Improve test coverage for Oauth::GeoAuthController

d042751c · Douglas Barbosa Alexandre · 91ec7343 · d042751c
Commit d042751c authored Mar 18, 2019 by Douglas Barbosa Alexandre
Hide whitespace changes
Inline Side-by-side

Showing with 57 additions and 11 deletions

ee/spec/controllers/oauth/geo_auth_controller_spec.rb ee/spec/controllers/oauth/geo_auth_controller_spec.rb +57 -11

No files found.
--- a/ee/spec/controllers/oauth/geo_auth_controller_spec.rb
+++ b/ee/spec/controllers/oauth/geo_auth_controller_spec.rb
@@ -27,12 +27,34 @@ describe Oauth::GeoAuthController do
      expect(response).to redirect_to(root_url)
    end
-    it "redirects to primary node's oauth endpoint" do
+    shared_examples "a valid redirect to to primary node's oauth endpoint" do
-      oauth_endpoint = Gitlab::Geo::Oauth::Session.new.authorize_url(redirect_uri: oauth_geo_callback_url, state: login_state)
+      it "redirects to primary node's oauth endpoint" do
+        oauth_endpoint = Gitlab::Geo::Oauth::Session.new.authorize_url(redirect_uri: oauth_geo_callback_url, state: login_state)
-      get :auth, params: { state: login_state }
+        get :auth, params: { state: login_state }
+        expect(response).to redirect_to(oauth_endpoint)
+      end
+    end
+    context 'without a tampered header' do
+      it_behaves_like "a valid redirect to to primary node's oauth endpoint"
+    end
+    context 'with a tampered HOST header' do
+      before do
+        request.headers['HOST'] = 'http://this.is.not.my.host'
+      end
+      it_behaves_like "a valid redirect to to primary node's oauth endpoint"
+    end
+    context 'with a tampered X-Forwarded-Host header' do
+      before do
+        request.headers['X-Forwarded-Host'] = 'http://this.is.not.my.host'
+      end
-      expect(response).to redirect_to(oauth_endpoint)
+      it_behaves_like "a valid redirect to to primary node's oauth endpoint"
    end
  end
@@ -55,16 +77,40 @@ describe Oauth::GeoAuthController do
        expect(response).to redirect_to(new_user_session_path)
      end
-      it 'redirects to redirect_url if state is valid' do
+      context 'with a valid state' do
-        get :callback, params: { state: login_state }
+        shared_examples 'a valid redirect to redirect_url' do
+          it "redirects to primary node's oauth endpoint" do
+            get :callback, params: { state: login_state }
-        expect(response).to redirect_to('/')
+            expect(response).to redirect_to('/')
-      end
+          end
+        end
-      it 'does not display a flash message if state is valid' do
+        context 'without a tampered header' do
-        get :callback, params: { state: login_state }
+          it_behaves_like 'a valid redirect to redirect_url'
+        end
+        context 'with a tampered HOST header' do
+          before do
+            request.headers['HOST'] = 'http://this.is.not.my.host'
+          end
+          it_behaves_like 'a valid redirect to redirect_url'
+        end
+        context 'with a tampered X-Forwarded-Host header' do
+          before do
+            request.headers['X-Forwarded-Host'] = 'http://this.is.not.my.host'
+          end
+          it_behaves_like 'a valid redirect to redirect_url'
+        end
+        it 'does not display a flash message' do
+          get :callback, params: { state: login_state }
-        expect(controller).to set_flash[:alert].to(nil)
+          expect(controller).to set_flash[:alert].to(nil)
+        end
      end
    end