1 files changed, 110 insertions, 0 deletions

diff --git a/spec/requests/openid_connect_spec.rb b/spec/requests/openid_connect_spec.rb
index 7b682d76150..5bf786f2290 100644
--- a/spec/requests/openid_connect_spec.rb
+++ b/spec/requests/openid_connect_spec.rb
@@ -41,6 +41,8 @@ RSpec.describe 'OpenID Connect requests' do
     }
   end
 
+  let(:cors_request_headers) { { 'Origin' => 'http://notgitlab.com' } }
+
   def request_access_token!
     login_as user
 
@@ -81,6 +83,24 @@ RSpec.describe 'OpenID Connect requests' do
     end
   end
 
+  shared_examples 'cross-origin GET request' do
+    it 'allows cross-origin request' do
+      expect(response.headers['Access-Control-Allow-Origin']).to eq '*'
+      expect(response.headers['Access-Control-Allow-Methods']).to eq 'GET, HEAD'
+      expect(response.headers['Access-Control-Allow-Headers']).to be_nil
+      expect(response.headers['Access-Control-Allow-Credentials']).to be_nil
+    end
+  end
+
+  shared_examples 'cross-origin GET and POST request' do
+    it 'allows cross-origin request' do
+      expect(response.headers['Access-Control-Allow-Origin']).to eq '*'
+      expect(response.headers['Access-Control-Allow-Methods']).to eq 'GET, HEAD, POST'
+      expect(response.headers['Access-Control-Allow-Headers']).to be_nil
+      expect(response.headers['Access-Control-Allow-Credentials']).to be_nil
+    end
+  end
+
   context 'Application with OpenID scope' do
     let(:application) { create :oauth_application, scopes: 'openid' }
 
@@ -180,6 +200,51 @@ RSpec.describe 'OpenID Connect requests' do
         expect(response).to redirect_to('/users/sign_in')
       end
     end
+
+    context 'OpenID Discovery keys' do
+      context 'with a cross-origin request' do
+        before do
+          get '/oauth/discovery/keys', headers: cors_request_headers
+        end
+
+        it 'returns data' do
+          expect(response).to have_gitlab_http_status(:ok)
+        end
+
+        it_behaves_like 'cross-origin GET request'
+      end
+
+      context 'with a cross-origin preflight OPTIONS request' do
+        before do
+          options '/oauth/discovery/keys', headers: cors_request_headers
+        end
+
+        it_behaves_like 'cross-origin GET request'
+      end
+    end
+
+    context 'OpenID WebFinger endpoint' do
+      context 'with a cross-origin request' do
+        before do
+          get '/.well-known/webfinger', headers: cors_request_headers, params: { resource: 'user@example.com' }
+        end
+
+        it 'returns data' do
+          expect(response).to have_gitlab_http_status(:ok)
+          expect(json_response['subject']).to eq('user@example.com')
+        end
+
+        it_behaves_like 'cross-origin GET request'
+      end
+    end
+
+    context 'with a cross-origin preflight OPTIONS request' do
+      before do
+        options '/.well-known/webfinger', headers: cors_request_headers, params: { resource: 'user@example.com' }
+      end
+
+      it_behaves_like 'cross-origin GET request'
+    end
   end
 
   context 'OpenID configuration information' do
@@ -191,6 +256,27 @@ RSpec.describe 'OpenID Connect requests' do
       expect(json_response['jwks_uri']).to eq('http://www.example.com/oauth/discovery/keys')
       expect(json_response['scopes_supported']).to eq(%w[api read_user read_api read_repository write_repository sudo openid profile email])
     end
+
+    context 'with a cross-origin request' do
+      before do
+        get '/.well-known/openid-configuration', headers: cors_request_headers
+
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(json_response['issuer']).to eq('http://localhost')
+        expect(json_response['jwks_uri']).to eq('http://www.example.com/oauth/discovery/keys')
+        expect(json_response['scopes_supported']).to eq(%w[api read_user read_api read_repository write_repository sudo openid profile email])
+      end
+
+      it_behaves_like 'cross-origin GET request'
+    end
+
+    context 'with a cross-origin preflight OPTIONS request' do
+      before do
+        options '/.well-known/openid-configuration', headers: cors_request_headers
+      end
+
+      it_behaves_like 'cross-origin GET request'
+    end
   end
 
   context 'Application with OpenID and email scopes' do
@@ -218,6 +304,30 @@ RSpec.describe 'OpenID Connect requests' do
       it 'has true in email_verified claim' do
         expect(json_response['email_verified']).to eq(true)
       end
+
+      context 'with a cross-origin request' do
+        before do
+          get '/oauth/userinfo', headers: cors_request_headers
+        end
+
+        it_behaves_like 'cross-origin GET and POST request'
+      end
+
+      context 'with a cross-origin POST request' do
+        before do
+          post '/oauth/userinfo', headers: cors_request_headers
+        end
+
+        it_behaves_like 'cross-origin GET and POST request'
+      end
+
+      context 'with a cross-origin preflight OPTIONS request' do
+        before do
+          options '/oauth/userinfo', headers: cors_request_headers
+        end
+
+        it_behaves_like 'cross-origin GET and POST request'
+      end
     end
 
     context 'ID token payload' do