Add specs

bfe8b968 · Douwe Maan · dcf4a2e8 · bfe8b968 · bfe8b968 · bfe8b968
4 changed file
--- a/spec/features/oauth_login_spec.rb
+++ b/spec/features/oauth_login_spec.rb
 require 'spec_helper'

-feature 'OAuth Login', js: true do
+feature 'OAuth Login', :js, :allow_forgery_protection do
  include DeviseHelpers

  def enter_code(code)

--- a/spec/lib/gitlab/request_forgery_protection_spec.rb
+++ b/spec/lib/gitlab/request_forgery_protection_spec.rb
+require 'spec_helper'
+
+describe Gitlab::RequestForgeryProtection, :allow_forgery_protection do
+  let(:csrf_token) { SecureRandom.base64(ActionController::RequestForgeryProtection::AUTHENTICITY_TOKEN_LENGTH) }
+  let(:env) do
+    {
+      'rack.input' => '',
+      'rack.session' => {
+        _csrf_token: csrf_token
+      }
+    }
+  end
+
+  describe '.call' do
+    context 'when the request method is GET' do
+      before do
+        env['REQUEST_METHOD'] = 'GET'
+      end
+
+      it 'does not raise an exception' do
+        expect { described_class.call(env) }.not_to raise_exception
+      end
+    end
+
+    context 'when the request method is POST' do
+      before do
+        env['REQUEST_METHOD'] = 'POST'
+      end
+
+      context 'when the CSRF token is valid' do
+        before do
+          env['HTTP_X_CSRF_TOKEN'] = csrf_token
+        end
+
+        it 'does not raise an exception' do
+          expect { described_class.call(env) }.not_to raise_exception
+        end
+      end
+
+      context 'when the CSRF token is invalid' do
+        before do
+          env['HTTP_X_CSRF_TOKEN'] = 'foo'
+        end
+
+        it 'raises an ActionController::InvalidAuthenticityToken exception' do
+          expect { described_class.call(env) }.to raise_exception(ActionController::InvalidAuthenticityToken)
+        end
+      end
+    end
+  end
+
+  describe '.verified?' do
+    context 'when the request method is GET' do
+      before do
+        env['REQUEST_METHOD'] = 'GET'
+      end
+
+      it 'returns true' do
+        expect(described_class.verified?(env)).to be_truthy
+      end
+    end
+
+    context 'when the request method is POST' do
+      before do
+        env['REQUEST_METHOD'] = 'POST'
+      end
+
+      context 'when the CSRF token is valid' do
+        before do
+          env['HTTP_X_CSRF_TOKEN'] = csrf_token
+        end
+
+        it 'returns true' do
+          expect(described_class.verified?(env)).to be_truthy
+        end
+      end
+
+      context 'when the CSRF token is invalid' do
+        before do
+          env['HTTP_X_CSRF_TOKEN'] = 'foo'
+        end
+
+        it 'returns false' do
+          expect(described_class.verified?(env)).to be_falsey
+        end
+      end
+    end
+  end
+end
--- a/spec/requests/api/helpers_spec.rb
+++ b/spec/requests/api/helpers_spec.rb
@@ -10,8 +10,16 @@ describe API::Helpers do
  let(:key) { create(:key, user: user) }

  let(:params) { {} }
-  let(:env) { { 'REQUEST_METHOD' => 'GET' } }
-  let(:request) { Rack::Request.new(env) }
+  let(:csrf_token) { SecureRandom.base64(ActionController::RequestForgeryProtection::AUTHENTICITY_TOKEN_LENGTH) }
+  let(:env) do
+    {
+      'rack.input' => '',
+      'rack.session' => {
+        _csrf_token: csrf_token
+      },
+      'REQUEST_METHOD' => 'GET'
+    }
+  end
  let(:header) { }

  before do
@@ -58,7 +66,7 @@ describe API::Helpers do
  describe ".current_user" do
    subject { current_user }

-    describe "Warden authentication" do
+    describe "Warden authentication", :allow_forgery_protection do
      before do
        doorkeeper_guard_returns false
      end
@@ -99,7 +107,17 @@ describe API::Helpers do
            env['REQUEST_METHOD'] = 'PUT'
          end

-          it { is_expected.to be_nil }
+          context 'without CSRF token' do
+            it { is_expected.to be_nil }
+          end
+
+          context 'with CSRF token' do
+            before do
+              env['HTTP_X_CSRF_TOKEN'] = csrf_token
+            end
+
+            it { is_expected.to eq(user) }
+          end
        end

        context "POST request" do
@@ -107,7 +125,17 @@ describe API::Helpers do
            env['REQUEST_METHOD'] = 'POST'
          end

-          it { is_expected.to be_nil }
+          context 'without CSRF token' do
+            it { is_expected.to be_nil }
+          end
+
+          context 'with CSRF token' do
+            before do
+              env['HTTP_X_CSRF_TOKEN'] = csrf_token
+            end
+
+            it { is_expected.to eq(user) }
+          end
        end

        context "DELETE request" do
@@ -115,7 +143,17 @@ describe API::Helpers do
            env['REQUEST_METHOD'] = 'DELETE'
          end

-          it { is_expected.to be_nil }
+          context 'without CSRF token' do
+            it { is_expected.to be_nil }
+          end
+
+          context 'with CSRF token' do
+            before do
+              env['HTTP_X_CSRF_TOKEN'] = csrf_token
+            end
+
+            it { is_expected.to eq(user) }
+          end
        end
      end
    end

--- a/spec/support/forgery_protection.rb
+++ b/spec/support/forgery_protection.rb
+RSpec.configure do |config|
+  config.around(:each, :allow_forgery_protection) do |example|
+    begin
+      ActionController::Base.allow_forgery_protection = true
+
+      example.call
+    ensure
+      ActionController::Base.allow_forgery_protection = false
+    end
+  end
+end