Removes monkey patch to generate 6.0.3 style token

Going forward, we will generate CSRF tokens using Rails 6.0.3.1. Unblocks any future Rails upgrades

Removes monkey patch to generate 6.0.3 style token
Going forward, we will generate CSRF tokens using Rails 6.0.3.1. Unblocks any future Rails upgrades
834b6d69 · Thong Kuah · c9d043c6 · 834b6d69 · c9d043c6 · c9d043c6
Commit 834b6d69 authored Jun 23, 2020 by Thong Kuah
3 changed files
--- a/changelogs/unreleased/remove_old_csrf_generation_monkey_patch.yml
+++ b/changelogs/unreleased/remove_old_csrf_generation_monkey_patch.yml
+---
+title: Removes monkey patch to generate 6.0.3 style token
+merge_request: 35104
+author:
+type: other
--- a/config/initializers/actionpack_generate_old_csrf_token.rb
+++ b/config/initializers/actionpack_generate_old_csrf_token.rb
-# frozen_string_literal: true
-
-module Gitlab
-  module RequestForgeryProtectionPatch
-    private
-
-    # Patch to generate 6.0.3 tokens so that we do not have CSRF errors while
-    # rolling out 6.0.3.1. This enables GitLab to have a mix of 6.0.3 and
-    # 6.0.3.1 Rails servers
-    #
-    # 1. Deploy this patch with :global_csrf_token FF disabled.
-    # 2. Once all Rails servers are on 6.0.3.1, enable :global_csrf_token FF.
-    # 3. On GitLab 13.2, remove this patch
-    def masked_authenticity_token(session, form_options: {})
-      action, method = form_options.values_at(:action, :method)
-
-      raw_token = if per_form_csrf_tokens && action && method
-                    action_path = normalize_action_path(action)
-                    per_form_csrf_token(session, action_path, method)
-                  else
-                    if Feature.enabled?(:global_csrf_token)
-                      global_csrf_token(session)
-                    else
-                      real_csrf_token(session)
-                    end
-                  end
-
-      mask_token(raw_token)
-    end
-  end
-end
-
-ActionController::Base.include Gitlab::RequestForgeryProtectionPatch
--- a/spec/initializers/actionpack_generate_old_csrf_token_spec.rb
+++ b/spec/initializers/actionpack_generate_old_csrf_token_spec.rb
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-describe ActionController::Base, 'CSRF token generation patch', type: :controller do # rubocop:disable RSpec/FilePath
-  let(:fixed_seed) { SecureRandom.random_bytes(described_class::AUTHENTICITY_TOKEN_LENGTH) }
-
-  context 'global_csrf_token feature flag is enabled' do
-    it 'generates 6.0.3.1 style CSRF token', :aggregate_failures do
-      generated_token = controller.send(:form_authenticity_token)
-
-      expect(valid_authenticity_token?(generated_token)).to be_truthy
-      expect(compare_with_real_token(generated_token)).to be_falsey
-      expect(compare_with_global_token(generated_token)).to be_truthy
-    end
-  end
-
-  context 'global_csrf_token feature flag is disabled' do
-    before do
-      stub_feature_flags(global_csrf_token: false)
-    end
-
-    it 'generates 6.0.3 style CSRF token', :aggregate_failures do
-      generated_token = controller.send(:form_authenticity_token)
-
-      expect(valid_authenticity_token?(generated_token)).to be_truthy
-      expect(compare_with_real_token(generated_token)).to be_truthy
-      expect(compare_with_global_token(generated_token)).to be_falsey
-    end
-  end
-
-  def compare_with_global_token(token)
-    unmasked_token = controller.send :unmask_token, Base64.strict_decode64(token)
-
-    controller.send(:compare_with_global_token, unmasked_token, session)
-  end
-
-  def compare_with_real_token(token)
-    unmasked_token = controller.send :unmask_token, Base64.strict_decode64(token)
-
-    controller.send(:compare_with_real_token, unmasked_token, session)
-  end
-
-  def valid_authenticity_token?(token)
-    controller.send(:valid_authenticity_token?, session, token)
-  end
-end