3 files changed, 118 insertions, 10 deletions

diff --git a/spec/controllers/application_controller_spec.rb b/spec/controllers/application_controller_spec.rb
index 84bbbac39b0..0b3833e6515 100644
--- a/spec/controllers/application_controller_spec.rb
+++ b/spec/controllers/application_controller_spec.rb
@@ -641,24 +641,32 @@ describe ApplicationController do
         end
       end
 
-      it 'does not set a custom header' do
+      it 'sets a custom header' do
         get :index, format: :json
 
-        expect(response.headers['X-GitLab-Custom-Error']).to be_nil
+        expect(response.headers['X-GitLab-Custom-Error']).to eq '1'
       end
-    end
 
-    context 'given a json response for an html request' do
-      controller do
-        def index
-          render json: {}, status: :unprocessable_entity
+      context 'for html request' do
+        it 'sets a custom header' do
+          get :index
+
+          expect(response.headers['X-GitLab-Custom-Error']).to eq '1'
         end
       end
 
-      it 'does not set a custom header' do
-        get :index
+      context 'for 200 response' do
+        controller do
+          def index
+            render json: {}, status: :ok
+          end
+        end
 
-        expect(response.headers['X-GitLab-Custom-Error']).to be_nil
+        it 'does not set a custom header' do
+          get :index, format: :json
+
+          expect(response.headers['X-GitLab-Custom-Error']).to be_nil
+        end
       end
     end
   end
diff --git a/spec/controllers/projects/cycle_analytics_controller_spec.rb b/spec/controllers/projects/cycle_analytics_controller_spec.rb
index 2dc97e18113..5e6ceef2517 100644
--- a/spec/controllers/projects/cycle_analytics_controller_spec.rb
+++ b/spec/controllers/projects/cycle_analytics_controller_spec.rb
@@ -11,6 +11,20 @@ describe Projects::CycleAnalyticsController do
     project.add_maintainer(user)
   end
 
+  context "counting page views for 'show'" do
+    it 'increases the counter' do
+      expect(Gitlab::UsageDataCounters::CycleAnalyticsCounter).to receive(:count).with(:views)
+
+      get(:show,
+          params: {
+            namespace_id: project.namespace,
+            project_id: project
+          })
+
+      expect(response).to be_success
+    end
+  end
+
   describe 'cycle analytics not set up flag' do
     context 'with no data' do
       it 'is true' do
diff --git a/spec/controllers/registrations_controller_spec.rb b/spec/controllers/registrations_controller_spec.rb
index faf3c990cb2..d05482f095e 100644
--- a/spec/controllers/registrations_controller_spec.rb
+++ b/spec/controllers/registrations_controller_spec.rb
@@ -5,6 +5,10 @@ require 'spec_helper'
 describe RegistrationsController do
   include TermsHelper
 
+  before do
+    stub_feature_flags(invisible_captcha: false)
+  end
+
   describe '#create' do
     let(:base_user_params) { { name: 'new_user', username: 'new_username', email: 'new@user.com', password: 'Any_password' } }
     let(:user_params) { { user: base_user_params } }
@@ -88,6 +92,88 @@ describe RegistrationsController do
       end
     end
 
+    context 'when invisible captcha is enabled' do
+      before do
+        stub_feature_flags(invisible_captcha: true)
+        InvisibleCaptcha.timestamp_threshold = treshold
+      end
+
+      let(:treshold) { 4 }
+      let(:session_params) { { invisible_captcha_timestamp: form_rendered_time.iso8601 } }
+      let(:form_rendered_time) { Time.current }
+      let(:submit_time) { form_rendered_time + treshold }
+      let(:auth_log_attributes) do
+        {
+          message: auth_log_message,
+          env: :invisible_captcha_signup_bot_detected,
+          ip: '0.0.0.0',
+          request_method: 'POST',
+          fullpath: '/users'
+        }
+      end
+
+      describe 'the honeypot has not been filled and the signup form has not been submitted too quickly' do
+        it 'creates an account' do
+          travel_to(submit_time) do
+            expect { post(:create, params: user_params, session: session_params) }.to change(User, :count).by(1)
+          end
+        end
+      end
+
+      describe 'honeypot spam detection' do
+        let(:user_params) { super().merge(firstname: 'Roy', lastname: 'Batty') }
+        let(:auth_log_message) { 'Invisible_Captcha_Honeypot_Request' }
+
+        it 'logs the request, refuses to create an account and renders an empty body' do
+          travel_to(submit_time) do
+            expect(Gitlab::Metrics).to receive(:counter)
+              .with(:bot_blocked_by_invisible_captcha_honeypot, 'Counter of blocked sign up attempts with filled honeypot')
+              .and_call_original
+            expect(Gitlab::AuthLogger).to receive(:error).with(auth_log_attributes).once
+            expect { post(:create, params: user_params, session: session_params) }.not_to change(User, :count)
+            expect(response).to have_gitlab_http_status(200)
+            expect(response.body).to be_empty
+          end
+        end
+      end
+
+      describe 'timestamp spam detection' do
+        let(:auth_log_message) { 'Invisible_Captcha_Timestamp_Request' }
+
+        context 'the sign up form has been submitted without the invisible_captcha_timestamp parameter' do
+          let(:session_params) { nil }
+
+          it 'logs the request, refuses to create an account and displays a flash alert' do
+            travel_to(submit_time) do
+              expect(Gitlab::Metrics).to receive(:counter)
+                .with(:bot_blocked_by_invisible_captcha_timestamp, 'Counter of blocked sign up attempts with invalid timestamp')
+                .and_call_original
+              expect(Gitlab::AuthLogger).to receive(:error).with(auth_log_attributes).once
+              expect { post(:create, params: user_params, session: session_params) }.not_to change(User, :count)
+              expect(response).to redirect_to(new_user_session_path)
+              expect(flash[:alert]).to include 'That was a bit too quick! Please resubmit.'
+            end
+          end
+        end
+
+        context 'the sign up form has been submitted too quickly' do
+          let(:submit_time) { form_rendered_time }
+
+          it 'logs the request, refuses to create an account and displays a flash alert' do
+            travel_to(submit_time) do
+              expect(Gitlab::Metrics).to receive(:counter)
+                .with(:bot_blocked_by_invisible_captcha_timestamp, 'Counter of blocked sign up attempts with invalid timestamp')
+                .and_call_original
+              expect(Gitlab::AuthLogger).to receive(:error).with(auth_log_attributes).once
+              expect { post(:create, params: user_params, session: session_params) }.not_to change(User, :count)
+              expect(response).to redirect_to(new_user_session_path)
+              expect(flash[:alert]).to include 'That was a bit too quick! Please resubmit.'
+            end
+          end
+        end
+      end
+    end
+
     context 'when terms are enforced' do
       before do
         enforce_terms