debian-mirror-gitlab/spec/controllers/projects/raw_controller_spec.rb

# frozen_string_literal: true
require 'spec_helper'
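# Controller spec for the raw-blob endpoint (GET #show).
#
# Besides content delivery, the examples below pin three access-control
# behaviours: the per-blob request rate limit and its audit log entry, the
# exemption for requests carrying the configured external-storage token, and
# sessionless access through a per-user static object token.
describe Projects::RawController do
  include RepoHelpers

  let(:project) { create(:project, :public, :repository) }

  describe 'GET #show' do
    subject do
      get(:show,
          params: {
            namespace_id: project.namespace,
            project_id: project,
            id: filepath
          })
    end

    context 'regular filename' do
      let(:filepath) { 'master/README.md' }

      it 'delivers ASCII file' do
        subject

        expect(response).to have_gitlab_http_status(200)
        expect(response.header['Content-Type']).to eq('text/plain; charset=utf-8')
        expect(response.header['Content-Disposition']).to eq('inline')
        # The blob body is not rendered by Rails: the response only carries the
        # Workhorse send-data header, with content-type detection requested.
        expect(response.header[Gitlab::Workhorse::DETECT_HEADER]).to eq "true"
        expect(response.header[Gitlab::Workhorse::SEND_DATA_HEADER]).to start_with('git-blob:')
      end
    end

    context 'image header' do
      let(:filepath) { 'master/files/images/6049019_460s.jpg' }

      it 'leaves image content disposition' do
        subject

        expect(response).to have_gitlab_http_status(200)
        expect(response.header['Content-Disposition']).to eq('inline')
        expect(response.header[Gitlab::Workhorse::DETECT_HEADER]).to eq "true"
        expect(response.header[Gitlab::Workhorse::SEND_DATA_HEADER]).to start_with('git-blob:')
      end
    end

    it_behaves_like 'a controller that can serve LFS files' do
      let(:filename) { 'lfs_object.iso' }
      let(:filepath) { "be93687/files/lfs/#{filename}" }
    end

    # Rate limiting: with the limit stubbed to 5, the sixth request for the
    # same blob must be rejected. The Redis cache is cleaned per example
    # (:clean_gitlab_redis_cache) so counters do not leak between examples.
    context 'when the endpoint receives requests above the limit', :clean_gitlab_redis_cache do
      let(:file_path) { 'master/README.md' }

      before do
        stub_application_setting(raw_blob_request_limit: 5)
      end

      it 'prevents from accessing the raw file' do
        execute_raw_requests(requests: 6, project: project, file_path: file_path)

        expect(flash[:alert]).to eq(_('You cannot access the raw file. Please wait a minute.'))
        expect(response).to have_gitlab_http_status(429)
      end

      # Throttled requests must leave exactly one structured entry in the auth
      # log, so that a rejected burst is visible to whoever monitors that log.
      it 'logs the event on auth.log' do
        attributes = {
          message: 'Application_Rate_Limiter_Request',
          env: :raw_blob_request_limit,
          remote_ip: '0.0.0.0',
          request_method: 'GET',
          path: "/#{project.full_path}/raw/#{file_path}"
        }

        expect(Gitlab::AuthLogger).to receive(:error).with(attributes).once

        execute_raw_requests(requests: 6, project: project, file_path: file_path)
      end

      # A request that presents the configured external-storage auth token is
      # exempt from the limit.
      # NOTE(review): only the matching-token case is covered in this file. A
      # companion example with a non-matching X-Gitlab-External-Storage-Token
      # would pin that the exemption depends on the token value, not on the
      # header being present; the expected response must be confirmed against
      # the controller.
      context 'when receiving an external storage request' do
        let(:token) { 'letmein' }

        before do
          stub_application_setting(
            static_objects_external_storage_url: 'https://cdn.gitlab.com',
            static_objects_external_storage_auth_token: token
          )
        end

        it 'does not prevent from accessing the raw file' do
          request.headers['X-Gitlab-External-Storage-Token'] = token
          execute_raw_requests(requests: 6, project: project, file_path: file_path)

          expect(response).to have_gitlab_http_status(200)
        end
      end

      # The same commit addressed with a differently-cased SHA must count
      # against the same limit; otherwise the limit could be sidestepped by
      # varying the case of the ref.
      context 'when the request uses a different version of a commit' do
        it 'prevents from accessing the raw file' do
          # 3 times with the normal sha
          commit_sha = project.repository.commit.sha
          file_path = "#{commit_sha}/README.md"

          execute_raw_requests(requests: 3, project: project, file_path: file_path)

          # 3 times with the modified version
          modified_sha = commit_sha.gsub(commit_sha[0..5], commit_sha[0..5].upcase)
          # Upcasing is a no-op when the first six hex characters are all
          # digits; fail loudly in that case instead of passing without having
          # exercised a differently-cased SHA.
          expect(modified_sha).not_to eq(commit_sha)
          modified_path = "#{modified_sha}/README.md"

          execute_raw_requests(requests: 3, project: project, file_path: modified_path)

          expect(flash[:alert]).to eq(_('You cannot access the raw file. Please wait a minute.'))
          expect(response).to have_gitlab_http_status(429)
        end
      end

      # A limit of 0 overrides the outer stub of 5 and switches throttling off.
      context 'when the throttling has been disabled' do
        before do
          stub_application_setting(raw_blob_request_limit: 0)
        end

        it 'does not prevent from accessing the raw file' do
          execute_raw_requests(requests: 10, project: project, file_path: file_path)

          expect(response).to have_gitlab_http_status(200)
        end
      end

      # File paths, unlike commit SHAs, are case-sensitive: readme.md and
      # README.md are distinct blobs, so throttling one must not block the
      # other.
      context 'with case-sensitive files' do
        it 'prevents from accessing the specific file' do
          create_file_in_repo(project, 'master', 'master', 'readme.md', 'Add readme.md')
          create_file_in_repo(project, 'master', 'master', 'README.md', 'Add README.md')

          commit_sha = project.repository.commit.sha
          file_path = "#{commit_sha}/readme.md"

          # Accessing downcase version of readme
          execute_raw_requests(requests: 6, project: project, file_path: file_path)

          expect(flash[:alert]).to eq(_('You cannot access the raw file. Please wait a minute.'))
          expect(response).to have_gitlab_http_status(429)

          # Accessing upcase version of readme
          file_path = "#{commit_sha}/README.md"

          execute_raw_requests(requests: 1, project: project, file_path: file_path)

          expect(response).to have_gitlab_http_status(200)
        end
      end
    end

    # Sessionless access to a private project: the request carries no login
    # session, so the only credential is the user's static object token, sent
    # either as a `token` parameter or in the X-Gitlab-Static-Object-Token
    # header. A missing or wrong token must end at the sign-in redirect.
    # NOTE(review): no example in this file covers a valid token whose owner is
    # not a member of the project; confirm that case is covered elsewhere.
    context 'as a sessionless user' do
      let_it_be(:project) { create(:project, :private, :repository) }
      let_it_be(:user) { create(:user, static_object_token: 'very-secure-token') }
      let_it_be(:file_path) { 'master/README.md' }

      before do
        project.add_developer(user)
      end

      context 'when no token is provided' do
        it 'redirects to sign in page' do
          execute_raw_requests(requests: 1, project: project, file_path: file_path)

          expect(response).to have_gitlab_http_status(302)
          expect(response.location).to end_with('/users/sign_in')
        end
      end

      # NOTE(review): in these examples the token travels as a request
      # parameter; whether it is filtered from request logs is not visible in
      # this file - confirm.
      context 'when a token param is present' do
        context 'when token is correct' do
          it 'calls the action normally' do
            execute_raw_requests(requests: 1, project: project, file_path: file_path, token: user.static_object_token)

            expect(response).to have_gitlab_http_status(200)
          end
        end

        context 'when token is incorrect' do
          it 'redirects to sign in page' do
            execute_raw_requests(requests: 1, project: project, file_path: file_path, token: 'foobar')

            expect(response).to have_gitlab_http_status(302)
            expect(response.location).to end_with('/users/sign_in')
          end
        end
      end

      context 'when a token header is present' do
        context 'when token is correct' do
          it 'calls the action normally' do
            request.headers['X-Gitlab-Static-Object-Token'] = user.static_object_token
            execute_raw_requests(requests: 1, project: project, file_path: file_path)

            expect(response).to have_gitlab_http_status(200)
          end
        end

        context 'when token is incorrect' do
          it 'redirects to sign in page' do
            request.headers['X-Gitlab-Static-Object-Token'] = 'foobar'
            execute_raw_requests(requests: 1, project: project, file_path: file_path)

            expect(response).to have_gitlab_http_status(302)
            expect(response.location).to end_with('/users/sign_in')
          end
        end
      end
    end
  end

  # Issues `requests` consecutive GET #show requests for one blob.
  #
  # @param requests [Integer] number of requests to send
  # @param project [Project] project whose namespace and id address the blob
  # @param file_path [String] "<ref>/<path>" value sent as the :id parameter
  # @param params [Hash] extra request parameters merged into every request
  #   (the sessionless examples pass `token:` this way)
  def execute_raw_requests(requests:, project:, file_path:, **params)
    requests.times do
      get :show, params: {
        namespace_id: project.namespace,
        project_id: project,
        id: file_path
      }.merge(params)
    end
  end
end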