diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-07-19 17:16:28 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-07-19 17:16:28 +0300 |
commit | e4384360a16dd9a19d4d2d25d0ef1f2b862ed2a6 (patch) | |
tree | 2fcdfa7dcdb9db8f5208b2562f4b4e803d671243 /spec/requests/api/ml_model_packages_spec.rb | |
parent | ffda4e7bcac36987f936b4ba515995a6698698f0 (diff) |
Add latest changes from gitlab-org/gitlab@16-2-stable-eev16.2.0-rc42
Diffstat (limited to 'spec/requests/api/ml_model_packages_spec.rb')
-rw-r--r-- | spec/requests/api/ml_model_packages_spec.rb | 146 |
1 files changed, 115 insertions, 31 deletions
diff --git a/spec/requests/api/ml_model_packages_spec.rb b/spec/requests/api/ml_model_packages_spec.rb index 9c19f522e46..3166298b430 100644 --- a/spec/requests/api/ml_model_packages_spec.rb +++ b/spec/requests/api/ml_model_packages_spec.rb @@ -75,6 +75,48 @@ RSpec.describe ::API::MlModelPackages, feature_category: :mlops do :private | :developer | true | :deploy_token | true | :success :private | :developer | true | :deploy_token | false | :unauthorized end + + # :visibility, :user_role, :member, :token_type, :valid_token, :expected_status + def download_permissions_tables + :public | :developer | true | :personal_access_token | true | :success + :public | :guest | true | :personal_access_token | true | :success + :public | :developer | true | :personal_access_token | false | :unauthorized + :public | :guest | true | :personal_access_token | false | :unauthorized + :public | :developer | false | :personal_access_token | true | :success + :public | :guest | false | :personal_access_token | true | :success + :public | :developer | false | :personal_access_token | false | :unauthorized + :public | :guest | false | :personal_access_token | false | :unauthorized + :public | :anonymous | false | :personal_access_token | true | :success + :private | :developer | true | :personal_access_token | true | :success + :private | :guest | true | :personal_access_token | true | :forbidden + :private | :developer | true | :personal_access_token | false | :unauthorized + :private | :guest | true | :personal_access_token | false | :unauthorized + :private | :developer | false | :personal_access_token | true | :not_found + :private | :guest | false | :personal_access_token | true | :not_found + :private | :developer | false | :personal_access_token | false | :unauthorized + :private | :guest | false | :personal_access_token | false | :unauthorized + :private | :anonymous | false | :personal_access_token | true | :not_found + :public | :developer | true | :job_token | true | :success + :public | :guest | true | :job_token | true | :success + :public | :developer | true | :job_token | false | :unauthorized + :public | :guest | true | :job_token | false | :unauthorized + :public | :developer | false | :job_token | true | :success + :public | :guest | false | :job_token | true | :success + :public | :developer | false | :job_token | false | :unauthorized + :public | :guest | false | :job_token | false | :unauthorized + :private | :developer | true | :job_token | true | :success + :private | :guest | true | :job_token | true | :forbidden + :private | :developer | true | :job_token | false | :unauthorized + :private | :guest | true | :job_token | false | :unauthorized + :private | :developer | false | :job_token | true | :not_found + :private | :guest | false | :job_token | true | :not_found + :private | :developer | false | :job_token | false | :unauthorized + :private | :guest | false | :job_token | false | :unauthorized + :public | :developer | true | :deploy_token | true | :success + :public | :developer | true | :deploy_token | false | :unauthorized + :private | :developer | true | :deploy_token | true | :success + :private | :developer | true | :deploy_token | false | :unauthorized + end # rubocop:enable Metrics/AbcSize end @@ -82,18 +124,23 @@ RSpec.describe ::API::MlModelPackages, feature_category: :mlops do project.send("add_#{user_role}", user) if member && user_role != :anonymous end - subject(:api_response) do - request - response - end - - describe 'PUT /api/v4/projects/:id/packages/ml_models/:package_name/:package_version/:file_name/authorize' do + describe 'PUT /api/v4/projects/:id/packages/ml_models/:model_name/:model_version/:file_name/authorize' do include_context 'ml model authorize permissions table' let(:token) { tokens[:personal_access_token] } let(:user_headers) { { 'HTTP_AUTHORIZATION' => token } } let(:headers) { user_headers.merge(workhorse_headers) } let(:request) { authorize_upload_file(headers) } + let(:model_name) { 'my_package' } + let(:file_name) { 'myfile.tar.gz' } + + subject(:api_response) do + url = "/projects/#{project.id}/packages/ml_models/#{model_name}/0.0.1/#{file_name}/authorize" + + put api(url), headers: headers + + response + end describe 'user access' do where(:visibility, :user_role, :member, :token_type, :valid_token, :expected_status) do @@ -115,16 +162,14 @@ RSpec.describe ::API::MlModelPackages, feature_category: :mlops do end describe 'application security' do - where(:param_name, :param_value) do - :package_name | 'my-package/../' - :package_name | 'my-package%2f%2e%2e%2f' - :file_name | '../.ssh%2fauthorized_keys' - :file_name | '%2e%2e%2f.ssh%2fauthorized_keys' + where(:model_name, :file_name) do + 'my-package/../' | 'myfile.tar.gz' + 'my-package%2f%2e%2e%2f' | 'myfile.tar.gz' + 'my_package' | '../.ssh%2fauthorized_keys' + 'my_package' | '%2e%2e%2f.ssh%2fauthorized_keys' end with_them do - let(:request) { authorize_upload_file(headers, param_name => param_value) } - it 'rejects malicious request' do is_expected.to have_gitlab_http_status(:bad_request) end @@ -132,7 +177,7 @@ RSpec.describe ::API::MlModelPackages, feature_category: :mlops do end end - describe 'PUT /api/v4/projects/:id/packages/ml_models/:package_name/:package_version/:file_name' do + describe 'PUT /api/v4/projects/:id/packages/ml_models/:model_name/:model_version/:file_name' do include_context 'ml model authorize permissions table' let_it_be(:file_name) { 'model.md5' } @@ -143,9 +188,21 @@ RSpec.describe ::API::MlModelPackages, feature_category: :mlops do let(:params) { { file: temp_file(file_name) } } let(:file_key) { :file } let(:send_rewritten_field) { true } + let(:model_name) { 'my_package' } + + subject(:api_response) do + url = "/projects/#{project.id}/packages/ml_models/#{model_name}/0.0.1/#{file_name}" - let(:request) do - upload_file(headers) + workhorse_finalize( + api(url), + method: :put, + file_key: file_key, + params: params, + headers: headers, + send_rewritten_field: send_rewritten_field + ) + + response end describe 'success' do @@ -179,22 +236,49 @@ RSpec.describe ::API::MlModelPackages, feature_category: :mlops do end end - def authorize_upload_file(request_headers, package_name: 'mypackage', file_name: 'myfile.tar.gz') - url = "/projects/#{project.id}/packages/ml_models/#{package_name}/0.0.1/#{file_name}/authorize" + describe 'GET /api/v4/projects/:project_id/packages/ml_models/:model_name/:model_version/:file_name' do + include_context 'ml model authorize permissions table' - put api(url), headers: request_headers - end + let_it_be(:package) { create(:ml_model_package, project: project, name: 'model', version: '0.0.1') } + let_it_be(:package_file) { create(:package_file, :generic, package: package, file_name: 'model.md5') } - def upload_file(request_headers, package_name: 'mypackage') - url = "/projects/#{project.id}/packages/ml_models/#{package_name}/0.0.1/#{file_name}" - - workhorse_finalize( - api(url), - method: :put, - file_key: file_key, - params: params, - headers: request_headers, - send_rewritten_field: send_rewritten_field - ) + let(:model_name) { package.name } + let(:model_version) { package.version } + let(:file_name) { package_file.file_name } + + let(:token) { tokens[:personal_access_token] } + let(:user_headers) { { 'HTTP_AUTHORIZATION' => token } } + let(:headers) { user_headers.merge(workhorse_headers) } + + subject(:api_response) do + url = "/projects/#{project.id}/packages/ml_models/#{model_name}/#{model_version}/#{file_name}" + + get api(url), headers: headers + + response + end + + describe 'user access' do + where(:visibility, :user_role, :member, :token_type, :valid_token, :expected_status) do + download_permissions_tables + end + + with_them do + let(:token) { valid_token ? tokens[token_type] : 'invalid-token123' } + let(:user_headers) { user_role == :anonymous ? {} : { 'HTTP_AUTHORIZATION' => token } } + + before do + project.update_column(:visibility_level, Gitlab::VisibilityLevel.level_value(visibility.to_s)) + end + + if params[:expected_status] == :success + it_behaves_like 'process ml model package download' + else + it { is_expected.to have_gitlab_http_status(expected_status) } + end + end + + it_behaves_like 'Endpoint not found if read_model_registry not available' + end end end |