2022-01-26 12:08:38 +05:30
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
|
|
require 'spec_helper'
|
|
|
|
|
2023-03-04 22:38:38 +05:30
|
|
|
RSpec.describe API::Ci::JobArtifacts, feature_category: :build_artifacts do
|
2022-01-26 12:08:38 +05:30
|
|
|
include HttpBasicAuthHelpers
|
|
|
|
include DependencyProxyHelpers
|
2023-04-23 21:23:45 +05:30
|
|
|
include Ci::JobTokenScopeHelpers
|
2022-01-26 12:08:38 +05:30
|
|
|
|
|
|
|
include HttpIOHelpers
|
|
|
|
|
|
|
|
let_it_be(:project, reload: true) do
|
|
|
|
create(:project, :repository, public_builds: false)
|
|
|
|
end
|
|
|
|
|
|
|
|
let_it_be(:pipeline, reload: true) do
|
|
|
|
create(:ci_pipeline, project: project,
|
|
|
|
sha: project.commit.id,
|
|
|
|
ref: project.default_branch)
|
|
|
|
end
|
|
|
|
|
|
|
|
let(:user) { create(:user) }
|
|
|
|
let(:api_user) { user }
|
|
|
|
let(:reporter) { create(:project_member, :reporter, project: project).user }
|
|
|
|
let(:guest) { create(:project_member, :guest, project: project).user }
|
|
|
|
|
|
|
|
let!(:job) do
|
2022-10-11 01:57:18 +05:30
|
|
|
create(:ci_build, :success, :tags, pipeline: pipeline, artifacts_expire_at: 1.day.since)
|
2022-01-26 12:08:38 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
before do
|
|
|
|
project.add_developer(user)
|
|
|
|
end
|
|
|
|
|
|
|
|
shared_examples 'returns unauthorized' do
|
|
|
|
it 'returns unauthorized' do
|
|
|
|
expect(response).to have_gitlab_http_status(:unauthorized)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe 'DELETE /projects/:id/jobs/:job_id/artifacts' do
|
|
|
|
let!(:job) { create(:ci_build, :artifacts, pipeline: pipeline, user: api_user) }
|
|
|
|
|
2022-07-23 23:45:48 +05:30
|
|
|
context 'when project is not undergoing stats refresh' do
|
|
|
|
before do
|
|
|
|
delete api("/projects/#{project.id}/jobs/#{job.id}/artifacts", api_user)
|
|
|
|
end
|
2022-01-26 12:08:38 +05:30
|
|
|
|
2022-07-23 23:45:48 +05:30
|
|
|
context 'when user is anonymous' do
|
|
|
|
let(:api_user) { nil }
|
2022-01-26 12:08:38 +05:30
|
|
|
|
2022-07-23 23:45:48 +05:30
|
|
|
it 'does not delete artifacts' do
|
|
|
|
expect(job.job_artifacts.size).to eq 2
|
|
|
|
end
|
2022-01-26 12:08:38 +05:30
|
|
|
|
2022-07-23 23:45:48 +05:30
|
|
|
it 'returns status 401 (unauthorized)' do
|
|
|
|
expect(response).to have_gitlab_http_status(:unauthorized)
|
|
|
|
end
|
2022-01-26 12:08:38 +05:30
|
|
|
end
|
|
|
|
|
2022-07-23 23:45:48 +05:30
|
|
|
context 'with developer' do
|
|
|
|
it 'does not delete artifacts' do
|
|
|
|
expect(job.job_artifacts.size).to eq 2
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'returns status 403 (forbidden)' do
|
|
|
|
expect(response).to have_gitlab_http_status(:forbidden)
|
|
|
|
end
|
2022-01-26 12:08:38 +05:30
|
|
|
end
|
|
|
|
|
2022-07-23 23:45:48 +05:30
|
|
|
context 'with authorized user' do
|
|
|
|
let(:maintainer) { create(:project_member, :maintainer, project: project).user }
|
|
|
|
let!(:api_user) { maintainer }
|
|
|
|
|
|
|
|
it 'deletes artifacts' do
|
|
|
|
expect(job.job_artifacts.size).to eq 0
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'returns status 204 (no content)' do
|
|
|
|
expect(response).to have_gitlab_http_status(:no_content)
|
|
|
|
end
|
2022-01-26 12:08:38 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2022-07-23 23:45:48 +05:30
|
|
|
context 'when project is undergoing stats refresh' do
|
|
|
|
it_behaves_like 'preventing request because of ongoing project stats refresh' do
|
|
|
|
let(:maintainer) { create(:project_member, :maintainer, project: project).user }
|
|
|
|
let(:api_user) { maintainer }
|
|
|
|
let(:make_request) { delete api("/projects/#{project.id}/jobs/#{job.id}/artifacts", api_user) }
|
2022-01-26 12:08:38 +05:30
|
|
|
|
2022-07-23 23:45:48 +05:30
|
|
|
it 'does not delete artifacts' do
|
|
|
|
make_request
|
2022-01-26 12:08:38 +05:30
|
|
|
|
2022-07-23 23:45:48 +05:30
|
|
|
expect(job.job_artifacts.size).to eq 2
|
|
|
|
end
|
2022-01-26 12:08:38 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2022-03-02 08:16:31 +05:30
|
|
|
describe 'DELETE /projects/:id/artifacts' do
|
|
|
|
context 'when user is anonymous' do
|
|
|
|
let(:api_user) { nil }
|
|
|
|
|
|
|
|
it 'does not execute Ci::JobArtifacts::DeleteProjectArtifactsService' do
|
|
|
|
expect(Ci::JobArtifacts::DeleteProjectArtifactsService)
|
|
|
|
.not_to receive(:new)
|
|
|
|
|
|
|
|
delete api("/projects/#{project.id}/artifacts", api_user)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'returns status 401 (unauthorized)' do
|
|
|
|
delete api("/projects/#{project.id}/artifacts", api_user)
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:unauthorized)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with developer' do
|
|
|
|
it 'does not execute Ci::JobArtifacts::DeleteProjectArtifactsService' do
|
|
|
|
expect(Ci::JobArtifacts::DeleteProjectArtifactsService)
|
|
|
|
.not_to receive(:new)
|
|
|
|
|
|
|
|
delete api("/projects/#{project.id}/artifacts", api_user)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'returns status 403 (forbidden)' do
|
|
|
|
delete api("/projects/#{project.id}/artifacts", api_user)
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:forbidden)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with authorized user' do
|
|
|
|
let(:maintainer) { create(:project_member, :maintainer, project: project).user }
|
|
|
|
let!(:api_user) { maintainer }
|
|
|
|
|
|
|
|
it 'executes Ci::JobArtifacts::DeleteProjectArtifactsService' do
|
|
|
|
expect_next_instance_of(Ci::JobArtifacts::DeleteProjectArtifactsService, project: project) do |service|
|
|
|
|
expect(service).to receive(:execute).and_call_original
|
|
|
|
end
|
|
|
|
|
|
|
|
delete api("/projects/#{project.id}/artifacts", api_user)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'returns status 202 (accepted)' do
|
|
|
|
delete api("/projects/#{project.id}/artifacts", api_user)
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:accepted)
|
|
|
|
end
|
2022-07-23 23:45:48 +05:30
|
|
|
|
|
|
|
context 'when project is undergoing stats refresh' do
|
|
|
|
let!(:job) { create(:ci_build, :artifacts, pipeline: pipeline, user: api_user) }
|
|
|
|
|
|
|
|
it_behaves_like 'preventing request because of ongoing project stats refresh' do
|
|
|
|
let(:maintainer) { create(:project_member, :maintainer, project: project).user }
|
|
|
|
let(:api_user) { maintainer }
|
|
|
|
let(:make_request) { delete api("/projects/#{project.id}/artifacts", api_user) }
|
|
|
|
|
|
|
|
it 'does not delete artifacts' do
|
|
|
|
make_request
|
|
|
|
|
|
|
|
expect(job.job_artifacts.size).to eq 2
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2022-03-02 08:16:31 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
describe 'GET /projects/:id/jobs/:job_id/artifacts/:artifact_path' do
|
|
|
|
context 'when job has artifacts' do
|
|
|
|
let(:job) { create(:ci_build, :artifacts, pipeline: pipeline) }
|
|
|
|
|
|
|
|
let(:artifact) do
|
|
|
|
'other_artifacts_0.1.2/another-subdirectory/banana_sample.gif'
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when user is anonymous' do
|
|
|
|
let(:api_user) { nil }
|
|
|
|
|
|
|
|
context 'when project is public' do
|
|
|
|
it 'allows to access artifacts' do
|
|
|
|
project.update_column(:visibility_level,
|
|
|
|
Gitlab::VisibilityLevel::PUBLIC)
|
|
|
|
project.update_column(:public_builds, true)
|
|
|
|
|
|
|
|
get_artifact_file(artifact)
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:ok)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when project is public with artifacts that are non public' do
|
2023-05-27 22:25:52 +05:30
|
|
|
let(:job) { create(:ci_build, :artifacts, :with_private_artifacts_config, pipeline: pipeline) }
|
2022-01-26 12:08:38 +05:30
|
|
|
|
|
|
|
it 'rejects access to artifacts' do
|
|
|
|
project.update_column(:visibility_level,
|
|
|
|
Gitlab::VisibilityLevel::PUBLIC)
|
|
|
|
project.update_column(:public_builds, true)
|
|
|
|
|
|
|
|
get_artifact_file(artifact)
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:forbidden)
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with the non_public_artifacts feature flag disabled' do
|
|
|
|
before do
|
|
|
|
stub_feature_flags(non_public_artifacts: false)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'allows access to artifacts' do
|
|
|
|
project.update_column(:visibility_level,
|
|
|
|
Gitlab::VisibilityLevel::PUBLIC)
|
|
|
|
project.update_column(:public_builds, true)
|
|
|
|
|
|
|
|
get_artifact_file(artifact)
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:ok)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when project is public with builds access disabled' do
|
|
|
|
it 'rejects access to artifacts' do
|
|
|
|
project.update_column(:visibility_level,
|
|
|
|
Gitlab::VisibilityLevel::PUBLIC)
|
|
|
|
project.update_column(:public_builds, false)
|
|
|
|
|
|
|
|
get_artifact_file(artifact)
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:forbidden)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when project is private' do
|
|
|
|
it 'rejects access and hides existence of artifacts' do
|
|
|
|
project.update_column(:visibility_level,
|
|
|
|
Gitlab::VisibilityLevel::PRIVATE)
|
|
|
|
project.update_column(:public_builds, true)
|
|
|
|
|
|
|
|
get_artifact_file(artifact)
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:not_found)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when user is authorized' do
|
|
|
|
it 'returns a specific artifact file for a valid path' do
|
|
|
|
expect(Gitlab::Workhorse)
|
|
|
|
.to receive(:send_artifacts_entry)
|
|
|
|
.and_call_original
|
|
|
|
|
|
|
|
get_artifact_file(artifact)
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:ok)
|
|
|
|
expect(response.headers.to_h)
|
|
|
|
.to include('Content-Type' => 'application/json',
|
|
|
|
'Gitlab-Workhorse-Send-Data' => /artifacts-entry/)
|
2022-06-21 17:19:12 +05:30
|
|
|
expect(response.headers.to_h)
|
|
|
|
.not_to include('Gitlab-Workhorse-Detect-Content-Type' => 'true')
|
2022-01-26 12:08:38 +05:30
|
|
|
expect(response.parsed_body).to be_empty
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when artifacts are locked' do
|
|
|
|
it 'allows access to expired artifact' do
|
|
|
|
pipeline.artifacts_locked!
|
|
|
|
job.update!(artifacts_expire_at: Time.now - 7.days)
|
|
|
|
|
|
|
|
get_artifact_file(artifact)
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:ok)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when job does not have artifacts' do
|
|
|
|
it 'does not return job artifact file' do
|
|
|
|
get_artifact_file('some/artifact')
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:not_found)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def get_artifact_file(artifact_path)
|
|
|
|
get api("/projects/#{project.id}/jobs/#{job.id}/" \
|
|
|
|
"artifacts/#{artifact_path}", api_user)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe 'GET /projects/:id/jobs/:job_id/artifacts' do
|
|
|
|
shared_examples 'downloads artifact' do
|
|
|
|
let(:download_headers) do
|
|
|
|
{ 'Content-Transfer-Encoding' => 'binary',
|
|
|
|
'Content-Disposition' => %q(attachment; filename="ci_build_artifacts.zip"; filename*=UTF-8''ci_build_artifacts.zip) }
|
|
|
|
end
|
|
|
|
|
2022-07-16 23:28:13 +05:30
|
|
|
let(:expected_params) { { artifact_size: job.artifacts_file.size } }
|
|
|
|
let(:subject_proc) { proc { subject } }
|
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
it 'returns specific job artifacts' do
|
|
|
|
subject
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:ok)
|
|
|
|
expect(response.headers.to_h).to include(download_headers)
|
|
|
|
expect(response.body).to match_file(job.artifacts_file.file.file)
|
|
|
|
end
|
2022-07-16 23:28:13 +05:30
|
|
|
|
|
|
|
it_behaves_like 'storing arguments in the application context'
|
|
|
|
it_behaves_like 'not executing any extra queries for the application context'
|
2022-01-26 12:08:38 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
context 'normal authentication' do
|
|
|
|
context 'job with artifacts' do
|
|
|
|
context 'when artifacts are stored locally' do
|
2023-04-23 21:23:45 +05:30
|
|
|
let(:job) { create(:ci_build, :artifacts, pipeline: pipeline, project: project) }
|
2022-01-26 12:08:38 +05:30
|
|
|
|
|
|
|
subject { get api("/projects/#{project.id}/jobs/#{job.id}/artifacts", api_user) }
|
|
|
|
|
|
|
|
context 'authorized user' do
|
|
|
|
it_behaves_like 'downloads artifact'
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when job token is used' do
|
|
|
|
let(:other_job) { create(:ci_build, :running, user: user) }
|
|
|
|
|
|
|
|
subject { get api("/projects/#{project.id}/jobs/#{job.id}/artifacts", job_token: other_job.token) }
|
|
|
|
|
|
|
|
before do
|
|
|
|
stub_licensed_features(cross_project_pipelines: true)
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when job token scope is enabled' do
|
|
|
|
before do
|
2023-04-23 21:23:45 +05:30
|
|
|
other_job.project.ci_cd_settings.update!(
|
|
|
|
job_token_scope_enabled: true,
|
|
|
|
inbound_job_token_scope_enabled: true
|
|
|
|
)
|
2022-01-26 12:08:38 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
it 'does not allow downloading artifacts' do
|
|
|
|
subject
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:not_found)
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when project is added to the job token scope' do
|
2023-04-23 21:23:45 +05:30
|
|
|
before do
|
|
|
|
make_project_fully_accessible(other_job.project, job.project)
|
|
|
|
end
|
2022-01-26 12:08:38 +05:30
|
|
|
|
|
|
|
it_behaves_like 'downloads artifact'
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'unauthorized user' do
|
|
|
|
let(:api_user) { nil }
|
|
|
|
|
|
|
|
it 'does not return specific job artifacts' do
|
|
|
|
subject
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:not_found)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when artifacts are stored remotely' do
|
|
|
|
let(:proxy_download) { false }
|
|
|
|
let(:job) { create(:ci_build, pipeline: pipeline) }
|
|
|
|
let(:artifact) { create(:ci_job_artifact, :archive, :remote_store, job: job) }
|
|
|
|
|
|
|
|
before do
|
|
|
|
stub_artifacts_object_storage(proxy_download: proxy_download)
|
|
|
|
|
|
|
|
artifact
|
|
|
|
job.reload
|
|
|
|
|
|
|
|
get api("/projects/#{project.id}/jobs/#{job.id}/artifacts", api_user)
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when proxy download is enabled' do
|
|
|
|
let(:proxy_download) { true }
|
|
|
|
|
|
|
|
it 'responds with the workhorse send-url' do
|
|
|
|
expect(response.headers[Gitlab::Workhorse::SEND_DATA_HEADER]).to start_with("send-url:")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when proxy download is disabled' do
|
|
|
|
it 'returns location redirect' do
|
|
|
|
expect(response).to have_gitlab_http_status(:found)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2023-01-13 00:05:48 +05:30
|
|
|
context 'when Google CDN is configured' do
|
2022-11-25 23:54:43 +05:30
|
|
|
let(:cdn_config) do
|
|
|
|
{
|
|
|
|
'provider' => 'Google',
|
|
|
|
'url' => 'https://cdn.example.org',
|
|
|
|
'key_name' => 'stanhu-key',
|
|
|
|
'key' => Base64.urlsafe_encode64(SecureRandom.hex)
|
|
|
|
}
|
|
|
|
end
|
|
|
|
|
|
|
|
before do
|
|
|
|
stub_object_storage_uploader(config: Gitlab.config.artifacts.object_store,
|
|
|
|
uploader: JobArtifactUploader,
|
|
|
|
proxy_download: proxy_download,
|
|
|
|
cdn: cdn_config)
|
|
|
|
allow(Gitlab::ApplicationContext).to receive(:push).and_call_original
|
|
|
|
end
|
|
|
|
|
|
|
|
subject { get api("/projects/#{project.id}/jobs/#{job.id}/artifacts", api_user), env: { 'REMOTE_ADDR': '18.245.0.1' } }
|
|
|
|
|
|
|
|
it 'returns CDN-signed URL' do
|
|
|
|
expect(Gitlab::ApplicationContext).to receive(:push).with(artifact_used_cdn: true).and_call_original
|
|
|
|
|
|
|
|
subject
|
|
|
|
|
|
|
|
expect(response.redirect_url).to start_with("https://cdn.example.org/#{artifact.file.path}")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2022-01-26 12:08:38 +05:30
|
|
|
context 'authorized user' do
|
|
|
|
it 'returns the file remote URL' do
|
|
|
|
expect(response).to redirect_to(artifact.file.url)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'unauthorized user' do
|
|
|
|
let(:api_user) { nil }
|
|
|
|
|
|
|
|
it 'does not return specific job artifacts' do
|
|
|
|
expect(response).to have_gitlab_http_status(:not_found)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when public project guest and artifacts are non public' do
|
|
|
|
let(:api_user) { guest }
|
2023-05-27 22:25:52 +05:30
|
|
|
let(:job) { create(:ci_build, :artifacts, :with_private_artifacts_config, pipeline: pipeline) }
|
2022-01-26 12:08:38 +05:30
|
|
|
|
|
|
|
before do
|
|
|
|
project.update_column(:visibility_level,
|
|
|
|
Gitlab::VisibilityLevel::PUBLIC)
|
|
|
|
project.update_column(:public_builds, true)
|
|
|
|
get api("/projects/#{project.id}/jobs/#{job.id}/artifacts", api_user)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'rejects access and hides existence of artifacts' do
|
|
|
|
expect(response).to have_gitlab_http_status(:forbidden)
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with the non_public_artifacts feature flag disabled' do
|
|
|
|
before do
|
|
|
|
stub_feature_flags(non_public_artifacts: false)
|
|
|
|
get api("/projects/#{project.id}/jobs/#{job.id}/artifacts", api_user)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'allows access to artifacts' do
|
|
|
|
expect(response).to have_gitlab_http_status(:ok)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'does not return job artifacts if not uploaded' do
|
|
|
|
get api("/projects/#{project.id}/jobs/#{job.id}/artifacts", api_user)
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:not_found)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe 'GET /projects/:id/artifacts/:ref_name/download?job=name' do
|
|
|
|
let(:api_user) { reporter }
|
|
|
|
let(:job) { create(:ci_build, :artifacts, pipeline: pipeline, user: api_user) }
|
|
|
|
|
|
|
|
before do
|
|
|
|
stub_artifacts_object_storage
|
|
|
|
job.success
|
|
|
|
end
|
|
|
|
|
|
|
|
def get_for_ref(ref = pipeline.ref, job_name = job.name)
|
|
|
|
get api("/projects/#{project.id}/jobs/artifacts/#{ref}/download", api_user), params: { job: job_name }
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when not logged in' do
|
|
|
|
let(:api_user) { nil }
|
|
|
|
|
|
|
|
before do
|
|
|
|
get_for_ref
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'does not find a resource in a private project' do
|
|
|
|
expect(project).to be_private
|
|
|
|
expect(response).to have_gitlab_http_status(:not_found)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when logging as guest' do
|
|
|
|
let(:api_user) { guest }
|
|
|
|
|
|
|
|
before do
|
|
|
|
get_for_ref
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'gives 403' do
|
|
|
|
expect(response).to have_gitlab_http_status(:forbidden)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'non-existing job' do
|
|
|
|
shared_examples 'not found' do
|
|
|
|
it { expect(response).to have_gitlab_http_status(:not_found) }
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'has no such ref' do
|
|
|
|
before do
|
|
|
|
get_for_ref('TAIL')
|
|
|
|
end
|
|
|
|
|
|
|
|
it_behaves_like 'not found'
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'has no such job' do
|
|
|
|
before do
|
|
|
|
get_for_ref(pipeline.ref, 'NOBUILD')
|
|
|
|
end
|
|
|
|
|
|
|
|
it_behaves_like 'not found'
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'find proper job' do
|
|
|
|
let(:job_with_artifacts) { job }
|
|
|
|
|
|
|
|
shared_examples 'a valid file' do
|
|
|
|
context 'when artifacts are stored locally', :sidekiq_might_not_need_inline do
|
|
|
|
let(:download_headers) do
|
|
|
|
{ 'Content-Transfer-Encoding' => 'binary',
|
|
|
|
'Content-Disposition' =>
|
|
|
|
%Q(attachment; filename="#{job_with_artifacts.artifacts_file.filename}"; filename*=UTF-8''#{job.artifacts_file.filename}) }
|
|
|
|
end
|
|
|
|
|
|
|
|
it { expect(response).to have_gitlab_http_status(:ok) }
|
|
|
|
it { expect(response.headers.to_h).to include(download_headers) }
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when artifacts are stored remotely' do
|
|
|
|
let(:job) { create(:ci_build, pipeline: pipeline, user: api_user) }
|
|
|
|
let!(:artifact) { create(:ci_job_artifact, :archive, :remote_store, job: job) }
|
|
|
|
|
|
|
|
before do
|
|
|
|
job.reload
|
|
|
|
|
|
|
|
get api("/projects/#{project.id}/jobs/#{job.id}/artifacts", api_user)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'returns location redirect' do
|
|
|
|
expect(response).to have_gitlab_http_status(:found)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with regular branch' do
|
|
|
|
before do
|
|
|
|
pipeline.reload
|
2022-10-11 01:57:18 +05:30
|
|
|
pipeline.update!(ref: 'master', sha: project.commit('master').sha)
|
2022-01-26 12:08:38 +05:30
|
|
|
|
|
|
|
get_for_ref('master')
|
|
|
|
end
|
|
|
|
|
|
|
|
it_behaves_like 'a valid file'
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with branch name containing slash' do
|
|
|
|
before do
|
|
|
|
pipeline.reload
|
|
|
|
pipeline.update!(ref: 'improve/awesome', sha: project.commit('improve/awesome').sha)
|
|
|
|
get_for_ref('improve/awesome')
|
|
|
|
end
|
|
|
|
|
|
|
|
it_behaves_like 'a valid file'
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with job name in a child pipeline' do
|
|
|
|
let(:child_pipeline) { create(:ci_pipeline, child_of: pipeline) }
|
|
|
|
let!(:child_job) { create(:ci_build, :artifacts, :success, name: 'rspec', pipeline: child_pipeline) }
|
|
|
|
let(:job_with_artifacts) { child_job }
|
|
|
|
|
|
|
|
before do
|
|
|
|
get_for_ref('master', child_job.name)
|
|
|
|
end
|
|
|
|
|
|
|
|
it_behaves_like 'a valid file'
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe 'GET id/jobs/artifacts/:ref_name/raw/*artifact_path?job=name' do
|
|
|
|
context 'when job has artifacts' do
|
|
|
|
let(:job) { create(:ci_build, :artifacts, pipeline: pipeline, user: api_user) }
|
|
|
|
let(:artifact) { 'other_artifacts_0.1.2/another-subdirectory/banana_sample.gif' }
|
|
|
|
let(:visibility_level) { Gitlab::VisibilityLevel::PUBLIC }
|
|
|
|
let(:public_builds) { true }
|
|
|
|
|
|
|
|
before do
|
|
|
|
stub_artifacts_object_storage
|
|
|
|
job.success
|
|
|
|
|
2022-10-11 01:57:18 +05:30
|
|
|
project.update!(visibility_level: visibility_level, public_builds: public_builds)
|
2022-01-26 12:08:38 +05:30
|
|
|
|
|
|
|
get_artifact_file(artifact)
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when user is anonymous' do
|
|
|
|
let(:api_user) { nil }
|
|
|
|
|
|
|
|
context 'when project is public' do
|
|
|
|
let(:visibility_level) { Gitlab::VisibilityLevel::PUBLIC }
|
|
|
|
let(:public_builds) { true }
|
|
|
|
|
|
|
|
it 'allows to access artifacts', :sidekiq_might_not_need_inline do
|
|
|
|
expect(response).to have_gitlab_http_status(:ok)
|
|
|
|
expect(response.headers.to_h)
|
|
|
|
.to include('Content-Type' => 'application/json',
|
2022-07-16 23:28:13 +05:30
|
|
|
'Gitlab-Workhorse-Send-Data' => /artifacts-entry/,
|
|
|
|
'Gitlab-Workhorse-Detect-Content-Type' => 'true')
|
2022-01-26 12:08:38 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when project is public with builds access disabled' do
|
|
|
|
let(:visibility_level) { Gitlab::VisibilityLevel::PUBLIC }
|
|
|
|
let(:public_builds) { false }
|
|
|
|
|
|
|
|
it 'rejects access to artifacts' do
|
|
|
|
expect(response).to have_gitlab_http_status(:forbidden)
|
|
|
|
expect(json_response).to have_key('message')
|
|
|
|
expect(response.headers.to_h)
|
|
|
|
.not_to include('Gitlab-Workhorse-Send-Data' => /artifacts-entry/)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when project is public with non public artifacts' do
|
2023-05-27 22:25:52 +05:30
|
|
|
let(:job) { create(:ci_build, :artifacts, :with_private_artifacts_config, pipeline: pipeline, user: api_user) }
|
2022-01-26 12:08:38 +05:30
|
|
|
let(:visibility_level) { Gitlab::VisibilityLevel::PUBLIC }
|
|
|
|
let(:public_builds) { true }
|
|
|
|
|
|
|
|
it 'rejects access and hides existence of artifacts', :sidekiq_might_not_need_inline do
|
|
|
|
get_artifact_file(artifact)
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:forbidden)
|
|
|
|
expect(json_response).to have_key('message')
|
|
|
|
expect(response.headers.to_h)
|
|
|
|
.not_to include('Gitlab-Workhorse-Send-Data' => /artifacts-entry/)
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with the non_public_artifacts feature flag disabled' do
|
|
|
|
before do
|
|
|
|
stub_feature_flags(non_public_artifacts: false)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'allows access to artifacts', :sidekiq_might_not_need_inline do
|
|
|
|
get_artifact_file(artifact)
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:ok)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when project is private' do
|
|
|
|
let(:visibility_level) { Gitlab::VisibilityLevel::PRIVATE }
|
|
|
|
let(:public_builds) { true }
|
|
|
|
|
|
|
|
it 'rejects access and hides existence of artifacts' do
|
|
|
|
expect(response).to have_gitlab_http_status(:not_found)
|
|
|
|
expect(json_response).to have_key('message')
|
|
|
|
expect(response.headers.to_h)
|
|
|
|
.not_to include('Gitlab-Workhorse-Send-Data' => /artifacts-entry/)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when user is authorized' do
|
|
|
|
let(:visibility_level) { Gitlab::VisibilityLevel::PRIVATE }
|
|
|
|
let(:public_builds) { true }
|
|
|
|
|
|
|
|
it 'returns a specific artifact file for a valid path', :sidekiq_might_not_need_inline do
|
|
|
|
expect(Gitlab::Workhorse)
|
|
|
|
.to receive(:send_artifacts_entry)
|
|
|
|
.and_call_original
|
|
|
|
|
|
|
|
get_artifact_file(artifact)
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:ok)
|
|
|
|
expect(response.headers.to_h)
|
|
|
|
.to include('Content-Type' => 'application/json',
|
2022-07-16 23:28:13 +05:30
|
|
|
'Gitlab-Workhorse-Send-Data' => /artifacts-entry/,
|
|
|
|
'Gitlab-Workhorse-Detect-Content-Type' => 'true')
|
2022-01-26 12:08:38 +05:30
|
|
|
expect(response.parsed_body).to be_empty
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with branch name containing slash' do
|
|
|
|
before do
|
|
|
|
pipeline.reload
|
2022-10-11 01:57:18 +05:30
|
|
|
pipeline.update!(ref: 'improve/awesome', sha: project.commit('improve/awesome').sha)
|
2022-01-26 12:08:38 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
it 'returns a specific artifact file for a valid path', :sidekiq_might_not_need_inline do
|
|
|
|
get_artifact_file(artifact, 'improve/awesome')
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:ok)
|
|
|
|
expect(response.headers.to_h)
|
|
|
|
.to include('Content-Type' => 'application/json',
|
2022-07-16 23:28:13 +05:30
|
|
|
'Gitlab-Workhorse-Send-Data' => /artifacts-entry/,
|
|
|
|
'Gitlab-Workhorse-Detect-Content-Type' => 'true')
|
2022-01-26 12:08:38 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'non-existing job' do
|
|
|
|
shared_examples 'not found' do
|
|
|
|
it { expect(response).to have_gitlab_http_status(:not_found) }
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'has no such ref' do
|
|
|
|
before do
|
|
|
|
get_artifact_file('some/artifact', 'wrong-ref')
|
|
|
|
end
|
|
|
|
|
|
|
|
it_behaves_like 'not found'
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'has no such job' do
|
|
|
|
before do
|
|
|
|
get_artifact_file('some/artifact', pipeline.ref, 'wrong-job-name')
|
|
|
|
end
|
|
|
|
|
|
|
|
it_behaves_like 'not found'
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when job does not have artifacts' do
|
|
|
|
let(:job) { create(:ci_build, pipeline: pipeline, user: api_user) }
|
|
|
|
|
|
|
|
it 'does not return job artifact file' do
|
|
|
|
get_artifact_file('some/artifact')
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:not_found)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def get_artifact_file(artifact_path, ref = pipeline.ref, job_name = job.name)
|
|
|
|
get api("/projects/#{project.id}/jobs/artifacts/#{ref}/raw/#{artifact_path}", api_user), params: { job: job_name }
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe 'POST /projects/:id/jobs/:job_id/artifacts/keep' do
|
|
|
|
before do
|
|
|
|
post api("/projects/#{project.id}/jobs/#{job.id}/artifacts/keep", user)
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'artifacts did not expire' do
|
|
|
|
let(:job) do
|
|
|
|
create(:ci_build, :trace_artifact, :artifacts, :success,
|
|
|
|
project: project, pipeline: pipeline, artifacts_expire_at: Time.now + 7.days)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'keeps artifacts' do
|
|
|
|
expect(response).to have_gitlab_http_status(:ok)
|
|
|
|
expect(job.reload.artifacts_expire_at).to be_nil
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'no artifacts' do
|
|
|
|
let(:job) { create(:ci_build, project: project, pipeline: pipeline) }
|
|
|
|
|
|
|
|
it 'responds with not found' do
|
|
|
|
expect(response).to have_gitlab_http_status(:not_found)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|