Diffstat (limited to 'spec/requests/groups/observability_controller_spec.rb')
-rw-r--r-- | spec/requests/groups/observability_controller_spec.rb | 96 |
1 files changed, 10 insertions, 86 deletions
diff --git a/spec/requests/groups/observability_controller_spec.rb b/spec/requests/groups/observability_controller_spec.rb
index a08231fe939..46690d60539 100644
--- a/spec/requests/groups/observability_controller_spec.rb
+++ b/spec/requests/groups/observability_controller_spec.rb
@@ -2,14 +2,13 @@
 require 'spec_helper'
-RSpec.describe Groups::ObservabilityController do
- include ContentSecurityPolicyHelpers
-
+RSpec.describe Groups::ObservabilityController, feature_category: :tracing do
 let_it_be(:group) { create(:group) }
 let_it_be(:user) { create(:user) }
 let(:observability_url) { Gitlab::Observability.observability_url }
- let(:expected_observability_path) { "/" }
+ let(:path) { nil }
+ let(:expected_observability_path) { nil }
 shared_examples 'observability route request' do
 subject do
@@ -17,6 +16,10 @@ RSpec.describe Groups::ObservabilityController do
 response
 end
+ it_behaves_like 'observability csp policy' do
+ let(:tested_path) { path }
+ end
+
+ context 'when user is not authenticated' do
 it 'returns 404' do
 expect(subject).to have_gitlab_http_status(:not_found)
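Review bot: The new top-level defaults `let(:path) { nil }` and `let(:expected_observability_path) { nil }` mean a describe block that forgets to override them would run the shared examples against a nil path instead of failing with a clear message. If the defaults are only there to satisfy the shared example's references, a lazily raising default such as `let(:path) { raise NotImplementedError, 'define path in the including describe block' }` makes a missing override obvious. At minimum, add a comment like `# Placeholders; every 'GET #…' block below must override both.` above the two lets. The enclosing `RSpec.describe` block continues outside this hunk.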
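Review bot: The `'observability csp policy'` shared example included here is defined outside this diff, so it is not visible whether it still asserts the five cases that the `describe 'CSP'` block removed in the last hunk covered. Those cases were: no header when there is no CSP config, the observability URL appended to frame-src, `'self'` not duplicated, default-src left unchanged, and both directives present together. These assertions guard which origins the page may frame, so parity is worth confirming before the inline tests go away. A short pointer above the include, e.g. `# CSP assertions live in the 'observability csp policy' shared example; it needs tested_path`, would tell readers where the coverage moved. The `shared_examples` block starts before and ends after this hunk.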
@@ -70,101 +73,22 @@ RSpec.describe Groups::ObservabilityController do
 describe 'GET #dashboards' do
 let(:path) { group_observability_dashboards_path(group) }
- let(:expected_observability_path) { "#{observability_url}/#{group.id}/" }
+ let(:expected_observability_path) { "#{observability_url}/-/#{group.id}/" }
 it_behaves_like 'observability route request'
 end
 describe 'GET #manage' do
 let(:path) { group_observability_manage_path(group) }
- let(:expected_observability_path) { "#{observability_url}/#{group.id}/dashboards" }
+ let(:expected_observability_path) { "#{observability_url}/-/#{group.id}/dashboards" }
 it_behaves_like 'observability route request'
 end
 describe 'GET #explore' do
 let(:path) { group_observability_explore_path(group) }
- let(:expected_observability_path) { "#{observability_url}/#{group.id}/explore" }
+ let(:expected_observability_path) { "#{observability_url}/-/#{group.id}/explore" }
 it_behaves_like 'observability route request'
 end
-
- describe 'CSP' do
- before do
- setup_csp_for_controller(described_class, csp)
- end
-
- subject do
- get group_observability_dashboards_path(group)
- response.headers['Content-Security-Policy']
- end
-
- context 'when there is no CSP config' do
- let(:csp) { ActionDispatch::ContentSecurityPolicy.new }
-
- it 'does not add any csp header' do
- expect(subject).to be_blank
- end
- end
-
- context 'when frame-src exists in the CSP config' do
- let(:csp) do
- ActionDispatch::ContentSecurityPolicy.new do |p|
- p.frame_src 'https://something.test'
- end
- end
-
- it 'appends the proper url to frame-src CSP directives' do
- expect(subject).to include(
- "frame-src https://something.test #{observability_url} 'self'")
- end
- end
-
- context 'when self is already present in the policy' do
- let(:csp) do
- ActionDispatch::ContentSecurityPolicy.new do |p|
- p.frame_src "'self'"
- end
- end
-
- it 'does not append self again' do
- expect(subject).to include(
- "frame-src 'self' #{observability_url};")
- end
- end
-
- context 'when default-src exists in the CSP config' do
- let(:csp) do
- ActionDispatch::ContentSecurityPolicy.new do |p|
- p.default_src 'https://something.test'
- end
- end
-
- it 'does not change default-src' do
- expect(subject).to include(
- "default-src https://something.test;")
- end
-
- it 'appends the proper url to frame-src CSP directives' do
- expect(subject).to include(
- "frame-src https://something.test #{observability_url} 'self'")
- end
- end
-
- context 'when frame-src and default-src exist in the CSP config' do
- let(:csp) do
- ActionDispatch::ContentSecurityPolicy.new do |p|
- p.default_src 'https://something_default.test'
- p.frame_src 'https://something.test'
- end
- end
-
- it 'appends to frame-src CSP directives' do
- expect(subject).to include(
- "frame-src https://something.test #{observability_url} 'self'")
- expect(subject).to include(
- "default-src https://something_default.test")
- end
- end
- end
 end
|
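Review bot: The expected iframe paths read as if two of them were swapped: `GET #dashboards` expects the group root `/-/#{group.id}/`, while `GET #manage` expects `/-/#{group.id}/dashboards`. The mapping predates this commit (only the `/-/` segment is new), so it is presumably intentional. If so, a comment above the first describe, e.g. `# dashboards maps to the Observability UI root, manage to its /dashboards page`, would keep a later reader from "correcting" it. The `/-/#{group.id}` prefix is also repeated in three lets now; a shared `let(:observability_group_url) { "#{observability_url}/-/#{group.id}" }` would keep them in step the next time the URL scheme changes.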