path: root/spec/requests/groups/observability_controller_spec.rb
authorGitLab Bot <gitlab-bot@gitlab.com>2022-09-19 23:18:09 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-09-19 23:18:09 +0000
commit6ed4ec3e0b1340f96b7c043ef51d1b33bbe85fde (patch)
treedc4d20fe6064752c0bd323187252c77e0a89144b /spec/requests/groups/observability_controller_spec.rb
parent9868dae7fc0655bd7ce4a6887d4e6d487690eeed (diff)
downloadgitlab-ce-6ed4ec3e0b1340f96b7c043ef51d1b33bbe85fde.tar.gz
Add latest changes from gitlab-org/gitlab@15-4-stable-eev15.4.0-rc42
Diffstat (limited to 'spec/requests/groups/observability_controller_spec.rb')
-rw-r--r--spec/requests/groups/observability_controller_spec.rb190
1 files changed, 190 insertions, 0 deletions
diff --git a/spec/requests/groups/observability_controller_spec.rb b/spec/requests/groups/observability_controller_spec.rb
new file mode 100644
index 00000000000..9be013d4385
--- /dev/null
+++ b/spec/requests/groups/observability_controller_spec.rb
@@ -0,0 +1,190 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Groups::ObservabilityController do
+ include ContentSecurityPolicyHelpers
+
+ let_it_be(:group) { create(:group) }
+ let_it_be(:user) { create(:user) }
+
+ subject do
+ get group_observability_index_path(group)
+ response
+ end
+
+ describe 'GET #index' do
+ context 'when user is not authenticated' do
+ it 'returns 404' do
+ expect(subject).to have_gitlab_http_status(:not_found)
+ end
+ end
+
+ context 'when observability url is missing' do
+ before do
+ allow(described_class).to receive(:observability_url).and_return("")
+ end
+
+ it 'returns 404' do
+ expect(subject).to have_gitlab_http_status(:not_found)
+ end
+ end
+
+ context 'when user is not a developer' do
+ before do
+ sign_in(user)
+ end
+
+ it 'returns 404' do
+ expect(subject).to have_gitlab_http_status(:not_found)
+ end
+ end
+
+ context 'when user is authenticated and a developer' do
+ before do
+ sign_in(user)
+ group.add_developer(user)
+ end
+
+ it 'returns 200' do
+ expect(subject).to have_gitlab_http_status(:ok)
+ end
+
+ it 'renders the proper layout' do
+ expect(subject).to render_template("layouts/group")
+ expect(subject).to render_template("layouts/fullscreen")
+ expect(subject).not_to render_template('layouts/nav/breadcrumbs')
+ expect(subject).to render_template("nav/sidebar/_group")
+ end
+
+ describe 'iframe' do
+ subject do
+ get group_observability_index_path(group)
+ Nokogiri::HTML.parse(response.body).at_css('iframe#observability-ui-iframe')
+ end
+
+ it 'sets the iframe src to the proper URL' do
+ expect(subject.attributes['src'].value).to eq("https://observe.gitlab.com/-/#{group.id}")
+ end
+
+ it 'when the env is staging, sets the iframe src to the proper URL' do
+ stub_config_setting(url: Gitlab::Saas.staging_com_url)
+ expect(subject.attributes['src'].value).to eq("https://staging.observe.gitlab.com/-/#{group.id}")
+ end
+
+ it 'overrides the iframe src url if specified by OVERRIDE_OBSERVABILITY_URL env' do
+ stub_env('OVERRIDE_OBSERVABILITY_URL', 'http://foo.test')
+
+ expect(subject.attributes['src'].value).to eq("http://foo.test/-/#{group.id}")
+ end
+ end
+
+ describe 'CSP' do
+ before do
+ setup_existing_csp_for_controller(described_class, csp)
+ end
+
+ subject do
+ get group_observability_index_path(group)
+ response.headers['Content-Security-Policy']
+ end
+
+ context 'when there is no CSP config' do
+ let(:csp) { ActionDispatch::ContentSecurityPolicy.new }
+
+ it 'does not add any csp header' do
+ expect(subject).to be_blank
+ end
+ end
+
+ context 'when frame-src exists in the CSP config' do
+ let(:csp) do
+ ActionDispatch::ContentSecurityPolicy.new do |p|
+ p.frame_src 'https://something.test'
+ end
+ end
+
+ it 'appends the proper url to frame-src CSP directives' do
+ expect(subject).to include(
+ "frame-src https://something.test https://observe.gitlab.com 'self'")
+ end
+
+ it 'appends the proper url to frame-src CSP directives when Gilab.staging?' do
+ stub_config_setting(url: Gitlab::Saas.staging_com_url)
+
+ expect(subject).to include(
+ "frame-src https://something.test https://staging.observe.gitlab.com 'self'")
+ end
+
+ it 'appends the proper url to frame-src CSP directives when OVERRIDE_OBSERVABILITY_URL is specified' do
+ stub_env('OVERRIDE_OBSERVABILITY_URL', 'http://foo.test')
+
+ expect(subject).to include(
+ "frame-src https://something.test http://foo.test 'self'")
+ end
+ end
+
+ context 'when self is already present in the policy' do
+ let(:csp) do
+ ActionDispatch::ContentSecurityPolicy.new do |p|
+ p.frame_src "'self'"
+ end
+ end
+
+ it 'does not append self again' do
+ expect(subject).to include(
+ "frame-src 'self' https://observe.gitlab.com;")
+ end
+ end
+
+ context 'when default-src exists in the CSP config' do
+ let(:csp) do
+ ActionDispatch::ContentSecurityPolicy.new do |p|
+ p.default_src 'https://something.test'
+ end
+ end
+
+ it 'does not change default-src' do
+ expect(subject).to include(
+ "default-src https://something.test;")
+ end
+
+ it 'appends the proper url to frame-src CSP directives' do
+ expect(subject).to include(
+ "frame-src https://something.test https://observe.gitlab.com 'self'")
+ end
+
+ it 'appends the proper url to frame-src CSP directives when Gilab.staging?' do
+ stub_config_setting(url: Gitlab::Saas.staging_com_url)
+
+ expect(subject).to include(
+ "frame-src https://something.test https://staging.observe.gitlab.com 'self'")
+ end
+
+ it 'appends the proper url to frame-src CSP directives when OVERRIDE_OBSERVABILITY_URL is specified' do
+ stub_env('OVERRIDE_OBSERVABILITY_URL', 'http://foo.test')
+
+ expect(subject).to include(
+ "frame-src https://something.test http://foo.test 'self'")
+ end
+ end
+
+ context 'when frame-src and default-src exist in the CSP config' do
+ let(:csp) do
+ ActionDispatch::ContentSecurityPolicy.new do |p|
+ p.default_src 'https://something_default.test'
+ p.frame_src 'https://something.test'
+ end
+ end
+
+ it 'appends to frame-src CSP directives' do
+ expect(subject).to include(
+ "frame-src https://something.test https://observe.gitlab.com 'self'")
+ expect(subject).to include(
+ "default-src https://something_default.test")
+ end
+ end
+ end
+ end
+ end
+end
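Review bot: The `OVERRIDE_OBSERVABILITY_URL` examples at L97–L101, L141–L146 and L186–L191 only exercise a well-formed `http://foo.test`, so nothing in this spec pins what happens when the override is malformed or scheme-less, even though the same value ends up both in the iframe `src` and in the `frame-src` CSP directive. Presumably `observability_url` is what reads that env var (the controller is not in this diff), so one more example such as `stub_env('OVERRIDE_OBSERVABILITY_URL', 'not a url')` asserting a 404 or an unchanged CSP header would document that the override is validated before it widens the policy. The `'when observability url is missing'` context at L45–L53 stubs `observability_url` to `""` only; a `nil` return deserves its own example since that is the likelier result when the variable is unset. As a point of style, the descriptions at L134 and L179 misspell `Gitlab.staging?` as `Gilab.staging?`.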