debian-mirror-gitlab/spec/requests/groups/observability_controller_spec.rb

191 lines
6.1 KiB
Ruby
Raw Normal View History

2022-10-11 01:57:18 +05:30
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe Groups::ObservabilityController do
include ContentSecurityPolicyHelpers
let_it_be(:group) { create(:group) }
let_it_be(:user) { create(:user) }
subject do
get group_observability_index_path(group)
response
end
describe 'GET #index' do
context 'when user is not authenticated' do
it 'returns 404' do
expect(subject).to have_gitlab_http_status(:not_found)
end
end
context 'when observability url is missing' do
before do
allow(described_class).to receive(:observability_url).and_return("")
end
it 'returns 404' do
expect(subject).to have_gitlab_http_status(:not_found)
end
end
context 'when user is not a developer' do
before do
sign_in(user)
end
it 'returns 404' do
expect(subject).to have_gitlab_http_status(:not_found)
end
end
context 'when user is authenticated and a developer' do
before do
sign_in(user)
group.add_developer(user)
end
it 'returns 200' do
expect(subject).to have_gitlab_http_status(:ok)
end
it 'renders the proper layout' do
expect(subject).to render_template("layouts/group")
expect(subject).to render_template("layouts/fullscreen")
expect(subject).not_to render_template('layouts/nav/breadcrumbs')
expect(subject).to render_template("nav/sidebar/_group")
end
describe 'iframe' do
subject do
get group_observability_index_path(group)
Nokogiri::HTML.parse(response.body).at_css('iframe#observability-ui-iframe')
end
it 'sets the iframe src to the proper URL' do
expect(subject.attributes['src'].value).to eq("https://observe.gitlab.com/-/#{group.id}")
end
it 'when the env is staging, sets the iframe src to the proper URL' do
stub_config_setting(url: Gitlab::Saas.staging_com_url)
expect(subject.attributes['src'].value).to eq("https://staging.observe.gitlab.com/-/#{group.id}")
end
it 'overrides the iframe src url if specified by OVERRIDE_OBSERVABILITY_URL env' do
stub_env('OVERRIDE_OBSERVABILITY_URL', 'http://foo.test')
expect(subject.attributes['src'].value).to eq("http://foo.test/-/#{group.id}")
end
end
describe 'CSP' do
before do
setup_existing_csp_for_controller(described_class, csp)
end
subject do
get group_observability_index_path(group)
response.headers['Content-Security-Policy']
end
context 'when there is no CSP config' do
let(:csp) { ActionDispatch::ContentSecurityPolicy.new }
it 'does not add any csp header' do
expect(subject).to be_blank
end
end
context 'when frame-src exists in the CSP config' do
let(:csp) do
ActionDispatch::ContentSecurityPolicy.new do |p|
p.frame_src 'https://something.test'
end
end
it 'appends the proper url to frame-src CSP directives' do
expect(subject).to include(
"frame-src https://something.test https://observe.gitlab.com 'self'")
end
it 'appends the proper url to frame-src CSP directives when Gilab.staging?' do
stub_config_setting(url: Gitlab::Saas.staging_com_url)
expect(subject).to include(
"frame-src https://something.test https://staging.observe.gitlab.com 'self'")
end
it 'appends the proper url to frame-src CSP directives when OVERRIDE_OBSERVABILITY_URL is specified' do
stub_env('OVERRIDE_OBSERVABILITY_URL', 'http://foo.test')
expect(subject).to include(
"frame-src https://something.test http://foo.test 'self'")
end
end
context 'when self is already present in the policy' do
let(:csp) do
ActionDispatch::ContentSecurityPolicy.new do |p|
p.frame_src "'self'"
end
end
it 'does not append self again' do
expect(subject).to include(
"frame-src 'self' https://observe.gitlab.com;")
end
end
context 'when default-src exists in the CSP config' do
let(:csp) do
ActionDispatch::ContentSecurityPolicy.new do |p|
p.default_src 'https://something.test'
end
end
it 'does not change default-src' do
expect(subject).to include(
"default-src https://something.test;")
end
it 'appends the proper url to frame-src CSP directives' do
expect(subject).to include(
"frame-src https://something.test https://observe.gitlab.com 'self'")
end
it 'appends the proper url to frame-src CSP directives when Gilab.staging?' do
stub_config_setting(url: Gitlab::Saas.staging_com_url)
expect(subject).to include(
"frame-src https://something.test https://staging.observe.gitlab.com 'self'")
end
it 'appends the proper url to frame-src CSP directives when OVERRIDE_OBSERVABILITY_URL is specified' do
stub_env('OVERRIDE_OBSERVABILITY_URL', 'http://foo.test')
expect(subject).to include(
"frame-src https://something.test http://foo.test 'self'")
end
end
context 'when frame-src and default-src exist in the CSP config' do
let(:csp) do
ActionDispatch::ContentSecurityPolicy.new do |p|
p.default_src 'https://something_default.test'
p.frame_src 'https://something.test'
end
end
it 'appends to frame-src CSP directives' do
expect(subject).to include(
"frame-src https://something.test https://observe.gitlab.com 'self'")
expect(subject).to include(
"default-src https://something_default.test")
end
end
end
end
end
end