authorGitLab Bot <gitlab-bot@gitlab.com>2020-02-23 03:09:14 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2020-02-23 03:09:14 +0300
commit9c71f76e2b49c070c35cb209fe3729e01a7ce92c (patch)
treef48aa6258fc5af462df9f20df28531fdfbfd20ae /spec
parented45528885b7b44c61f18175fe7cdbda12360669 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'spec')
-rw-r--r--spec/features/ide/static_object_external_storage_csp_spec.rb31
-rw-r--r--spec/features/projects/sourcegraph_csp_spec.rb90
-rw-r--r--spec/support/shared_examples/csp.rb79
3 files changed, 122 insertions, 78 deletions
diff --git a/spec/features/ide/static_object_external_storage_csp_spec.rb b/spec/features/ide/static_object_external_storage_csp_spec.rb
new file mode 100644
index 00000000000..93c22b35786
--- /dev/null
+++ b/spec/features/ide/static_object_external_storage_csp_spec.rb
@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'Static Object External Storage Content Security Policy' do
+ let_it_be(:user) { create(:user) }
+
+ shared_context 'disable feature' do
+ before do
+ allow_any_instance_of(ApplicationSetting).to receive(:static_objects_external_storage_url).and_return(nil)
+ end
+ end
+
+ it_behaves_like 'setting CSP connect-src' do
+ let_it_be(:whitelisted_url) { 'https://static-objects.test' }
+ let_it_be(:extended_controller_class) { IdeController }
+
+ subject do
+ visit ide_path
+
+ response_headers['Content-Security-Policy']
+ end
+
+ before do
+ allow_any_instance_of(ApplicationSetting).to receive(:static_objects_external_storage_url).and_return(whitelisted_url)
+ allow_any_instance_of(ApplicationSetting).to receive(:static_objects_external_storage_auth_token).and_return('letmein')
+
+ sign_in(user)
+ end
+ end
+end
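Review bot: The `disable feature` context only works because RSpec runs the enclosing group's `before` (which stubs `static_objects_external_storage_url` to `whitelisted_url`) before the nested context's `before`, so the later `and_return(nil)` wins; that ordering dependency is silent and deserves a comment on the shared context, e.g. `# runs after the enclosing before hook, so this stub overrides the enabled one`. The same pattern appears in the sourcegraph_csp_spec.rb hunk of this commit. Separately, this spec stubs via `allow_any_instance_of(ApplicationSetting)` while the sibling spec stubs `Gitlab::CurrentSettings`; if `IdeController` reads the setting through `Gitlab::CurrentSettings` (not visible here), `allow(Gitlab::CurrentSettings).to receive(:static_objects_external_storage_url).and_return(whitelisted_url)` would keep the two specs consistent and avoid the any-instance stub.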
diff --git a/spec/features/projects/sourcegraph_csp_spec.rb b/spec/features/projects/sourcegraph_csp_spec.rb
index 57d1e8e3034..385a797368c 100644
--- a/spec/features/projects/sourcegraph_csp_spec.rb
+++ b/spec/features/projects/sourcegraph_csp_spec.rb
@@ -5,94 +5,28 @@ require 'spec_helper'
describe 'Sourcegraph Content Security Policy' do
let_it_be(:user) { create(:user) }
let_it_be(:project) { create(:project, :repository, namespace: user.namespace) }
- let_it_be(:default_csp_values) { "'self' https://some-cdn.test" }
- let_it_be(:sourcegraph_url) { 'https://sourcegraph.test' }
- let(:sourcegraph_enabled) { true }
- subject do
- visit project_blob_path(project, File.join('master', 'README.md'))
-
- response_headers['Content-Security-Policy']
- end
-
- before do
- allow(Gitlab::CurrentSettings).to receive(:sourcegraph_url).and_return(sourcegraph_url)
- allow(Gitlab::CurrentSettings).to receive(:sourcegraph_enabled).and_return(sourcegraph_enabled)
-
- sign_in(user)
- end
-
- shared_context 'csp config' do |csp_rule|
+ shared_context 'disable feature' do
before do
- csp = ActionDispatch::ContentSecurityPolicy.new do |p|
- p.send(csp_rule, default_csp_values) if csp_rule
- end
-
- expect_next_instance_of(Projects::BlobController) do |controller|
- expect(controller).to receive(:current_content_security_policy).and_return(csp)
- end
+ allow(Gitlab::CurrentSettings).to receive(:sourcegraph_enabled).and_return(false)
end
end
- context 'when no CSP config' do
- include_context 'csp config', nil
+ it_behaves_like 'setting CSP connect-src' do
+ let_it_be(:whitelisted_url) { 'https://sourcegraph.test' }
+ let_it_be(:extended_controller_class) { Projects::BlobController }
- it 'does not add CSP directives' do
- is_expected.to be_blank
- end
- end
-
- describe 'when a CSP config exists for connect-src' do
- include_context 'csp config', :connect_src
+ subject do
+ visit project_blob_path(project, File.join('master', 'README.md'))
- context 'when sourcegraph enabled' do
- it 'appends to connect-src' do
- is_expected.to eql("connect-src #{default_csp_values} #{sourcegraph_url}")
- end
+ response_headers['Content-Security-Policy']
end
- context 'when sourcegraph disabled' do
- let(:sourcegraph_enabled) { false }
-
- it 'keeps original connect-src' do
- is_expected.to eql("connect-src #{default_csp_values}")
- end
- end
- end
-
- describe 'when a CSP config exists for default-src but not connect-src' do
- include_context 'csp config', :default_src
-
- context 'when sourcegraph enabled' do
- it 'uses default-src values in connect-src' do
- is_expected.to eql("default-src #{default_csp_values}; connect-src #{default_csp_values} #{sourcegraph_url}")
- end
- end
-
- context 'when sourcegraph disabled' do
- let(:sourcegraph_enabled) { false }
-
- it 'does not add connect-src' do
- is_expected.to eql("default-src #{default_csp_values}")
- end
- end
- end
-
- describe 'when a CSP config exists for font-src but not connect-src' do
- include_context 'csp config', :font_src
-
- context 'when sourcegraph enabled' do
- it 'uses default-src values in connect-src' do
- is_expected.to eql("font-src #{default_csp_values}; connect-src #{sourcegraph_url}")
- end
- end
-
- context 'when sourcegraph disabled' do
- let(:sourcegraph_enabled) { false }
+ before do
+ allow(Gitlab::CurrentSettings).to receive(:sourcegraph_url).and_return(whitelisted_url)
+ allow(Gitlab::CurrentSettings).to receive(:sourcegraph_enabled).and_return(true)
- it 'does not add connect-src' do
- is_expected.to eql("font-src #{default_csp_values}")
- end
+ sign_in(user)
end
end
end
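Review bot: `let_it_be(:whitelisted_url)` and `let_it_be(:extended_controller_class)` wrap a frozen string and a constant class in a before-all memoisation that buys nothing here; `let_it_be` is intended for database records that are expensive to recreate, and a plain `let(:whitelisted_url) { 'https://sourcegraph.test' }` / `let(:extended_controller_class) { Projects::BlobController }` reads as the ordinary per-example definition it is. This is a point of style only; the expectations themselves are unchanged by the move into the shared example. The new spec file in the first hunk of this commit uses the same construction.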
diff --git a/spec/support/shared_examples/csp.rb b/spec/support/shared_examples/csp.rb
new file mode 100644
index 00000000000..10c4158522f
--- /dev/null
+++ b/spec/support/shared_examples/csp.rb
@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+RSpec.shared_examples 'setting CSP connect-src' do
+ let_it_be(:default_csp_values) { "'self' https://some-cdn.test" }
+
+ shared_context 'csp config' do |csp_rule|
+ before do
+ csp = ActionDispatch::ContentSecurityPolicy.new do |p|
+ p.send(csp_rule, default_csp_values) if csp_rule
+ end
+
+ expect_next_instance_of(extended_controller_class) do |controller|
+ expect(controller).to receive(:current_content_security_policy).and_return(csp)
+ end
+ end
+ end
+
+ context 'when no CSP config' do
+ include_context 'csp config', nil
+
+ it 'does not add CSP directives' do
+ is_expected.to be_blank
+ end
+ end
+
+ describe 'when a CSP config exists for connect-src' do
+ include_context 'csp config', :connect_src
+
+ context 'when feature is enabled' do
+ it 'appends to connect-src' do
+ is_expected.to eql("connect-src #{default_csp_values} #{whitelisted_url}")
+ end
+ end
+
+ context 'when feature is disabled' do
+ include_context 'disable feature'
+
+ it 'keeps original connect-src' do
+ is_expected.to eql("connect-src #{default_csp_values}")
+ end
+ end
+ end
+
+ describe 'when a CSP config exists for default-src but not connect-src' do
+ include_context 'csp config', :default_src
+
+ context 'when feature is enabled' do
+ it 'uses default-src values in connect-src' do
+ is_expected.to eql("default-src #{default_csp_values}; connect-src #{default_csp_values} #{whitelisted_url}")
+ end
+ end
+
+ context 'when feature is disabled' do
+ include_context 'disable feature'
+
+ it 'does not add connect-src' do
+ is_expected.to eql("default-src #{default_csp_values}")
+ end
+ end
+ end
+
+ describe 'when a CSP config exists for font-src but not connect-src' do
+ include_context 'csp config', :font_src
+
+ context 'when feature is enabled' do
+ it 'uses default-src values in connect-src' do
+ is_expected.to eql("font-src #{default_csp_values}; connect-src #{whitelisted_url}")
+ end
+ end
+
+ context 'when feature is disabled' do
+ include_context 'disable feature'
+
+ it 'does not add connect-src' do
+ is_expected.to eql("font-src #{default_csp_values}")
+ end
+ end
+ end
+end
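Review bot: The shared example depends on three things the including spec must define but nothing documents them: `whitelisted_url`, `extended_controller_class`, a `subject` returning the `Content-Security-Policy` header, and a shared context named `'disable feature'` (used at lines 204, 222 and 240); a header comment above `RSpec.shared_examples` listing those requirements would stop the next consumer from discovering them through `NameError` at run time. On line 177 `p.send(csp_rule, default_csp_values)` could be `p.public_send(csp_rule, default_csp_values)`, since `connect_src`/`default_src`/`font_src` are public directive setters and `public_send` makes that intent explicit. Note also that the font-src case on line 235 pins a resulting `connect-src` containing only the whitelisted URL and no `'self'`; if that is the intended behaviour of the code under test a comment should say so, because a `connect-src` without `'self'` restricts same-origin fetches that were previously unrestricted.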