diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-09-19 04:45:44 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-09-19 04:45:44 +0300 |
commit | 85dc423f7090da0a52c73eb66faf22ddb20efff9 (patch) | |
tree | 9160f299afd8c80c038f08e1545be119f5e3f1e1 /spec/features/jira_connect/subscriptions_spec.rb | |
parent | 15c2c8c66dbe422588e5411eee7e68f1fa440bb8 (diff) |
Add latest changes from gitlab-org/gitlab@13-4-stable-ee
Diffstat (limited to 'spec/features/jira_connect/subscriptions_spec.rb')
-rw-r--r-- | spec/features/jira_connect/subscriptions_spec.rb | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/spec/features/jira_connect/subscriptions_spec.rb b/spec/features/jira_connect/subscriptions_spec.rb new file mode 100644 index 00000000000..9be6b7c67ee --- /dev/null +++ b/spec/features/jira_connect/subscriptions_spec.rb @@ -0,0 +1,47 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe 'Subscriptions Content Security Policy' do + let(:installation) { create(:jira_connect_installation) } + let(:qsh) { Atlassian::Jwt.create_query_string_hash('https://gitlab.test/subscriptions', 'GET', 'https://gitlab.test') } + let(:jwt) { Atlassian::Jwt.encode({ iss: installation.client_key, qsh: qsh }, installation.shared_secret) } + + subject { response_headers['Content-Security-Policy'] } + + context 'when there is no global config' do + before do + expect_next_instance_of(JiraConnect::SubscriptionsController) do |controller| + expect(controller).to receive(:current_content_security_policy) + .and_return(ActionDispatch::ContentSecurityPolicy.new) + end + end + + it 'does not add CSP directives' do + visit jira_connect_subscriptions_path(jwt: jwt) + + is_expected.to be_blank + end + end + + context 'when a global CSP config exists' do + before do + csp = ActionDispatch::ContentSecurityPolicy.new do |p| + p.script_src :self, 'https://some-cdn.test' + p.style_src :self, 'https://some-cdn.test' + end + + expect_next_instance_of(JiraConnect::SubscriptionsController) do |controller| + expect(controller).to receive(:current_content_security_policy).and_return(csp) + end + end + + it 'appends to CSP directives' do + visit jira_connect_subscriptions_path(jwt: jwt) + + is_expected.to include("frame-ancestors 'self' https://*.atlassian.net") + is_expected.to include("script-src 'self' https://some-cdn.test https://connect-cdn.atl-paas.net https://unpkg.com/jquery@3.3.1/") + is_expected.to include("style-src 'self' https://some-cdn.test 'unsafe-inline' https://unpkg.com/@atlaskit/") + end + end +end |