1 files changed, 123 insertions, 0 deletions
diff --git a/spec/support/shared_examples/observability/csp_shared_examples.rb b/spec/support/shared_examples/observability/csp_shared_examples.rb
new file mode 100644
index 00000000000..868d7023d14
--- /dev/null
+++ b/spec/support/shared_examples/observability/csp_shared_examples.rb
@@ -0,0 +1,123 @@
+# frozen_string_literal: true
+
+# Verifies that the proper CSP rules for Observabilty UI are applied to a given controller/path
+#
+# The path under test needs to be declared with  `let(:tested_path) { .. }` in the context including this example
+#
+# ```
+#   it_behaves_like "observability csp policy" do
+#     let(:tested_path) { ....the path under test }
+#   end
+# ```
+#
+# It optionally supports specifying the controller class handling the tested path as a parameter, e.g.
+#
+# ```
+#   it_behaves_like "observability csp policy", Groups::ObservabilityController
+# ```
+# (If not specified it will default to `described_class`)
+#
+RSpec.shared_examples 'observability csp policy' do |controller_class = described_class|
+  include ContentSecurityPolicyHelpers
+
+  let(:observability_url) { Gitlab::Observability.observability_url }
+  let(:signin_url) do
+    Gitlab::Utils.append_path(Gitlab.config.gitlab.url,
+  '/users/sign_in')
+  end
+
+  let(:oauth_url) do
+    Gitlab::Utils.append_path(Gitlab.config.gitlab.url,
+  '/oauth/authorize')
+  end
+
+  before do
+    setup_csp_for_controller(controller_class, csp, any_time: true)
+  end
+
+  subject do
+    get tested_path
+    response.headers['Content-Security-Policy']
+  end
+
+  context 'when there is no CSP config' do
+    let(:csp) { ActionDispatch::ContentSecurityPolicy.new }
+
+    it 'does not add any csp header' do
+      expect(subject).to be_blank
+    end
+  end
+
+  context 'when frame-src exists in the CSP config' do
+    let(:csp) do
+      ActionDispatch::ContentSecurityPolicy.new do |p|
+        p.frame_src 'https://something.test'
+      end
+    end
+
+    it 'appends the proper url to frame-src CSP directives' do
+      expect(subject).to include(
+        "frame-src https://something.test #{observability_url} #{signin_url} #{oauth_url}")
+    end
+  end
+
+  context 'when signin is already present in the policy' do
+    let(:csp) do
+      ActionDispatch::ContentSecurityPolicy.new do |p|
+        p.frame_src signin_url
+      end
+    end
+
+    it 'does not append signin again' do
+      expect(subject).to include(
+        "frame-src #{signin_url} #{observability_url} #{oauth_url};")
+    end
+  end
+
+  context 'when oauth is already present in the policy' do
+    let(:csp) do
+      ActionDispatch::ContentSecurityPolicy.new do |p|
+        p.frame_src oauth_url
+      end
+    end
+
+    it 'does not append oauth again' do
+      expect(subject).to include(
+        "frame-src #{oauth_url} #{observability_url} #{signin_url};")
+    end
+  end
+
+  context 'when default-src exists in the CSP config' do
+    let(:csp) do
+      ActionDispatch::ContentSecurityPolicy.new do |p|
+        p.default_src 'https://something.test'
+      end
+    end
+
+    it 'does not change default-src' do
+      expect(subject).to include(
+        "default-src https://something.test;")
+    end
+
+    it 'appends the proper url to frame-src CSP directives' do
+      expect(subject).to include(
+        "frame-src https://something.test #{observability_url} #{signin_url} #{oauth_url}")
+    end
+  end
+
+  context 'when frame-src and default-src exist in the CSP config' do
+    let(:csp) do
+      ActionDispatch::ContentSecurityPolicy.new do |p|
+        p.default_src 'https://something_default.test'
+        p.frame_src 'https://something.test'
+      end
+    end
+
+    it 'appends to frame-src CSP directives' do
+      expect(subject).to include(
+        "frame-src https://something.test #{observability_url} #{signin_url} #{oauth_url}")
+      expect(subject).to include(
+        "default-src https://something_default.test")
+    end
+  end
+end