Add latest changes from gitlab-org/gitlab@13-3-stable-ee

2 files changed, 263 insertions, 3 deletions

diff --git a/spec/lib/object_storage/config_spec.rb b/spec/lib/object_storage/config_spec.rb
new file mode 100644
index 00000000000..a48b5100065
--- /dev/null
+++ b/spec/lib/object_storage/config_spec.rb
@@ -0,0 +1,179 @@
+# frozen_string_literal: true
+
+require 'fast_spec_helper'
+require 'rspec-parameterized'
+
+RSpec.describe ObjectStorage::Config do
+  using RSpec::Parameterized::TableSyntax
+
+  let(:region) { 'us-east-1' }
+  let(:bucket_name) { 'test-bucket' }
+  let(:credentials) do
+    {
+      provider: 'AWS',
+      aws_access_key_id: 'AWS_ACCESS_KEY_ID',
+      aws_secret_access_key: 'AWS_SECRET_ACCESS_KEY',
+      region: region
+    }
+  end
+
+  let(:storage_options) do
+    {
+      server_side_encryption: 'AES256',
+      server_side_encryption_kms_key_id: 'arn:aws:12345'
+    }
+  end
+
+  let(:raw_config) do
+    {
+      enabled: true,
+      connection: credentials,
+      remote_directory: bucket_name,
+      storage_options: storage_options
+    }
+  end
+
+  subject { described_class.new(raw_config.as_json) }
+
+  describe '#credentials' do
+    it { expect(subject.credentials).to eq(credentials) }
+  end
+
+  describe '#storage_options' do
+    it { expect(subject.storage_options).to eq(storage_options) }
+  end
+
+  describe '#enabled?' do
+    it { expect(subject.enabled?).to eq(true) }
+  end
+
+  describe '#bucket' do
+    it { expect(subject.bucket).to eq(bucket_name) }
+  end
+
+  describe '#use_iam_profile' do
+    it { expect(subject.use_iam_profile?).to be false }
+  end
+
+  describe '#use_path_style' do
+    it { expect(subject.use_path_style?).to be false }
+  end
+
+  context 'with unconsolidated settings' do
+    describe 'consolidated_settings? returns false' do
+      it { expect(subject.consolidated_settings?).to be false }
+    end
+  end
+
+  context 'with consolidated settings' do
+    before do
+      raw_config[:consolidated_settings] = true
+    end
+
+    describe 'consolidated_settings? returns true' do
+      it { expect(subject.consolidated_settings?).to be true }
+    end
+  end
+
+  context 'with IAM profile configured' do
+    where(:value, :expected) do
+      true    | true
+      "true"  | true
+      "yes"   | true
+      false   | false
+      "false" | false
+      "no"    | false
+      nil     | false
+    end
+
+    with_them do
+      before do
+        credentials[:use_iam_profile] = value
+      end
+
+      it 'coerces the value to a boolean' do
+        expect(subject.use_iam_profile?).to be expected
+      end
+    end
+  end
+
+  context 'with path style configured' do
+    where(:value, :expected) do
+      true    | true
+      "true"  | true
+      "yes"   | true
+      false   | false
+      "false" | false
+      "no"    | false
+      nil     | false
+    end
+
+    with_them do
+      before do
+        credentials[:path_style] = value
+      end
+
+      it 'coerces the value to a boolean' do
+        expect(subject.use_path_style?).to be expected
+      end
+    end
+  end
+
+  context 'with hostname style access' do
+    it '#use_path_style? returns false' do
+      expect(subject.use_path_style?).to be false
+    end
+  end
+
+  context 'with AWS credentials' do
+    it { expect(subject.provider).to eq('AWS') }
+    it { expect(subject.aws?).to be true }
+    it { expect(subject.google?).to be false }
+  end
+
+  context 'with Google credentials' do
+    let(:credentials) do
+      {
+        provider: 'Google',
+        google_client_email: 'foo@gcp-project.example.com',
+        google_json_key_location: '/path/to/gcp.json'
+      }
+    end
+
+    it { expect(subject.provider).to eq('Google') }
+    it { expect(subject.aws?).to be false }
+    it { expect(subject.google?).to be true }
+    it { expect(subject.fog_attributes).to eq({}) }
+  end
+
+  context 'with SSE-KMS enabled' do
+    it { expect(subject.server_side_encryption).to eq('AES256') }
+    it { expect(subject.server_side_encryption_kms_key_id).to eq('arn:aws:12345') }
+    it { expect(subject.fog_attributes.keys).to match_array(%w(x-amz-server-side-encryption x-amz-server-side-encryption-aws-kms-key-id)) }
+  end
+
+  context 'with only server side encryption enabled' do
+    let(:storage_options) { { server_side_encryption: 'AES256' } }
+
+    it { expect(subject.server_side_encryption).to eq('AES256') }
+    it { expect(subject.server_side_encryption_kms_key_id).to be_nil }
+    it { expect(subject.fog_attributes).to eq({ 'x-amz-server-side-encryption' => 'AES256' }) }
+  end
+
+  context 'without encryption enabled' do
+    let(:storage_options) { {} }
+
+    it { expect(subject.server_side_encryption).to be_nil }
+    it { expect(subject.server_side_encryption_kms_key_id).to be_nil }
+    it { expect(subject.fog_attributes).to eq({}) }
+  end
+
+  context 'with object storage disabled' do
+    before do
+      raw_config['enabled'] = false
+    end
+
+    it { expect(subject.enabled?).to be false }
+    it { expect(subject.fog_attributes).to eq({}) }
+  end
+end
diff --git a/spec/lib/object_storage/direct_upload_spec.rb b/spec/lib/object_storage/direct_upload_spec.rb
index 1c1455e2456..b11926aeb49 100644
--- a/spec/lib/object_storage/direct_upload_spec.rb
+++ b/spec/lib/object_storage/direct_upload_spec.rb
@@ -18,13 +18,25 @@ RSpec.describe ObjectStorage::DirectUpload do
     }
   end
 
+  let(:storage_options) { {} }
+  let(:raw_config) do
+    {
+      enabled: true,
+      connection: credentials,
+      remote_directory: bucket_name,
+      storage_options: storage_options,
+      consolidated_settings: consolidated_settings
+    }
+  end
+
+  let(:config) { ObjectStorage::Config.new(raw_config) }
   let(:storage_url) { 'https://uploads.s3.amazonaws.com/' }
 
   let(:bucket_name) { 'uploads' }
   let(:object_name) { 'tmp/uploads/my-file' }
   let(:maximum_size) { 1.gigabyte }
 
-  let(:direct_upload) { described_class.new(credentials, bucket_name, object_name, has_length: has_length, maximum_size: maximum_size, consolidated_settings: consolidated_settings) }
+  let(:direct_upload) { described_class.new(config, object_name, has_length: has_length, maximum_size: maximum_size) }
 
   before do
     Fog.unmock!
@@ -62,7 +74,7 @@ RSpec.describe ObjectStorage::DirectUpload do
   end
 
   describe '#get_url' do
-    subject { described_class.new(credentials, bucket_name, object_name, has_length: true) }
+    subject { described_class.new(config, object_name, has_length: true) }
 
     context 'when AWS is used' do
       it 'calls the proper method' do
@@ -93,7 +105,7 @@ RSpec.describe ObjectStorage::DirectUpload do
     end
   end
 
-  describe '#to_hash' do
+  describe '#to_hash', :aggregate_failures do
     subject { direct_upload.to_hash }
 
     shared_examples 'a valid S3 upload' do
@@ -111,6 +123,7 @@ RSpec.describe ObjectStorage::DirectUpload do
         expect(s3_config[:Region]).to eq(region)
         expect(s3_config[:PathStyle]).to eq(path_style)
         expect(s3_config[:UseIamProfile]).to eq(use_iam_profile)
+        expect(s3_config.keys).not_to include(%i(ServerSideEncryption SSEKMSKeyID))
       end
 
       context 'when feature flag is disabled' do
@@ -150,6 +163,33 @@ RSpec.describe ObjectStorage::DirectUpload do
           expect(subject[:UseWorkhorseClient]).to be true
         end
       end
+
+      context 'when only server side encryption is used' do
+        let(:storage_options) { { server_side_encryption: 'AES256' } }
+
+        it 'sends server side encryption settings' do
+          s3_config = subject[:ObjectStorage][:S3Config]
+
+          expect(s3_config[:ServerSideEncryption]).to eq('AES256')
+          expect(s3_config.keys).not_to include(:SSEKMSKeyID)
+        end
+      end
+
+      context 'when SSE-KMS is used' do
+        let(:storage_options) do
+          {
+            server_side_encryption: 'AES256',
+            server_side_encryption_kms_key_id: 'arn:aws:12345'
+          }
+        end
+
+        it 'sends server side encryption settings' do
+          s3_config = subject[:ObjectStorage][:S3Config]
+
+          expect(s3_config[:ServerSideEncryption]).to eq('AES256')
+          expect(s3_config[:SSEKMSKeyID]).to eq('arn:aws:12345')
+        end
+      end
     end
 
     shared_examples 'a valid Google upload' do
@@ -160,6 +200,21 @@ RSpec.describe ObjectStorage::DirectUpload do
       end
     end
 
+    shared_examples 'a valid AzureRM upload' do
+      before do
+        require 'fog/azurerm'
+      end
+
+      it_behaves_like 'a valid upload'
+
+      it 'enables the Workhorse client' do
+        expect(subject[:UseWorkhorseClient]).to be true
+        expect(subject[:RemoteTempObjectID]).to eq(object_name)
+        expect(subject[:ObjectStorage][:Provider]).to eq('AzureRM')
+        expect(subject[:ObjectStorage][:GoCloudConfig]).to eq({ URL: "azblob://#{bucket_name}" })
+      end
+    end
+
     shared_examples 'a valid upload' do
       it "returns valid structure" do
         expect(subject).to have_key(:Timeout)
@@ -330,5 +385,31 @@ RSpec.describe ObjectStorage::DirectUpload do
         it_behaves_like 'a valid upload without multipart data'
       end
     end
+
+    context 'when AzureRM is used' do
+      let(:credentials) do
+        {
+          provider: 'AzureRM',
+          azure_storage_account_name: 'azuretest',
+          azure_storage_access_key: 'ABCD1234'
+        }
+      end
+
+      let(:storage_url) { 'https://azuretest.blob.core.windows.net' }
+
+      context 'when length is known' do
+        let(:has_length) { true }
+
+        it_behaves_like 'a valid AzureRM upload'
+        it_behaves_like 'a valid upload without multipart data'
+      end
+
+      context 'when length is unknown' do
+        let(:has_length) { false }
+
+        it_behaves_like 'a valid AzureRM upload'
+        it_behaves_like 'a valid upload without multipart data'
+      end
+    end
   end
 end