bfe8b968
Commit
bfe8b968
authored
Jul 26, 2017
by
Douwe Maan
Add specs
parent
dcf4a2e8
Changes
4
Showing
4 changed files
with
145 additions
and
7 deletions
+145
-7
spec/features/oauth_login_spec.rb
spec/features/oauth_login_spec.rb
+1
-1
spec/lib/gitlab/request_forgery_protection_spec.rb
spec/lib/gitlab/request_forgery_protection_spec.rb
+89
-0
spec/requests/api/helpers_spec.rb
spec/requests/api/helpers_spec.rb
+44
-6
spec/support/forgery_protection.rb
spec/support/forgery_protection.rb
+11
-0
spec/features/oauth_login_spec.rb
require
'spec_helper'
require
'spec_helper'
feature
'OAuth Login'
,
js:
true
do
feature
'OAuth Login'
,
:js
,
:allow_forgery_protection
do
include
DeviseHelpers
include
DeviseHelpers
def
enter_code
(
code
)
def
enter_code
(
code
)
...
...
spec/lib/gitlab/request_forgery_protection_spec.rb
0 → 100644
require
'spec_helper'
describe
Gitlab
::
RequestForgeryProtection
,
:allow_forgery_protection
do
let
(
:csrf_token
)
{
SecureRandom
.
base64
(
ActionController
::
RequestForgeryProtection
::
AUTHENTICITY_TOKEN_LENGTH
)
}
let
(
:env
)
do
{
'rack.input'
=>
''
,
'rack.session'
=>
{
_csrf_token:
csrf_token
}
}
end
describe
'.call'
do
context
'when the request method is GET'
do
before
do
env
[
'REQUEST_METHOD'
]
=
'GET'
end
it
'does not raise an exception'
do
expect
{
described_class
.
call
(
env
)
}.
not_to
raise_exception
end
end
context
'when the request method is POST'
do
before
do
env
[
'REQUEST_METHOD'
]
=
'POST'
end
context
'when the CSRF token is valid'
do
before
do
env
[
'HTTP_X_CSRF_TOKEN'
]
=
csrf_token
end
it
'does not raise an exception'
do
expect
{
described_class
.
call
(
env
)
}.
not_to
raise_exception
end
end
context
'when the CSRF token is invalid'
do
before
do
env
[
'HTTP_X_CSRF_TOKEN'
]
=
'foo'
end
it
'raises an ActionController::InvalidAuthenticityToken exception'
do
expect
{
described_class
.
call
(
env
)
}.
to
raise_exception
(
ActionController
::
InvalidAuthenticityToken
)
end
end
end
end
describe
'.verified?'
do
context
'when the request method is GET'
do
before
do
env
[
'REQUEST_METHOD'
]
=
'GET'
end
it
'returns true'
do
expect
(
described_class
.
verified?
(
env
)).
to
be_truthy
end
end
context
'when the request method is POST'
do
before
do
env
[
'REQUEST_METHOD'
]
=
'POST'
end
context
'when the CSRF token is valid'
do
before
do
env
[
'HTTP_X_CSRF_TOKEN'
]
=
csrf_token
end
it
'returns true'
do
expect
(
described_class
.
verified?
(
env
)).
to
be_truthy
end
end
context
'when the CSRF token is invalid'
do
before
do
env
[
'HTTP_X_CSRF_TOKEN'
]
=
'foo'
end
it
'returns false'
do
expect
(
described_class
.
verified?
(
env
)).
to
be_falsey
end
end
end
end
end
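Review bot: The POST contexts in both `.call` and `.verified?` cover a matching token and a wrong token (`'foo'`), but there is no example for a POST with no `HTTP_X_CSRF_TOKEN` header at all, which is the request shape a plain cross-site form submission produces, nor for a token supplied through Rails' `authenticity_token` form parameter, nor for PUT, PATCH or DELETE. A `context 'when no CSRF token is provided'` under the POST context with `it { expect(described_class.verified?(env)).to be_falsey }` (and the matching `raise_exception` expectation for `.call`) would pin the absent-token behaviour. Separately, `'rack.input' => ''` in `let(:env)` stores a String where Rack expects an IO-like object responding to `read`/`rewind`; if the verifier ever parses the request body this fixture would raise, so `StringIO.new('')` is the safer choice — the same fixture appears in the `let(:env)` hunk of spec/requests/api/helpers_spec.rb.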
spec/requests/api/helpers_spec.rb
...
@@ -10,8 +10,16 @@ describe API::Helpers do
...
@@ -10,8 +10,16 @@ describe API::Helpers do
let
(
:key
)
{
create
(
:key
,
user:
user
)
}
let
(
:key
)
{
create
(
:key
,
user:
user
)
}
let
(
:params
)
{
{}
}
let
(
:params
)
{
{}
}
let
(
:env
)
{
{
'REQUEST_METHOD'
=>
'GET'
}
}
let
(
:csrf_token
)
{
SecureRandom
.
base64
(
ActionController
::
RequestForgeryProtection
::
AUTHENTICITY_TOKEN_LENGTH
)
}
let
(
:request
)
{
Rack
::
Request
.
new
(
env
)
}
let
(
:env
)
do
{
'rack.input'
=>
''
,
'rack.session'
=>
{
_csrf_token:
csrf_token
},
'REQUEST_METHOD'
=>
'GET'
}
end
let
(
:header
)
{
}
let
(
:header
)
{
}
before
do
before
do
...
@@ -58,7 +66,7 @@ describe API::Helpers do
...
@@ -58,7 +66,7 @@ describe API::Helpers do
describe
".current_user"
do
describe
".current_user"
do
subject
{
current_user
}
subject
{
current_user
}
describe
"Warden authentication"
do
describe
"Warden authentication"
,
:allow_forgery_protection
do
before
do
before
do
doorkeeper_guard_returns
false
doorkeeper_guard_returns
false
end
end
...
@@ -99,24 +107,54 @@ describe API::Helpers do
...
@@ -99,24 +107,54 @@ describe API::Helpers do
env
[
'REQUEST_METHOD'
]
=
'PUT'
env
[
'REQUEST_METHOD'
]
=
'PUT'
end
end
context
'without CSRF token'
do
it
{
is_expected
.
to
be_nil
}
it
{
is_expected
.
to
be_nil
}
end
end
context
'with CSRF token'
do
before
do
env
[
'HTTP_X_CSRF_TOKEN'
]
=
csrf_token
end
it
{
is_expected
.
to
eq
(
user
)
}
end
end
context
"POST request"
do
context
"POST request"
do
before
do
before
do
env
[
'REQUEST_METHOD'
]
=
'POST'
env
[
'REQUEST_METHOD'
]
=
'POST'
end
end
context
'without CSRF token'
do
it
{
is_expected
.
to
be_nil
}
it
{
is_expected
.
to
be_nil
}
end
end
context
'with CSRF token'
do
before
do
env
[
'HTTP_X_CSRF_TOKEN'
]
=
csrf_token
end
it
{
is_expected
.
to
eq
(
user
)
}
end
end
context
"DELETE request"
do
context
"DELETE request"
do
before
do
before
do
env
[
'REQUEST_METHOD'
]
=
'DELETE'
env
[
'REQUEST_METHOD'
]
=
'DELETE'
end
end
context
'without CSRF token'
do
it
{
is_expected
.
to
be_nil
}
it
{
is_expected
.
to
be_nil
}
end
end
context
'with CSRF token'
do
before
do
env
[
'HTTP_X_CSRF_TOKEN'
]
=
csrf_token
end
it
{
is_expected
.
to
eq
(
user
)
}
end
end
end
end
end
end
...
...
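Review bot: In the `@@ -99,24 +107,54 @@` hunk the new `'with CSRF token'` contexts for PUT, POST and DELETE only assert that a matching token yields `user`; there is no context for a mismatched token on this Warden-authenticated path, so a regression that accepted any non-empty `HTTP_X_CSRF_TOKEN` would still pass here. Adding `context 'with an invalid CSRF token' do before { env['HTTP_X_CSRF_TOKEN'] = 'invalid' }; it { is_expected.to be_nil }; end` next to each of the three verbs (or as a shared example) would close that gap, and PATCH is not exercised at all. The enclosing `describe API::Helpers` and `describe ".current_user"` blocks start and end outside the hunks shown.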
spec/support/forgery_protection.rb
0 → 100644
RSpec
.
configure
do
|
config
|
config
.
around
(
:each
,
:allow_forgery_protection
)
do
|
example
|
begin
ActionController
::
Base
.
allow_forgery_protection
=
true
example
.
call
ensure
ActionController
::
Base
.
allow_forgery_protection
=
false
end
end
end
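Review bot: The `ensure` branch of the `around(:each, :allow_forgery_protection)` hook resets `ActionController::Base.allow_forgery_protection` to a hard-coded `false` instead of the value it had before the example, so the hook bakes in an assumption about the suite's baseline and would silently change it for every later example if that baseline ever differed. Capturing the prior value keeps the hook self-contained: `previous = ActionController::Base.allow_forgery_protection` before the assignment, and `ActionController::Base.allow_forgery_protection = previous` in `ensure`. The explicit `:each` argument is also the default scope for `around` and can be dropped.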