OneTrust for trial and purchase flows pages

app/controllers/concerns/one_trust_csp.rb

@@ -5,7 +5,7 @@ module OneTrustCSP
 
   included do
     content_security_policy do |policy|
-      next if policy.directives.blank?
+      next unless helpers.one_trust_enabled? || policy.directives.present?
 
       default_script_src = policy.directives['script-src'] || policy.directives['default-src']
       script_src_values = Array.wrap(default_script_src) | ["'unsafe-eval'", 'https://cdn.cookielaw.org https://*.onetrust.com']

app/helpers/one_trust_helper.rb

@@ -4,7 +4,6 @@ module OneTrustHelper
   def one_trust_enabled?
     Feature.enabled?(:ecomm_instrumentation, type: :ops) &&
       Gitlab.config.extra.has_key?('one_trust_id') &&
-      Gitlab.config.extra.one_trust_id.present? &&
-      !current_user
+      Gitlab.config.extra.one_trust_id.present?
   end
 end

ee/app/controllers/subscriptions_controller.rb

@@ -2,6 +2,7 @@
 
 class SubscriptionsController < ApplicationController
   include InternalRedirect
+  include OneTrustCSP
 
   layout 'checkout'
   skip_before_action :authenticate_user!, only: [:new]

ee/app/controllers/trials_controller.rb

@@ -4,6 +4,7 @@
 # TODO: namespace https://gitlab.com/gitlab-org/gitlab/-/issues/338394
 class TrialsController < ApplicationController
   include ActionView::Helpers::SanitizeHelper
+  include OneTrustCSP
 
   layout 'minimal'
 

ee/app/views/subscriptions/buy_minutes.html.haml

 - page_title _('Buy CI Minutes')
+- content_for :page_specific_javascripts do
+  = render "layouts/one_trust"
 
 #js-buy-minutes{ data: buy_addon_data(@group, @account_id, 'pipelines-quota-tab', s_('Checkout|CI minutes')) }

ee/app/views/subscriptions/buy_storage.html.haml

 - page_title _('Buy Storage')
+- content_for :page_specific_javascripts do
+  = render "layouts/one_trust"
 
 #js-buy-storage{ data: buy_addon_data(@group, @account_id, 'storage-quota-tab', s_('Checkout|a storage subscription')) }

ee/app/views/subscriptions/new.html.haml

 - page_title _('Checkout')
+- content_for :page_specific_javascripts do
+  = render "layouts/one_trust"
 
 #js-new-subscription{ data: subscription_data(@eligible_groups) }

ee/app/views/trials/new.html.haml

 - page_title _('Start your Free Ultimate Trial')
 - glm_params = { glm_source: params[:glm_source], glm_content: params[:glm_content] }
+- content_for :page_specific_javascripts do
+  = render "layouts/one_trust"
 
 .row
   .col-md-6.offset-md-3

ee/spec/features/subscriptions_spec.rb

@@ -7,12 +7,14 @@ RSpec.describe 'Subscriptions Content Security Policy' do
 
   let_it_be(:default_csp_values) { "'self' https://some-cdn.test" }
   let_it_be(:zuora_url) { 'https://*.zuora.com' }
+  let_it_be(:onetrust_url) { 'https://*.onetrust.com' }
+  let_it_be(:cookielaw_url) { 'https://cdn.cookielaw.org' }
 
   before do
     stub_request(:get, /.*gitlab_plans.*/).to_return(status: 200, body: "{}")
 
     expect_next_instance_of(SubscriptionsController) do |controller|
-      expect(controller).to receive(:current_content_security_policy).and_return(csp)
+      expect(controller).to receive(:current_content_security_policy).and_return(csp).twice
     end
 
     sign_in(create(:user))
@@ -35,9 +37,10 @@ RSpec.describe 'Subscriptions Content Security Policy' do
       end
     end
 
-    it { is_expected.to include("script-src #{default_csp_values} 'unsafe-eval' #{zuora_url}") }
+    it { is_expected.to include("script-src #{default_csp_values} 'unsafe-eval' #{cookielaw_url} #{onetrust_url} #{zuora_url}") }
     it { is_expected.to include("frame-src #{default_csp_values} #{zuora_url}") }
     it { is_expected.to include("child-src #{default_csp_values} #{zuora_url}") }
+    it { is_expected.to include("connect-src #{cookielaw_url}") }
   end
 
   context 'when just a default CSP config exists' do
@@ -48,7 +51,7 @@ RSpec.describe 'Subscriptions Content Security Policy' do
     end
 
     it { is_expected.to include("default-src #{default_csp_values}") }
-    it { is_expected.to include("script-src #{default_csp_values} 'unsafe-eval' #{zuora_url}") }
+    it { is_expected.to include("script-src #{default_csp_values} 'unsafe-eval' #{cookielaw_url} #{onetrust_url} #{zuora_url}") }
     it { is_expected.to include("frame-src #{default_csp_values} #{zuora_url}") }
     it { is_expected.to include("child-src #{default_csp_values} #{zuora_url}") }
   end

spec/helpers/one_trust_helper_spec.rb

@@ -4,11 +4,8 @@ require "spec_helper"
 
 RSpec.describe OneTrustHelper do
   describe '#one_trust_enabled?' do
-    let(:user) { nil }
-
     before do
       stub_config(extra: { one_trust_id: SecureRandom.uuid })
-      allow(helper).to receive(:current_user).and_return(user)
     end
 
     subject(:one_trust_enabled?) { helper.one_trust_enabled? }
@@ -18,20 +15,10 @@ RSpec.describe OneTrustHelper do
         stub_feature_flags(ecomm_instrumentation: false)
       end
 
-      context 'when id is set and no user is set' do
-        let(:user) { instance_double('User') }
-
-        it { is_expected.to be_falsey }
-      end
+      it { is_expected.to be_falsey }
     end
 
     context 'with ecomm_instrumentation feature flag enabled' do
-      context 'when current user is set' do
-        let(:user) { instance_double('User') }
-
-        it { is_expected.to be_falsey }
-      end
-
       context 'when no id is set' do
         before do
           stub_config(extra: {})
@@ -39,10 +26,6 @@ RSpec.describe OneTrustHelper do
 
         it { is_expected.to be_falsey }
       end
-
-      context 'when id is set and no user is set' do
-        it { is_expected.to be_truthy }
-      end
     end
   end
 end