debian-mirror-gitlab/spec/requests/api/ci/secure_files_spec.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

451 lines
16 KiB
Ruby
Raw Normal View History

2022-04-04 11:22:00 +05:30
# frozen_string_literal: true
require 'spec_helper'
2023-03-04 22:38:38 +05:30
RSpec.describe API::Ci::SecureFiles, feature_category: :pipeline_authoring do
2022-04-04 11:22:00 +05:30
before do
stub_ci_secure_file_object_storage
stub_feature_flags(ci_secure_files: true)
2022-06-21 17:19:12 +05:30
stub_feature_flags(ci_secure_files_read_only: false)
2022-04-04 11:22:00 +05:30
end
2022-05-07 20:08:51 +05:30
let_it_be(:maintainer) { create(:user) }
let_it_be(:developer) { create(:user) }
let_it_be(:guest) { create(:user) }
let_it_be(:anonymous) { create(:user) }
2022-06-21 17:19:12 +05:30
let_it_be(:unconfirmed) { create(:user, :unconfirmed) }
2022-05-07 20:08:51 +05:30
let_it_be(:project) { create(:project, creator_id: maintainer.id) }
2022-04-04 11:22:00 +05:30
let_it_be(:secure_file) { create(:ci_secure_file, project: project) }
2022-06-21 17:19:12 +05:30
let(:file_params) do
{
file: fixture_file_upload('spec/fixtures/ci_secure_files/upload-keystore.jks'),
name: 'upload-keystore.jks'
}
end
2022-05-07 20:08:51 +05:30
before_all do
project.add_maintainer(maintainer)
project.add_developer(developer)
project.add_guest(guest)
end
2022-04-04 11:22:00 +05:30
describe 'GET /projects/:id/secure_files' do
2022-06-21 17:19:12 +05:30
context 'ci_secure_files_read_only feature flag' do
context 'when the flag is enabled' do
before do
stub_feature_flags(ci_secure_files_read_only: true)
end
it 'returns a 503 when attempting to upload a file' do
stub_feature_flags(ci_secure_files_read_only: true)
expect do
post api("/projects/#{project.id}/secure_files", maintainer), params: file_params
2022-08-27 11:52:29 +05:30
end.not_to change { project.secure_files.count }
2022-06-21 17:19:12 +05:30
expect(response).to have_gitlab_http_status(:service_unavailable)
end
it 'returns a 200 when downloading a file' do
stub_feature_flags(ci_secure_files_read_only: true)
get api("/projects/#{project.id}/secure_files", developer)
expect(response).to have_gitlab_http_status(:ok)
expect(json_response).to be_a(Array)
end
end
context 'when the flag is disabled' do
it 'returns a 201 when uploading a file when the ci_secure_files_read_only feature flag is disabled' do
expect do
post api("/projects/#{project.id}/secure_files", maintainer), params: file_params
2022-08-27 11:52:29 +05:30
end.to change { project.secure_files.count }.by(1)
2022-06-21 17:19:12 +05:30
expect(response).to have_gitlab_http_status(:created)
end
end
end
2022-05-07 20:08:51 +05:30
context 'authenticated user with admin permissions' do
it 'returns project secure files' do
get api("/projects/#{project.id}/secure_files", maintainer)
2022-04-04 11:22:00 +05:30
expect(response).to have_gitlab_http_status(:ok)
expect(json_response).to be_a(Array)
end
end
2022-05-07 20:08:51 +05:30
context 'authenticated user with read permissions' do
2022-04-04 11:22:00 +05:30
it 'returns project secure files' do
2022-05-07 20:08:51 +05:30
get api("/projects/#{project.id}/secure_files", developer)
2022-04-04 11:22:00 +05:30
expect(response).to have_gitlab_http_status(:ok)
expect(json_response).to be_a(Array)
end
end
2022-05-07 20:08:51 +05:30
context 'authenticated user with guest permissions' do
2022-04-04 11:22:00 +05:30
it 'does not return project secure files' do
2022-05-07 20:08:51 +05:30
get api("/projects/#{project.id}/secure_files", guest)
2022-04-04 11:22:00 +05:30
expect(response).to have_gitlab_http_status(:forbidden)
end
end
2022-05-07 20:08:51 +05:30
context 'authenticated user with no permissions' do
it 'does not return project secure files' do
get api("/projects/#{project.id}/secure_files", anonymous)
expect(response).to have_gitlab_http_status(:not_found)
end
end
2022-06-21 17:19:12 +05:30
context 'unconfirmed user' do
it 'does not return project secure files' do
get api("/projects/#{project.id}/secure_files", unconfirmed)
expect(response).to have_gitlab_http_status(:not_found)
end
end
2022-05-07 20:08:51 +05:30
context 'unauthenticated user' do
2022-04-04 11:22:00 +05:30
it 'does not return project secure files' do
get api("/projects/#{project.id}/secure_files")
expect(response).to have_gitlab_http_status(:unauthorized)
end
end
end
describe 'GET /projects/:id/secure_files/:secure_file_id' do
2022-05-07 20:08:51 +05:30
context 'authenticated user with admin permissions' do
2022-04-04 11:22:00 +05:30
it 'returns project secure file details' do
2022-05-07 20:08:51 +05:30
get api("/projects/#{project.id}/secure_files/#{secure_file.id}", maintainer)
2022-04-04 11:22:00 +05:30
expect(response).to have_gitlab_http_status(:ok)
expect(json_response['name']).to eq(secure_file.name)
2023-01-13 00:05:48 +05:30
expect(json_response['expires_at']).to be nil
expect(json_response['metadata']).to be nil
end
it 'returns project secure file details with metadata when supported' do
secure_file_with_metadata = create(:ci_secure_file_with_metadata, project: project)
get api("/projects/#{project.id}/secure_files/#{secure_file_with_metadata.id}", maintainer)
expect(response).to have_gitlab_http_status(:ok)
expect(json_response['name']).to eq(secure_file_with_metadata.name)
expect(json_response['expires_at']).to eq('2022-04-26T19:20:40.000Z')
expect(json_response['metadata'].keys).to match_array(%w[id issuer subject expires_at])
2022-04-04 11:22:00 +05:30
end
it 'responds with 404 Not Found if requesting non-existing secure file' do
2022-05-07 20:08:51 +05:30
get api("/projects/#{project.id}/secure_files/#{non_existing_record_id}", maintainer)
2022-04-04 11:22:00 +05:30
expect(response).to have_gitlab_http_status(:not_found)
end
end
2022-05-07 20:08:51 +05:30
context 'authenticated user with read permissions' do
it 'returns project secure file details' do
get api("/projects/#{project.id}/secure_files/#{secure_file.id}", developer)
expect(response).to have_gitlab_http_status(:ok)
expect(json_response['name']).to eq(secure_file.name)
end
end
context 'authenticated user with no permissions' do
2022-04-04 11:22:00 +05:30
it 'does not return project secure file details' do
2022-05-07 20:08:51 +05:30
get api("/projects/#{project.id}/secure_files/#{secure_file.id}", anonymous)
2022-04-04 11:22:00 +05:30
2022-05-07 20:08:51 +05:30
expect(response).to have_gitlab_http_status(:not_found)
2022-04-04 11:22:00 +05:30
end
end
2022-06-21 17:19:12 +05:30
context 'unconfirmed user' do
it 'does not return project secure file details' do
get api("/projects/#{project.id}/secure_files/#{secure_file.id}", unconfirmed)
expect(response).to have_gitlab_http_status(:not_found)
end
end
2022-05-07 20:08:51 +05:30
context 'unauthenticated user' do
2022-04-04 11:22:00 +05:30
it 'does not return project secure file details' do
get api("/projects/#{project.id}/secure_files/#{secure_file.id}")
expect(response).to have_gitlab_http_status(:unauthorized)
end
end
end
describe 'GET /projects/:id/secure_files/:secure_file_id/download' do
2022-05-07 20:08:51 +05:30
context 'authenticated user with admin permissions' do
2022-04-04 11:22:00 +05:30
it 'returns a secure file' do
sample_file = fixture_file('ci_secure_files/upload-keystore.jks')
secure_file.file = CarrierWaveStringFile.new(sample_file)
secure_file.save!
2022-05-07 20:08:51 +05:30
get api("/projects/#{project.id}/secure_files/#{secure_file.id}/download", maintainer)
2022-04-04 11:22:00 +05:30
expect(response).to have_gitlab_http_status(:ok)
expect(Base64.encode64(response.body)).to eq(Base64.encode64(sample_file))
end
it 'responds with 404 Not Found if requesting non-existing secure file' do
2022-05-07 20:08:51 +05:30
get api("/projects/#{project.id}/secure_files/#{non_existing_record_id}/download", maintainer)
2022-04-04 11:22:00 +05:30
expect(response).to have_gitlab_http_status(:not_found)
end
end
2022-05-07 20:08:51 +05:30
context 'authenticated user with read permissions' do
it 'returns a secure file' do
sample_file = fixture_file('ci_secure_files/upload-keystore.jks')
secure_file.file = CarrierWaveStringFile.new(sample_file)
secure_file.save!
get api("/projects/#{project.id}/secure_files/#{secure_file.id}/download", developer)
expect(response).to have_gitlab_http_status(:ok)
expect(Base64.encode64(response.body)).to eq(Base64.encode64(sample_file))
end
end
context 'authenticated user with no permissions' do
2022-04-04 11:22:00 +05:30
it 'does not return project secure file details' do
2022-05-07 20:08:51 +05:30
get api("/projects/#{project.id}/secure_files/#{secure_file.id}/download", anonymous)
2022-04-04 11:22:00 +05:30
2022-05-07 20:08:51 +05:30
expect(response).to have_gitlab_http_status(:not_found)
2022-04-04 11:22:00 +05:30
end
end
2022-06-21 17:19:12 +05:30
context 'unconfirmed user' do
it 'does not return project secure file details' do
get api("/projects/#{project.id}/secure_files/#{secure_file.id}/download", unconfirmed)
expect(response).to have_gitlab_http_status(:not_found)
end
end
2022-05-07 20:08:51 +05:30
context 'unauthenticated user' do
2022-04-04 11:22:00 +05:30
it 'does not return project secure file details' do
get api("/projects/#{project.id}/secure_files/#{secure_file.id}/download")
expect(response).to have_gitlab_http_status(:unauthorized)
end
end
end
describe 'POST /projects/:id/secure_files' do
2022-05-07 20:08:51 +05:30
context 'authenticated user with admin permissions' do
2022-04-04 11:22:00 +05:30
it 'creates a secure file' do
expect do
2022-07-16 23:28:13 +05:30
post api("/projects/#{project.id}/secure_files", maintainer), params: file_params
2022-08-27 11:52:29 +05:30
end.to change { project.secure_files.count }.by(1)
2022-04-04 11:22:00 +05:30
expect(response).to have_gitlab_http_status(:created)
expect(json_response['name']).to eq('upload-keystore.jks')
expect(json_response['checksum']).to eq(secure_file.checksum)
expect(json_response['checksum_algorithm']).to eq('sha256')
secure_file = Ci::SecureFile.find(json_response['id'])
expect(secure_file.checksum).to eq(
Digest::SHA256.hexdigest(fixture_file('ci_secure_files/upload-keystore.jks'))
)
expect(json_response['id']).to eq(secure_file.id)
2022-05-07 20:08:51 +05:30
expect(Time.parse(json_response['created_at'])).to be_like_time(secure_file.created_at)
2022-04-04 11:22:00 +05:30
end
it 'uploads and downloads a secure file' do
2022-06-21 17:19:12 +05:30
post api("/projects/#{project.id}/secure_files", maintainer), params: file_params
2022-04-04 11:22:00 +05:30
secure_file_id = json_response['id']
2022-05-07 20:08:51 +05:30
get api("/projects/#{project.id}/secure_files/#{secure_file_id}/download", maintainer)
2022-04-04 11:22:00 +05:30
expect(Base64.encode64(response.body)).to eq(Base64.encode64(fixture_file_upload('spec/fixtures/ci_secure_files/upload-keystore.jks').read))
end
it 'returns an error when the file checksum fails to validate' do
secure_file.update!(checksum: 'foo')
2022-05-07 20:08:51 +05:30
expect do
get api("/projects/#{project.id}/secure_files/#{secure_file.id}/download", maintainer)
end.not_to change { project.secure_files.count }
2022-04-04 11:22:00 +05:30
expect(response.code).to eq("500")
end
it 'returns an error when no file is uploaded' do
2022-05-07 20:08:51 +05:30
expect do
2022-06-21 17:19:12 +05:30
post api("/projects/#{project.id}/secure_files", maintainer), params: { name: 'upload-keystore.jks' }
2022-05-07 20:08:51 +05:30
end.not_to change { project.secure_files.count }
2022-04-04 11:22:00 +05:30
expect(response).to have_gitlab_http_status(:bad_request)
expect(json_response['error']).to eq('file is missing')
end
it 'returns an error when the file name is missing' do
2022-06-21 17:19:12 +05:30
expect do
post api("/projects/#{project.id}/secure_files", maintainer), params: { file: fixture_file_upload('spec/fixtures/ci_secure_files/upload-keystore.jks') }
end.not_to change { project.secure_files.count }
expect(response).to have_gitlab_http_status(:bad_request)
expect(json_response['error']).to eq('name is missing')
end
it 'returns an error when the file name has already been used' do
2022-04-04 11:22:00 +05:30
post_params = {
2022-06-21 17:19:12 +05:30
name: secure_file.name,
2022-04-04 11:22:00 +05:30
file: fixture_file_upload('spec/fixtures/ci_secure_files/upload-keystore.jks')
}
2022-05-07 20:08:51 +05:30
expect do
post api("/projects/#{project.id}/secure_files", maintainer), params: post_params
end.not_to change { project.secure_files.count }
2022-04-04 11:22:00 +05:30
expect(response).to have_gitlab_http_status(:bad_request)
2022-06-21 17:19:12 +05:30
expect(json_response['message']['name']).to include('has already been taken')
2022-04-04 11:22:00 +05:30
end
it 'returns an error when an unexpected validation failure happens' do
allow_next_instance_of(Ci::SecureFile) do |instance|
allow(instance).to receive(:valid?).and_return(false)
allow(instance).to receive_message_chain(:errors, :any?).and_return(true)
allow(instance).to receive_message_chain(:errors, :messages).and_return(['Error 1', 'Error 2'])
end
2022-05-07 20:08:51 +05:30
expect do
2022-06-21 17:19:12 +05:30
post api("/projects/#{project.id}/secure_files", maintainer), params: file_params
2022-05-07 20:08:51 +05:30
end.not_to change { project.secure_files.count }
2022-04-04 11:22:00 +05:30
expect(response).to have_gitlab_http_status(:bad_request)
end
it 'returns a 413 error when the file size is too large' do
allow_next_instance_of(Ci::SecureFile) do |instance|
allow(instance).to receive_message_chain(:file, :size).and_return(6.megabytes.to_i)
end
2022-05-07 20:08:51 +05:30
expect do
2022-06-21 17:19:12 +05:30
post api("/projects/#{project.id}/secure_files", maintainer), params: file_params
2022-05-07 20:08:51 +05:30
end.not_to change { project.secure_files.count }
2022-04-04 11:22:00 +05:30
expect(response).to have_gitlab_http_status(:payload_too_large)
end
2022-11-25 23:54:43 +05:30
it 'returns an error when and invalid file name is supplied' do
params = file_params.merge(name: '../../upload-keystore.jks')
expect do
post api("/projects/#{project.id}/secure_files", maintainer), params: params
end.not_to change { project.secure_files.count }
expect(response).to have_gitlab_http_status(:internal_server_error)
end
2022-04-04 11:22:00 +05:30
end
2022-05-07 20:08:51 +05:30
context 'authenticated user with read permissions' do
2022-04-04 11:22:00 +05:30
it 'does not create a secure file' do
2022-05-07 20:08:51 +05:30
expect do
post api("/projects/#{project.id}/secure_files", developer)
end.not_to change { project.secure_files.count }
2022-04-04 11:22:00 +05:30
expect(response).to have_gitlab_http_status(:forbidden)
end
end
2022-05-07 20:08:51 +05:30
context 'authenticated user with no permissions' do
2022-04-04 11:22:00 +05:30
it 'does not create a secure file' do
2022-05-07 20:08:51 +05:30
expect do
post api("/projects/#{project.id}/secure_files", anonymous)
end.not_to change { project.secure_files.count }
expect(response).to have_gitlab_http_status(:not_found)
end
end
2022-06-21 17:19:12 +05:30
context 'unconfirmed user' do
it 'does not create a secure file' do
expect do
post api("/projects/#{project.id}/secure_files", unconfirmed)
end.not_to change { project.secure_files.count }
expect(response).to have_gitlab_http_status(:not_found)
end
end
2022-05-07 20:08:51 +05:30
context 'unauthenticated user' do
it 'does not create a secure file' do
expect do
post api("/projects/#{project.id}/secure_files")
end.not_to change { project.secure_files.count }
2022-04-04 11:22:00 +05:30
expect(response).to have_gitlab_http_status(:unauthorized)
end
end
end
describe 'DELETE /projects/:id/secure_files/:secure_file_id' do
2022-05-07 20:08:51 +05:30
context 'authenticated user with admin permissions' do
2022-04-04 11:22:00 +05:30
it 'deletes the secure file' do
expect do
2022-05-07 20:08:51 +05:30
delete api("/projects/#{project.id}/secure_files/#{secure_file.id}", maintainer)
2022-04-04 11:22:00 +05:30
expect(response).to have_gitlab_http_status(:no_content)
2022-05-07 20:08:51 +05:30
end.to change { project.secure_files.count }
2022-04-04 11:22:00 +05:30
end
it 'responds with 404 Not Found if requesting non-existing secure_file' do
2022-05-07 20:08:51 +05:30
expect do
delete api("/projects/#{project.id}/secure_files/#{non_existing_record_id}", maintainer)
end.not_to change { project.secure_files.count }
2022-04-04 11:22:00 +05:30
expect(response).to have_gitlab_http_status(:not_found)
end
end
2022-05-07 20:08:51 +05:30
context 'authenticated user with read permissions' do
2022-04-04 11:22:00 +05:30
it 'does not delete the secure_file' do
2022-05-07 20:08:51 +05:30
expect do
delete api("/projects/#{project.id}/secure_files/#{secure_file.id}", developer)
end.not_to change { project.secure_files.count }
2022-04-04 11:22:00 +05:30
expect(response).to have_gitlab_http_status(:forbidden)
end
end
2022-05-07 20:08:51 +05:30
context 'authenticated user with no permissions' do
2022-04-04 11:22:00 +05:30
it 'does not delete the secure_file' do
2022-05-07 20:08:51 +05:30
expect do
delete api("/projects/#{project.id}/secure_files/#{secure_file.id}", anonymous)
end.not_to change { project.secure_files.count }
expect(response).to have_gitlab_http_status(:not_found)
end
end
2022-06-21 17:19:12 +05:30
context 'unconfirmed user' do
it 'does not delete the secure_file' do
expect do
delete api("/projects/#{project.id}/secure_files#{secure_file.id}", unconfirmed)
end.not_to change { project.secure_files.count }
expect(response).to have_gitlab_http_status(:not_found)
end
end
2022-05-07 20:08:51 +05:30
context 'unauthenticated user' do
it 'does not delete the secure_file' do
expect do
delete api("/projects/#{project.id}/secure_files/#{secure_file.id}")
end.not_to change { project.secure_files.count }
2022-04-04 11:22:00 +05:30
expect(response).to have_gitlab_http_status(:unauthorized)
end
end
end
end