gitlab-org--gitlab-foss/spec/controllers/google_api/authorizations_controller_spec.rb

require 'spec_helper'

describe GoogleApi::AuthorizationsController do
  describe 'GET|POST #callback' do
    let(:user) { create(:user) }
    let(:token) { 'token' }
    let(:expires_at) { 1.hour.since.strftime('%s') }

    subject { get :callback, code: 'xxx', state: @state }

    before do
      sign_in(user)

      allow_any_instance_of(GoogleApi::CloudPlatform::Client)
        .to receive(:get_token).and_return([token, expires_at])
    end

    it 'sets token and expires_at in session' do
      subject

      expect(session[GoogleApi::CloudPlatform::Client.session_key_for_token])
        .to eq(token)
      expect(session[GoogleApi::CloudPlatform::Client.session_key_for_expires_at])
        .to eq(expires_at)
    end

    context 'when second redirection url key is stored in state' do
      set(:project) { create(:project) }
      let(:second_redirect_uri) { project_clusters_url(project).to_s }

      before do
        GoogleApi::CloudPlatform::Client
          .session_key_for_second_redirect_uri.tap do |key, secure|
          @state = secure
          session[key] = second_redirect_uri
        end
      end

      it 'redirects to the URL stored in state param' do
        expect(subject).to redirect_to(second_redirect_uri)
      end
    end

    context 'when redirection url is not stored in state' do
      it 'redirects to root_path' do
        expect(subject).to redirect_to(root_path)
      end
    end
  end
end
authorizations_controller_spec. cluster_policy_spec. 2017-10-05 08:29:22 -04:00			`require 'spec_helper'`

			`describe GoogleApi::AuthorizationsController do`
			`describe 'GET\|POST #callback' do`
			`let(:user) { create(:user) }`
			`let(:token) { 'token' }`
			`let(:expires_at) { 1.hour.since.strftime('%s') }`

Security fix: redirection in google_api/authorizations_controller 2017-10-06 08:28:40 -04:00			`subject { get :callback, code: 'xxx', state: @state }`
authorizations_controller_spec. cluster_policy_spec. 2017-10-05 08:29:22 -04:00
			`before do`
			`sign_in(user)`

			`allow_any_instance_of(GoogleApi::CloudPlatform::Client)`
			`.to receive(:get_token).and_return([token, expires_at])`
			`end`

Security fix: redirection in google_api/authorizations_controller 2017-10-06 08:28:40 -04:00			`it 'sets token and expires_at in session' do`
authorizations_controller_spec. cluster_policy_spec. 2017-10-05 08:29:22 -04:00			`subject`

			`expect(session[GoogleApi::CloudPlatform::Client.session_key_for_token])`
			`.to eq(token)`
			`expect(session[GoogleApi::CloudPlatform::Client.session_key_for_expires_at])`
			`.to eq(expires_at)`
			`end`

Security fix: redirection in google_api/authorizations_controller 2017-10-06 08:28:40 -04:00			`context 'when second redirection url key is stored in state' do`
			`set(:project) { create(:project) }`
Use short path project_clusters_url 2017-10-06 08:37:50 -04:00			`let(:second_redirect_uri) { project_clusters_url(project).to_s }`
Security fix: redirection in google_api/authorizations_controller 2017-10-06 08:28:40 -04:00
			`before do`
			`GoogleApi::CloudPlatform::Client`
			`.session_key_for_second_redirect_uri.tap do \|key, secure\|`
			`@state = secure`
			`session[key] = second_redirect_uri`
			`end`
			`end`

authorizations_controller_spec. cluster_policy_spec. 2017-10-05 08:29:22 -04:00			`it 'redirects to the URL stored in state param' do`
Security fix: redirection in google_api/authorizations_controller 2017-10-06 08:28:40 -04:00			`expect(subject).to redirect_to(second_redirect_uri)`
authorizations_controller_spec. cluster_policy_spec. 2017-10-05 08:29:22 -04:00			`end`
			`end`

			`context 'when redirection url is not stored in state' do`
			`it 'redirects to root_path' do`
			`expect(subject).to redirect_to(root_path)`
			`end`
			`end`
			`end`
			`end`