Merge branch 'remove_old_csrf_generation_monkey_patch' into 'master'

Removes monkey patch to generate 6.0.3 style token See merge request gitlab-org/gitlab!35104

Merge branch 'remove_old_csrf_generation_monkey_patch' into 'master'
Removes monkey patch to generate 6.0.3 style token See merge request gitlab-org/gitlab!35104
94cbd2d0 · Heinrich Lee Yu · 90051967 · 834b6d69 · 94cbd2d0 · 90051967
Commit 94cbd2d0 authored Jun 23, 2020 by Heinrich Lee Yu
3 changed files
--- a/changelogs/unreleased/remove_old_csrf_generation_monkey_patch.yml
+++ b/changelogs/unreleased/remove_old_csrf_generation_monkey_patch.yml
+---
+title: Removes monkey patch to generate 6.0.3 style token
+merge_request: 35104
+author:
+type: other
--- a/config/initializers/actionpack_generate_old_csrf_token.rb
+++ b/config/initializers/actionpack_generate_old_csrf_token.rb
-# frozen_string_literal: true
-
-module Gitlab
-  module RequestForgeryProtectionPatch
-    private
-
-    # Patch to generate 6.0.3 tokens so that we do not have CSRF errors while
-    # rolling out 6.0.3.1. This enables GitLab to have a mix of 6.0.3 and
-    # 6.0.3.1 Rails servers
-    #
-    # 1. Deploy this patch with :global_csrf_token FF disabled.
-    # 2. Once all Rails servers are on 6.0.3.1, enable :global_csrf_token FF.
-    # 3. On GitLab 13.2, remove this patch
-    def masked_authenticity_token(session, form_options: {})
-      action, method = form_options.values_at(:action, :method)
-
-      raw_token = if per_form_csrf_tokens && action && method
-                    action_path = normalize_action_path(action)
-                    per_form_csrf_token(session, action_path, method)
-                  else
-                    if Feature.enabled?(:global_csrf_token)
-                      global_csrf_token(session)
-                    else
-                      real_csrf_token(session)
-                    end
-                  end
-
-      mask_token(raw_token)
-    end
-  end
-end
-
-ActionController::Base.include Gitlab::RequestForgeryProtectionPatch
--- a/spec/initializers/actionpack_generate_old_csrf_token_spec.rb
+++ b/spec/initializers/actionpack_generate_old_csrf_token_spec.rb
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-describe ActionController::Base, 'CSRF token generation patch', type: :controller do # rubocop:disable RSpec/FilePath
-  let(:fixed_seed) { SecureRandom.random_bytes(described_class::AUTHENTICITY_TOKEN_LENGTH) }
-
-  context 'global_csrf_token feature flag is enabled' do
-    it 'generates 6.0.3.1 style CSRF token', :aggregate_failures do
-      generated_token = controller.send(:form_authenticity_token)
-
-      expect(valid_authenticity_token?(generated_token)).to be_truthy
-      expect(compare_with_real_token(generated_token)).to be_falsey
-      expect(compare_with_global_token(generated_token)).to be_truthy
-    end
-  end
-
-  context 'global_csrf_token feature flag is disabled' do
-    before do
-      stub_feature_flags(global_csrf_token: false)
-    end
-
-    it 'generates 6.0.3 style CSRF token', :aggregate_failures do
-      generated_token = controller.send(:form_authenticity_token)
-
-      expect(valid_authenticity_token?(generated_token)).to be_truthy
-      expect(compare_with_real_token(generated_token)).to be_truthy
-      expect(compare_with_global_token(generated_token)).to be_falsey
-    end
-  end
-
-  def compare_with_global_token(token)
-    unmasked_token = controller.send :unmask_token, Base64.strict_decode64(token)
-
-    controller.send(:compare_with_global_token, unmasked_token, session)
-  end
-
-  def compare_with_real_token(token)
-    unmasked_token = controller.send :unmask_token, Base64.strict_decode64(token)
-
-    controller.send(:compare_with_real_token, unmasked_token, session)
-  end
-
-  def valid_authenticity_token?(token)
-    controller.send(:valid_authenticity_token?, session, token)
-  end
-end