345 lines
9.2 KiB
Ruby
345 lines
9.2 KiB
Ruby
require 'spec_helper'
|
|
|
|
describe PagesDomain do
|
|
using RSpec::Parameterized::TableSyntax
|
|
|
|
subject(:pages_domain) { described_class.new }
|
|
|
|
describe 'associations' do
|
|
it { is_expected.to belong_to(:project) }
|
|
end
|
|
|
|
describe 'validate domain' do
|
|
subject(:pages_domain) { build(:pages_domain, domain: domain) }
|
|
|
|
context 'is unique' do
|
|
let(:domain) { 'my.domain.com' }
|
|
|
|
it { is_expected.to validate_uniqueness_of(:domain).case_insensitive }
|
|
end
|
|
|
|
describe "hostname" do
|
|
{
|
|
'my.domain.com' => true,
|
|
'123.456.789' => true,
|
|
'0x12345.com' => true,
|
|
'0123123' => true,
|
|
'_foo.com' => false,
|
|
'reserved.com' => false,
|
|
'a.reserved.com' => false,
|
|
nil => false
|
|
}.each do |value, validity|
|
|
context "domain #{value.inspect} validity" do
|
|
before do
|
|
allow(Settings.pages).to receive(:host).and_return('reserved.com')
|
|
end
|
|
|
|
let(:domain) { value }
|
|
|
|
it { expect(pages_domain.valid?).to eq(validity) }
|
|
end
|
|
end
|
|
end
|
|
|
|
describe "HTTPS-only" do
|
|
using RSpec::Parameterized::TableSyntax
|
|
|
|
let(:domain) { 'my.domain.com' }
|
|
|
|
let(:project) do
|
|
instance_double(Project, pages_https_only?: pages_https_only)
|
|
end
|
|
|
|
let(:pages_domain) do
|
|
build(:pages_domain, certificate: certificate, key: key).tap do |pd|
|
|
allow(pd).to receive(:project).and_return(project)
|
|
pd.valid?
|
|
end
|
|
end
|
|
|
|
where(:pages_https_only, :certificate, :key, :errors_on) do
|
|
attributes = attributes_for(:pages_domain)
|
|
cert, key = attributes.fetch_values(:certificate, :key)
|
|
|
|
true | nil | nil | %i(certificate key)
|
|
true | cert | nil | %i(key)
|
|
true | nil | key | %i(certificate key)
|
|
true | cert | key | []
|
|
false | nil | nil | []
|
|
false | cert | nil | %i(key)
|
|
false | nil | key | %i(key)
|
|
false | cert | key | []
|
|
end
|
|
|
|
with_them do
|
|
it "is adds the expected errors" do
|
|
expect(pages_domain.errors.keys).to eq errors_on
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
describe 'validate certificate' do
|
|
subject { domain }
|
|
|
|
context 'with matching key' do
|
|
let(:domain) { build(:pages_domain) }
|
|
|
|
it { is_expected.to be_valid }
|
|
end
|
|
|
|
context 'when no certificate is specified' do
|
|
let(:domain) { build(:pages_domain, :without_certificate) }
|
|
|
|
it { is_expected.not_to be_valid }
|
|
end
|
|
|
|
context 'when no key is specified' do
|
|
let(:domain) { build(:pages_domain, :without_key) }
|
|
|
|
it { is_expected.not_to be_valid }
|
|
end
|
|
|
|
context 'for not matching key' do
|
|
let(:domain) { build(:pages_domain, :with_missing_chain) }
|
|
|
|
it { is_expected.not_to be_valid }
|
|
end
|
|
end
|
|
|
|
describe 'validations' do
|
|
it { is_expected.to validate_presence_of(:verification_code) }
|
|
end
|
|
|
|
describe '#verification_code' do
|
|
subject { pages_domain.verification_code }
|
|
|
|
it 'is set automatically with 128 bits of SecureRandom data' do
|
|
expect(SecureRandom).to receive(:hex).with(16) { 'verification code' }
|
|
|
|
is_expected.to eq('verification code')
|
|
end
|
|
end
|
|
|
|
describe '#keyed_verification_code' do
|
|
subject { pages_domain.keyed_verification_code }
|
|
|
|
it { is_expected.to eq("gitlab-pages-verification-code=#{pages_domain.verification_code}") }
|
|
end
|
|
|
|
describe '#verification_domain' do
|
|
subject { pages_domain.verification_domain }
|
|
|
|
it { is_expected.to be_nil }
|
|
|
|
it 'is a well-known subdomain if the domain is present' do
|
|
pages_domain.domain = 'example.com'
|
|
|
|
is_expected.to eq('_gitlab-pages-verification-code.example.com')
|
|
end
|
|
end
|
|
|
|
describe '#url' do
|
|
subject { domain.url }
|
|
|
|
let(:domain) { build(:pages_domain) }
|
|
|
|
it { is_expected.to eq("https://#{domain.domain}") }
|
|
|
|
context 'without the certificate' do
|
|
let(:domain) { build(:pages_domain, :without_certificate) }
|
|
|
|
it { is_expected.to eq("http://#{domain.domain}") }
|
|
end
|
|
end
|
|
|
|
describe '#has_matching_key?' do
|
|
subject { domain.has_matching_key? }
|
|
|
|
let(:domain) { build(:pages_domain) }
|
|
|
|
it { is_expected.to be_truthy }
|
|
|
|
context 'for invalid key' do
|
|
let(:domain) { build(:pages_domain, :with_missing_chain) }
|
|
|
|
it { is_expected.to be_falsey }
|
|
end
|
|
end
|
|
|
|
describe '#has_intermediates?' do
|
|
subject { domain.has_intermediates? }
|
|
|
|
context 'for self signed' do
|
|
let(:domain) { build(:pages_domain) }
|
|
|
|
it { is_expected.to be_truthy }
|
|
end
|
|
|
|
context 'for missing certificate chain' do
|
|
let(:domain) { build(:pages_domain, :with_missing_chain) }
|
|
|
|
it { is_expected.to be_falsey }
|
|
end
|
|
|
|
context 'for trusted certificate chain' do
|
|
# We only validate that we can to rebuild the trust chain, for certificates
|
|
# We assume that 'AddTrustExternalCARoot' needed to validate the chain is in trusted store.
|
|
# It will be if ca-certificates is installed on Debian/Ubuntu/Alpine
|
|
|
|
let(:domain) { build(:pages_domain, :with_trusted_chain) }
|
|
|
|
it { is_expected.to be_truthy }
|
|
end
|
|
end
|
|
|
|
describe '#expired?' do
|
|
subject { domain.expired? }
|
|
|
|
context 'for valid' do
|
|
let(:domain) { build(:pages_domain) }
|
|
|
|
it { is_expected.to be_falsey }
|
|
end
|
|
|
|
context 'for expired' do
|
|
let(:domain) { build(:pages_domain, :with_expired_certificate) }
|
|
|
|
it { is_expected.to be_truthy }
|
|
end
|
|
end
|
|
|
|
describe '#subject' do
|
|
let(:domain) { build(:pages_domain) }
|
|
|
|
subject { domain.subject }
|
|
|
|
it { is_expected.to eq('/CN=test-certificate') }
|
|
end
|
|
|
|
describe '#certificate_text' do
|
|
let(:domain) { build(:pages_domain) }
|
|
|
|
subject { domain.certificate_text }
|
|
|
|
# We test only existence of output, since the output is long
|
|
it { is_expected.not_to be_empty }
|
|
end
|
|
|
|
describe "#https?" do
|
|
context "when a certificate is present" do
|
|
subject { build(:pages_domain) }
|
|
it { is_expected.to be_https }
|
|
end
|
|
|
|
context "when no certificate is present" do
|
|
subject { build(:pages_domain, :without_certificate) }
|
|
it { is_expected.not_to be_https }
|
|
end
|
|
end
|
|
|
|
describe '#update_daemon' do
|
|
it 'runs when the domain is created' do
|
|
domain = build(:pages_domain)
|
|
|
|
expect(domain).to receive(:update_daemon)
|
|
|
|
domain.save!
|
|
end
|
|
|
|
it 'runs when the domain is destroyed' do
|
|
domain = create(:pages_domain)
|
|
|
|
expect(domain).to receive(:update_daemon)
|
|
|
|
domain.destroy!
|
|
end
|
|
|
|
it 'delegates to Projects::UpdatePagesConfigurationService' do
|
|
service = instance_double('Projects::UpdatePagesConfigurationService')
|
|
expect(Projects::UpdatePagesConfigurationService).to receive(:new) { service }
|
|
expect(service).to receive(:execute)
|
|
|
|
create(:pages_domain)
|
|
end
|
|
|
|
context 'configuration updates when attributes change' do
|
|
set(:project1) { create(:project) }
|
|
set(:project2) { create(:project) }
|
|
set(:domain) { create(:pages_domain) }
|
|
|
|
where(:attribute, :old_value, :new_value, :update_expected) do
|
|
now = Time.now
|
|
future = now + 1.day
|
|
|
|
:project | nil | :project1 | true
|
|
:project | :project1 | :project1 | false
|
|
:project | :project1 | :project2 | true
|
|
:project | :project1 | nil | true
|
|
|
|
# domain can't be set to nil
|
|
:domain | 'a.com' | 'a.com' | false
|
|
:domain | 'a.com' | 'b.com' | true
|
|
|
|
# verification_code can't be set to nil
|
|
:verification_code | 'foo' | 'foo' | false
|
|
:verification_code | 'foo' | 'bar' | false
|
|
|
|
:verified_at | nil | now | false
|
|
:verified_at | now | now | false
|
|
:verified_at | now | future | false
|
|
:verified_at | now | nil | false
|
|
|
|
:enabled_until | nil | now | true
|
|
:enabled_until | now | now | false
|
|
:enabled_until | now | future | false
|
|
:enabled_until | now | nil | true
|
|
end
|
|
|
|
with_them do
|
|
it 'runs if a relevant attribute has changed' do
|
|
a = old_value.is_a?(Symbol) ? send(old_value) : old_value
|
|
b = new_value.is_a?(Symbol) ? send(new_value) : new_value
|
|
|
|
domain.update!(attribute => a)
|
|
|
|
if update_expected
|
|
expect(domain).to receive(:update_daemon)
|
|
else
|
|
expect(domain).not_to receive(:update_daemon)
|
|
end
|
|
|
|
domain.update!(attribute => b)
|
|
end
|
|
end
|
|
|
|
context 'TLS configuration' do
|
|
set(:domain_without_tls) { create(:pages_domain, :without_certificate, :without_key) }
|
|
set(:domain) { create(:pages_domain) }
|
|
|
|
let(:cert1) { domain.certificate }
|
|
let(:cert2) { cert1 + ' ' }
|
|
let(:key1) { domain.key }
|
|
let(:key2) { key1 + ' ' }
|
|
|
|
it 'updates when added' do
|
|
expect(domain_without_tls).to receive(:update_daemon)
|
|
|
|
domain_without_tls.update!(key: key1, certificate: cert1)
|
|
end
|
|
|
|
it 'updates when changed' do
|
|
expect(domain).to receive(:update_daemon)
|
|
|
|
domain.update!(key: key2, certificate: cert2)
|
|
end
|
|
|
|
it 'updates when removed' do
|
|
expect(domain).to receive(:update_daemon)
|
|
|
|
domain.update!(key: nil, certificate: nil)
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|