Merge branch '5796-fix-invalid-signature-time-error' into 'master'

Rescue from `InvalidSignatureTimeError` on Geo API

Closes #5796

See merge request gitlab-org/gitlab-ee!5495

ee/changelogs/unreleased/5796-fix-invalid-signature-time-error.yml

+---
+title: 'Geo: Admin page will not crash with 500 because of InvalidSignatureTimeError'
+merge_request: 5495
+author:
+type: fixed

ee/lib/ee/api/helpers.rb

@@ -18,7 +18,7 @@ module EE
           unless auth_header && ::Gitlab::Geo::JwtRequestDecoder.new(auth_header).decode
             unauthorized!
           end
-        rescue ::Gitlab::Geo::InvalidDecryptionKeyError, ::Gitlab::Geo::SignatureTimeInvalidError => e
+        rescue ::Gitlab::Geo::InvalidDecryptionKeyError, ::Gitlab::Geo::InvalidSignatureTimeError => e
           render_api_error!(e.to_s, 401)
         end
       end

ee/spec/lib/ee/api/helpers_spec.rb

 require 'spec_helper'
 
 describe EE::API::Helpers do
-  include API::APIGuard::HelperMethods
-  include API::Helpers
+  include Rack::Test::Methods
 
-  let(:options) { {} }
-  let(:params) { {} }
-  let(:env) do
-    {
-      'rack.input' => '',
-      'REQUEST_METHOD' => 'GET'
-    }
+  let(:helper) do
+    Class.new(Grape::API) do
+      helpers EE::API::Helpers
+      helpers API::APIGuard::HelperMethods
+      helpers API::Helpers
+      format :json
+
+      get 'user' do
+        current_user ? { id: current_user.id } : { found: false }
       end
-  let(:header) { }
-  let(:request) { Grape::Request.new(env)}
 
-  before do
-    allow(Gitlab::Database::LoadBalancing).to receive(:enable?).and_return(true)
+      get 'protected' do
+        authenticate_by_gitlab_geo_node_token!
+      end
+    end
+  end
+
+  def app
+    helper
   end
 
   describe '#current_user' do
     let(:user) { build(:user, id: 42) }
 
+    before do
+      allow(Gitlab::Database::LoadBalancing).to receive(:enable?).and_return(true)
+    end
+
     it 'handles sticking when a user could be found' do
       allow_any_instance_of(API::Helpers).to receive(:initial_current_user).and_return(user)
 
       expect(Gitlab::Database::LoadBalancing::RackMiddleware)
-        .to receive(:stick_or_unstick).with(env, :user, 42)
+        .to receive(:stick_or_unstick).with(any_args, :user, 42)
+
+      get 'user'
 
-      current_user
+      expect(JSON.parse(last_response.body)).to eq({ 'id' => user.id })
     end
 
     it 'does not handle sticking if no user could be found' do
@@ -37,13 +48,37 @@ describe EE::API::Helpers do
       expect(Gitlab::Database::LoadBalancing::RackMiddleware)
         .not_to receive(:stick_or_unstick)
 
-      current_user
+      get 'user'
+
+      expect(JSON.parse(last_response.body)).to eq({ 'found' => false })
     end
 
     it 'returns the user if one could be found' do
       allow_any_instance_of(API::Helpers).to receive(:initial_current_user).and_return(user)
 
-      expect(current_user).to eq(user)
+      get 'user'
+
+      expect(JSON.parse(last_response.body)).to eq({ 'id' => user.id })
+    end
+  end
+
+  describe '#authenticate_by_gitlab_geo_node_token!' do
+    it 'rescues from ::Gitlab::Geo::InvalidDecryptionKeyError' do
+      expect_any_instance_of(::Gitlab::Geo::JwtRequestDecoder).to receive(:decode) { raise ::Gitlab::Geo::InvalidDecryptionKeyError }
+
+      header 'Authorization', 'test'
+      get 'protected', current_user: 'test'
+
+      expect(JSON.parse(last_response.body)).to eq({ 'message' => 'Gitlab::Geo::InvalidDecryptionKeyError' })
+    end
+
+    it 'rescues from ::Gitlab::Geo::InvalidSignatureTimeError' do
+      allow_any_instance_of(::Gitlab::Geo::JwtRequestDecoder).to receive(:decode) { raise ::Gitlab::Geo::InvalidSignatureTimeError }
+
+      header 'Authorization', 'test'
+      get 'protected', current_user: 'test'
+
+      expect(JSON.parse(last_response.body)).to eq({ 'message' => 'Gitlab::Geo::InvalidSignatureTimeError' })
     end
   end
 end