Improve test coverage for Oauth::GeoAuthController

d042751c · Douglas Barbosa Alexandre · 91ec7343 · d042751c
Commit d042751c authored Mar 18, 2019 by Douglas Barbosa Alexandre
Show whitespace changes
Inline Side-by-side

Showing with 57 additions and 11 deletions

ee/spec/controllers/oauth/geo_auth_controller_spec.rb ee/spec/controllers/oauth/geo_auth_controller_spec.rb +57 -11

No files found.
--- a/ee/spec/controllers/oauth/geo_auth_controller_spec.rb
+++ b/ee/spec/controllers/oauth/geo_auth_controller_spec.rb
@@ -27,6 +27,7 @@ describe Oauth::GeoAuthController do
      expect(response).to redirect_to(root_url)
    end

+    shared_examples "a valid redirect to to primary node's oauth endpoint" do
      it "redirects to primary node's oauth endpoint" do
        oauth_endpoint = Gitlab::Geo::Oauth::Session.new.authorize_url(redirect_uri: oauth_geo_callback_url, state: login_state)

@@ -36,6 +37,27 @@ describe Oauth::GeoAuthController do
      end
    end

+    context 'without a tampered header' do
+      it_behaves_like "a valid redirect to to primary node's oauth endpoint"
+    end
+
+    context 'with a tampered HOST header' do
+      before do
+        request.headers['HOST'] = 'http://this.is.not.my.host'
+      end
+
+      it_behaves_like "a valid redirect to to primary node's oauth endpoint"
+    end
+
+    context 'with a tampered X-Forwarded-Host header' do
+      before do
+        request.headers['X-Forwarded-Host'] = 'http://this.is.not.my.host'
+      end
+
+      it_behaves_like "a valid redirect to to primary node's oauth endpoint"
+    end
+  end
+
  describe 'GET callback' do
    before do
      stub_current_geo_node(secondary_node)
@@ -55,18 +77,42 @@ describe Oauth::GeoAuthController do
        expect(response).to redirect_to(new_user_session_path)
      end

-      it 'redirects to redirect_url if state is valid' do
+      context 'with a valid state' do
+        shared_examples 'a valid redirect to redirect_url' do
+          it "redirects to primary node's oauth endpoint" do
            get :callback, params: { state: login_state }

            expect(response).to redirect_to('/')
          end
+        end
+
+        context 'without a tampered header' do
+          it_behaves_like 'a valid redirect to redirect_url'
+        end
+
+        context 'with a tampered HOST header' do
+          before do
+            request.headers['HOST'] = 'http://this.is.not.my.host'
+          end
+
+          it_behaves_like 'a valid redirect to redirect_url'
+        end
+
+        context 'with a tampered X-Forwarded-Host header' do
+          before do
+            request.headers['X-Forwarded-Host'] = 'http://this.is.not.my.host'
+          end

-      it 'does not display a flash message if state is valid' do
+          it_behaves_like 'a valid redirect to redirect_url'
+        end
+
+        it 'does not display a flash message' do
          get :callback, params: { state: login_state }

          expect(controller).to set_flash[:alert].to(nil)
        end
      end
+    end

    context 'invalid credentials' do
      let(:fake_response) { double('Faraday::Response', headers: {}, body: '', status: 403) }