debian-mirror-gitlab/spec/uploaders/object_storage/cdn/google_cdn_spec.rb

# frozen_string_literal: true

require 'spec_helper'

RSpec.describe ObjectStorage::CDN::GoogleCDN,
  :use_clean_rails_memory_store_caching, :use_clean_rails_redis_caching, :sidekiq_inline do
  include StubRequests

  let(:key) { SecureRandom.hex }
  let(:key_name) { 'test-key' }
  let(:options) { { url: 'https://cdn.gitlab.example.com', key_name: key_name, key: Base64.urlsafe_encode64(key) } }
  let(:google_cloud_ips) { File.read(Rails.root.join('spec/fixtures/cdn/google_cloud.json')) }
  let(:headers) { { 'Content-Type' => 'application/json' } }
  let(:public_ip) { '18.245.0.42' }

  subject { described_class.new(options) }

  before do
    WebMock.stub_request(:get, GoogleCloud::FetchGoogleIpListService::GOOGLE_IP_RANGES_URL)
      .to_return(status: 200, body: google_cloud_ips, headers: headers)
  end

  describe '#use_cdn?' do
    using RSpec::Parameterized::TableSyntax

    where(:ip_address, :expected) do
      '34.80.0.1'                               | false
      '18.245.0.42'                             | true
      '2500:1900:4180:0000:0000:0000:0000:0000' | true
      '2600:1900:4180:0000:0000:0000:0000:0000' | false
      '10.10.1.5'                               | false
      'fc00:0000:0000:0000:0000:0000:0000:0000' | false
      '127.0.0.1'                               | false
      '169.254.0.0'                             | false
    end

    with_them do
      it { expect(subject.use_cdn?(ip_address)).to eq(expected) }
    end

    context 'when the key name is missing' do
      let(:options) { { url: 'https://cdn.gitlab.example.com', key: Base64.urlsafe_encode64(SecureRandom.hex) } }

      it 'returns false' do
        expect(subject.use_cdn?(public_ip)).to be false
      end
    end

    context 'when the key is missing' do
      let(:options) { { url: 'https://invalid.example.com' } }

      it 'returns false' do
        expect(subject.use_cdn?(public_ip)).to be false
      end
    end

    context 'when the key is invalid' do
      let(:options) { { key_name: key_name, key: '\0x1' } }

      it 'returns false' do
        expect(Gitlab::ErrorTracking).to receive(:log_exception).and_call_original
        expect(subject.use_cdn?(public_ip)).to be false
      end
    end

    context 'when the URL is missing' do
      let(:options) { { key: Base64.urlsafe_encode64(SecureRandom.hex) } }

      it 'returns false' do
        expect(subject.use_cdn?(public_ip)).to be false
      end
    end

    context 'when URL is a domain' do
      before do
        options[:url] = 'cdn.gitlab.example.com'
      end

      it 'returns false' do
        expect(subject.use_cdn?(public_ip)).to be false
      end
    end

    context 'when URL uses HTTP' do
      before do
        options[:url] = 'http://cdn.gitlab.example.com'
      end

      it 'returns false' do
        expect(subject.use_cdn?(public_ip)).to be false
      end
    end
  end

  describe '#signed_url', :freeze_time do
    let(:path) { '/path/to/file.txt' }
    let(:expiration) { (Time.current + 10.minutes).utc.to_i }
    let(:cdn_query_params) { "Expires=#{expiration}&KeyName=#{key_name}" }

    def verify_signature(url, unsigned_url)
      expect(url).to start_with("#{options[:url]}#{path}")

      uri = Addressable::URI.parse(url)
      query = uri.query_values
      signature = query['Signature']

      computed_signature = OpenSSL::HMAC.digest('SHA1', key, unsigned_url)

      aggregate_failures do
        expect(query['Expires'].to_i).to be > 0
        expect(query['KeyName']).to eq(key_name)
        expect(signature).to eq(Base64.urlsafe_encode64(computed_signature))
      end
    end

    context 'with default query parameters' do
      let(:url) { subject.signed_url(path) }
      let(:unsigned_url) { "#{options[:url]}#{path}?#{cdn_query_params}" }

      it 'returns a valid signed URL' do
        verify_signature(url, unsigned_url)
      end
    end

    context 'with nil query parameters' do
      let(:url) { subject.signed_url(path, params: nil) }
      let(:unsigned_url) { "#{options[:url]}#{path}?#{cdn_query_params}" }

      it 'returns a valid signed URL' do
        verify_signature(url, unsigned_url)
      end
    end

    context 'with extra query parameters' do
      let(:url) { subject.signed_url(path, params: { 'response-content-type' => 'text/plain' }) }
      let(:unsigned_url) { "#{options[:url]}#{path}?response-content-type=text%2Fplain&#{cdn_query_params}" }

      it 'returns a valid signed URL' do
        verify_signature(url, unsigned_url)
      end
    end
  end
end