2022-10-11 01:57:18 +05:30
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
|
|
require 'spec_helper'
|
|
|
|
|
|
|
|
RSpec.describe ObjectStorage::CDN::GoogleCDN,
|
|
|
|
:use_clean_rails_memory_store_caching, :use_clean_rails_redis_caching, :sidekiq_inline do
|
|
|
|
include StubRequests
|
|
|
|
|
|
|
|
let(:key) { SecureRandom.hex }
|
|
|
|
let(:key_name) { 'test-key' }
|
|
|
|
let(:options) { { url: 'https://cdn.gitlab.example.com', key_name: key_name, key: Base64.urlsafe_encode64(key) } }
|
|
|
|
let(:google_cloud_ips) { File.read(Rails.root.join('spec/fixtures/cdn/google_cloud.json')) }
|
|
|
|
let(:headers) { { 'Content-Type' => 'application/json' } }
|
|
|
|
let(:public_ip) { '18.245.0.42' }
|
|
|
|
|
|
|
|
subject { described_class.new(options) }
|
|
|
|
|
|
|
|
before do
|
|
|
|
WebMock.stub_request(:get, GoogleCloud::FetchGoogleIpListService::GOOGLE_IP_RANGES_URL)
|
|
|
|
.to_return(status: 200, body: google_cloud_ips, headers: headers)
|
|
|
|
end
|
|
|
|
|
|
|
|
describe '#use_cdn?' do
|
|
|
|
using RSpec::Parameterized::TableSyntax
|
|
|
|
|
|
|
|
where(:ip_address, :expected) do
|
|
|
|
'34.80.0.1' | false
|
|
|
|
'18.245.0.42' | true
|
|
|
|
'2500:1900:4180:0000:0000:0000:0000:0000' | true
|
|
|
|
'2600:1900:4180:0000:0000:0000:0000:0000' | false
|
|
|
|
'10.10.1.5' | false
|
|
|
|
'fc00:0000:0000:0000:0000:0000:0000:0000' | false
|
2022-11-25 23:54:43 +05:30
|
|
|
'127.0.0.1' | false
|
|
|
|
'169.254.0.0' | false
|
2022-10-11 01:57:18 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
with_them do
|
|
|
|
it { expect(subject.use_cdn?(ip_address)).to eq(expected) }
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when the key name is missing' do
|
|
|
|
let(:options) { { url: 'https://cdn.gitlab.example.com', key: Base64.urlsafe_encode64(SecureRandom.hex) } }
|
|
|
|
|
|
|
|
it 'returns false' do
|
|
|
|
expect(subject.use_cdn?(public_ip)).to be false
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when the key is missing' do
|
|
|
|
let(:options) { { url: 'https://invalid.example.com' } }
|
|
|
|
|
|
|
|
it 'returns false' do
|
|
|
|
expect(subject.use_cdn?(public_ip)).to be false
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when the key is invalid' do
|
|
|
|
let(:options) { { key_name: key_name, key: '\0x1' } }
|
|
|
|
|
|
|
|
it 'returns false' do
|
|
|
|
expect(Gitlab::ErrorTracking).to receive(:log_exception).and_call_original
|
|
|
|
expect(subject.use_cdn?(public_ip)).to be false
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when the URL is missing' do
|
|
|
|
let(:options) { { key: Base64.urlsafe_encode64(SecureRandom.hex) } }
|
|
|
|
|
|
|
|
it 'returns false' do
|
|
|
|
expect(subject.use_cdn?(public_ip)).to be false
|
|
|
|
end
|
|
|
|
end
|
2022-11-25 23:54:43 +05:30
|
|
|
|
|
|
|
context 'when URL is a domain' do
|
|
|
|
before do
|
|
|
|
options[:url] = 'cdn.gitlab.example.com'
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'returns false' do
|
|
|
|
expect(subject.use_cdn?(public_ip)).to be false
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when URL uses HTTP' do
|
|
|
|
before do
|
|
|
|
options[:url] = 'http://cdn.gitlab.example.com'
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'returns false' do
|
|
|
|
expect(subject.use_cdn?(public_ip)).to be false
|
|
|
|
end
|
|
|
|
end
|
2022-10-11 01:57:18 +05:30
|
|
|
end
|
|
|
|
|
2023-01-13 00:05:48 +05:30
|
|
|
describe '#signed_url', :freeze_time do
|
2022-10-11 01:57:18 +05:30
|
|
|
let(:path) { '/path/to/file.txt' }
|
2023-01-13 00:05:48 +05:30
|
|
|
let(:expiration) { (Time.current + 10.minutes).utc.to_i }
|
|
|
|
let(:cdn_query_params) { "Expires=#{expiration}&KeyName=#{key_name}" }
|
2022-10-11 01:57:18 +05:30
|
|
|
|
2023-01-13 00:05:48 +05:30
|
|
|
def verify_signature(url, unsigned_url)
|
2022-10-11 01:57:18 +05:30
|
|
|
expect(url).to start_with("#{options[:url]}#{path}")
|
|
|
|
|
|
|
|
uri = Addressable::URI.parse(url)
|
2023-01-13 00:05:48 +05:30
|
|
|
query = uri.query_values
|
|
|
|
signature = query['Signature']
|
2022-10-11 01:57:18 +05:30
|
|
|
|
2023-01-13 00:05:48 +05:30
|
|
|
computed_signature = OpenSSL::HMAC.digest('SHA1', key, unsigned_url)
|
2022-10-11 01:57:18 +05:30
|
|
|
|
|
|
|
aggregate_failures do
|
2023-01-13 00:05:48 +05:30
|
|
|
expect(query['Expires'].to_i).to be > 0
|
|
|
|
expect(query['KeyName']).to eq(key_name)
|
2022-10-11 01:57:18 +05:30
|
|
|
expect(signature).to eq(Base64.urlsafe_encode64(computed_signature))
|
|
|
|
end
|
|
|
|
end
|
2023-01-13 00:05:48 +05:30
|
|
|
|
|
|
|
context 'with default query parameters' do
|
|
|
|
let(:url) { subject.signed_url(path) }
|
|
|
|
let(:unsigned_url) { "#{options[:url]}#{path}?#{cdn_query_params}" }
|
|
|
|
|
|
|
|
it 'returns a valid signed URL' do
|
|
|
|
verify_signature(url, unsigned_url)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with nil query parameters' do
|
|
|
|
let(:url) { subject.signed_url(path, params: nil) }
|
|
|
|
let(:unsigned_url) { "#{options[:url]}#{path}?#{cdn_query_params}" }
|
|
|
|
|
|
|
|
it 'returns a valid signed URL' do
|
|
|
|
verify_signature(url, unsigned_url)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with extra query parameters' do
|
|
|
|
let(:url) { subject.signed_url(path, params: { 'response-content-type' => 'text/plain' }) }
|
|
|
|
let(:unsigned_url) { "#{options[:url]}#{path}?response-content-type=text%2Fplain&#{cdn_query_params}" }
|
|
|
|
|
|
|
|
it 'returns a valid signed URL' do
|
|
|
|
verify_signature(url, unsigned_url)
|
|
|
|
end
|
|
|
|
end
|
2022-10-11 01:57:18 +05:30
|
|
|
end
|
|
|
|
end
|