Commit bfe8b968 authored by Douwe Maan's avatar Douwe Maan

Add specs

parent dcf4a2e8
require 'spec_helper' require 'spec_helper'
feature 'OAuth Login', js: true do feature 'OAuth Login', :js, :allow_forgery_protection do
include DeviseHelpers include DeviseHelpers
def enter_code(code) def enter_code(code)
require 'spec_helper'
describe Gitlab::RequestForgeryProtection, :allow_forgery_protection do
let(:csrf_token) { SecureRandom.base64(ActionController::RequestForgeryProtection::AUTHENTICITY_TOKEN_LENGTH) }
let(:env) do
{
'rack.input' => '',
'rack.session' => {
_csrf_token: csrf_token
}
}
end
describe '.call' do
context 'when the request method is GET' do
before do
env['REQUEST_METHOD'] = 'GET'
end
it 'does not raise an exception' do
expect { described_class.call(env) }.not_to raise_exception
end
end
context 'when the request method is POST' do
before do
env['REQUEST_METHOD'] = 'POST'
end
context 'when the CSRF token is valid' do
before do
env['HTTP_X_CSRF_TOKEN'] = csrf_token
end
it 'does not raise an exception' do
expect { described_class.call(env) }.not_to raise_exception
end
end
context 'when the CSRF token is invalid' do
before do
env['HTTP_X_CSRF_TOKEN'] = 'foo'
end
it 'raises an ActionController::InvalidAuthenticityToken exception' do
expect { described_class.call(env) }.to raise_exception(ActionController::InvalidAuthenticityToken)
end
end
end
end
describe '.verified?' do
context 'when the request method is GET' do
before do
env['REQUEST_METHOD'] = 'GET'
end
it 'returns true' do
expect(described_class.verified?(env)).to be_truthy
end
end
context 'when the request method is POST' do
before do
env['REQUEST_METHOD'] = 'POST'
end
context 'when the CSRF token is valid' do
before do
env['HTTP_X_CSRF_TOKEN'] = csrf_token
end
it 'returns true' do
expect(described_class.verified?(env)).to be_truthy
end
end
context 'when the CSRF token is invalid' do
before do
env['HTTP_X_CSRF_TOKEN'] = 'foo'
end
it 'returns false' do
expect(described_class.verified?(env)).to be_falsey
end
end
end
end
end
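Review bot: The POST contexts under both `.call` and `.verified?` exercise a valid and an invalid `HTTP_X_CSRF_TOKEN`, but never the case where the header is absent altogether, which is what a plain cross-site form submission or a session-authenticated request from a non-browser client looks like; that is the path the middleware exists to reject and it currently has no spec pinning it. Add a third context beside 'when the CSRF token is invalid' that sets no header and expects `raise_exception(ActionController::InvalidAuthenticityToken)` from `.call`, with the mirror context under `.verified?` expecting `be_falsey`. The session side is likewise only covered with `_csrf_token` present, so a `rack.session` without it would be worth a case as well. Since `verified?` is a predicate, `be(true)`/`be(false)` would pin its contract more tightly than `be_truthy`/`be_falsey`.

```ruby
    context 'when the request method is POST' do
      # … unchanged: before block, 'valid' and 'invalid' token contexts …

      context 'when the CSRF token is missing' do
        it 'raises an ActionController::InvalidAuthenticityToken exception' do
          expect { described_class.call(env) }.to raise_exception(ActionController::InvalidAuthenticityToken)
        end
      end
```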
...@@ -10,8 +10,16 @@ describe API::Helpers do ...@@ -10,8 +10,16 @@ describe API::Helpers do
let(:key) { create(:key, user: user) } let(:key) { create(:key, user: user) }
let(:params) { {} } let(:params) { {} }
let(:env) { { 'REQUEST_METHOD' => 'GET' } } let(:csrf_token) { SecureRandom.base64(ActionController::RequestForgeryProtection::AUTHENTICITY_TOKEN_LENGTH) }
let(:request) { Rack::Request.new(env) } let(:env) do
{
'rack.input' => '',
'rack.session' => {
_csrf_token: csrf_token
},
'REQUEST_METHOD' => 'GET'
}
end
let(:header) { } let(:header) { }
before do before do
...@@ -58,7 +66,7 @@ describe API::Helpers do ...@@ -58,7 +66,7 @@ describe API::Helpers do
describe ".current_user" do describe ".current_user" do
subject { current_user } subject { current_user }
describe "Warden authentication" do describe "Warden authentication", :allow_forgery_protection do
before do before do
doorkeeper_guard_returns false doorkeeper_guard_returns false
end end
...@@ -99,24 +107,54 @@ describe API::Helpers do ...@@ -99,24 +107,54 @@ describe API::Helpers do
env['REQUEST_METHOD'] = 'PUT' env['REQUEST_METHOD'] = 'PUT'
end end
context 'without CSRF token' do
it { is_expected.to be_nil } it { is_expected.to be_nil }
end end
context 'with CSRF token' do
before do
env['HTTP_X_CSRF_TOKEN'] = csrf_token
end
it { is_expected.to eq(user) }
end
end
context "POST request" do context "POST request" do
before do before do
env['REQUEST_METHOD'] = 'POST' env['REQUEST_METHOD'] = 'POST'
end end
context 'without CSRF token' do
it { is_expected.to be_nil } it { is_expected.to be_nil }
end end
context 'with CSRF token' do
before do
env['HTTP_X_CSRF_TOKEN'] = csrf_token
end
it { is_expected.to eq(user) }
end
end
context "DELETE request" do context "DELETE request" do
before do before do
env['REQUEST_METHOD'] = 'DELETE' env['REQUEST_METHOD'] = 'DELETE'
end end
context 'without CSRF token' do
it { is_expected.to be_nil } it { is_expected.to be_nil }
end end
context 'with CSRF token' do
before do
env['HTTP_X_CSRF_TOKEN'] = csrf_token
end
it { is_expected.to eq(user) }
end
end
end end
end end
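Review bot: The new 'with CSRF token' contexts for PUT, POST and DELETE only show that a correct token yields `user`; none of them presents a token header that does not match the session, so a regression that accepted any non-empty `HTTP_X_CSRF_TOKEN` would still pass this spec. Add a sibling context for each method, e.g. `context 'with invalid CSRF token' do` around `before { env['HTTP_X_CSRF_TOKEN'] = 'foo' }` and `it { is_expected.to be_nil }`, matching the invalid-token case the new `Gitlab::RequestForgeryProtection` spec already covers. The enclosing `describe "Warden authentication"` and the `context "PUT request"` line open before this hunk.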
RSpec.configure do |config|
config.around(:each, :allow_forgery_protection) do |example|
begin
ActionController::Base.allow_forgery_protection = true
example.call
ensure
ActionController::Base.allow_forgery_protection = false
end
end
end