Merge branch 'kas_internal_api_unauthorized' into 'master'

Fix HTTP status code for agent tokens that are invalid or missing See merge request gitlab-org/gitlab!57777

Merge branch 'kas_internal_api_unauthorized' into 'master'
Fix HTTP status code for agent tokens that are invalid or missing See merge request gitlab-org/gitlab!57777
52ab1ffd · Bob Van Landuyt · 31a2515e · ccb6b0fc · 52ab1ffd · 52ab1ffd
Commit 52ab1ffd authored Mar 31, 2021 by Bob Van Landuyt
3 changed files
--- a/ee/spec/requests/api/internal/kubernetes_spec.rb
+++ b/ee/spec/requests/api/internal/kubernetes_spec.rb
@@ -38,16 +38,16 @@ RSpec.describe API::Internal::Kubernetes do
  end

  shared_examples 'agent authentication' do
-    it 'returns 403 if Authorization header not sent' do
+    it 'returns 401 if Authorization header not sent' do
      send_request

-      expect(response).to have_gitlab_http_status(:forbidden)
+      expect(response).to have_gitlab_http_status(:unauthorized)
    end

-    it 'returns 403 if Authorization is for non-existent agent' do
+    it 'returns 401 if Authorization is for non-existent agent' do
      send_request(headers: { 'Authorization' => 'Bearer NONEXISTENT' })

-      expect(response).to have_gitlab_http_status(:forbidden)
+      expect(response).to have_gitlab_http_status(:unauthorized)
    end
  end


--- a/lib/api/internal/kubernetes.rb
+++ b/lib/api/internal/kubernetes.rb
@@ -13,7 +13,7 @@ module API

      helpers do
        def authenticate_gitlab_kas_request!
-          unauthorized! unless Gitlab::Kas.verify_api_request(headers)
+          render_api_error!('KAS JWT authentication invalid', 401) unless Gitlab::Kas.verify_api_request(headers)
        end

        def agent_token
@@ -51,7 +51,7 @@ module API
        end

        def check_agent_token
-          forbidden! unless agent_token
+          unauthorized! unless agent_token

          forbidden! unless Gitlab::Kas.included_in_gitlab_com_rollout?(agent.project)


--- a/spec/requests/api/internal/kubernetes_spec.rb
+++ b/spec/requests/api/internal/kubernetes_spec.rb
@@ -38,16 +38,16 @@ RSpec.describe API::Internal::Kubernetes do
  end

  shared_examples 'agent authentication' do
-    it 'returns 403 if Authorization header not sent' do
+    it 'returns 401 if Authorization header not sent' do
      send_request

-      expect(response).to have_gitlab_http_status(:forbidden)
+      expect(response).to have_gitlab_http_status(:unauthorized)
    end

-    it 'returns 403 if Authorization is for non-existent agent' do
+    it 'returns 401 if Authorization is for non-existent agent' do
      send_request(headers: { 'Authorization' => 'Bearer NONEXISTENT' })

-      expect(response).to have_gitlab_http_status(:forbidden)
+      expect(response).to have_gitlab_http_status(:unauthorized)
    end
  end