# frozen_string_literal: true
require 'spec_helper'
RSpec.describe KasCookie, feature_category: :deployment_management do
  describe '#set_kas_cookie' do
    # Anonymous controller that mixes in the concern and sets the cookie on
    # every request to #index before rendering an empty JSON body.
    controller(ApplicationController) do
      include KasCookie

      def index
        set_kas_cookie
        render json: {}, status: :ok
      end
    end

    # Value of the KAS cookie written by the request, read back from the
    # cookie jar that the concern populated.
    subject(:kas_cookie) do
      get :index
      request.env['action_dispatch.cookies'][Gitlab::Kas::COOKIE_KEY]
    end

    before do
      allow(::Gitlab::Kas).to receive(:enabled?).and_return(true)
    end

    context 'when user is signed out' do
      it 'does not set the KAS cookie' do
        expect(kas_cookie).to be_blank
      end
    end

    context 'when user is signed in' do
      let_it_be(:user) { create(:user) }

      let(:cookie_payload) { 'foobar' }

      before do
        sign_in(user)
        allow(::Gitlab::Kas::UserAccess).to receive(:cookie_data).and_return(cookie_payload)
      end

      # NOTE(review): only the cookie *value* is asserted here. The attributes
      # the concern applies to the cookie (Secure / HttpOnly / SameSite /
      # expiry) are not covered by this spec and would be worth pinning.
      it 'sets the KAS cookie from UserAccess.cookie_data', :aggregate_failures do
        expect(kas_cookie).to be_present.and eq(cookie_payload)
        expect(::Gitlab::Kas::UserAccess).to have_received(:cookie_data)
      end
    end
  end

  describe '#content_security_policy' do
    let_it_be(:user) { create(:user) }

    let(:content_security_policy_enabled) { true }
    let(:gitlab_config) do
      Gitlab.config.gitlab.deep_merge(
        {
          'host' => 'gitlab.example.com',
          'content_security_policy' => { 'enabled' => content_security_policy_enabled }
        }
      )
    end

    # Anonymous controller with the concern included; #index does nothing but
    # render, so any CSP change comes from the concern's hook alone.
    controller(ApplicationController) do
      include KasCookie

      def index
        render json: {}, status: :ok
      end
    end

    # The connect-src directive of the policy attached to the request.
    subject(:kas_csp_connect_src) do
      get :index
      request.env['action_dispatch.content_security_policy'].directives['connect-src']
    end

    before do
      stub_config_setting(gitlab_config)
      sign_in(user)
      allow(::Gitlab::Kas).to receive(:enabled?).and_return(true)
      allow(::Gitlab::Kas).to receive(:tunnel_url).and_return(kas_tunnel_url)
    end

    # Asserts that the (stubbed) tunnel URL, plus an optional suffix, is absent
    # from connect-src. Shared by every "nothing should be added" case below.
    shared_examples 'leaves connect-src untouched' do |url_suffix = ''|
      it 'does not add KAS url to CSP connect-src directive' do
        expect(kas_csp_connect_src).not_to include("#{::Gitlab::Kas.tunnel_url}#{url_suffix}")
      end
    end

    context 'when KAS is on same domain as rails' do
      let(:kas_tunnel_url) { 'ws://gitlab.example.com/-/k8s-proxy/' }

      # Same host as the Rails app: no extra origin is expected in connect-src.
      it_behaves_like 'leaves connect-src untouched'
    end

    context 'when KAS is on subdomain' do
      let(:kas_tunnel_url) { 'http://kas.gitlab.example.com/k8s-proxy/' }

      it 'adds the KAS url and its websocket equivalent to CSP connect-src', :aggregate_failures do
        expect(kas_csp_connect_src).to include(::Gitlab::Kas.tunnel_url)
        expect(kas_csp_connect_src).to include('ws://kas.gitlab.example.com/k8s-proxy/')
      end

      context 'when content_security_policy is disabled' do
        let(:content_security_policy_enabled) { false }

        it_behaves_like 'leaves connect-src untouched'
      end
    end

    context 'when KAS tunnel has ssl' do
      let(:kas_tunnel_url) { 'https://kas.gitlab.example.com/k8s-proxy/' }

      # NOTE(review): this only checks that the wss: origin is present; it does
      # not assert that no cleartext ws: origin is added alongside it.
      it 'adds websocket connections' do
        expect(kas_csp_connect_src).to include('wss://kas.gitlab.example.com/k8s-proxy/')
      end
    end

    context 'when KAS tunnel url is configured without trailing slash' do
      let(:kas_tunnel_url) { 'ws://kas.gitlab.example.com/k8s-proxy' }

      it 'adds KAS url to CSP connect-src directive with trailing slash' do
        expect(kas_csp_connect_src).to include("#{::Gitlab::Kas.tunnel_url}/")
      end

      context 'when content_security_policy is disabled' do
        let(:content_security_policy_enabled) { false }

        it_behaves_like 'leaves connect-src untouched', '/'
      end
    end
  end
end