author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-20 14:10:13 +0300 |
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-20 14:10:13 +0300 |
commit | 0ea3fcec397b69815975647f5e2aa5fe944a8486 (patch) | |
tree | 7979381b89d26011bcf9bdc989a40fcc2f1ed4ff /spec/requests/oauth/authorizations_controller_spec.rb | |
parent | 72123183a20411a36d607d70b12d57c484394c8e (diff) |
Add latest changes from gitlab-org/gitlab@15-1-stable-eev15.1.0-rc42
Diffstat (limited to 'spec/requests/oauth/authorizations_controller_spec.rb')
-rw-r--r-- | spec/requests/oauth/authorizations_controller_spec.rb | 76 |
1 files changed, 76 insertions, 0 deletions
diff --git a/spec/requests/oauth/authorizations_controller_spec.rb b/spec/requests/oauth/authorizations_controller_spec.rb
new file mode 100644
index 00000000000..8d19c92865e
--- /dev/null
+++ b/spec/requests/oauth/authorizations_controller_spec.rb
@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Oauth::AuthorizationsController do
+ let_it_be(:user) { create(:user) }
+ let_it_be(:application) { create(:oauth_application, redirect_uri: 'custom://test') }
+ let_it_be(:oauth_authorization_path) do
+ Gitlab::Routing.url_helpers.oauth_authorization_url(
+ client_id: application.uid,
+ response_type: 'code',
+ scope: application.scopes,
+ redirect_uri: application.redirect_uri,
+ state: SecureRandom.hex
+ )
+ end
+
+ before do
+ sign_in(user)
+ end
+
+ describe 'GET #new' do
+ context 'when application redirect URI has a custom scheme' do
+ context 'when CSP is disabled' do
+ before do
+ allow_next_instance_of(ActionDispatch::Request) do |instance|
+ allow(instance).to receive(:content_security_policy).and_return(nil)
+ end
+ end
+
+ it 'does not add a CSP' do
+ get oauth_authorization_path
+
+ expect(response.headers['Content-Security-Policy']).to be_nil
+ end
+ end
+
+ context 'when CSP contains form-action' do
+ before do
+ csp = ActionDispatch::ContentSecurityPolicy.new do |p|
+ p.form_action "'self'"
+ end
+
+ allow_next_instance_of(ActionDispatch::Request) do |instance|
+ allow(instance).to receive(:content_security_policy).and_return(csp)
+ end
+ end
+
+ it 'adds custom scheme to CSP form-action' do
+ get oauth_authorization_path
+
+ expect(response.headers['Content-Security-Policy']).to include("form-action 'self' custom:")
+ end
+ end
+
+ context 'when CSP does not contain form-action' do
+ before do
+ csp = ActionDispatch::ContentSecurityPolicy.new do |p|
+ p.script_src :self, 'https://some-cdn.test'
+ p.style_src :self, 'https://some-cdn.test'
+ end
+
+ allow_next_instance_of(ActionDispatch::Request) do |instance|
+ allow(instance).to receive(:content_security_policy).and_return(csp)
+ end
+ end
+
+ it 'does not add form-action to the CSP' do
+ get oauth_authorization_path
+
+ expect(response.headers['Content-Security-Policy']).not_to include('form-action')
+ end
+ end
+ end
+ end
+end |
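Review bot: The helper defined as `let_it_be(:oauth_authorization_path)` actually holds a full URL built by `Gitlab::Routing.url_helpers.oauth_authorization_url`, and its name collides with the `oauth_authorization_path` route helper that request specs already have in scope, so a reader of `get oauth_authorization_path` cannot tell which of the two is being called. Renaming it to `let_it_be(:oauth_authorization_url) do` and updating the three `get` calls keeps the name honest and removes the shadowing. Separately, every example uses the `custom://test` redirect URI; a sibling context with an `https://` redirect URI asserting that `form-action` is not widened would pin the property these tests imply — that only the registered application's custom scheme is appended — though the controller that builds the directive is not in this diff, so that expectation needs confirming against it. Note also that `SecureRandom.hex` inside `let_it_be` is evaluated once for the whole file rather than per example, which is fine here but matters if state-specific assertions are added later.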