Merge branch 'kas_internal_api_unauthorized' into 'master'

Fix HTTP status code for agent tokens that are invalid or missing See merge request gitlab-org/gitlab!57777

Merge branch 'kas_internal_api_unauthorized' into 'master'
Fix HTTP status code for agent tokens that are invalid or missing See merge request gitlab-org/gitlab!57777
52ab1ffd · Bob Van Landuyt · 31a2515e · ccb6b0fc · 52ab1ffd · 52ab1ffd
Commit 52ab1ffd authored Mar 31, 2021 by Bob Van Landuyt
3 changed files
--- a/ee/spec/requests/api/internal/kubernetes_spec.rb
+++ b/ee/spec/requests/api/internal/kubernetes_spec.rb
@@ -38,16 +38,16 @@ RSpec.describe API::Internal::Kubernetes do
  end
  shared_examples 'agent authentication' do
-    it 'returns 403 if Authorization header not sent' do
+    it 'returns 401 if Authorization header not sent' do
      send_request
-      expect(response).to have_gitlab_http_status(:forbidden)
+      expect(response).to have_gitlab_http_status(:unauthorized)
    end
-    it 'returns 403 if Authorization is for non-existent agent' do
+    it 'returns 401 if Authorization is for non-existent agent' do
      send_request(headers: { 'Authorization' => 'Bearer NONEXISTENT' })
-      expect(response).to have_gitlab_http_status(:forbidden)
+      expect(response).to have_gitlab_http_status(:unauthorized)
    end
  end

--- a/lib/api/internal/kubernetes.rb
+++ b/lib/api/internal/kubernetes.rb
@@ -13,7 +13,7 @@ module API
      helpers do
        def authenticate_gitlab_kas_request!
-          unauthorized! unless Gitlab::Kas.verify_api_request(headers)
+          render_api_error!('KAS JWT authentication invalid', 401) unless Gitlab::Kas.verify_api_request(headers)
        end
        def agent_token
@@ -51,7 +51,7 @@ module API
        end
        def check_agent_token
-          forbidden! unless agent_token
+          unauthorized! unless agent_token
          forbidden! unless Gitlab::Kas.included_in_gitlab_com_rollout?(agent.project)

--- a/spec/requests/api/internal/kubernetes_spec.rb
+++ b/spec/requests/api/internal/kubernetes_spec.rb
@@ -38,16 +38,16 @@ RSpec.describe API::Internal::Kubernetes do
  end
  shared_examples 'agent authentication' do
-    it 'returns 403 if Authorization header not sent' do
+    it 'returns 401 if Authorization header not sent' do
      send_request
-      expect(response).to have_gitlab_http_status(:forbidden)
+      expect(response).to have_gitlab_http_status(:unauthorized)
    end
-    it 'returns 403 if Authorization is for non-existent agent' do
+    it 'returns 401 if Authorization is for non-existent agent' do
      send_request(headers: { 'Authorization' => 'Bearer NONEXISTENT' })
-      expect(response).to have_gitlab_http_status(:forbidden)
+      expect(response).to have_gitlab_http_status(:unauthorized)
    end
  end