gitlab-org--gitlab-foss/spec/controllers/oauth/applications_controller_spec.rb

# frozen_string_literal: true

require 'spec_helper'

describe Oauth::ApplicationsController do
  let(:user) { create(:user) }

  context 'project members' do
    before do
      sign_in(user)
    end

    describe 'GET #index' do
      it 'shows list of applications' do
        get :index

        expect(response).to have_gitlab_http_status(200)
      end

      it 'shows list of applications' do
        disable_user_oauth

        get :index

        expect(response).to have_gitlab_http_status(200)
      end
    end

    describe 'POST #create' do
      it 'creates an application' do
        post :create, params: oauth_params

        expect(response).to have_gitlab_http_status(302)
        expect(response).to redirect_to(oauth_application_path(Doorkeeper::Application.last))
      end

      it 'redirects back to profile page if OAuth applications are disabled' do
        disable_user_oauth

        post :create, params: oauth_params

        expect(response).to have_gitlab_http_status(302)
        expect(response).to redirect_to(profile_path)
      end

      context 'redirect_uri' do
        render_views

        it 'shows an error for a forbidden URI' do
          invalid_uri_params = {
            doorkeeper_application: {
              name: 'foo',
              redirect_uri: 'javascript://alert()'
            }
          }

          post :create, params: invalid_uri_params

          expect(response.body).to include 'Redirect URI is forbidden by the server'
        end
      end
    end
  end

  def disable_user_oauth
    allow(Gitlab::CurrentSettings.current_application_settings).to receive(:user_oauth_applications?).and_return(false)
  end

  def oauth_params
    {
      doorkeeper_application: {
        name: 'foo',
        redirect_uri: 'http://example.org'
      }
    }
  end
end
Add some frozen string to spec/*/.rb Adds frozen string to the following: * spec/bin/*/.rb * spec/config/*/.rb * spec/controllers/*/.rb xref https://gitlab.com/gitlab-org/gitlab-ce/issues/59758 2019-04-15 06:17:05 -04:00			`# frozen_string_literal: true`

Fix endless redirections when accessing user OAuth applications when they are disabled Also hides the "Applications" nav button if OAuth applications are disabled by the admin. Closes #14770 2016-06-08 02:15:45 -04:00			`require 'spec_helper'`

			`describe Oauth::ApplicationsController do`
			`let(:user) { create(:user) }`

			`context 'project members' do`
			`before do`
			`sign_in(user)`
			`end`

			`describe 'GET #index' do`
			`it 'shows list of applications' do`
			`get :index`

Refactor `have_http_status` into `have_gitlab_http_status` in the specs 2017-10-19 14:28:19 -04:00			`expect(response).to have_gitlab_http_status(200)`
Fix endless redirections when accessing user OAuth applications when they are disabled Also hides the "Applications" nav button if OAuth applications are disabled by the admin. Closes #14770 2016-06-08 02:15:45 -04:00			`end`

Fix spec message in spec/controllers/oauth/applications_controller_spec.rb Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2018-09-21 04:03:00 -04:00			`it 'shows list of applications' do`
Always allow user to revoke an authorized application Even if User OAuth applications setting is disabled in admin settings. Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2018-09-20 07:02:59 -04:00			`disable_user_oauth`
Fix endless redirections when accessing user OAuth applications when they are disabled Also hides the "Applications" nav button if OAuth applications are disabled by the admin. Closes #14770 2016-06-08 02:15:45 -04:00
			`get :index`

Always allow user to revoke an authorized application Even if User OAuth applications setting is disabled in admin settings. Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2018-09-20 07:02:59 -04:00			`expect(response).to have_gitlab_http_status(200)`
			`end`
			`end`

			`describe 'POST #create' do`
			`it 'creates an application' do`
Update specs to rails5 format Updates specs to use new rails5 format. The old format: `get :show, { some: params }, { some: headers }` The new format: `get :show, params: { some: params }, headers: { some: headers }` 2018-12-17 17:52:17 -05:00			`post :create, params: oauth_params`
Always allow user to revoke an authorized application Even if User OAuth applications setting is disabled in admin settings. Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2018-09-20 07:02:59 -04:00
			`expect(response).to have_gitlab_http_status(302)`
			`expect(response).to redirect_to(oauth_application_path(Doorkeeper::Application.last))`
			`end`

			`it 'redirects back to profile page if OAuth applications are disabled' do`
			`disable_user_oauth`

Update specs to rails5 format Updates specs to use new rails5 format. The old format: `get :show, { some: params }, { some: headers }` The new format: `get :show, params: { some: params }, headers: { some: headers }` 2018-12-17 17:52:17 -05:00			`post :create, params: oauth_params`
Always allow user to revoke an authorized application Even if User OAuth applications setting is disabled in admin settings. Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2018-09-20 07:02:59 -04:00
Refactor `have_http_status` into `have_gitlab_http_status` in the specs 2017-10-19 14:28:19 -04:00			`expect(response).to have_gitlab_http_status(302)`
Fix endless redirections when accessing user OAuth applications when they are disabled Also hides the "Applications" nav button if OAuth applications are disabled by the admin. Closes #14770 2016-06-08 02:15:45 -04:00			`expect(response).to redirect_to(profile_path)`
			`end`
Merge branch 'security-fix-uri-xss-applications' into 'master' [master] Resolve "Reflected XSS in OAuth Authorize window due to redirect_uri allowing arbitrary protocols" See merge request gitlab/gitlabhq!2572 2018-11-28 17:53:48 -05:00
			`context 'redirect_uri' do`
			`render_views`

			`it 'shows an error for a forbidden URI' do`
			`invalid_uri_params = {`
			`doorkeeper_application: {`
			`name: 'foo',`
			`redirect_uri: 'javascript://alert()'`
			`}`
			`}`

Update specs to rails5 format Updates specs to use new rails5 format. The old format: `get :show, { some: params }, { some: headers }` The new format: `get :show, params: { some: params }, headers: { some: headers }` 2018-12-17 17:52:17 -05:00			`post :create, params: invalid_uri_params`
Merge branch 'security-fix-uri-xss-applications' into 'master' [master] Resolve "Reflected XSS in OAuth Authorize window due to redirect_uri allowing arbitrary protocols" See merge request gitlab/gitlabhq!2572 2018-11-28 17:53:48 -05:00
			`expect(response.body).to include 'Redirect URI is forbidden by the server'`
			`end`
			`end`
Fix endless redirections when accessing user OAuth applications when they are disabled Also hides the "Applications" nav button if OAuth applications are disabled by the admin. Closes #14770 2016-06-08 02:15:45 -04:00			`end`
			`end`
Always allow user to revoke an authorized application Even if User OAuth applications setting is disabled in admin settings. Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2018-09-20 07:02:59 -04:00
			`def disable_user_oauth`
			`allow(Gitlab::CurrentSettings.current_application_settings).to receive(:user_oauth_applications?).and_return(false)`
			`end`

			`def oauth_params`
			`{`
			`doorkeeper_application: {`
			`name: 'foo',`
			`redirect_uri: 'http://example.org'`
			`}`
			`}`
			`end`
Fix endless redirections when accessing user OAuth applications when they are disabled Also hides the "Applications" nav button if OAuth applications are disabled by the admin. Closes #14770 2016-06-08 02:15:45 -04:00			`end`