From 43a25d93ebdabea52f99b05e15b06250cd8f07d7 Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Wed, 17 May 2023 16:05:49 +0000 Subject: Add latest changes from gitlab-org/gitlab@16-0-stable-ee --- spec/lib/gitlab/observability_spec.rb | 186 ++++++++++++++++++++++++++++++++-- 1 file changed, 177 insertions(+), 9 deletions(-) (limited to 'spec/lib/gitlab/observability_spec.rb') diff --git a/spec/lib/gitlab/observability_spec.rb b/spec/lib/gitlab/observability_spec.rb index 8068d2f8ec9..5082d193197 100644 --- a/spec/lib/gitlab/observability_spec.rb +++ b/spec/lib/gitlab/observability_spec.rb @@ -2,7 +2,7 @@ require 'spec_helper' -RSpec.describe Gitlab::Observability do +RSpec.describe Gitlab::Observability, feature_category: :error_tracking do describe '.observability_url' do let(:gitlab_url) { 'https://example.com' } 
@@ -31,29 +31,189 @@ RSpec.describe Gitlab::Observability do end end - describe '.observability_enabled?' do - let_it_be(:group) { build(:user) } - let_it_be(:user) { build(:group) } + describe '.build_full_url' do + let_it_be(:group) { build_stubbed(:group, id: 123) } + let(:observability_url) { described_class.observability_url } + + it 'returns the full observability url for the given params' do + url = described_class.build_full_url(group, '/foo?bar=baz', '/') + expect(url).to eq("https://observe.gitlab.com/-/123/foo?bar=baz") + end + + it 'handles missing / from observability_path' do + url = described_class.build_full_url(group, 'foo?bar=baz', '/') + expect(url).to eq("https://observe.gitlab.com/-/123/foo?bar=baz") + end + + it 'sanitises observability_path' do + url = described_class.build_full_url(group, "/test?groupId=", '/') + expect(url).to eq("https://observe.gitlab.com/-/123/test?groupId=alert('attack!')") + end + + context 'when observability_path is missing' do + it 'builds the url with the fallback_path' do + url = described_class.build_full_url(group, nil, '/fallback') + expect(url).to eq("https://observe.gitlab.com/-/123/fallback") + end + + it 'defaults to / if fallback_path is also missing' do + url = described_class.build_full_url(group, nil, nil) + expect(url).to eq("https://observe.gitlab.com/-/123/") + end + end + end + + describe '.embeddable_url' do + before do + stub_config_setting(url: "https://www.gitlab.com") + # Can't use build/build_stubbed as we want the routes to be generated as well + create(:group, path: 'test-path', id: 123) + end + + context 'when URL is valid' do + where(:input, :expected) do + [ + [ + "https://www.gitlab.com/groups/test-path/-/observability/explore?observability_path=%2Fexplore%3FgroupId%3D14485840%26left%3D%255B%2522now-1h%2522,%2522now%2522,%2522new-sentry.gitlab.net%2522,%257B%257D%255D", + 
"https://observe.gitlab.com/-/123/explore?groupId=14485840&left=%5B%22now-1h%22,%22now%22,%22new-sentry.gitlab.net%22,%7B%7D%5D" + ], + [ + "https://www.gitlab.com/groups/test-path/-/observability/explore?observability_path=/goto/foo", + "https://observe.gitlab.com/-/123/goto/foo" + ] + ] + end + + with_them do + it 'returns an embeddable observability url' do + expect(described_class.embeddable_url(input)).to eq(expected) + end + end + end + + context 'when URL is invalid' do + where(:input) do + [ + # direct links to observe.gitlab.com + "https://observe.gitlab.com/-/123/explore", + 'https://observe.gitlab.com/v1/auth/start', + + # invalid GitLab URL + "not a link", + "https://foo.bar/groups/test-path/-/observability/explore?observability_path=/explore", + "http://www.gitlab.com/groups/test-path/-/observability/explore?observability_path=/explore", + "https://www.gitlab.com:123/groups/test-path/-/observability/explore?observability_path=/explore", + "https://www.gitlab.com@example.com/groups/test-path/-/observability/explore?observability_path=/explore", + "https://www.gitlab.com/groups/test-path/-/observability/explore?observability_path=@example.com", + + # invalid group/controller/actions + "https://www.gitlab.com/groups/INVALID_GROUP/-/observability/explore?observability_path=/explore", + "https://www.gitlab.com/groups/test-path/-/INVALID_CONTROLLER/explore?observability_path=/explore", + "https://www.gitlab.com/groups/test-path/-/observability/INVALID_ACTION?observability_path=/explore", + + # invalid observablity path + "https://www.gitlab.com/groups/test-path/-/observability/explore", + "https://www.gitlab.com/groups/test-path/-/observability/explore?missing_observability_path=/explore", + "https://www.gitlab.com/groups/test-path/-/observability/explore?observability_path=/not_embeddable", + "https://www.gitlab.com/groups/test-path/-/observability/explore?observability_path=/datasources", + 
"https://www.gitlab.com/groups/test-path/-/observability/explore?observability_path=not a valid path" + ] + end + + with_them do + it 'returns nil' do + expect(described_class.embeddable_url(input)).to be_nil + end + end + + it 'returns nil if the path detection throws an error' do + test_url = "https://www.gitlab.com/groups/test-path/-/observability/explore" + allow(Rails.application.routes).to receive(:recognize_path).with(test_url) { + raise ActionController::RoutingError, 'test' + } + expect(described_class.embeddable_url(test_url)).to be_nil + end + + it 'returns nil if parsing observaboility path throws an error' do + observability_path = 'some-path' + test_url = "https://www.gitlab.com/groups/test-path/-/observability/explore?observability_path=#{observability_path}" + + allow(URI).to receive(:parse).and_call_original + allow(URI).to receive(:parse).with(observability_path) { + raise URI::InvalidURIError, 'test' + } + + expect(described_class.embeddable_url(test_url)).to be_nil + end + end + end + + describe '.allowed_for_action?' do + let(:group) { build_stubbed(:group) } + let(:user) { build_stubbed(:user) } + + before do + allow(described_class).to receive(:allowed?).and_call_original + end + + it 'returns false if action is nil' do + expect(described_class.allowed_for_action?(user, group, nil)).to eq(false) + end + + describe 'allowed? calls' do + using RSpec::Parameterized::TableSyntax + + where(:action, :permission) do + :foo | :admin_observability + :explore | :read_observability + :datasources | :admin_observability + :manage | :admin_observability + :dashboards | :read_observability + end + + with_them do + it "calls allowed? with #{params[:permission]} when actions is #{params[:action]}" do + described_class.allowed_for_action?(user, group, action) + expect(described_class).to have_received(:allowed?).with(user, group, permission) + end + end + end + end + + describe '.allowed?' 
do + let(:user) { build_stubbed(:user) } + let(:group) { build_stubbed(:group) } + let(:test_permission) { :read_observability } + + before do + allow(Ability).to receive(:allowed?).and_return(false) + end subject do - described_class.observability_enabled?(user, group) + described_class.allowed?(user, group, test_permission) end - it 'checks if read_observability ability is allowed for the given user and group' do + it 'checks if ability is allowed for the given user and group' do allow(Ability).to receive(:allowed?).and_return(true) subject - expect(Ability).to have_received(:allowed?).with(user, :read_observability, group) + expect(Ability).to have_received(:allowed?).with(user, test_permission, group) end - it 'returns true if the read_observability ability is allowed' do + it 'checks for admin_observability if permission is missing' do + described_class.allowed?(user, group) + + expect(Ability).to have_received(:allowed?).with(user, :admin_observability, group) + end + + it 'returns true if the ability is allowed' do allow(Ability).to receive(:allowed?).and_return(true) expect(subject).to eq(true) end - it 'returns false if the read_observability ability is not allowed' do + it 'returns false if the ability is not allowed' do allow(Ability).to receive(:allowed?).and_return(false) expect(subject).to eq(false) @@ -64,5 +224,13 @@ RSpec.describe Gitlab::Observability do expect(subject).to eq(false) end + + it 'returns false if group is missing' do + expect(described_class.allowed?(user, nil, :read_observability)).to eq(false) + end + + it 'returns false if user is missing' do + expect(described_class.allowed?(nil, group, :read_observability)).to eq(false) + end end end -- cgit v1.2.1
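Review bot: The `when URL is invalid` table for `.embeddable_url` only tests the path allowlist with whole-path misses (`/not_embeddable`, `/datasources`); no row starts with an allowed prefix and then leaves it, and no row has a value that carries its own authority. Rows such as `"https://www.gitlab.com/groups/test-path/-/observability/explore?observability_path=/explore/../datasources"` and the same URL with `observability_path=//example.com/explore` would pin that the check runs on the normalised path and that the host always comes from `observability_url`. Separately, the `sanitises observability_path` example shows the input `"/test?groupId="` while the expected URL ends in `alert('attack!')`. Markup may have been lost when this page was rendered, but either way a one-line comment naming what the sanitiser must strip would make the example's intent checkable.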
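Review bot: The added examples `returns false if group is missing` and `returns false if user is missing` cannot fail for the reason they name. Assuming they sit in the `.allowed?` describe block from the previous hunk, its `before` hook already stubs `Ability.allowed?` to return `false`, so an `allowed?` with no nil guard would pass both. Stub the permissive answer inside each example, `allow(Ability).to receive(:allowed?).and_return(true)`, and keep `eq(false)`; a `false` result can then only come from the guard. The enclosing describe block starts outside this hunk, so the placement is inferred from the trailing `end end` context.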