gitlab-org--gitlab-foss/spec/lib/gitlab/middleware/same_site_cookies_spec.rb

# frozen_string_literal: true

require 'spec_helper'

RSpec.describe Gitlab::Middleware::SameSiteCookies do
  using RSpec::Parameterized::TableSyntax
  include Rack::Test::Methods

  let(:user_agent) { nil }
  let(:mock_app) do
    Class.new do
      attr_reader :cookies, :user_agent

      def initialize(cookies)
        @cookies = cookies
      end

      def call(env)
        [
          200,
          { 'Set-Cookie' => cookies },
          ['OK']
        ]
      end
    end
  end

  let(:app) { mock_app.new(cookies) }

  subject do
    described_class.new(app)
  end

  describe '#call' do
    let(:request) { Rack::MockRequest.new(subject) }

    def do_request
      request.post('/some/path', { 'HTTP_USER_AGENT' => user_agent }.compact )
    end

    context 'without SSL enabled' do
      before do
        allow(Gitlab.config.gitlab).to receive(:https).and_return(false)
      end

      context 'with cookie' do
        let(:cookies) { "thiscookie=12345" }

        it 'does not add headers to cookies' do
          response = do_request

          expect(response['Set-Cookie']).to eq(cookies)
        end
      end
    end

    context 'with SSL enabled' do
      before do
        allow(Gitlab.config.gitlab).to receive(:https).and_return(true)
      end

      context 'with no cookies' do
        let(:cookies) { "" }

        it 'does not add headers' do
          response = do_request

          expect(response['Set-Cookie']).to eq("")
        end
      end

      context 'with different browsers' do
        where(:description, :user_agent, :expected) do
          "iOS 12" | "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1" | false
          "macOS 10.14 + Safari" | "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Safari/605.1.15" | false
          "macOS 10.14 + Opera" | "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.78 Safari/537.36 OPR/47.0.2631.55" | false
          "macOS 10.14 + Chrome v80" | "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36" | true
          "Chrome v41" | "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.1 Safari/537.36" | true
          "Chrome v50" | "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2348.1 Safari/537.36" | true
          "Chrome v51" | "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2718.15 Safari/537.36" | false
          "Chrome v62" | "Mozilla/5.0 (Macintosh; Intel NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36" | false
          "Chrome v66" | "Mozilla/5.0 (Linux; Android 4.4.2; Avvio_793 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.126 Mobile Safari/537.36" | false
          "Chrome v67" | "Mozilla/5.0 (Linux; Android 7.1.1; SM-J510F Build/NMF26X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3371.0 Mobile Safari/537.36" | true
          "Chrome v85" | "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36" | true
          "Chromium v66" | "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/66.0.3359.181 HeadlessChrome/66.0.3359.181 Safari/537.36" | false
          "Chromium v85" | "Mozilla/5.0 (X11; Linux aarch64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/85.0.4183.59 Chrome/85.0.4183.59 Safari/537.36" | true
          "UC Browser 12.0.4" | "Mozilla/5.0 (Linux; U; Android 4.4.4; zh-CN; A31 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 UCBrowser/12.0.4.986 Mobile Safari/537.36" | false
          "UC Browser 12.13.0" | "Mozilla/5.0 (Linux; U; Android 7.1.1; en-US; SM-C9000 Build/NMF26X) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 UCBrowser/12.13.0.1207 Mobile Safari/537.36" | false
          "UC Browser 12.13.2" | "Mozilla/5.0 (Linux; U; Android 9; en-US; Redmi Note 7 Build/PQ3B.190801.002) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 UCBrowser/12.13.2.1208 Mobile Safari/537.36" | true
          "UC Browser 12.13.5" | "Mozilla/5.0 (Linux; U; Android 5.1.1; en-US; PHICOMM C630 (CLUE L) Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 UCBrowser/12.13.5.1209 Mobile Safari/537.36" | true
          "Playstation" | "Mozilla/5.0 (PlayStation 4 2.51) AppleWebKit/537.73 (KHTML, like Gecko)" | true
        end

        with_them do
          let(:cookies) { "thiscookie=12345" }

          it 'returns expected SameSite status' do
            response = do_request

            if expected
              expect(response['Set-Cookie']).to include('SameSite=None')
            else
              expect(response['Set-Cookie']).not_to include('SameSite=None')
            end
          end
        end
      end

      context 'with single cookie' do
        let(:cookies) { "thiscookie=12345" }

        it 'adds required headers' do
          response = do_request

          expect(response['Set-Cookie']).to eq("#{cookies}; Secure; SameSite=None")
        end
      end

      context 'multiple cookies' do
        let(:cookies) { "thiscookie=12345\nanother_cookie=56789" }

        it 'adds required headers' do
          response = do_request

          expect(response['Set-Cookie']).to eq("thiscookie=12345; Secure; SameSite=None\nanother_cookie=56789; Secure; SameSite=None")
        end
      end

      context 'multiple cookies with some missing headers' do
        let(:cookies) { "thiscookie=12345; SameSite=None\nanother_cookie=56789; Secure" }

        it 'adds missing headers' do
          response = do_request

          expect(response['Set-Cookie']).to eq("thiscookie=12345; SameSite=None; Secure\nanother_cookie=56789; Secure; SameSite=None")
        end
      end

      context 'multiple cookies with all headers present' do
        let(:cookies) { "thiscookie=12345; Secure; SameSite=None\nanother_cookie=56789; Secure; SameSite=None" }

        it 'does not add new headers' do
          response = do_request

          expect(response['Set-Cookie']).to eq(cookies)
        end
      end
    end
  end
end
Add latest changes from gitlab-org/gitlab@master 2020-03-28 05:08:30 -04:00			`# frozen_string_literal: true`

			`require 'spec_helper'`

Add latest changes from gitlab-org/gitlab@master 2020-06-24 14:09:03 -04:00			`RSpec.describe Gitlab::Middleware::SameSiteCookies do`
Add latest changes from gitlab-org/gitlab@master 2020-08-30 20:10:37 -04:00			`using RSpec::Parameterized::TableSyntax`
Add latest changes from gitlab-org/gitlab@master 2020-03-28 05:08:30 -04:00			`include Rack::Test::Methods`

Add latest changes from gitlab-org/gitlab@master 2020-08-30 20:10:37 -04:00			`let(:user_agent) { nil }`
Add latest changes from gitlab-org/gitlab@master 2020-03-28 05:08:30 -04:00			`let(:mock_app) do`
			`Class.new do`
Add latest changes from gitlab-org/gitlab@master 2020-08-30 20:10:37 -04:00			`attr_reader :cookies, :user_agent`
Add latest changes from gitlab-org/gitlab@master 2020-03-28 05:08:30 -04:00
Add latest changes from gitlab-org/gitlab@master 2020-09-01 08:11:01 -04:00			`def initialize(cookies)`
Add latest changes from gitlab-org/gitlab@master 2020-03-28 05:08:30 -04:00			`@cookies = cookies`
			`end`

			`def call(env)`
Add latest changes from gitlab-org/gitlab@master 2020-08-30 20:10:37 -04:00			`[`
			`200,`
Add latest changes from gitlab-org/gitlab@master 2020-09-01 08:11:01 -04:00			`{ 'Set-Cookie' => cookies },`
Add latest changes from gitlab-org/gitlab@master 2020-08-30 20:10:37 -04:00			`['OK']`
			`]`
Add latest changes from gitlab-org/gitlab@master 2020-03-28 05:08:30 -04:00			`end`
			`end`
			`end`

Add latest changes from gitlab-org/gitlab@master 2020-09-01 08:11:01 -04:00			`let(:app) { mock_app.new(cookies) }`
Add latest changes from gitlab-org/gitlab@master 2020-03-28 05:08:30 -04:00
			`subject do`
			`described_class.new(app)`
			`end`

			`describe '#call' do`
			`let(:request) { Rack::MockRequest.new(subject) }`

			`def do_request`
Add latest changes from gitlab-org/gitlab@master 2020-09-01 08:11:01 -04:00			`request.post('/some/path', { 'HTTP_USER_AGENT' => user_agent }.compact )`
Add latest changes from gitlab-org/gitlab@master 2020-03-28 05:08:30 -04:00			`end`

			`context 'without SSL enabled' do`
			`before do`
			`allow(Gitlab.config.gitlab).to receive(:https).and_return(false)`
			`end`

			`context 'with cookie' do`
			`let(:cookies) { "thiscookie=12345" }`

			`it 'does not add headers to cookies' do`
			`response = do_request`

			`expect(response['Set-Cookie']).to eq(cookies)`
			`end`
			`end`
			`end`

			`context 'with SSL enabled' do`
			`before do`
			`allow(Gitlab.config.gitlab).to receive(:https).and_return(true)`
			`end`

			`context 'with no cookies' do`
Add latest changes from gitlab-org/gitlab@master 2020-10-16 11:08:46 -04:00			`let(:cookies) { "" }`
Add latest changes from gitlab-org/gitlab@master 2020-03-28 05:08:30 -04:00
			`it 'does not add headers' do`
			`response = do_request`

Add latest changes from gitlab-org/gitlab@master 2020-10-16 11:08:46 -04:00			`expect(response['Set-Cookie']).to eq("")`
Add latest changes from gitlab-org/gitlab@master 2020-03-28 05:08:30 -04:00			`end`
			`end`

Add latest changes from gitlab-org/gitlab@master 2020-08-30 20:10:37 -04:00			`context 'with different browsers' do`
			`where(:description, :user_agent, :expected) do`
			`"iOS 12" \| "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1" \| false`
			`"macOS 10.14 + Safari" \| "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Safari/605.1.15" \| false`
			`"macOS 10.14 + Opera" \| "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.78 Safari/537.36 OPR/47.0.2631.55" \| false`
			`"macOS 10.14 + Chrome v80" \| "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36" \| true`
			`"Chrome v41" \| "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.1 Safari/537.36" \| true`
			`"Chrome v50" \| "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2348.1 Safari/537.36" \| true`
			`"Chrome v51" \| "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2718.15 Safari/537.36" \| false`
Add latest changes from gitlab-org/gitlab@master 2020-09-01 08:11:01 -04:00			`"Chrome v62" \| "Mozilla/5.0 (Macintosh; Intel NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36" \| false`
Add latest changes from gitlab-org/gitlab@master 2020-08-30 20:10:37 -04:00			`"Chrome v66" \| "Mozilla/5.0 (Linux; Android 4.4.2; Avvio_793 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.126 Mobile Safari/537.36" \| false`
			`"Chrome v67" \| "Mozilla/5.0 (Linux; Android 7.1.1; SM-J510F Build/NMF26X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3371.0 Mobile Safari/537.36" \| true`
			`"Chrome v85" \| "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36" \| true`
			`"Chromium v66" \| "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/66.0.3359.181 HeadlessChrome/66.0.3359.181 Safari/537.36" \| false`
			`"Chromium v85" \| "Mozilla/5.0 (X11; Linux aarch64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/85.0.4183.59 Chrome/85.0.4183.59 Safari/537.36" \| true`
			`"UC Browser 12.0.4" \| "Mozilla/5.0 (Linux; U; Android 4.4.4; zh-CN; A31 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 UCBrowser/12.0.4.986 Mobile Safari/537.36" \| false`
			`"UC Browser 12.13.0" \| "Mozilla/5.0 (Linux; U; Android 7.1.1; en-US; SM-C9000 Build/NMF26X) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 UCBrowser/12.13.0.1207 Mobile Safari/537.36" \| false`
			`"UC Browser 12.13.2" \| "Mozilla/5.0 (Linux; U; Android 9; en-US; Redmi Note 7 Build/PQ3B.190801.002) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 UCBrowser/12.13.2.1208 Mobile Safari/537.36" \| true`
			`"UC Browser 12.13.5" \| "Mozilla/5.0 (Linux; U; Android 5.1.1; en-US; PHICOMM C630 (CLUE L) Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 UCBrowser/12.13.5.1209 Mobile Safari/537.36" \| true`
			`"Playstation" \| "Mozilla/5.0 (PlayStation 4 2.51) AppleWebKit/537.73 (KHTML, like Gecko)" \| true`
			`end`

			`with_them do`
			`let(:cookies) { "thiscookie=12345" }`

			`it 'returns expected SameSite status' do`
			`response = do_request`

			`if expected`
			`expect(response['Set-Cookie']).to include('SameSite=None')`
			`else`
			`expect(response['Set-Cookie']).not_to include('SameSite=None')`
			`end`
			`end`
			`end`
			`end`

Add latest changes from gitlab-org/gitlab@master 2020-03-28 05:08:30 -04:00			`context 'with single cookie' do`
			`let(:cookies) { "thiscookie=12345" }`

			`it 'adds required headers' do`
			`response = do_request`

			`expect(response['Set-Cookie']).to eq("#{cookies}; Secure; SameSite=None")`
			`end`
			`end`

			`context 'multiple cookies' do`
			`let(:cookies) { "thiscookie=12345\nanother_cookie=56789" }`

			`it 'adds required headers' do`
			`response = do_request`

			`expect(response['Set-Cookie']).to eq("thiscookie=12345; Secure; SameSite=None\nanother_cookie=56789; Secure; SameSite=None")`
			`end`
			`end`

			`context 'multiple cookies with some missing headers' do`
			`let(:cookies) { "thiscookie=12345; SameSite=None\nanother_cookie=56789; Secure" }`

			`it 'adds missing headers' do`
			`response = do_request`

			`expect(response['Set-Cookie']).to eq("thiscookie=12345; SameSite=None; Secure\nanother_cookie=56789; Secure; SameSite=None")`
			`end`
			`end`

			`context 'multiple cookies with all headers present' do`
			`let(:cookies) { "thiscookie=12345; Secure; SameSite=None\nanother_cookie=56789; Secure; SameSite=None" }`

			`it 'does not add new headers' do`
			`response = do_request`

			`expect(response['Set-Cookie']).to eq(cookies)`
			`end`
			`end`
			`end`
			`end`
			`end`