debian-mirror-gitlab/spec/requests/api/snippets_spec.rb

489 lines
16 KiB
Ruby
Raw Normal View History

2019-12-26 22:10:19 +05:30
# frozen_string_literal: true
2019-12-04 20:38:33 +05:30
require 'spec_helper'
2017-08-17 22:00:37 +05:30
2021-01-03 14:25:43 +05:30
RSpec.describe API::Snippets, factory_default: :keep do
2020-07-28 23:09:34 +05:30
include SnippetHelpers
2021-01-03 14:25:43 +05:30
let_it_be(:admin) { create(:user, :admin) }
let_it_be(:user) { create(:user) }
let_it_be(:other_user) { create(:user) }
2017-08-17 22:00:37 +05:30
2021-01-03 14:25:43 +05:30
let_it_be(:public_snippet) { create(:personal_snippet, :repository, :public, author: user) }
let_it_be(:private_snippet) { create(:personal_snippet, :repository, :private, author: user) }
let_it_be(:internal_snippet) { create(:personal_snippet, :repository, :internal, author: user) }
let_it_be(:user_token) { create(:personal_access_token, user: user) }
let_it_be(:other_user_token) { create(:personal_access_token, user: other_user) }
let_it_be(:project) do
create_default(:project, :public).tap do |p|
p.add_maintainer(user)
end
end
2017-08-17 22:00:37 +05:30
2021-01-03 14:25:43 +05:30
describe 'GET /snippets/' do
it 'returns snippets available for user' do
get api("/snippets/", personal_access_token: user_token)
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect(response).to have_gitlab_http_status(:ok)
2017-08-17 22:00:37 +05:30
expect(response).to include_pagination_headers
expect(json_response).to be_an Array
expect(json_response.map { |snippet| snippet['id']} ).to contain_exactly(
public_snippet.id,
internal_snippet.id,
private_snippet.id)
expect(json_response.last).to have_key('web_url')
expect(json_response.last).to have_key('raw_url')
2020-07-28 23:09:34 +05:30
expect(json_response.last).to have_key('files')
2018-11-08 19:23:39 +05:30
expect(json_response.last).to have_key('visibility')
2017-08-17 22:00:37 +05:30
end
it 'hides private snippets from regular user' do
2021-01-03 14:25:43 +05:30
get api("/snippets/", personal_access_token: other_user_token)
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect(response).to have_gitlab_http_status(:ok)
2017-08-17 22:00:37 +05:30
expect(response).to include_pagination_headers
expect(json_response).to be_an Array
expect(json_response.size).to eq(0)
end
2018-03-17 18:26:18 +05:30
2021-01-03 14:25:43 +05:30
it 'returns 401 for non-authenticated' do
2018-03-17 18:26:18 +05:30
get api("/snippets/")
2020-04-08 14:13:33 +05:30
expect(response).to have_gitlab_http_status(:unauthorized)
2018-03-17 18:26:18 +05:30
end
it 'does not return snippets related to a project with disable feature visibility' do
2021-01-03 14:25:43 +05:30
public_snippet = create(:project_snippet, :public, author: user, project: project)
2018-03-17 18:26:18 +05:30
project.project_feature.update_attribute(:snippets_access_level, 0)
2021-01-03 14:25:43 +05:30
get api("/snippets/", personal_access_token: user_token)
2018-03-17 18:26:18 +05:30
json_response.each do |snippet|
expect(snippet["id"]).not_to eq(public_snippet.id)
end
end
2017-08-17 22:00:37 +05:30
end
describe 'GET /snippets/public' do
2020-07-28 23:09:34 +05:30
let_it_be(:public_snippet_other) { create(:personal_snippet, :repository, :public, author: other_user) }
let_it_be(:private_snippet_other) { create(:personal_snippet, :repository, :private, author: other_user) }
let_it_be(:internal_snippet_other) { create(:personal_snippet, :repository, :internal, author: other_user) }
let_it_be(:public_snippet_project) { create(:project_snippet, :repository, :public, author: user) }
let_it_be(:private_snippet_project) { create(:project_snippet, :repository, :private, author: user) }
let_it_be(:internal_snippet_project) { create(:project_snippet, :repository, :internal, author: user) }
2017-08-17 22:00:37 +05:30
2021-01-03 14:25:43 +05:30
let(:path) { "/snippets/public" }
it 'returns only public snippets from all users when authenticated' do
get api(path, personal_access_token: user_token)
2017-08-17 22:00:37 +05:30
2020-07-28 23:09:34 +05:30
aggregate_failures do
expect(response).to have_gitlab_http_status(:ok)
expect(response).to include_pagination_headers
expect(json_response).to be_an Array
expect(json_response.map { |snippet| snippet['id']} ).to contain_exactly(
public_snippet.id,
public_snippet_other.id)
expect(json_response.map { |snippet| snippet['web_url']} ).to contain_exactly(
2020-10-24 23:57:45 +05:30
"http://localhost/-/snippets/#{public_snippet.id}",
"http://localhost/-/snippets/#{public_snippet_other.id}")
2020-07-28 23:09:34 +05:30
expect(json_response[0]['files'].first).to eq snippet_blob_file(public_snippet_other.blobs.first)
expect(json_response[1]['files'].first).to eq snippet_blob_file(public_snippet.blobs.first)
end
2017-08-17 22:00:37 +05:30
end
2019-07-07 11:18:12 +05:30
it 'requires authentication' do
2021-01-03 14:25:43 +05:30
get api(path, nil)
2019-07-07 11:18:12 +05:30
2020-04-08 14:13:33 +05:30
expect(response).to have_gitlab_http_status(:unauthorized)
2019-07-07 11:18:12 +05:30
end
2021-01-03 14:25:43 +05:30
end
describe 'GET /snippets/:id/raw' do
let(:snippet) { private_snippet }
it_behaves_like 'snippet access with different users' do
let(:path) { "/snippets/#{snippet.id}/raw" }
end
2017-08-17 22:00:37 +05:30
it 'returns raw text' do
2021-01-03 14:25:43 +05:30
get api("/snippets/#{snippet.id}/raw", personal_access_token: user_token)
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect(response).to have_gitlab_http_status(:ok)
2020-07-28 23:09:34 +05:30
expect(response.media_type).to eq 'text/plain'
expect(headers['Content-Disposition']).to match(/^inline/)
2019-02-15 15:39:39 +05:30
end
2017-08-17 22:00:37 +05:30
it 'returns 404 for invalid snippet id' do
2020-11-24 15:15:51 +05:30
snippet.destroy!
2019-07-07 11:18:12 +05:30
2021-01-03 14:25:43 +05:30
get api("/snippets/#{snippet.id}/raw", personal_access_token: user_token)
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect(response).to have_gitlab_http_status(:not_found)
2017-08-17 22:00:37 +05:30
expect(json_response['message']).to eq('404 Snippet Not Found')
end
2019-07-07 11:18:12 +05:30
2020-05-24 23:13:21 +05:30
it_behaves_like 'snippet blob content' do
2021-01-03 14:25:43 +05:30
let_it_be(:snippet_with_empty_repo) { create(:personal_snippet, :empty_repo, :private, author: user) }
2020-05-24 23:13:21 +05:30
2021-01-03 14:25:43 +05:30
subject { get api("/snippets/#{snippet.id}/raw", snippet.author, personal_access_token: user_token) }
2020-05-24 23:13:21 +05:30
end
2017-08-17 22:00:37 +05:30
end
2020-07-28 23:09:34 +05:30
describe 'GET /snippets/:id/files/:ref/:file_path/raw' do
2021-01-03 14:25:43 +05:30
let_it_be(:snippet) { private_snippet }
2020-07-28 23:09:34 +05:30
it_behaves_like 'raw snippet files' do
let(:api_path) { "/snippets/#{snippet_id}/files/#{ref}/#{file_path}/raw" }
end
2019-07-07 11:18:12 +05:30
2021-01-03 14:25:43 +05:30
it_behaves_like 'snippet access with different users' do
let(:path) { "/snippets/#{snippet.id}/files/master/%2Egitattributes/raw" }
2019-07-07 11:18:12 +05:30
end
2021-01-03 14:25:43 +05:30
end
2017-09-10 17:25:29 +05:30
2021-01-03 14:25:43 +05:30
describe 'GET /snippets/:id' do
let(:snippet_id) { private_snippet.id }
2017-09-10 17:25:29 +05:30
2021-01-03 14:25:43 +05:30
subject { get api("/snippets/#{snippet_id}", personal_access_token: user_token) }
2020-04-22 19:07:51 +05:30
2020-07-28 23:09:34 +05:30
context 'with the author' do
it 'returns snippet json' do
subject
2019-07-07 11:18:12 +05:30
2020-07-28 23:09:34 +05:30
expect(response).to have_gitlab_http_status(:ok)
2019-07-07 11:18:12 +05:30
2020-07-28 23:09:34 +05:30
expect(json_response['title']).to eq(private_snippet.title)
expect(json_response['description']).to eq(private_snippet.description)
expect(json_response['file_name']).to eq(private_snippet.file_name_on_repo)
expect(json_response['files']).to eq(private_snippet.blobs.map { |blob| snippet_blob_file(blob) })
expect(json_response['visibility']).to eq(private_snippet.visibility)
expect(json_response['ssh_url_to_repo']).to eq(private_snippet.ssh_url_to_repo)
expect(json_response['http_url_to_repo']).to eq(private_snippet.http_url_to_repo)
end
2019-07-07 11:18:12 +05:30
end
2021-01-03 14:25:43 +05:30
context 'with a non-existent snippet ID' do
let(:snippet_id) { 0 }
2020-07-28 23:09:34 +05:30
2021-01-03 14:25:43 +05:30
it 'returns 404' do
2020-07-28 23:09:34 +05:30
subject
expect(response).to have_gitlab_http_status(:not_found)
expect(json_response['message']).to eq('404 Snippet Not Found')
end
2017-09-10 17:25:29 +05:30
end
2021-01-03 14:25:43 +05:30
it_behaves_like 'snippet access with different users' do
let(:path) { "/snippets/#{snippet.id}" }
2017-09-10 17:25:29 +05:30
end
end
2017-08-17 22:00:37 +05:30
describe 'POST /snippets/' do
2020-05-24 23:13:21 +05:30
let(:base_params) do
2017-08-17 22:00:37 +05:30
{
title: 'Test Title',
2017-09-10 17:25:29 +05:30
description: 'test description',
2017-08-17 22:00:37 +05:30
visibility: 'public'
}
end
2020-10-24 23:57:45 +05:30
let(:file_path) { 'file_1.rb' }
let(:file_content) { 'puts "hello world"' }
let(:params) { base_params.merge(file_params, extra_params) }
let(:file_params) { { files: [{ file_path: file_path, content: file_content }] } }
2020-05-24 23:13:21 +05:30
let(:extra_params) { {} }
2021-01-03 14:25:43 +05:30
subject { post api("/snippets/", personal_access_token: user_token), params: params }
2017-08-17 22:00:37 +05:30
2019-10-12 21:52:04 +05:30
shared_examples 'snippet creation' do
2020-04-08 14:13:33 +05:30
let(:snippet) { Snippet.find(json_response["id"]) }
2019-10-12 21:52:04 +05:30
it 'creates a new snippet' do
expect do
2020-04-08 14:13:33 +05:30
subject
2019-10-12 21:52:04 +05:30
end.to change { PersonalSnippet.count }.by(1)
2020-04-08 14:13:33 +05:30
expect(response).to have_gitlab_http_status(:created)
2019-10-12 21:52:04 +05:30
expect(json_response['title']).to eq(params[:title])
expect(json_response['description']).to eq(params[:description])
2020-10-24 23:57:45 +05:30
expect(json_response['file_name']).to eq(file_path)
2020-07-28 23:09:34 +05:30
expect(json_response['files']).to eq(snippet.blobs.map { |blob| snippet_blob_file(blob) })
2019-10-12 21:52:04 +05:30
expect(json_response['visibility']).to eq(params[:visibility])
end
2020-04-08 14:13:33 +05:30
it 'creates repository' do
subject
expect(snippet.repository.exists?).to be_truthy
end
it 'commit the files to the repository' do
subject
2020-10-24 23:57:45 +05:30
blob = snippet.repository.blob_at('master', file_path)
expect(blob.data).to eq file_content
end
end
context 'with files parameter' do
it_behaves_like 'snippet creation with files parameter'
context 'with multiple files' do
let(:file_params) do
{
files: [
{ file_path: 'file_1.rb', content: 'puts "hello world"' },
{ file_path: 'file_2.rb', content: 'puts "hello world 2"' }
]
}
end
2020-04-08 14:13:33 +05:30
2020-10-24 23:57:45 +05:30
it_behaves_like 'snippet creation'
2020-04-08 14:13:33 +05:30
end
2019-10-12 21:52:04 +05:30
end
2020-10-24 23:57:45 +05:30
it_behaves_like 'snippet creation without files parameter'
2019-10-12 21:52:04 +05:30
context 'with restricted visibility settings' do
before do
stub_application_setting(restricted_visibility_levels:
[Gitlab::VisibilityLevel::INTERNAL,
Gitlab::VisibilityLevel::PRIVATE])
end
it_behaves_like 'snippet creation'
2017-08-17 22:00:37 +05:30
end
2019-10-12 21:52:04 +05:30
it_behaves_like 'snippet creation'
2020-03-28 13:19:24 +05:30
context 'with an external user' do
let(:user) { create(:user, :external) }
2021-01-03 14:25:43 +05:30
let(:user_token) { create(:personal_access_token, user: user) }
2020-03-28 13:19:24 +05:30
it 'does not create a new snippet' do
2020-05-24 23:13:21 +05:30
subject
2020-03-28 13:19:24 +05:30
2020-04-08 14:13:33 +05:30
expect(response).to have_gitlab_http_status(:forbidden)
2020-03-28 13:19:24 +05:30
end
end
2017-08-17 22:00:37 +05:30
it 'returns 400 for missing parameters' do
params.delete(:title)
2020-05-24 23:13:21 +05:30
subject
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect(response).to have_gitlab_http_status(:bad_request)
2017-08-17 22:00:37 +05:30
end
2020-05-24 23:13:21 +05:30
it 'returns 400 if title is blank' do
params[:title] = ''
subject
expect(response).to have_gitlab_http_status(:bad_request)
expect(json_response['error']).to eq 'title is empty'
end
context 'when save fails because the repository could not be created' do
before do
allow_next_instance_of(Snippets::CreateService) do |instance|
allow(instance).to receive(:create_repository).and_raise(Snippets::CreateService::CreateRepositoryError)
end
2017-08-17 22:00:37 +05:30
end
2020-05-24 23:13:21 +05:30
it 'returns 400' do
subject
expect(response).to have_gitlab_http_status(:bad_request)
end
end
context 'when the snippet is spam' do
2017-08-17 22:00:37 +05:30
before do
2020-03-13 15:44:24 +05:30
allow_next_instance_of(Spam::AkismetService) do |instance|
2020-01-01 13:55:28 +05:30
allow(instance).to receive(:spam?).and_return(true)
end
2017-08-17 22:00:37 +05:30
end
context 'when the snippet is private' do
2020-05-24 23:13:21 +05:30
let(:extra_params) { { visibility: 'private' } }
2017-08-17 22:00:37 +05:30
it 'creates the snippet' do
2020-05-24 23:13:21 +05:30
expect { subject }.to change { Snippet.count }.by(1)
2017-08-17 22:00:37 +05:30
end
end
context 'when the snippet is public' do
2020-05-24 23:13:21 +05:30
let(:extra_params) { { visibility: 'public' } }
2020-11-24 15:15:51 +05:30
it 'rejects the snippet' do
2020-05-24 23:13:21 +05:30
expect { subject }.not_to change { Snippet.count }
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect(response).to have_gitlab_http_status(:bad_request)
2017-08-17 22:00:37 +05:30
expect(json_response['message']).to eq({ "error" => "Spam detected" })
end
it 'creates a spam log' do
2020-05-24 23:13:21 +05:30
expect { subject }
2019-12-21 20:55:43 +05:30
.to log_spam(title: 'Test Title', user_id: user.id, noteable_type: 'PersonalSnippet')
2017-08-17 22:00:37 +05:30
end
end
end
end
describe 'PUT /snippets/:id' do
let(:visibility_level) { Snippet::PUBLIC }
let(:snippet) do
2020-04-08 14:13:33 +05:30
create(:personal_snippet, :repository, author: user, visibility_level: visibility_level)
2017-08-17 22:00:37 +05:30
end
2020-11-24 15:15:51 +05:30
it_behaves_like 'snippet file updates'
it_behaves_like 'snippet non-file updates'
it_behaves_like 'snippet individual non-file updates'
it_behaves_like 'invalid snippet updates'
2017-08-17 22:00:37 +05:30
2020-11-24 15:15:51 +05:30
it "returns 404 for another user's snippet" do
update_snippet(requester: other_user, params: { title: 'foobar' })
2017-08-17 22:00:37 +05:30
2020-11-24 15:15:51 +05:30
expect(response).to have_gitlab_http_status(:not_found)
expect(json_response['message']).to eq('404 Snippet Not Found')
2017-08-17 22:00:37 +05:30
end
2019-10-12 21:52:04 +05:30
context 'with restricted visibility settings' do
before do
stub_application_setting(restricted_visibility_levels:
[Gitlab::VisibilityLevel::PUBLIC,
Gitlab::VisibilityLevel::PRIVATE])
end
2020-11-24 15:15:51 +05:30
it_behaves_like 'snippet non-file updates'
2020-05-24 23:13:21 +05:30
end
2020-04-08 14:13:33 +05:30
it_behaves_like 'update with repository actions' do
let(:snippet_without_repo) { create(:personal_snippet, author: user, visibility_level: visibility_level) }
end
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
context 'when the snippet is spam' do
2017-08-17 22:00:37 +05:30
before do
2020-03-13 15:44:24 +05:30
allow_next_instance_of(Spam::AkismetService) do |instance|
2020-01-01 13:55:28 +05:30
allow(instance).to receive(:spam?).and_return(true)
end
2017-08-17 22:00:37 +05:30
end
context 'when the snippet is private' do
let(:visibility_level) { Snippet::PRIVATE }
it 'updates the snippet' do
2020-04-08 14:13:33 +05:30
expect { update_snippet(params: { title: 'Foo' }) }
2017-09-10 17:25:29 +05:30
.to change { snippet.reload.title }.to('Foo')
2017-08-17 22:00:37 +05:30
end
end
context 'when the snippet is public' do
let(:visibility_level) { Snippet::PUBLIC }
2020-11-24 15:15:51 +05:30
it 'rejects the snippet' do
2020-04-08 14:13:33 +05:30
expect { update_snippet(params: { title: 'Foo' }) }
2017-09-10 17:25:29 +05:30
.not_to change { snippet.reload.title }
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect(response).to have_gitlab_http_status(:bad_request)
2017-08-17 22:00:37 +05:30
expect(json_response['message']).to eq({ "error" => "Spam detected" })
end
it 'creates a spam log' do
2020-04-08 14:13:33 +05:30
expect { update_snippet(params: { title: 'Foo' }) }.to log_spam(title: 'Foo', user_id: user.id, noteable_type: 'PersonalSnippet')
2017-08-17 22:00:37 +05:30
end
end
context 'when a private snippet is made public' do
let(:visibility_level) { Snippet::PRIVATE }
it 'rejects the snippet' do
2020-04-08 14:13:33 +05:30
expect { update_snippet(params: { title: 'Foo', visibility: 'public' }) }
2017-09-10 17:25:29 +05:30
.not_to change { snippet.reload.title }
2017-08-17 22:00:37 +05:30
end
it 'creates a spam log' do
2020-04-08 14:13:33 +05:30
expect { update_snippet(params: { title: 'Foo', visibility: 'public' }) }
2019-12-21 20:55:43 +05:30
.to log_spam(title: 'Foo', user_id: user.id, noteable_type: 'PersonalSnippet')
2017-08-17 22:00:37 +05:30
end
end
end
2020-04-08 14:13:33 +05:30
2020-05-24 23:13:21 +05:30
context "when admin" do
2021-01-03 14:25:43 +05:30
let_it_be(:token) { create(:personal_access_token, user: admin, scopes: [:sudo]) }
2020-05-24 23:13:21 +05:30
subject do
2021-01-03 14:25:43 +05:30
put api("/snippets/#{snippet.id}", personal_access_token: token), params: { visibility: 'private', sudo: user.id }
2020-05-24 23:13:21 +05:30
end
context 'when sudo is defined' do
it 'returns 200 and updates snippet visibility' do
expect(snippet.visibility).not_to eq('private')
subject
expect(response).to have_gitlab_http_status(:success)
expect(json_response["visibility"]).to eq 'private'
end
it 'does not commit data' do
expect_any_instance_of(SnippetRepository).not_to receive(:multi_files_action)
subject
end
end
end
2020-04-08 14:13:33 +05:30
def update_snippet(snippet_id: snippet.id, params: {}, requester: user)
put api("/snippets/#{snippet_id}", requester), params: params
end
2017-08-17 22:00:37 +05:30
end
describe 'DELETE /snippets/:id' do
it 'deletes snippet' do
expect do
2021-01-03 14:25:43 +05:30
delete api("/snippets/#{public_snippet.id}", personal_access_token: user_token)
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect(response).to have_gitlab_http_status(:no_content)
2017-08-17 22:00:37 +05:30
end.to change { PersonalSnippet.count }.by(-1)
end
it 'returns 404 for invalid snippet id' do
2021-01-03 14:25:43 +05:30
delete api("/snippets/#{non_existing_record_id}", personal_access_token: user_token)
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect(response).to have_gitlab_http_status(:not_found)
2017-08-17 22:00:37 +05:30
expect(json_response['message']).to eq('404 Snippet Not Found')
end
2018-03-17 18:26:18 +05:30
it_behaves_like '412 response' do
2021-01-03 14:25:43 +05:30
let(:request) { api("/snippets/#{public_snippet.id}", personal_access_token: user_token) }
2018-03-17 18:26:18 +05:30
end
2017-08-17 22:00:37 +05:30
end
2017-09-10 17:25:29 +05:30
describe "GET /snippets/:id/user_agent_detail" do
2021-01-03 14:25:43 +05:30
let(:snippet) { public_snippet }
2017-09-10 17:25:29 +05:30
it 'exposes known attributes' do
2021-01-03 14:25:43 +05:30
user_agent_detail = create(:user_agent_detail, subject: snippet)
2017-09-10 17:25:29 +05:30
get api("/snippets/#{snippet.id}/user_agent_detail", admin)
2020-04-08 14:13:33 +05:30
expect(response).to have_gitlab_http_status(:ok)
2017-09-10 17:25:29 +05:30
expect(json_response['user_agent']).to eq(user_agent_detail.user_agent)
expect(json_response['ip_address']).to eq(user_agent_detail.ip_address)
expect(json_response['akismet_submitted']).to eq(user_agent_detail.submitted)
end
2018-11-08 19:23:39 +05:30
it "returns unauthorized for non-admin users" do
2017-09-10 17:25:29 +05:30
get api("/snippets/#{snippet.id}/user_agent_detail", user)
2020-04-08 14:13:33 +05:30
expect(response).to have_gitlab_http_status(:forbidden)
2017-09-10 17:25:29 +05:30
end
end
2017-08-17 22:00:37 +05:30
end