Diffstat (limited to 'spec/controllers/oauth/jira_dvcs/authorizations_controller_spec.rb')
-rw-r--r--spec/controllers/oauth/jira_dvcs/authorizations_controller_spec.rb40
1 files changed, 28 insertions, 12 deletions
diff --git a/spec/controllers/oauth/jira_dvcs/authorizations_controller_spec.rb b/spec/controllers/oauth/jira_dvcs/authorizations_controller_spec.rb
index 496ef7859f9..3d271a22f27 100644
--- a/spec/controllers/oauth/jira_dvcs/authorizations_controller_spec.rb
+++ b/spec/controllers/oauth/jira_dvcs/authorizations_controller_spec.rb
@@ -2,24 +2,40 @@
require 'spec_helper'
-RSpec.describe Oauth::JiraDvcs::AuthorizationsController do
+RSpec.describe Oauth::JiraDvcs::AuthorizationsController, feature_category: :integrations do
+ let_it_be(:application) { create(:oauth_application, redirect_uri: 'https://example.com/callback') }
+
describe 'GET new' do
it 'redirects to OAuth authorization with correct params' do
- get :new, params: { client_id: 'client-123', scope: 'foo', redirect_uri: 'http://example.com/' }
+ get :new, params: { client_id: application.uid, scope: 'foo', redirect_uri: 'https://example.com/callback' }
- expect(response).to redirect_to(oauth_authorization_url(client_id: 'client-123',
- response_type: 'code',
- scope: 'foo',
- redirect_uri: oauth_jira_dvcs_callback_url))
+ expect(response).to redirect_to(oauth_authorization_url(
+ client_id: application.uid,
+ response_type: 'code',
+ scope: 'foo',
+ redirect_uri: oauth_jira_dvcs_callback_url))
end
it 'replaces the GitHub "repo" scope with "api"' do
- get :new, params: { client_id: 'client-123', scope: 'repo', redirect_uri: 'http://example.com/' }
+ get :new, params: { client_id: application.uid, scope: 'repo', redirect_uri: 'https://example.com/callback' }
+
+ expect(response).to redirect_to(oauth_authorization_url(
+ client_id: application.uid,
+ response_type: 'code',
+ scope: 'api',
+ redirect_uri: oauth_jira_dvcs_callback_url))
+ end
+
+ it 'returns 404 with an invalid client' do
+ get :new, params: { client_id: 'client-123', scope: 'foo', redirect_uri: 'https://example.com/callback' }
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+
+ it 'returns 403 with an incorrect redirect_uri' do
+ get :new, params: { client_id: application.uid, scope: 'foo', redirect_uri: 'http://unsafe-website.com/callback' }
- expect(response).to redirect_to(oauth_authorization_url(client_id: 'client-123',
- response_type: 'code',
- scope: 'api',
- redirect_uri: oauth_jira_dvcs_callback_url))
+ expect(response).to have_gitlab_http_status(:forbidden)
end
end
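Review bot: The new `returns 403 with an incorrect redirect_uri` example only exercises a redirect_uri on a completely different host (`http://unsafe-website.com/callback`), so it would still pass if the controller compared by prefix or ignored the scheme; an example that alters just one component of the registered `https://example.com/callback` would pin exact-match semantics, e.g. `get :new, params: { client_id: application.uid, scope: 'foo', redirect_uri: 'http://example.com/callback' }` followed by `expect(response).to have_gitlab_http_status(:forbidden)`. The two happy-path examples also only assert the redirect target and do not check that a mismatched redirect_uri never reaches `oauth_authorization_url`, which the added 403 case now covers, so this is the one gap left in `describe 'GET new'`. The enclosing `RSpec.describe` block continues past this hunk into the `access_token` examples, where the same invalid-client behaviour does not appear to be asserted.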
@@ -47,7 +63,7 @@ RSpec.describe Oauth::JiraDvcs::AuthorizationsController do
double(status: :ok, body: { 'access_token' => 'fake-123', 'scope' => 'foo', 'token_type' => 'bar' })
end
- post :access_token, params: { code: 'code-123', client_id: 'client-123', client_secret: 'secret-123' }
+ post :access_token, params: { code: 'code-123', client_id: application.uid, client_secret: 'secret-123' }
expect(response.body).to eq('access_token=fake-123&scope=foo&token_type=bar')
end