提交
bfe8b968
编写于
7月 26, 2017
作者:
Douwe Maan
Add specs
上级
dcf4a2e8
Showing
4 changed file
with
145 addition
and
7 deletion
+145
-7
spec/features/oauth_login_spec.rb
spec/features/oauth_login_spec.rb
+1
-1
spec/lib/gitlab/request_forgery_protection_spec.rb
spec/lib/gitlab/request_forgery_protection_spec.rb
+89
-0
spec/requests/api/helpers_spec.rb
spec/requests/api/helpers_spec.rb
+44
-6
spec/support/forgery_protection.rb
spec/support/forgery_protection.rb
+11
-0
spec/features/oauth_login_spec.rb
require
'spec_helper'
feature
'OAuth Login'
,
js:
true
do
feature
'OAuth Login'
,
:js
,
:allow_forgery_protection
do
include
DeviseHelpers
def
enter_code
(
code
)
...
...
spec/lib/gitlab/request_forgery_protection_spec.rb
0 → 100644
require
'spec_helper'
describe
Gitlab
::
RequestForgeryProtection
,
:allow_forgery_protection
do
let
(
:csrf_token
)
{
SecureRandom
.
base64
(
ActionController
::
RequestForgeryProtection
::
AUTHENTICITY_TOKEN_LENGTH
)
}
let
(
:env
)
do
{
'rack.input'
=>
''
,
'rack.session'
=>
{
_csrf_token:
csrf_token
}
}
end
describe
'.call'
do
context
'when the request method is GET'
do
before
do
env
[
'REQUEST_METHOD'
]
=
'GET'
end
it
'does not raise an exception'
do
expect
{
described_class
.
call
(
env
)
}.
not_to
raise_exception
end
end
context
'when the request method is POST'
do
before
do
env
[
'REQUEST_METHOD'
]
=
'POST'
end
context
'when the CSRF token is valid'
do
before
do
env
[
'HTTP_X_CSRF_TOKEN'
]
=
csrf_token
end
it
'does not raise an exception'
do
expect
{
described_class
.
call
(
env
)
}.
not_to
raise_exception
end
end
context
'when the CSRF token is invalid'
do
before
do
env
[
'HTTP_X_CSRF_TOKEN'
]
=
'foo'
end
it
'raises an ActionController::InvalidAuthenticityToken exception'
do
expect
{
described_class
.
call
(
env
)
}.
to
raise_exception
(
ActionController
::
InvalidAuthenticityToken
)
end
end
end
end
describe
'.verified?'
do
context
'when the request method is GET'
do
before
do
env
[
'REQUEST_METHOD'
]
=
'GET'
end
it
'returns true'
do
expect
(
described_class
.
verified?
(
env
)).
to
be_truthy
end
end
context
'when the request method is POST'
do
before
do
env
[
'REQUEST_METHOD'
]
=
'POST'
end
context
'when the CSRF token is valid'
do
before
do
env
[
'HTTP_X_CSRF_TOKEN'
]
=
csrf_token
end
it
'returns true'
do
expect
(
described_class
.
verified?
(
env
)).
to
be_truthy
end
end
context
'when the CSRF token is invalid'
do
before
do
env
[
'HTTP_X_CSRF_TOKEN'
]
=
'foo'
end
it
'returns false'
do
expect
(
described_class
.
verified?
(
env
)).
to
be_falsey
end
end
end
end
end
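Review bot: The POST contexts under `.call` and `.verified?` only cover a header token checked against a session that already holds `_csrf_token`; there is no case for a fresh session (`'rack.session' => {}`) or for a request with no `HTTP_X_CSRF_TOKEN` at all, which are exactly the situations the forgery check exists to reject. I would add, beside the invalid-token context, `context 'when the session has no CSRF token' do` with `before { env['rack.session'] = {} }` and expectations that `verified?` is falsey and `.call` raises `ActionController::InvalidAuthenticityToken`. The valid-token case sends the raw session token, so the masked (double-length) form that Rails presumably emits to real clients is not exercised here, and only POST is covered although PUT, PATCH and DELETE go through the same check — a shared example over those verbs would be cheap. `'rack.input' => ''` is a String where Rack expects an IO-like object; if the form-parameter token path is ever consulted this would likely fail with `NoMethodError` instead of the asserted exception, so `'rack.input' => StringIO.new('')` is the safer stub.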
spec/requests/api/helpers_spec.rb
...
...
@@ -10,8 +10,16 @@ describe API::Helpers do
let
(
:key
)
{
create
(
:key
,
user:
user
)
}
let
(
:params
)
{
{}
}
let
(
:env
)
{
{
'REQUEST_METHOD'
=>
'GET'
}
}
let
(
:request
)
{
Rack
::
Request
.
new
(
env
)
}
let
(
:csrf_token
)
{
SecureRandom
.
base64
(
ActionController
::
RequestForgeryProtection
::
AUTHENTICITY_TOKEN_LENGTH
)
}
let
(
:env
)
do
{
'rack.input'
=>
''
,
'rack.session'
=>
{
_csrf_token:
csrf_token
},
'REQUEST_METHOD'
=>
'GET'
}
end
let
(
:header
)
{
}
before
do
...
...
@@ -58,7 +66,7 @@ describe API::Helpers do
describe
".current_user"
do
subject
{
current_user
}
describe
"Warden authentication"
do
describe
"Warden authentication"
,
:allow_forgery_protection
do
before
do
doorkeeper_guard_returns
false
end
...
...
@@ -99,24 +107,54 @@ describe API::Helpers do
env
[
'REQUEST_METHOD'
]
=
'PUT'
end
context
'without CSRF token'
do
it
{
is_expected
.
to
be_nil
}
end
context
'with CSRF token'
do
before
do
env
[
'HTTP_X_CSRF_TOKEN'
]
=
csrf_token
end
it
{
is_expected
.
to
eq
(
user
)
}
end
end
context
"POST request"
do
before
do
env
[
'REQUEST_METHOD'
]
=
'POST'
end
context
'without CSRF token'
do
it
{
is_expected
.
to
be_nil
}
end
context
'with CSRF token'
do
before
do
env
[
'HTTP_X_CSRF_TOKEN'
]
=
csrf_token
end
it
{
is_expected
.
to
eq
(
user
)
}
end
end
context
"DELETE request"
do
before
do
env
[
'REQUEST_METHOD'
]
=
'DELETE'
end
context
'without CSRF token'
do
it
{
is_expected
.
to
be_nil
}
end
context
'with CSRF token'
do
before
do
env
[
'HTTP_X_CSRF_TOKEN'
]
=
csrf_token
end
it
{
is_expected
.
to
eq
(
user
)
}
end
end
end
end
...
...
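Review bot: The PUT, POST and DELETE contexts only contrast an absent header with a valid one; there is no case where `HTTP_X_CSRF_TOKEN` is present but wrong (the `'foo'` value the `Gitlab::RequestForgeryProtection` spec in this commit uses), which is the input an attacker actually supplies and the one most likely to regress if token comparison changes. I would add `context 'with an invalid CSRF token'` with `before { env['HTTP_X_CSRF_TOKEN'] = 'foo' }` and `it { is_expected.to be_nil }` to each verb, or fold the three verbs into a shared example so PATCH can be covered alongside. The `before` block at the top of the last hunk (`env['REQUEST_METHOD'] = 'PUT'`) starts outside the visible lines, so its enclosing `context` header is not shown here. Since `:allow_forgery_protection` is applied only to the Warden describe, the doorkeeper path (`doorkeeper_guard_returns false`) and other token-based paths presumably still run with CSRF checks off; that matches what token-authenticated API calls need, but a one-line comment on the tag saying so would spare the next reader the question.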
spec/support/forgery_protection.rb
0 → 100644
RSpec
.
configure
do
|
config
|
config
.
around
(
:each
,
:allow_forgery_protection
)
do
|
example
|
begin
ActionController
::
Base
.
allow_forgery_protection
=
true
example
.
call
ensure
ActionController
::
Base
.
allow_forgery_protection
=
false
end
end
end
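Review bot: The `ensure` branch resets `ActionController::Base.allow_forgery_protection` to a hard-coded `false` rather than to whatever it was before the example, so any earlier hook or environment setting that enabled it would be silently turned off for every later example in the process. Capture the prior value before the `begin`, `previous = ActionController::Base.allow_forgery_protection`, and restore it in `ensure` with `ActionController::Base.allow_forgery_protection = previous`. Because this flips a process-global class attribute shared by every controller, the hook is not safe to run concurrently with examples that assume CSRF checks are disabled; a short comment above `config.around` would make that explicit, e.g. `# Turns on Rails CSRF verification (presumably off by default in the test env) for examples tagged :allow_forgery_protection. Global state: not parallel-safe.`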