blob: b1a951c663b4fbe523586f1e51d06537eb98270d (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
|
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe KasCookie, feature_category: :kubernetes_management do
describe '#set_kas_cookie' do
controller(ApplicationController) do
include KasCookie
def index
set_kas_cookie
render json: {}, status: :ok
end
end
before do
allow(::Gitlab::Kas).to receive(:enabled?).and_return(true)
end
subject(:kas_cookie) do
get :index
request.env['action_dispatch.cookies'][Gitlab::Kas::COOKIE_KEY]
end
context 'when user is signed out' do
it { is_expected.to be_blank }
end
context 'when user is signed in' do
let_it_be(:user) { create(:user) }
before do
sign_in(user)
end
it 'sets the KAS cookie', :aggregate_failures do
allow(::Gitlab::Kas::UserAccess).to receive(:cookie_data).and_return('foobar')
expect(kas_cookie).to be_present
expect(kas_cookie).to eq('foobar')
expect(::Gitlab::Kas::UserAccess).to have_received(:cookie_data)
end
context 'when feature flag is disabled' do
before do
stub_feature_flags(kas_user_access: false)
end
it { is_expected.to be_blank }
end
end
end
describe '#content_security_policy' do
let_it_be(:user) { create(:user) }
controller(ApplicationController) do
include KasCookie
def index
render json: {}, status: :ok
end
end
before do
stub_config_setting(host: 'gitlab.example.com')
sign_in(user)
allow(::Gitlab::Kas).to receive(:enabled?).and_return(true)
allow(::Gitlab::Kas).to receive(:tunnel_url).and_return(kas_tunnel_url)
end
subject(:kas_csp_connect_src) do
get :index
request.env['action_dispatch.content_security_policy'].directives['connect-src']
end
context "when feature flag is disabled" do
let_it_be(:kas_tunnel_url) { 'ws://gitlab.example.com/-/k8s-proxy/' }
before do
stub_feature_flags(kas_user_access: false)
end
it 'does not add KAS url to connect-src directives' do
expect(kas_csp_connect_src).not_to include(::Gitlab::Kas.tunnel_url)
end
end
context 'when feature flag is enabled' do
before do
stub_feature_flags(kas_user_access: true)
end
context 'when KAS is on same domain as rails' do
let_it_be(:kas_tunnel_url) { 'ws://gitlab.example.com/-/k8s-proxy/' }
it 'does not add KAS url to CSP connect-src directive' do
expect(kas_csp_connect_src).not_to include(::Gitlab::Kas.tunnel_url)
end
end
context 'when KAS is on subdomain' do
let_it_be(:kas_tunnel_url) { 'ws://kas.gitlab.example.com/k8s-proxy/' }
it 'adds KAS url to CSP connect-src directive' do
expect(kas_csp_connect_src).to include(::Gitlab::Kas.tunnel_url)
end
end
context 'when KAS tunnel url is configured without trailing slash' do
let_it_be(:kas_tunnel_url) { 'ws://kas.gitlab.example.com/k8s-proxy' }
it 'adds KAS url to CSP connect-src directive with trailing slash' do
expect(kas_csp_connect_src).to include("#{::Gitlab::Kas.tunnel_url}/")
end
end
end
end
end
|
