Merge branch '33601-add-csrf-token-verification-to-api' into 'master'

Resolve "Add CSRF token verification to API" Closes #33601 See merge request !12154
author: Sean McGivern <sean@mcgivern.me.uk> 2017-07-27 13:20:52 +0300
committer: Sean McGivern <sean@mcgivern.me.uk> 2017-07-27 13:20:52 +0300
commit: ef50875d3aa27a8e7bcc3296f911da4710be0585 (patch)
tree: 6b3522c20239dc319719203372464a0aa88fd9cb /spec/lib
parent: 2850efcdd51909a5a92f844e7b8940ed0190d234 (diff)
parent: bfe8b96874c66c54e2e4c1a66a520087b217e9e7 (diff)
1 files changed, 89 insertions, 0 deletions
diff --git a/spec/lib/gitlab/request_forgery_protection_spec.rb b/spec/lib/gitlab/request_forgery_protection_spec.rb
new file mode 100644
index 00000000000..305de613866
--- /dev/null
+++ b/spec/lib/gitlab/request_forgery_protection_spec.rb
@@ -0,0 +1,89 @@
+require 'spec_helper'
+
+describe Gitlab::RequestForgeryProtection, :allow_forgery_protection do
+  let(:csrf_token) { SecureRandom.base64(ActionController::RequestForgeryProtection::AUTHENTICITY_TOKEN_LENGTH) }
+  let(:env) do
+    {
+      'rack.input' => '',
+      'rack.session' => {
+        _csrf_token: csrf_token
+      }
+    }
+  end
+
+  describe '.call' do
+    context 'when the request method is GET' do
+      before do
+        env['REQUEST_METHOD'] = 'GET'
+      end
+
+      it 'does not raise an exception' do
+        expect { described_class.call(env) }.not_to raise_exception
+      end
+    end
+
+    context 'when the request method is POST' do
+      before do
+        env['REQUEST_METHOD'] = 'POST'
+      end
+
+      context 'when the CSRF token is valid' do
+        before do
+          env['HTTP_X_CSRF_TOKEN'] = csrf_token
+        end
+
+        it 'does not raise an exception' do
+          expect { described_class.call(env) }.not_to raise_exception
+        end
+      end
+
+      context 'when the CSRF token is invalid' do
+        before do
+          env['HTTP_X_CSRF_TOKEN'] = 'foo'
+        end
+
+        it 'raises an ActionController::InvalidAuthenticityToken exception' do
+          expect { described_class.call(env) }.to raise_exception(ActionController::InvalidAuthenticityToken)
+        end
+      end
+    end
+  end
+
+  describe '.verified?' do
+    context 'when the request method is GET' do
+      before do
+        env['REQUEST_METHOD'] = 'GET'
+      end
+
+      it 'returns true' do
+        expect(described_class.verified?(env)).to be_truthy
+      end
+    end
+
+    context 'when the request method is POST' do
+      before do
+        env['REQUEST_METHOD'] = 'POST'
+      end
+
+      context 'when the CSRF token is valid' do
+        before do
+          env['HTTP_X_CSRF_TOKEN'] = csrf_token
+        end
+
+        it 'returns true' do
+          expect(described_class.verified?(env)).to be_truthy
+        end
+      end
+
+      context 'when the CSRF token is invalid' do
+        before do
+          env['HTTP_X_CSRF_TOKEN'] = 'foo'
+        end
+
+        it 'returns false' do
+          expect(described_class.verified?(env)).to be_falsey
+        end
+      end
+    end
+  end
+end
author	Sean McGivern <sean@mcgivern.me.uk>	2017-07-27 13:20:52 +0300
committer	Sean McGivern <sean@mcgivern.me.uk>	2017-07-27 13:20:52 +0300
commit	ef50875d3aa27a8e7bcc3296f911da4710be0585 (patch)
tree	6b3522c20239dc319719203372464a0aa88fd9cb /spec/lib
parent	2850efcdd51909a5a92f844e7b8940ed0190d234 (diff)
parent	bfe8b96874c66c54e2e4c1a66a520087b217e9e7 (diff)