92413041bd
- https://github.com/NYTimes/gziphandler doesn't seems to be maintained anymore and Forgejo already includes https://github.com/klauspost/compress which provides a maintained and faster gzip handler fork. - Enables Jitter to prevent BREACH attacks, as this *seems* to be possible in the context of Forgejo. (cherry picked from commit cc2847241d82001babd8d40c87d03169f21c14cd) (cherry picked from commit 99ba56a8761dd08e08d9499cab2ded1a6b7b970f) Conflicts: go.sum https://codeberg.org/forgejo/forgejo/pulls/1581 (cherry picked from commit 711638193daa2311e2ead6249a47dcec47b4e335) (cherry picked from commit 9c12a37fde6fa84414bf332ff4a066facdb92d38) (cherry picked from commit d13065345431a499f9e0b7a3c2043d7487b8aa5b) (cherry picked from commit 45a16f8c3c6f7d5e4aab8fdde6a621cf36e4801c) (cherry picked from commit a497acb31f76d580c8b0567f9461274bd78080f4) (cherry picked from commit fe87fd828973945192b98310c5c3b2001c6e0f86) (cherry picked from commit 6ac12e6693cf45cb12109028dabd868957c4b74c) (cherry picked from commit 981ec37e1e72ab19c20067ff4d2a7e20a60d3305) (cherry picked from commit 5d6892ec10086f0ba63f26693faa82d0fd4e3f4a) (cherry picked from commit 9df7968f4fc72de9788d84ca3f349e4c98ee630e) (cherry picked from commit 7d588d183329cd760053663ea2e1e82e62958409) Conflicts: routers/web/web.go https://codeberg.org/forgejo/forgejo/pulls/2075 (cherry picked from commit defb101281f5a6ba410abc763674bafa7b63dffd) (cherry picked from commit 5830f204a17767fda3e45d16dbf3af8c32e7f387) (cherry picked from commit 029f4e98636a7776f430684e9d7142d69a444f96) (cherry picked from commit 816fe558126d0ecce969fdf2a196fa6afdcca792) Conflicts: go.sum https://codeberg.org/forgejo/forgejo/pulls/2249 (cherry picked from commit 99866d804560b415b6158371eb0efd17d097cfe0)
227 lines
6.8 KiB
Go
227 lines
6.8 KiB
Go
// Copyright 2019 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package integration
|
|
|
|
import (
|
|
"archive/zip"
|
|
"bytes"
|
|
"io"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
|
|
"code.gitea.io/gitea/models/auth"
|
|
"code.gitea.io/gitea/models/db"
|
|
git_model "code.gitea.io/gitea/models/git"
|
|
repo_model "code.gitea.io/gitea/models/repo"
|
|
"code.gitea.io/gitea/modules/json"
|
|
"code.gitea.io/gitea/modules/lfs"
|
|
"code.gitea.io/gitea/modules/setting"
|
|
"code.gitea.io/gitea/tests"
|
|
|
|
"github.com/klauspost/compress/gzhttp"
|
|
gzipp "github.com/klauspost/compress/gzip"
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
func storeObjectInRepo(t *testing.T, repositoryID int64, content *[]byte) string {
|
|
pointer, err := lfs.GeneratePointer(bytes.NewReader(*content))
|
|
assert.NoError(t, err)
|
|
|
|
_, err = git_model.NewLFSMetaObject(db.DefaultContext, repositoryID, pointer)
|
|
assert.NoError(t, err)
|
|
contentStore := lfs.NewContentStore()
|
|
exist, err := contentStore.Exists(pointer)
|
|
assert.NoError(t, err)
|
|
if !exist {
|
|
err := contentStore.Put(pointer, bytes.NewReader(*content))
|
|
assert.NoError(t, err)
|
|
}
|
|
return pointer.Oid
|
|
}
|
|
|
|
func storeAndGetLfsToken(t *testing.T, content *[]byte, extraHeader *http.Header, expectedStatus int, ts ...auth.AccessTokenScope) *httptest.ResponseRecorder {
|
|
repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, "user2", "repo1")
|
|
assert.NoError(t, err)
|
|
oid := storeObjectInRepo(t, repo.ID, content)
|
|
defer git_model.RemoveLFSMetaObjectByOid(db.DefaultContext, repo.ID, oid)
|
|
|
|
token := getUserToken(t, "user2", ts...)
|
|
|
|
// Request OID
|
|
req := NewRequest(t, "GET", "/user2/repo1.git/info/lfs/objects/"+oid+"/test")
|
|
req.Header.Set("Accept-Encoding", "gzip")
|
|
req.SetBasicAuth("user2", token)
|
|
if extraHeader != nil {
|
|
for key, values := range *extraHeader {
|
|
for _, value := range values {
|
|
req.Header.Add(key, value)
|
|
}
|
|
}
|
|
}
|
|
|
|
resp := MakeRequest(t, req, expectedStatus)
|
|
|
|
return resp
|
|
}
|
|
|
|
func storeAndGetLfs(t *testing.T, content *[]byte, extraHeader *http.Header, expectedStatus int) *httptest.ResponseRecorder {
|
|
repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, "user2", "repo1")
|
|
assert.NoError(t, err)
|
|
oid := storeObjectInRepo(t, repo.ID, content)
|
|
defer git_model.RemoveLFSMetaObjectByOid(db.DefaultContext, repo.ID, oid)
|
|
|
|
session := loginUser(t, "user2")
|
|
|
|
// Request OID
|
|
req := NewRequest(t, "GET", "/user2/repo1.git/info/lfs/objects/"+oid+"/test")
|
|
req.Header.Set("Accept-Encoding", "gzip")
|
|
if extraHeader != nil {
|
|
for key, values := range *extraHeader {
|
|
for _, value := range values {
|
|
req.Header.Add(key, value)
|
|
}
|
|
}
|
|
}
|
|
|
|
resp := session.MakeRequest(t, req, expectedStatus)
|
|
|
|
return resp
|
|
}
|
|
|
|
func checkResponseTestContentEncoding(t *testing.T, content *[]byte, resp *httptest.ResponseRecorder, expectGzip bool) {
|
|
contentEncoding := resp.Header().Get("Content-Encoding")
|
|
if !expectGzip || !setting.EnableGzip {
|
|
assert.NotContains(t, contentEncoding, "gzip")
|
|
|
|
result := resp.Body.Bytes()
|
|
assert.Equal(t, *content, result)
|
|
} else {
|
|
assert.Contains(t, contentEncoding, "gzip")
|
|
gzippReader, err := gzipp.NewReader(resp.Body)
|
|
assert.NoError(t, err)
|
|
result, err := io.ReadAll(gzippReader)
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, *content, result)
|
|
}
|
|
}
|
|
|
|
func TestGetLFSSmall(t *testing.T) {
|
|
defer tests.PrepareTestEnv(t)()
|
|
content := []byte("A very small file\n")
|
|
|
|
resp := storeAndGetLfs(t, &content, nil, http.StatusOK)
|
|
checkResponseTestContentEncoding(t, &content, resp, false)
|
|
}
|
|
|
|
func TestGetLFSSmallToken(t *testing.T) {
|
|
defer tests.PrepareTestEnv(t)()
|
|
content := []byte("A very small file\n")
|
|
|
|
resp := storeAndGetLfsToken(t, &content, nil, http.StatusOK, auth.AccessTokenScopePublicOnly, auth.AccessTokenScopeReadRepository)
|
|
checkResponseTestContentEncoding(t, &content, resp, false)
|
|
}
|
|
|
|
func TestGetLFSSmallTokenFail(t *testing.T) {
|
|
defer tests.PrepareTestEnv(t)()
|
|
content := []byte("A very small file\n")
|
|
|
|
storeAndGetLfsToken(t, &content, nil, http.StatusForbidden, auth.AccessTokenScopeReadNotification)
|
|
}
|
|
|
|
func TestGetLFSLarge(t *testing.T) {
|
|
defer tests.PrepareTestEnv(t)()
|
|
content := make([]byte, gzhttp.DefaultMinSize*10)
|
|
for i := range content {
|
|
content[i] = byte(i % 256)
|
|
}
|
|
|
|
resp := storeAndGetLfs(t, &content, nil, http.StatusOK)
|
|
checkResponseTestContentEncoding(t, &content, resp, true)
|
|
}
|
|
|
|
func TestGetLFSGzip(t *testing.T) {
|
|
defer tests.PrepareTestEnv(t)()
|
|
b := make([]byte, gzhttp.DefaultMinSize*10)
|
|
for i := range b {
|
|
b[i] = byte(i % 256)
|
|
}
|
|
outputBuffer := bytes.NewBuffer([]byte{})
|
|
gzippWriter := gzipp.NewWriter(outputBuffer)
|
|
gzippWriter.Write(b)
|
|
gzippWriter.Close()
|
|
content := outputBuffer.Bytes()
|
|
|
|
resp := storeAndGetLfs(t, &content, nil, http.StatusOK)
|
|
checkResponseTestContentEncoding(t, &content, resp, false)
|
|
}
|
|
|
|
func TestGetLFSZip(t *testing.T) {
|
|
defer tests.PrepareTestEnv(t)()
|
|
b := make([]byte, gzhttp.DefaultMinSize*10)
|
|
for i := range b {
|
|
b[i] = byte(i % 256)
|
|
}
|
|
outputBuffer := bytes.NewBuffer([]byte{})
|
|
zipWriter := zip.NewWriter(outputBuffer)
|
|
fileWriter, err := zipWriter.Create("default")
|
|
assert.NoError(t, err)
|
|
fileWriter.Write(b)
|
|
zipWriter.Close()
|
|
content := outputBuffer.Bytes()
|
|
|
|
resp := storeAndGetLfs(t, &content, nil, http.StatusOK)
|
|
checkResponseTestContentEncoding(t, &content, resp, false)
|
|
}
|
|
|
|
func TestGetLFSRangeNo(t *testing.T) {
|
|
defer tests.PrepareTestEnv(t)()
|
|
content := []byte("123456789\n")
|
|
|
|
resp := storeAndGetLfs(t, &content, nil, http.StatusOK)
|
|
assert.Equal(t, content, resp.Body.Bytes())
|
|
}
|
|
|
|
func TestGetLFSRange(t *testing.T) {
|
|
defer tests.PrepareTestEnv(t)()
|
|
content := []byte("123456789\n")
|
|
|
|
tests := []struct {
|
|
in string
|
|
out string
|
|
status int
|
|
}{
|
|
{"bytes=0-0", "1", http.StatusPartialContent},
|
|
{"bytes=0-1", "12", http.StatusPartialContent},
|
|
{"bytes=1-1", "2", http.StatusPartialContent},
|
|
{"bytes=1-3", "234", http.StatusPartialContent},
|
|
{"bytes=1-", "23456789\n", http.StatusPartialContent},
|
|
// end-range smaller than start-range is ignored
|
|
{"bytes=1-0", "23456789\n", http.StatusPartialContent},
|
|
{"bytes=0-10", "123456789\n", http.StatusPartialContent},
|
|
// end-range bigger than length-1 is ignored
|
|
{"bytes=0-11", "123456789\n", http.StatusPartialContent},
|
|
{"bytes=11-", "Requested Range Not Satisfiable", http.StatusRequestedRangeNotSatisfiable},
|
|
// incorrect header value cause whole header to be ignored
|
|
{"bytes=-", "123456789\n", http.StatusOK},
|
|
{"foobar", "123456789\n", http.StatusOK},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.in, func(t *testing.T) {
|
|
h := http.Header{
|
|
"Range": []string{tt.in},
|
|
}
|
|
resp := storeAndGetLfs(t, &content, &h, tt.status)
|
|
if tt.status == http.StatusPartialContent || tt.status == http.StatusOK {
|
|
assert.Equal(t, tt.out, resp.Body.String())
|
|
} else {
|
|
var er lfs.ErrorResponse
|
|
err := json.Unmarshal(resp.Body.Bytes(), &er)
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, tt.out, er.Message)
|
|
}
|
|
})
|
|
}
|
|
}
|