# frozen_string_literal: true

# Verifies that the proper CSP rules for the Observability UI are applied to a given controller/path
#
# The path under test needs to be declared with `let(:tested_path) { ... }` in the context including this example
#
# ```
#   it_behaves_like "observability csp policy" do
#     let(:tested_path) { ....the path under test }
#   end
# ```
#
# It optionally supports specifying the controller class handling the tested path as a parameter, e.g.
#
# ```
#   it_behaves_like "observability csp policy", Groups::ObservabilityController
# ```
# (If not specified it will default to `described_class`)
#
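RSpec.shared_examples 'observability csp policy' do |controller_class = described_class|
  include ContentSecurityPolicyHelpers

  # The three origins the Observability CSP concern is expected to add to `frame-src`:
  # the Observability UI itself plus the GitLab sign-in and OAuth authorize paths.
  # NOTE(review): presumably the embedded UI has to frame those two GitLab pages to
  # authenticate — confirm against the controller concern before relying on this.
  let(:observability_url) { Gitlab::Observability.observability_url }
  let(:signin_url) { Gitlab::Utils.append_path(Gitlab.config.gitlab.url, '/users/sign_in') }
  let(:oauth_url) { Gitlab::Utils.append_path(Gitlab.config.gitlab.url, '/oauth/authorize') }

  # `csp` is the policy the controller starts from; every context below defines it.
  # `any_time:` semantics are defined in ContentSecurityPolicyHelpers.
  before do
    setup_csp_for_controller(controller_class, csp, any_time: true)
  end

  # The raw Content-Security-Policy header emitted for the path under test.
  subject(:csp_header) do
    get tested_path
    response.headers['Content-Security-Policy']
  end

  # Builds a matcher for a `frame-src` directive that contains exactly `sources`, in that
  # order, and nothing else: the directive must be followed by `;` (another directive) or
  # end the header. A plain substring check without a terminator would still pass if an
  # unexpected extra origin were appended after the last expected source — which is
  # precisely the regression a CSP test exists to catch.
  def frame_src_directive(*sources)
    escaped = sources.map { |source| Regexp.escape(source) }.join(' ')
    /frame-src #{escaped}(?:;|\z)/
  end

  context 'when there is no CSP config' do
    let(:csp) { ActionDispatch::ContentSecurityPolicy.new }

    it 'does not add any csp header' do
      # With no directives configured the concern must not introduce a policy of its own.
      expect(csp_header).to be_blank
    end
  end

  context 'when frame-src exists in the CSP config' do
    let(:csp) do
      ActionDispatch::ContentSecurityPolicy.new do |policy|
        policy.frame_src 'https://something.test'
      end
    end

    it 'appends the proper url to frame-src CSP directives' do
      expect(csp_header).to match(
        frame_src_directive('https://something.test', observability_url, signin_url, oauth_url))
    end
  end

  context 'when signin is already present in the policy' do
    let(:csp) do
      ActionDispatch::ContentSecurityPolicy.new do |policy|
        policy.frame_src signin_url
      end
    end

    it 'does not append signin again' do
      # The pre-existing source keeps its position; only the missing ones are appended.
      expect(csp_header).to match(
        frame_src_directive(signin_url, observability_url, oauth_url))
    end
  end

  context 'when oauth is already present in the policy' do
    let(:csp) do
      ActionDispatch::ContentSecurityPolicy.new do |policy|
        policy.frame_src oauth_url
      end
    end

    it 'does not append oauth again' do
      expect(csp_header).to match(
        frame_src_directive(oauth_url, observability_url, signin_url))
    end
  end

  context 'when default-src exists in the CSP config' do
    let(:csp) do
      ActionDispatch::ContentSecurityPolicy.new do |policy|
        policy.default_src 'https://something.test'
      end
    end

    it 'does not change default-src' do
      expect(csp_header).to include(
        "default-src https://something.test;")
    end

    it 'appends the proper url to frame-src CSP directives' do
      # Without an explicit frame-src, the expected frame-src starts from the default-src
      # sources so that adding the Observability origins does not silently drop them.
      expect(csp_header).to match(
        frame_src_directive('https://something.test', observability_url, signin_url, oauth_url))
    end
  end

  context 'when frame-src and default-src exist in the CSP config' do
    let(:csp) do
      ActionDispatch::ContentSecurityPolicy.new do |policy|
        policy.default_src 'https://something_default.test'
        policy.frame_src 'https://something.test'
      end
    end

    it 'appends to frame-src CSP directives' do
      # An explicit frame-src takes precedence over default-src as the base for the appended sources.
      expect(csp_header).to match(
        frame_src_directive('https://something.test', observability_url, signin_url, oauth_url))
      expect(csp_header).to include(
        "default-src https://something_default.test")
    end
  end
end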