_xml (~> 0.5)
      rack (>= 1.2, < 3)
    octokit (4.9.0)
      sawyer (~> 0.8.0, >= 0.5.3)
-    omniauth (1.8.1)
-      hashie (>= 3.4.6, < 3.6.0)
+    omniauth (1.9.0)
+      hashie (>= 3.4.6, < 3.7.0)
      rack (>= 1.6.2, < 3)
    omniauth-auth0 (2.0.0)
      omniauth-oauth2 (~> 1.4)
    omniauth-authentiq (0.3.3)
      jwt (>= 1.5)
      omniauth-oauth2 (>= 1.5)
-    omniauth-azure-oauth2 (0.0.9)
-      jwt (~> 1.0)
+    omniauth-azure-oauth2 (0.0.10)
+      jwt (>= 1.0, < 3.0)
      omniauth (~> 1.0)
      omniauth-oauth2 (~> 1.4)
    omniauth-cas3 (1.1.4)
@@ -515,8 +515,8 @@ GEM
    omniauth-gitlab (1.0.3)
      omniauth (~> 1.0)
      omniauth-oauth2 (~> 1.0)
-    omniauth-google-oauth2 (0.5.3)
-      jwt (>= 1.5)
+    omniauth-google-oauth2 (0.6.0)
+      jwt (>= 2.0)
      omniauth (>= 1.1.1)
      omniauth-oauth2 (>= 1.5)
    omniauth-kerberos (0.3.0)
@@ -527,9 +527,9 @@ GEM
    omniauth-oauth (1.1.0)
      oauth
      omniauth (~> 1.0)
-    omniauth-oauth2 (1.5.0)
+    omniauth-oauth2 (1.6.0)
      oauth2 (~> 1.1)
-      omniauth (~> 1.2)
+      omniauth (~> 1.9)
    omniauth-oauth2-generic (0.2.2)
      omniauth-oauth2 (~> 1.0)
    omniauth-saml (1.10.0)
@@ -1041,7 +1041,7 @@ DEPENDENCIES
  jquery-atwho-rails (~> 1.3.2)
  js_regex (~> 2.2.1)
  json-schema (~> 2.8.0)
-  jwt (~> 1.5.6)
+  jwt (~> 2.1.0)
  kaminari (~> 1.0)
  knapsack (~> 1.17)
  kubeclient (~> 4.0.0)
@@ -1070,7 +1070,7 @@ DEPENDENCIES
  omniauth-facebook (~> 4.0.0)
  omniauth-github (~> 1.3)
  omniauth-gitlab (~> 1.0.2)
-  omniauth-google-oauth2 (~> 0.5.3)
+  omniauth-google-oauth2 (~> 0.6.0)
  omniauth-kerberos (~> 0.3.0)
  omniauth-oauth2-generic (~> 0.2.2)
  omniauth-saml (~> 1.10)

--- a/changelogs/unreleased/sh-bump-omniauth-google-gem.yml
+++ b/changelogs/unreleased/sh-bump-omniauth-google-gem.yml
+---
+title: Upgrade Omniauth and JWT gems to switch away from Google+ API
+merge_request: 24068
+author:
+type: changed
--- a/doc/integration/google.md
+++ b/doc/integration/google.md
@@ -35,7 +35,6 @@ In Google's side:

 1. You should now be able to see a Client ID and Client secret. Note them down
   or keep this page open as you will need them later.
-1. From the **Dashboard** select **ENABLE APIS AND SERVICES > Social > Google+ API > Enable**
 1. To enable projects to access [Google Kubernetes Engine](../user/project/clusters/index.md), you must also
   enable these APIs:
   - Google Kubernetes Engine API

--- a/lib/json_web_token/hmac_token.rb
+++ b/lib/json_web_token/hmac_token.rb
@@ -18,7 +18,7 @@ module JSONWebToken
    end

    def encoded
-      JWT.encode(payload, secret, JWT_ALGORITHM)
+      JWT.encode(payload, secret, JWT_ALGORITHM, { typ: 'JWT' })
    end

    private

--- a/lib/json_web_token/rsa_token.rb
+++ b/lib/json_web_token/rsa_token.rb
@@ -11,7 +11,8 @@ module JSONWebToken

    def encoded
      headers = {
-        kid: kid
+        kid: kid,
+        typ: 'JWT'
      }
      JWT.encode(payload, key, 'RS256', headers)
    end

--- a/spec/lib/json_web_token/rsa_token_spec.rb
+++ b/spec/lib/json_web_token/rsa_token_spec.rb
@@ -25,7 +25,7 @@ describe JSONWebToken::RSAToken do
        rsa_token['key'] = 'value'
      end

-      subject { JWT.decode(rsa_encoded, rsa_key) }
+      subject { JWT.decode(rsa_encoded, rsa_key, true, { algorithm: 'RS256' }) }

      it { expect {subject}.not_to raise_error }
      it { expect(subject.first).to include('key' => 'value') }
@@ -39,7 +39,7 @@ describe JSONWebToken::RSAToken do

    context 'for invalid key to raise an exception' do
      let(:new_key) { OpenSSL::PKey::RSA.generate(512) }
-      subject { JWT.decode(rsa_encoded, new_key) }
+      subject { JWT.decode(rsa_encoded, new_key, true, { algorithm: 'RS256' }) }

      it { expect {subject}.to raise_error(JWT::DecodeError) }
    end

--- a/spec/services/auth/container_registry_authentication_service_spec.rb
+++ b/spec/services/auth/container_registry_authentication_service_spec.rb
@@ -5,7 +5,7 @@ describe Auth::ContainerRegistryAuthenticationService do
  let(:current_user) { nil }
  let(:current_params) { {} }
  let(:rsa_key) { OpenSSL::PKey::RSA.generate(512) }
-  let(:payload) { JWT.decode(subject[:token], rsa_key).first }
+  let(:payload) { JWT.decode(subject[:token], rsa_key, true, { algorithm: 'RS256' }).first }

  let(:authentication_abilities) do
    [:read_container_image, :create_container_image, :admin_container_image]