Diffstat (limited to 'spec/requests/oauth/authorizations_controller_spec.rb')
-rw-r--r-- | spec/requests/oauth/authorizations_controller_spec.rb | 76 |
1 files changed, 76 insertions, 0 deletions
diff --git a/spec/requests/oauth/authorizations_controller_spec.rb b/spec/requests/oauth/authorizations_controller_spec.rb
new file mode 100644
index 00000000000..8d19c92865e
--- /dev/null
+++ b/spec/requests/oauth/authorizations_controller_spec.rb
@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Oauth::AuthorizationsController do
+ let_it_be(:user) { create(:user) }
+ let_it_be(:application) { create(:oauth_application, redirect_uri: 'custom://test') }
+ let_it_be(:oauth_authorization_path) do
+ Gitlab::Routing.url_helpers.oauth_authorization_url(
+ client_id: application.uid,
+ response_type: 'code',
+ scope: application.scopes,
+ redirect_uri: application.redirect_uri,
+ state: SecureRandom.hex
+ )
+ end
+
+ before do
+ sign_in(user)
+ end
+
+ describe 'GET #new' do
+ context 'when application redirect URI has a custom scheme' do
+ context 'when CSP is disabled' do
+ before do
+ allow_next_instance_of(ActionDispatch::Request) do |instance|
+ allow(instance).to receive(:content_security_policy).and_return(nil)
+ end
+ end
+
+ it 'does not add a CSP' do
+ get oauth_authorization_path
+
+ expect(response.headers['Content-Security-Policy']).to be_nil
+ end
+ end
+
+ context 'when CSP contains form-action' do
+ before do
+ csp = ActionDispatch::ContentSecurityPolicy.new do |p|
+ p.form_action "'self'"
+ end
+
+ allow_next_instance_of(ActionDispatch::Request) do |instance|
+ allow(instance).to receive(:content_security_policy).and_return(csp)
+ end
+ end
+
+ it 'adds custom scheme to CSP form-action' do
+ get oauth_authorization_path
+
+ expect(response.headers['Content-Security-Policy']).to include("form-action 'self' custom:")
+ end
+ end
+
+ context 'when CSP does not contain form-action' do
+ before do
+ csp = ActionDispatch::ContentSecurityPolicy.new do |p|
+ p.script_src :self, 'https://some-cdn.test'
+ p.style_src :self, 'https://some-cdn.test'
+ end
+
+ allow_next_instance_of(ActionDispatch::Request) do |instance|
+ allow(instance).to receive(:content_security_policy).and_return(csp)
+ end
+ end
+
+ it 'does not add form-action to the CSP' do
+ get oauth_authorization_path
+
+ expect(response.headers['Content-Security-Policy']).not_to include('form-action')
+ end
+ end
+ end
+ end
+end |
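Review bot: The custom-scheme cases are covered, but there is no negative case showing that a redirect URI on a standard scheme such as https leaves form-action untouched, so a regression that appends every redirect scheme to the policy would still pass this spec. Note that `oauth_authorization_path` is a `let_it_be`, so it is built once from the shared `application`; a per-context `let(:application)` override would not change the URL it requests, and the new context needs its own URL (or the helper switched to `let`). The exact expectation for the https case depends on the controller, which is outside this hunk, so the assertion below is a placeholder to confirm against it. As a point of style, `oauth_authorization_path` is built with `oauth_authorization_url` and therefore holds a full URL; naming it `oauth_authorization_url` would avoid confusion with Rails' `*_path` helpers.
```ruby
# … unchanged: custom-scheme contexts …
context 'when application redirect URI uses a standard scheme' do
  # constructed sample redirect URI
  let(:https_application) { create(:oauth_application, redirect_uri: 'https://redirect.example.test') }
  let(:https_authorization_url) do
    Gitlab::Routing.url_helpers.oauth_authorization_url(
      client_id: https_application.uid,
      response_type: 'code',
      scope: https_application.scopes,
      redirect_uri: https_application.redirect_uri,
      state: SecureRandom.hex
    )
  end

  before do
    csp = ActionDispatch::ContentSecurityPolicy.new { |p| p.form_action "'self'" }

    allow_next_instance_of(ActionDispatch::Request) do |instance|
      allow(instance).to receive(:content_security_policy).and_return(csp)
    end
  end

  it 'does not widen CSP form-action' do
    get https_authorization_url

    # TODO(review): confirm the intended form-action value for standard schemes against the controller
    expect(response.headers['Content-Security-Policy']).to include("form-action 'self'")
  end
end
```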