Merge branch '341430-onetrust-implementation-gitlab-com' into 'master'

Add OneTrust installation script to non-product pages See merge request gitlab-org/gitlab!71243

Merge branch '341430-onetrust-implementation-gitlab-com' into 'master'
Add OneTrust installation script to non-product pages See merge request gitlab-org/gitlab!71243
0873c85b · Stan Hu · cc20c5cd · 8efbd545 · 0873c85b · 0873c85b
Commit 0873c85b authored Oct 13, 2021 by Stan Hu
13 changed files
--- a/app/controllers/concerns/one_trust_csp.rb
+++ b/app/controllers/concerns/one_trust_csp.rb
+# frozen_string_literal: true
+module OneTrustCSP
+  extend ActiveSupport::Concern
+  included do
+    content_security_policy do |policy|
+      next if policy.directives.blank?
+      default_script_src = policy.directives['script-src'] || policy.directives['default-src']
+      script_src_values = Array.wrap(default_script_src) | ["'unsafe-eval'", 'https://cdn.cookielaw.org https://*.onetrust.com']
+      policy.script_src(*script_src_values)
+      default_connect_src = policy.directives['connect-src'] || policy.directives['default-src']
+      connect_src_values = Array.wrap(default_connect_src) | ['https://cdn.cookielaw.org']
+      policy.connect_src(*connect_src_values)
+    end
+  end
+end
--- a/app/controllers/registrations_controller.rb
+++ b/app/controllers/registrations_controller.rb
@@ -5,6 +5,7 @@ class RegistrationsController < Devise::RegistrationsController
  include AcceptsPendingInvitations
  include RecaptchaHelper
  include InvisibleCaptchaOnSignup
+  include OneTrustCSP
  layout 'devise'

--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -9,6 +9,7 @@ class SessionsController < Devise::SessionsController
  include RendersLdapServers
  include KnownSignIn
  include Gitlab::Utils::StrongMemoize
+  include OneTrustCSP
  skip_before_action :check_two_factor_requirement, only: [:destroy]
  skip_before_action :check_password_expiration, only: [:destroy]

--- a/app/helpers/one_trust_helper.rb
+++ b/app/helpers/one_trust_helper.rb
+# frozen_string_literal: true
+module OneTrustHelper
+  def one_trust_enabled?
+    Feature.enabled?(:ecomm_instrumentation, type: :ops) &&
+      Gitlab.config.extra.has_key?('one_trust_id') &&
+      Gitlab.config.extra.one_trust_id.present? &&
+      !current_user
+  end
+end
--- a/app/views/devise/registrations/new.html.haml
+++ b/app/views/devise/registrations/new.html.haml
@@ -2,6 +2,7 @@
 - add_page_specific_style 'page_bundles/signup'
 - content_for :page_specific_javascripts do
  = render "layouts/google_tag_manager_head"
+  = render "layouts/one_trust"
 = render "layouts/google_tag_manager_body"
 .signup-page

--- a/app/views/devise/sessions/new.html.haml
+++ b/app/views/devise/sessions/new.html.haml
 - page_title _("Sign in")
 - content_for :page_specific_javascripts do
  = render "layouts/google_tag_manager_head"
+  = render "layouts/one_trust"
 = render "layouts/google_tag_manager_body"
 #signin-container

--- a/app/views/layouts/_one_trust.html.haml
+++ b/app/views/layouts/_one_trust.html.haml
+- if one_trust_enabled?
+  - one_trust_id = sanitize(extra_config.one_trust_id, scrubber: Rails::Html::TextOnlyScrubber.new)
+  <!-- OneTrust -->
+  = javascript_include_tag "https://cdn.cookielaw.org/consent/#{one_trust_id}/OtAutoBlock.js"
+  = javascript_tag nonce: content_security_policy_nonce do
+    :plain
+      const oneTrustScript = document.createElement('script');
+      oneTrustScript.src = 'https://cdn.cookielaw.org/scripttemplates/otSDKStub.js';
+      oneTrustScript.dataset.domainScript = '#{one_trust_id}';
+      oneTrustScript.nonce = '#{content_security_policy_nonce}'
+      oneTrustScript.charset = 'UTF-8';
+      oneTrustScript.defer = true;
+      document.head.appendChild(oneTrustScript);
+      function OptanonWrapper() { }
--- a/config/feature_flags/ops/ecomm_instrumentation.yml
+++ b/config/feature_flags/ops/ecomm_instrumentation.yml
+---
+name: ecomm_instrumentation
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/71243
+rollout_issue_url:
+milestone: '14.4'
+type: ops
+group: group::product intelligence
+default_enabled: false
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -1295,6 +1295,9 @@ production: &base
    ## Google tag manager
    # google_tag_manager_id: '_your_tracking_id'
+    ## OneTrust
+    # one_trust_id: '_your_one_trust_id'
    ## Matomo analytics.
    # matomo_url: '_your_matomo_url'
    # matomo_site_id: '_your_matomo_site_id'

--- a/ee/app/controllers/trial_registrations_controller.rb
+++ b/ee/app/controllers/trial_registrations_controller.rb
@@ -5,6 +5,8 @@
 class TrialRegistrationsController < RegistrationsController
  extend ::Gitlab::Utils::Override
+  include OneTrustCSP
  layout 'minimal'
  skip_before_action :require_no_authentication

--- a/ee/app/views/trial_registrations/new.html.haml
+++ b/ee/app/views/trial_registrations/new.html.haml
@@ -2,6 +2,7 @@
 - add_page_specific_style 'page_bundles/signup'
 - content_for :page_specific_javascripts do
  = render "layouts/google_tag_manager_head"
+  = render "layouts/one_trust"
 = render "layouts/google_tag_manager_body"
 - registration_form_content = capture do

--- a/spec/features/users/login_spec.rb
+++ b/spec/features/users/login_spec.rb
@@ -171,6 +171,18 @@ RSpec.describe 'Login', :clean_gitlab_redis_shared_state do
    end
  end
+  describe 'with OneTrust authentication' do
+    before do
+      stub_config(extra: { one_trust_id: SecureRandom.uuid })
+    end
+    it 'has proper Content-Security-Policy headers' do
+      visit root_path
+      expect(response_headers['Content-Security-Policy']).to include('https://cdn.cookielaw.org https://*.onetrust.com')
+    end
+  end
  describe 'with two-factor authentication', :js do
    def enter_code(code)
      fill_in 'user_otp_attempt', with: code

--- a/spec/helpers/one_trust_helper_spec.rb
+++ b/spec/helpers/one_trust_helper_spec.rb
+# frozen_string_literal: true
+require "spec_helper"
+RSpec.describe OneTrustHelper do
+  describe '#one_trust_enabled?' do
+    let(:user) { nil }
+    before do
+      stub_config(extra: { one_trust_id: SecureRandom.uuid })
+      allow(helper).to receive(:current_user).and_return(user)
+    end
+    subject(:one_trust_enabled?) { helper.one_trust_enabled? }
+    context 'with ecomm_instrumentation feature flag disabled' do
+      before do
+        stub_feature_flags(ecomm_instrumentation: false)
+      end
+      context 'when id is set and no user is set' do
+        let(:user) { instance_double('User') }
+        it { is_expected.to be_falsey }
+      end
+    end
+    context 'with ecomm_instrumentation feature flag enabled' do
+      context 'when current user is set' do
+        let(:user) { instance_double('User') }
+        it { is_expected.to be_falsey }
+      end
+      context 'when no id is set' do
+        before do
+          stub_config(extra: {})
+        end
+        it { is_expected.to be_falsey }
+      end
+      context 'when id is set and no user is set' do
+        it { is_expected.to be_truthy }
+      end
+    end
+  end
+end