
authorGitLab Bot <gitlab-bot@gitlab.com>2021-08-19 12:08:42 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2021-08-19 12:08:42 +0300
commitb76ae638462ab0f673e5915986070518dd3f9ad3 (patch)
treebdab0533383b52873be0ec0eb4d3c66598ff8b91 /spec/controllers/groups
parent434373eabe7b4be9593d18a585fb763f1e5f1a6f (diff)
Add latest changes from gitlab-org/gitlab@14-2-stable-eev14.2.0-rc42
Diffstat (limited to 'spec/controllers/groups')
-rw-r--r--spec/controllers/groups/clusters/applications_controller_spec.rb148
-rw-r--r--spec/controllers/groups/dependency_proxy_auth_controller_spec.rb57
-rw-r--r--spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb143
-rw-r--r--spec/controllers/groups/runners_controller_spec.rb27
-rw-r--r--spec/controllers/groups/settings/integrations_controller_spec.rb10
5 files changed, 195 insertions, 190 deletions
diff --git a/spec/controllers/groups/clusters/applications_controller_spec.rb b/spec/controllers/groups/clusters/applications_controller_spec.rb
deleted file mode 100644
index 5629e86c928..00000000000
--- a/spec/controllers/groups/clusters/applications_controller_spec.rb
+++ /dev/null
@@ -1,148 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-RSpec.describe Groups::Clusters::ApplicationsController do
- include AccessMatchersForController
-
- def current_application
- Clusters::Cluster::APPLICATIONS[application]
- end
-
- shared_examples 'a secure endpoint' do
- it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { expect { subject }.to be_allowed_for(:admin) }
- it('is denied for admin when admin mode is disabled') { expect { subject }.to be_denied_for(:admin) }
- it { expect { subject }.to be_allowed_for(:owner).of(group) }
- it { expect { subject }.to be_allowed_for(:maintainer).of(group) }
- it { expect { subject }.to be_denied_for(:developer).of(group) }
- it { expect { subject }.to be_denied_for(:reporter).of(group) }
- it { expect { subject }.to be_denied_for(:guest).of(group) }
- it { expect { subject }.to be_denied_for(:user) }
- it { expect { subject }.to be_denied_for(:external) }
- end
-
- let(:cluster) { create(:cluster, :group, :provided_by_gcp) }
- let(:group) { cluster.group }
-
- describe 'POST create' do
- subject do
- post :create, params: params.merge(group_id: group)
- end
-
- let(:application) { 'ingress' }
- let(:params) { { application: application, id: cluster.id } }
-
- describe 'functionality' do
- let(:user) { create(:user) }
-
- before do
- group.add_maintainer(user)
- sign_in(user)
- end
-
- it 'schedule an application installation' do
- expect(ClusterInstallAppWorker).to receive(:perform_async).with(application, anything).once
-
- expect { subject }.to change { current_application.count }
- expect(response).to have_gitlab_http_status(:no_content)
- expect(cluster.application_ingress).to be_scheduled
- end
-
- context 'when cluster do not exists' do
- before do
- cluster.destroy!
- end
-
- it 'return 404' do
- expect { subject }.not_to change { current_application.count }
- expect(response).to have_gitlab_http_status(:not_found)
- end
- end
-
- context 'when application is unknown' do
- let(:application) { 'unkwnown-app' }
-
- it 'return 404' do
- is_expected.to have_gitlab_http_status(:not_found)
- end
- end
-
- context 'when application is already installing' do
- before do
- create(:clusters_applications_ingress, :installing, cluster: cluster)
- end
-
- it 'returns 400' do
- is_expected.to have_gitlab_http_status(:bad_request)
- end
- end
- end
-
- describe 'security' do
- before do
- allow(ClusterInstallAppWorker).to receive(:perform_async)
- end
-
- it_behaves_like 'a secure endpoint'
- end
- end
-
- describe 'PATCH update' do
- subject do
- patch :update, params: params.merge(group_id: group)
- end
-
- let!(:application) { create(:clusters_applications_cert_manager, :installed, cluster: cluster) }
- let(:application_name) { application.name }
- let(:params) { { application: application_name, id: cluster.id, email: "new-email@example.com" } }
-
- describe 'functionality' do
- let(:user) { create(:user) }
-
- before do
- group.add_maintainer(user)
- sign_in(user)
- end
-
- context "when cluster and app exists" do
- it "schedules an application update" do
- expect(ClusterPatchAppWorker).to receive(:perform_async).with(application.name, anything).once
-
- is_expected.to have_gitlab_http_status(:no_content)
-
- expect(cluster.application_cert_manager).to be_scheduled
- end
- end
-
- context 'when cluster do not exists' do
- before do
- cluster.destroy!
- end
-
- it { is_expected.to have_gitlab_http_status(:not_found) }
- end
-
- context 'when application is unknown' do
- let(:application_name) { 'unkwnown-app' }
-
- it { is_expected.to have_gitlab_http_status(:not_found) }
- end
-
- context 'when application is already scheduled' do
- before do
- application.make_scheduled!
- end
-
- it { is_expected.to have_gitlab_http_status(:bad_request) }
- end
- end
-
- describe 'security' do
- before do
- allow(ClusterPatchAppWorker).to receive(:perform_async)
- end
-
- it_behaves_like 'a secure endpoint'
- end
- end
-end
diff --git a/spec/controllers/groups/dependency_proxy_auth_controller_spec.rb b/spec/controllers/groups/dependency_proxy_auth_controller_spec.rb
index f67b2022219..50e19d5b482 100644
--- a/spec/controllers/groups/dependency_proxy_auth_controller_spec.rb
+++ b/spec/controllers/groups/dependency_proxy_auth_controller_spec.rb
@@ -30,16 +30,31 @@ RSpec.describe Groups::DependencyProxyAuthController do
end
context 'with valid JWT' do
- let_it_be(:user) { create(:user) }
+ context 'user' do
+ let_it_be(:user) { create(:user) }
- let(:jwt) { build_jwt(user) }
- let(:token_header) { "Bearer #{jwt.encoded}" }
+ let(:jwt) { build_jwt(user) }
+ let(:token_header) { "Bearer #{jwt.encoded}" }
- before do
- request.headers['HTTP_AUTHORIZATION'] = token_header
+ before do
+ request.headers['HTTP_AUTHORIZATION'] = token_header
+ end
+
+ it { is_expected.to have_gitlab_http_status(:success) }
end
- it { is_expected.to have_gitlab_http_status(:success) }
+ context 'deploy token' do
+ let_it_be(:user) { create(:deploy_token) }
+
+ let(:jwt) { build_jwt(user) }
+ let(:token_header) { "Bearer #{jwt.encoded}" }
+
+ before do
+ request.headers['HTTP_AUTHORIZATION'] = token_header
+ end
+
+ it { is_expected.to have_gitlab_http_status(:success) }
+ end
end
context 'with invalid JWT' do
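Review bot: The new `context 'user'` and `context 'deploy token'` blocks each repeat the same `let(:jwt)`, `let(:token_header)` and `before` that used to sit once under 'with valid JWT'; only the `user` definition differs. Keeping the shared setup at the outer level and overriding just `let_it_be(:user)` in each inner context would make the difference between the two cases obvious. The same setup is copied again into 'expired deploy token' and 'revoked deploy token' in the last hunk of this file. Binding a deploy token to a variable named `user` is easy to misread, so a comment such as `# build_jwt is given a deploy token here, not a User` on those lines would help. The enclosing describe block starts outside this hunk.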
@@ -51,7 +66,7 @@ RSpec.describe Groups::DependencyProxyAuthController do
request.headers['HTTP_AUTHORIZATION'] = token_header
end
- it { is_expected.to have_gitlab_http_status(:not_found) }
+ it { is_expected.to have_gitlab_http_status(:unauthorized) }
end
context 'token with no user id' do
@@ -61,7 +76,7 @@ RSpec.describe Groups::DependencyProxyAuthController do
request.headers['HTTP_AUTHORIZATION'] = token_header
end
- it { is_expected.to have_gitlab_http_status(:not_found) }
+ it { is_expected.to have_gitlab_http_status(:unauthorized) }
end
context 'expired token' do
@@ -76,6 +91,32 @@ RSpec.describe Groups::DependencyProxyAuthController do
it { is_expected.to have_gitlab_http_status(:unauthorized) }
end
+
+ context 'expired deploy token' do
+ let_it_be(:user) { create(:deploy_token, :expired) }
+
+ let(:jwt) { build_jwt(user) }
+ let(:token_header) { "Bearer #{jwt.encoded}" }
+
+ before do
+ request.headers['HTTP_AUTHORIZATION'] = token_header
+ end
+
+ it { is_expected.to have_gitlab_http_status(:unauthorized) }
+ end
+
+ context 'revoked deploy token' do
+ let_it_be(:user) { create(:deploy_token, :revoked) }
+
+ let(:jwt) { build_jwt(user) }
+ let(:token_header) { "Bearer #{jwt.encoded}" }
+
+ before do
+ request.headers['HTTP_AUTHORIZATION'] = token_header
+ end
+
+ it { is_expected.to have_gitlab_http_status(:unauthorized) }
+ end
end
end
end
diff --git a/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb b/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb
index 9f30a850ca2..7415c2860c8 100644
--- a/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb
+++ b/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb
@@ -7,11 +7,12 @@ RSpec.describe Groups::DependencyProxyForContainersController do
include DependencyProxyHelpers
let_it_be(:user) { create(:user) }
+ let_it_be_with_reload(:group) { create(:group, :private) }
- let(:group) { create(:group) }
let(:token_response) { { status: :success, token: 'abcd1234' } }
let(:jwt) { build_jwt(user) }
let(:token_header) { "Bearer #{jwt.encoded}" }
+ let(:snowplow_gitlab_standard_context) { { namespace: group, user: user } }
shared_examples 'without a token' do
before do
@@ -19,6 +20,8 @@ RSpec.describe Groups::DependencyProxyForContainersController do
end
context 'feature flag disabled' do
+ let_it_be(:group) { create(:group) }
+
before do
stub_feature_flags(dependency_proxy_for_private_groups: false)
end
@@ -34,13 +37,12 @@ RSpec.describe Groups::DependencyProxyForContainersController do
stub_feature_flags(dependency_proxy_for_private_groups: false)
end
- it 'redirects', :aggregate_failures do
+ it 'returns not found' do
group.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE)
subject
- expect(response).to have_gitlab_http_status(:redirect)
- expect(response.location).to end_with(new_user_session_path)
+ expect(response).to have_gitlab_http_status(:not_found)
end
end
@@ -52,21 +54,52 @@ RSpec.describe Groups::DependencyProxyForContainersController do
request.headers['HTTP_AUTHORIZATION'] = token_header
end
- it { is_expected.to have_gitlab_http_status(:not_found) }
+ it { is_expected.to have_gitlab_http_status(:unauthorized) }
end
context 'with valid user that does not have access' do
- let(:group) { create(:group, :private) }
-
before do
- user = double('bad_user', id: 999)
- token_header = "Bearer #{build_jwt(user).encoded}"
request.headers['HTTP_AUTHORIZATION'] = token_header
end
it { is_expected.to have_gitlab_http_status(:not_found) }
end
+ context 'with deploy token from a different group,' do
+ let_it_be(:user) { create(:deploy_token, :group, :dependency_proxy_scopes) }
+
+ it { is_expected.to have_gitlab_http_status(:not_found) }
+ end
+
+ context 'with revoked deploy token' do
+ let_it_be(:user) { create(:deploy_token, :revoked, :group, :dependency_proxy_scopes) }
+ let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }
+
+ it { is_expected.to have_gitlab_http_status(:unauthorized) }
+ end
+
+ context 'with expired deploy token' do
+ let_it_be(:user) { create(:deploy_token, :expired, :group, :dependency_proxy_scopes) }
+ let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }
+
+ it { is_expected.to have_gitlab_http_status(:unauthorized) }
+ end
+
+ context 'with deploy token with insufficient scopes' do
+ let_it_be(:user) { create(:deploy_token, :group) }
+ let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }
+
+ it { is_expected.to have_gitlab_http_status(:not_found) }
+ end
+
+ context 'when a group is not found' do
+ before do
+ expect(Group).to receive(:find_by_full_path).and_return(nil)
+ end
+
+ it { is_expected.to have_gitlab_http_status(:not_found) }
+ end
+
context 'when user is not found' do
before do
allow(User).to receive(:find).and_return(nil)
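Review bot: In 'when a group is not found' the `before` block uses `expect(Group).to receive(:find_by_full_path).and_return(nil)`, which turns setup into an assertion, while the neighbouring 'when user is not found' context stubs with `allow`. Unless the call itself is what the example checks, `allow(Group).to receive(:find_by_full_path).and_return(nil)` is the consistent form. The description 'with deploy token from a different group,' carries a stray trailing comma. The new deploy-token contexts expect 401 for revoked and expired tokens but 404 for a token from another group or with insufficient scopes; a one-line comment stating that rule would spare readers from inferring it. The enclosing block begins outside this hunk.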
@@ -104,7 +137,7 @@ RSpec.describe Groups::DependencyProxyForContainersController do
describe 'GET #manifest' do
let_it_be(:manifest) { create(:dependency_proxy_manifest) }
- let(:pull_response) { { status: :success, manifest: manifest } }
+ let(:pull_response) { { status: :success, manifest: manifest, from_cache: false } }
before do
allow_next_instance_of(DependencyProxy::FindOrCreateManifestService) do |instance|
@@ -132,6 +165,10 @@ RSpec.describe Groups::DependencyProxyForContainersController do
}
end
+ before do
+ group.add_guest(user)
+ end
+
it 'proxies status from the remote token request', :aggregate_failures do
subject
@@ -149,6 +186,10 @@ RSpec.describe Groups::DependencyProxyForContainersController do
}
end
+ before do
+ group.add_guest(user)
+ end
+
it 'proxies status from the remote manifest request', :aggregate_failures do
subject
@@ -157,21 +198,39 @@ RSpec.describe Groups::DependencyProxyForContainersController do
end
end
- it 'sends a file' do
- expect(controller).to receive(:send_file).with(manifest.file.path, type: manifest.content_type)
+ context 'a valid user' do
+ before do
+ group.add_guest(user)
+ end
- subject
+ it_behaves_like 'a successful manifest pull'
+ it_behaves_like 'a package tracking event', described_class.name, 'pull_manifest'
+
+ context 'with a cache entry' do
+ let(:pull_response) { { status: :success, manifest: manifest, from_cache: true } }
+
+ it_behaves_like 'returning response status', :success
+ it_behaves_like 'a package tracking event', described_class.name, 'pull_manifest_from_cache'
+ end
end
- it 'returns Content-Disposition: attachment' do
- subject
+ context 'a valid deploy token' do
+ let_it_be(:user) { create(:deploy_token, :dependency_proxy_scopes, :group) }
+ let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }
+
+ it_behaves_like 'a successful manifest pull'
+
+ context 'pulling from a subgroup' do
+ let_it_be_with_reload(:parent_group) { create(:group) }
+ let_it_be_with_reload(:group) { create(:group, parent: parent_group) }
+
+ before do
+ parent_group.create_dependency_proxy_setting!(enabled: true)
+ group_deploy_token.update_column(:group_id, parent_group.id)
+ end
- expect(response).to have_gitlab_http_status(:ok)
- expect(response.headers['Docker-Content-Digest']).to eq(manifest.digest)
- expect(response.headers['Content-Length']).to eq(manifest.size)
- expect(response.headers['Docker-Distribution-Api-Version']).to eq(DependencyProxy::DISTRIBUTION_API_VERSION)
- expect(response.headers['Etag']).to eq("\"#{manifest.digest}\"")
- expect(response.headers['Content-Disposition']).to match(/^attachment/)
+ it_behaves_like 'a successful manifest pull'
+ end
end
end
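Review bot: In 'pulling from a subgroup' the `before` block mutates `group_deploy_token` with `update_column`, but that record is declared with plain `let_it_be`, so the changed `group_id` can remain on the in-memory object for later examples even after the database row is rolled back. Declaring it with `let_it_be_with_reload(:group_deploy_token)`, as this hunk already does for `group` and `parent_group`, avoids that. The same pattern appears in the blob hunk further down, in its own 'a valid deploy token' context. The case covered is a parent-group token pulling from a subgroup; the reverse direction (a token attached to the subgroup used against the parent) is not exercised in the visible hunks, and it is the check that would catch over-broad inheritance. The removed header assertions now rely on 'a successful manifest pull', which is defined outside this page.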
@@ -186,7 +245,7 @@ RSpec.describe Groups::DependencyProxyForContainersController do
let_it_be(:blob) { create(:dependency_proxy_blob) }
let(:blob_sha) { blob.file_name.sub('.gz', '') }
- let(:blob_response) { { status: :success, blob: blob } }
+ let(:blob_response) { { status: :success, blob: blob, from_cache: false } }
before do
allow_next_instance_of(DependencyProxy::FindOrCreateBlobService) do |instance|
@@ -214,6 +273,10 @@ RSpec.describe Groups::DependencyProxyForContainersController do
}
end
+ before do
+ group.add_guest(user)
+ end
+
it 'proxies status from the remote blob request', :aggregate_failures do
subject
@@ -222,17 +285,39 @@ RSpec.describe Groups::DependencyProxyForContainersController do
end
end
- it 'sends a file' do
- expect(controller).to receive(:send_file).with(blob.file.path, {})
+ context 'a valid user' do
+ before do
+ group.add_guest(user)
+ end
- subject
+ it_behaves_like 'a successful blob pull'
+ it_behaves_like 'a package tracking event', described_class.name, 'pull_blob'
+
+ context 'with a cache entry' do
+ let(:blob_response) { { status: :success, blob: blob, from_cache: true } }
+
+ it_behaves_like 'returning response status', :success
+ it_behaves_like 'a package tracking event', described_class.name, 'pull_blob_from_cache'
+ end
end
- it 'returns Content-Disposition: attachment', :aggregate_failures do
- subject
+ context 'a valid deploy token' do
+ let_it_be(:user) { create(:deploy_token, :group, :dependency_proxy_scopes) }
+ let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: user, group: group) }
+
+ it_behaves_like 'a successful blob pull'
- expect(response).to have_gitlab_http_status(:ok)
- expect(response.headers['Content-Disposition']).to match(/^attachment/)
+ context 'pulling from a subgroup' do
+ let_it_be_with_reload(:parent_group) { create(:group) }
+ let_it_be_with_reload(:group) { create(:group, parent: parent_group) }
+
+ before do
+ parent_group.create_dependency_proxy_setting!(enabled: true)
+ group_deploy_token.update_column(:group_id, parent_group.id)
+ end
+
+ it_behaves_like 'a successful blob pull'
+ end
end
end
diff --git a/spec/controllers/groups/runners_controller_spec.rb b/spec/controllers/groups/runners_controller_spec.rb
index 2f1c6c813cf..1808969cd60 100644
--- a/spec/controllers/groups/runners_controller_spec.rb
+++ b/spec/controllers/groups/runners_controller_spec.rb
@@ -15,6 +15,33 @@ RSpec.describe Groups::RunnersController do
sign_in(user)
end
+ describe '#index' do
+ context 'when user is owner' do
+ before do
+ group.add_owner(user)
+ end
+
+ it 'renders show with 200 status code' do
+ get :index, params: { group_id: group }
+
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(response).to render_template(:index)
+ end
+ end
+
+ context 'when user is not owner' do
+ before do
+ group.add_maintainer(user)
+ end
+
+ it 'renders a 404' do
+ get :index, params: { group_id: group }
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+ end
+ end
+
describe '#show' do
context 'when user is owner' do
before do
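Review bot: The example under '#index' / 'when user is owner' is titled 'renders show with 200 status code', yet it requests `:index` and asserts `render_template(:index)`; the title looks copied from the '#show' block that follows. `it 'renders index with 200 status code' do` matches what is asserted. The negative case uses a maintainer, so a short comment above it such as `# owner is the minimum role that may list group runners` would record the intended access rule.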
diff --git a/spec/controllers/groups/settings/integrations_controller_spec.rb b/spec/controllers/groups/settings/integrations_controller_spec.rb
index ef8f9f69710..931e726850a 100644
--- a/spec/controllers/groups/settings/integrations_controller_spec.rb
+++ b/spec/controllers/groups/settings/integrations_controller_spec.rb
@@ -69,25 +69,25 @@ RSpec.describe Groups::Settings::IntegrationsController do
group.add_owner(user)
stub_jira_integration_test
- put :update, params: { group_id: group, id: integration.class.to_param, service: { url: url } }
+ put :update, params: { group_id: group, id: integration.class.to_param, service: params }
end
context 'valid params' do
- let(:url) { 'https://jira.gitlab-example.com' }
+ let(:params) { { url: 'https://jira.gitlab-example.com', password: 'password' } }
it 'updates the integration' do
expect(response).to have_gitlab_http_status(:found)
- expect(integration.reload.url).to eq(url)
+ expect(integration.reload).to have_attributes(params)
end
end
context 'invalid params' do
- let(:url) { 'invalid' }
+ let(:params) { { url: 'invalid', password: 'password' } }
it 'does not update the integration' do
expect(response).to have_gitlab_http_status(:ok)
expect(response).to render_template(:edit)
- expect(integration.reload.url).not_to eq(url)
+ expect(integration.reload).not_to have_attributes(params)
end
end
end
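Review bot: The invalid-params example now asserts `expect(integration.reload).not_to have_attributes(params)`, and a negated `have_attributes` with several keys passes only when none of them match, so the check also depends on the stored password differing from 'password'. That is stricter than the old URL-only assertion but not obvious on reading; a comment such as `# neither url nor password may be persisted` would make it explicit. Nothing in the hunk says why `password` must now accompany `url`; if the controller expects the secret to be re-entered when the URL changes, which is presumably the reason, state that next to `let(:params)`. The enclosing describe starts outside the hunk.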