Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/spec
diff options
context:
space:
mode:
authorGitLab Bot <gitlab-bot@gitlab.com>2019-09-28 03:06:20 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2019-09-28 03:06:20 +0300
commite08eba1838cb749b8815c7da98a504ff97bcfb98 (patch)
tree0172bc4d205f59dd6f3722b27d53e6aa8abb5825 /spec
parentd4633b0e70ec39583ce0b13f277f990b216ac0d9 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'spec')
-rw-r--r--spec/controllers/projects/artifacts_controller_spec.rb19
-rw-r--r--spec/features/projects/artifacts/user_browses_artifacts_spec.rb19
-rw-r--r--spec/lib/gitlab/auth_spec.rb68
-rw-r--r--spec/lib/gitlab/lfs_token_spec.rb40
-rw-r--r--spec/models/user_spec.rb30
-rw-r--r--spec/requests/lfs_http_spec.rb827
-rw-r--r--spec/support/helpers/lfs_http_helpers.rb62
-rw-r--r--spec/support/shared_examples/lfs_http_shared_examples.rb43
8 files changed, 572 insertions, 536 deletions
diff --git a/spec/controllers/projects/artifacts_controller_spec.rb b/spec/controllers/projects/artifacts_controller_spec.rb
index c0b01e573b2..e42e35bc6e0 100644
--- a/spec/controllers/projects/artifacts_controller_spec.rb
+++ b/spec/controllers/projects/artifacts_controller_spec.rb
@@ -286,6 +286,25 @@ describe Projects::ArtifactsController do
expect(response).to render_template('projects/artifacts/file')
end
end
+
+ context 'when the project is private and pages access control is enabled' do
+ let(:private_project) { create(:project, :repository, :private) }
+ let(:pipeline) { create(:ci_pipeline, project: private_project) }
+ let(:job) { create(:ci_build, :success, :artifacts, pipeline: pipeline) }
+
+ before do
+ private_project.add_developer(user)
+
+ allow(Gitlab.config.pages).to receive(:access_control).and_return(true)
+ allow(Gitlab.config.pages).to receive(:artifacts_server).and_return(true)
+ end
+
+ it 'renders the file view' do
+ get :file, params: { namespace_id: private_project.namespace, project_id: private_project, job_id: job, path: 'ci_artifacts.txt' }
+
+ expect(response).to have_gitlab_http_status(302)
+ end
+ end
end
describe 'GET raw' do
diff --git a/spec/features/projects/artifacts/user_browses_artifacts_spec.rb b/spec/features/projects/artifacts/user_browses_artifacts_spec.rb
index ecc07181d09..d8c6ef4755d 100644
--- a/spec/features/projects/artifacts/user_browses_artifacts_spec.rb
+++ b/spec/features/projects/artifacts/user_browses_artifacts_spec.rb
@@ -114,5 +114,24 @@ describe "User browses artifacts" do
it { expect(page).to have_link("doc_sample.txt").and have_no_selector(".js-artifact-tree-external-icon") }
end
+
+ context "when the project is private and pages access control is enabled" do
+ let!(:private_project) { create(:project, :private) }
+ let(:pipeline) { create(:ci_empty_pipeline, project: private_project) }
+ let(:job) { create(:ci_build, :artifacts, pipeline: pipeline) }
+ let(:user) { create(:user) }
+
+ before do
+ private_project.add_developer(user)
+
+ allow(Gitlab.config.pages).to receive(:access_control).and_return(true)
+
+ sign_in(user)
+
+ visit(browse_project_job_artifacts_path(private_project, job, "other_artifacts_0.1.2"))
+ end
+
+ it { expect(page).to have_link("doc_sample.txt").and have_selector(".js-artifact-tree-external-icon") }
+ end
end
end
diff --git a/spec/lib/gitlab/auth_spec.rb b/spec/lib/gitlab/auth_spec.rb
index 0365d63ea9c..3fc45bfc920 100644
--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
@@ -4,6 +4,7 @@ require 'spec_helper'
describe Gitlab::Auth do
let(:gl_auth) { described_class }
+ set(:project) { create(:project) }
describe 'constants' do
it 'API_SCOPES contains all scopes for API access' do
@@ -90,13 +91,13 @@ describe Gitlab::Auth do
end
it 'recognises user-less build' do
- expect(subject).to eq(Gitlab::Auth::Result.new(nil, build.project, :ci, build_authentication_abilities))
+ expect(subject).to eq(Gitlab::Auth::Result.new(nil, build.project, :ci, described_class.build_authentication_abilities))
end
it 'recognises user token' do
build.update(user: create(:user))
- expect(subject).to eq(Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities))
+ expect(subject).to eq(Gitlab::Auth::Result.new(build.user, build.project, :build, described_class.build_authentication_abilities))
end
end
@@ -117,26 +118,25 @@ describe Gitlab::Auth do
end
it 'recognizes other ci services' do
- project = create(:project)
project.create_drone_ci_service(active: true)
project.drone_ci_service.update(token: 'token')
expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: 'drone-ci-token')
- expect(gl_auth.find_for_git_client('drone-ci-token', 'token', project: project, ip: 'ip')).to eq(Gitlab::Auth::Result.new(nil, project, :ci, build_authentication_abilities))
+ expect(gl_auth.find_for_git_client('drone-ci-token', 'token', project: project, ip: 'ip')).to eq(Gitlab::Auth::Result.new(nil, project, :ci, described_class.build_authentication_abilities))
end
it 'recognizes master passwords' do
user = create(:user, password: 'password')
expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: user.username)
- expect(gl_auth.find_for_git_client(user.username, 'password', project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities))
+ expect(gl_auth.find_for_git_client(user.username, 'password', project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, described_class.full_authentication_abilities))
end
include_examples 'user login operation with unique ip limit' do
let(:user) { create(:user, password: 'password') }
def operation
- expect(gl_auth.find_for_git_client(user.username, 'password', project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities))
+ expect(gl_auth.find_for_git_client(user.username, 'password', project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, described_class.full_authentication_abilities))
end
end
@@ -146,7 +146,7 @@ describe Gitlab::Auth do
token = Gitlab::LfsToken.new(user).token
expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: user.username)
- expect(gl_auth.find_for_git_client(user.username, token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(user, nil, :lfs_token, full_authentication_abilities))
+ expect(gl_auth.find_for_git_client(user.username, token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(user, nil, :lfs_token, described_class.read_write_project_authentication_abilities))
end
it 'recognizes deploy key lfs tokens' do
@@ -154,7 +154,7 @@ describe Gitlab::Auth do
token = Gitlab::LfsToken.new(key).token
expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: "lfs+deploy-key-#{key.id}")
- expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(key, nil, :lfs_deploy_token, read_only_authentication_abilities))
+ expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(key, nil, :lfs_deploy_token, described_class.read_only_authentication_abilities))
end
it 'does not try password auth before oauth' do
@@ -167,22 +167,20 @@ describe Gitlab::Auth do
end
it 'grants deploy key write permissions' do
- project = create(:project)
key = create(:deploy_key)
create(:deploy_keys_project, :write_access, deploy_key: key, project: project)
token = Gitlab::LfsToken.new(key).token
expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: "lfs+deploy-key-#{key.id}")
- expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: project, ip: 'ip')).to eq(Gitlab::Auth::Result.new(key, nil, :lfs_deploy_token, read_write_authentication_abilities))
+ expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: project, ip: 'ip')).to eq(Gitlab::Auth::Result.new(key, nil, :lfs_deploy_token, described_class.read_write_authentication_abilities))
end
it 'does not grant deploy key write permissions' do
- project = create(:project)
key = create(:deploy_key)
token = Gitlab::LfsToken.new(key).token
expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: "lfs+deploy-key-#{key.id}")
- expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: project, ip: 'ip')).to eq(Gitlab::Auth::Result.new(key, nil, :lfs_deploy_token, read_only_authentication_abilities))
+ expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: project, ip: 'ip')).to eq(Gitlab::Auth::Result.new(key, nil, :lfs_deploy_token, described_class.read_only_authentication_abilities))
end
end
@@ -193,7 +191,7 @@ describe Gitlab::Auth do
it 'succeeds for OAuth tokens with the `api` scope' do
expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: 'oauth2')
- expect(gl_auth.find_for_git_client("oauth2", token_w_api_scope.token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(user, nil, :oauth, full_authentication_abilities))
+ expect(gl_auth.find_for_git_client("oauth2", token_w_api_scope.token, project: nil, ip: 'ip')).to eq(Gitlab::Auth::Result.new(user, nil, :oauth, described_class.full_authentication_abilities))
end
it 'fails for OAuth tokens with other scopes' do
@@ -214,7 +212,7 @@ describe Gitlab::Auth do
it 'succeeds for personal access tokens with the `api` scope' do
personal_access_token = create(:personal_access_token, scopes: ['api'])
- expect_results_with_abilities(personal_access_token, full_authentication_abilities)
+ expect_results_with_abilities(personal_access_token, described_class.full_authentication_abilities)
end
it 'succeeds for personal access tokens with the `read_repository` scope' do
@@ -244,7 +242,7 @@ describe Gitlab::Auth do
it 'succeeds if it is an impersonation token' do
impersonation_token = create(:personal_access_token, :impersonation, scopes: ['api'])
- expect_results_with_abilities(impersonation_token, full_authentication_abilities)
+ expect_results_with_abilities(impersonation_token, described_class.full_authentication_abilities)
end
it 'limits abilities based on scope' do
@@ -267,7 +265,7 @@ describe Gitlab::Auth do
)
expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip'))
- .to eq(Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities))
+ .to eq(Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, described_class.full_authentication_abilities))
end
it 'fails through oauth authentication when the username is oauth2' do
@@ -278,7 +276,7 @@ describe Gitlab::Auth do
)
expect(gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip'))
- .to eq(Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities))
+ .to eq(Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, described_class.full_authentication_abilities))
end
end
@@ -296,7 +294,6 @@ describe Gitlab::Auth do
end
context 'while using deploy tokens' do
- let(:project) { create(:project) }
let(:auth_failure) { Gitlab::Auth::Result.new(nil, nil) }
context 'when deploy token and user have the same username' do
@@ -316,7 +313,7 @@ describe Gitlab::Auth do
end
it 'succeeds for the user' do
- auth_success = Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, full_authentication_abilities)
+ auth_success = Gitlab::Auth::Result.new(user, nil, :gitlab_or_ldap, described_class.full_authentication_abilities)
expect(gl_auth.find_for_git_client(username, 'my-secret', project: project, ip: 'ip'))
.to eq(auth_success)
@@ -344,7 +341,7 @@ describe Gitlab::Auth do
end
context 'and belong to different projects' do
- let!(:read_registry) { create(:deploy_token, username: 'deployer', read_repository: false, projects: [create(:project)]) }
+ let!(:read_registry) { create(:deploy_token, username: 'deployer', read_repository: false, projects: [project]) }
let!(:read_repository) { create(:deploy_token, username: read_registry.username, read_registry: false, projects: [project]) }
it 'succeeds for the right token' do
@@ -582,37 +579,6 @@ describe Gitlab::Auth do
private
- def build_authentication_abilities
- [
- :read_project,
- :build_download_code,
- :build_read_container_image,
- :build_create_container_image,
- :build_destroy_container_image
- ]
- end
-
- def read_only_authentication_abilities
- [
- :read_project,
- :download_code,
- :read_container_image
- ]
- end
-
- def read_write_authentication_abilities
- read_only_authentication_abilities + [
- :push_code,
- :create_container_image
- ]
- end
-
- def full_authentication_abilities
- read_write_authentication_abilities + [
- :admin_container_image
- ]
- end
-
def expect_results_with_abilities(personal_access_token, abilities, success = true)
expect(gl_auth).to receive(:rate_limit!).with('ip', success: success, login: '')
expect(gl_auth.find_for_git_client('', personal_access_token&.token, project: nil, ip: 'ip'))
diff --git a/spec/lib/gitlab/lfs_token_spec.rb b/spec/lib/gitlab/lfs_token_spec.rb
index 701ed1f3a1b..b2fd7bdd307 100644
--- a/spec/lib/gitlab/lfs_token_spec.rb
+++ b/spec/lib/gitlab/lfs_token_spec.rb
@@ -115,6 +115,46 @@ describe Gitlab::LfsToken, :clean_gitlab_redis_shared_state do
expect(lfs_token.token_valid?(lfs_token.token)).to be_truthy
end
end
+
+ context 'when the actor is a regular user' do
+ context 'when the user is blocked' do
+ let(:actor) { create(:user, :blocked) }
+
+ it 'returns false' do
+ expect(lfs_token.token_valid?(lfs_token.token)).to be_falsey
+ end
+ end
+
+ context 'when the user password is expired' do
+ let(:actor) { create(:user, password_expires_at: 1.minute.ago) }
+
+ it 'returns false' do
+ expect(lfs_token.token_valid?(lfs_token.token)).to be_falsey
+ end
+ end
+ end
+
+ context 'when the actor is an ldap user' do
+ before do
+ allow(actor).to receive(:ldap_user?).and_return(true)
+ end
+
+ context 'when the user is blocked' do
+ let(:actor) { create(:user, :blocked) }
+
+ it 'returns false' do
+ expect(lfs_token.token_valid?(lfs_token.token)).to be_falsey
+ end
+ end
+
+ context 'when the user password is expired' do
+ let(:actor) { create(:user, password_expires_at: 1.minute.ago) }
+
+ it 'returns true' do
+ expect(lfs_token.token_valid?(lfs_token.token)).to be_truthy
+ end
+ end
+ end
end
end
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 228d1ce9964..2b171edcfce 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -3616,4 +3616,34 @@ describe User do
end
end
end
+
+ describe '#password_expired?' do
+ let(:user) { build(:user, password_expires_at: password_expires_at) }
+
+ subject { user.password_expired? }
+
+ context 'when password_expires_at is not set' do
+ let(:password_expires_at) {}
+
+ it 'returns false' do
+ is_expected.to be_falsey
+ end
+ end
+
+ context 'when password_expires_at is in the past' do
+ let(:password_expires_at) { 1.minute.ago }
+
+ it 'returns true' do
+ is_expected.to be_truthy
+ end
+ end
+
+ context 'when password_expires_at is in the future' do
+ let(:password_expires_at) { 1.minute.from_now }
+
+ it 'returns false' do
+ is_expected.to be_falsey
+ end
+ end
+ end
end
diff --git a/spec/requests/lfs_http_spec.rb b/spec/requests/lfs_http_spec.rb
index dc25e4d808e..ae34f7d1f87 100644
--- a/spec/requests/lfs_http_spec.rb
+++ b/spec/requests/lfs_http_spec.rb
@@ -1,10 +1,13 @@
+# frozen_string_literal: true
require 'spec_helper'
describe 'Git LFS API and storage' do
- include WorkhorseHelpers
+ include LfsHttpHelpers
include ProjectForksHelper
- let(:user) { create(:user) }
+ set(:project) { create(:project, :repository) }
+ set(:other_project) { create(:project, :repository) }
+ set(:user) { create(:user) }
let!(:lfs_object) { create(:lfs_object, :with_file) }
let(:headers) do
@@ -19,201 +22,163 @@ describe 'Git LFS API and storage' do
let(:sample_oid) { lfs_object.oid }
let(:sample_size) { lfs_object.size }
+ let(:sample_object) { { 'oid' => sample_oid, 'size' => sample_size } }
+ let(:non_existing_object_oid) { '91eff75a492a3ed0dfcb544d7f31326bc4014c8551849c192fd1e48d4dd2c897' }
+ let(:non_existing_object_size) { 1575078 }
+ let(:non_existing_object) { { 'oid' => non_existing_object_oid, 'size' => non_existing_object_size } }
+ let(:multiple_objects) { [sample_object, non_existing_object] }
- describe 'when lfs is disabled' do
- let(:project) { create(:project) }
- let(:body) do
- {
- 'objects' => [
- { 'oid' => '91eff75a492a3ed0dfcb544d7f31326bc4014c8551849c192fd1e48d4dd2c897',
- 'size' => 1575078 },
- { 'oid' => sample_oid,
- 'size' => sample_size }
- ],
- 'operation' => 'upload'
- }
- end
+ let(:lfs_enabled) { true }
+
+ before do
+ stub_lfs_setting(enabled: lfs_enabled)
+ end
+
+ describe 'when LFS is disabled' do
+ let(:lfs_enabled) { false }
+ let(:body) { upload_body(multiple_objects) }
let(:authorization) { authorize_user }
before do
- allow(Gitlab.config.lfs).to receive(:enabled).and_return(false)
- post_lfs_json "#{project.http_url_to_repo}/info/lfs/objects/batch", body, headers
+ post_lfs_json batch_url(project), body, headers
end
- it 'responds with 501' do
- expect(response).to have_gitlab_http_status(501)
- expect(json_response).to include('message' => 'Git LFS is not enabled on this GitLab server, contact your admin.')
- end
+ it_behaves_like 'LFS http 501 response'
end
context 'project specific LFS settings' do
- let(:project) { create(:project) }
- let(:body) do
- {
- 'objects' => [
- { 'oid' => '91eff75a492a3ed0dfcb544d7f31326bc4014c8551849c192fd1e48d4dd2c897',
- 'size' => 1575078 },
- { 'oid' => sample_oid,
- 'size' => sample_size }
- ],
- 'operation' => 'upload'
- }
- end
+ let(:body) { upload_body(sample_object) }
let(:authorization) { authorize_user }
+ before do
+ project.add_maintainer(user)
+ project.update_attribute(:lfs_enabled, project_lfs_enabled)
+
+ subject
+ end
+
context 'with LFS disabled globally' do
- before do
- project.add_maintainer(user)
- allow(Gitlab.config.lfs).to receive(:enabled).and_return(false)
- end
+ let(:lfs_enabled) { false }
describe 'LFS disabled in project' do
- before do
- project.update_attribute(:lfs_enabled, false)
- end
+ let(:project_lfs_enabled) { false }
- it 'responds with a 501 message on upload' do
- post_lfs_json "#{project.http_url_to_repo}/info/lfs/objects/batch", body, headers
+ context 'when uploading' do
+ subject { post_lfs_json(batch_url(project), body, headers) }
- expect(response).to have_gitlab_http_status(501)
+ it_behaves_like 'LFS http 501 response'
end
- it 'responds with a 501 message on download' do
- get "#{project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}", params: {}, headers: headers
+ context 'when downloading' do
+ subject { get(objects_url(project, sample_oid), params: {}, headers: headers) }
- expect(response).to have_gitlab_http_status(501)
+ it_behaves_like 'LFS http 501 response'
end
end
describe 'LFS enabled in project' do
- before do
- project.update_attribute(:lfs_enabled, true)
- end
+ let(:project_lfs_enabled) { true }
- it 'responds with a 501 message on upload' do
- post_lfs_json "#{project.http_url_to_repo}/info/lfs/objects/batch", body, headers
+ context 'when uploading' do
+ subject { post_lfs_json(batch_url(project), body, headers) }
- expect(response).to have_gitlab_http_status(501)
+ it_behaves_like 'LFS http 501 response'
end
- it 'responds with a 501 message on download' do
- get "#{project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}", params: {}, headers: headers
+ context 'when downloading' do
+ subject { get(objects_url(project, sample_oid), params: {}, headers: headers) }
- expect(response).to have_gitlab_http_status(501)
+ it_behaves_like 'LFS http 501 response'
end
end
end
context 'with LFS enabled globally' do
- before do
- project.add_maintainer(user)
- enable_lfs
- end
-
describe 'LFS disabled in project' do
- before do
- project.update_attribute(:lfs_enabled, false)
- end
+ let(:project_lfs_enabled) { false }
- it 'responds with a 403 message on upload' do
- post_lfs_json "#{project.http_url_to_repo}/info/lfs/objects/batch", body, headers
+ context 'when uploading' do
+ subject { post_lfs_json(batch_url(project), body, headers) }
- expect(response).to have_gitlab_http_status(403)
- expect(json_response).to include('message' => 'Access forbidden. Check your access level.')
+ it_behaves_like 'LFS http 403 response'
end
- it 'responds with a 403 message on download' do
- get "#{project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}", params: {}, headers: headers
+ context 'when downloading' do
+ subject { get(objects_url(project, sample_oid), params: {}, headers: headers) }
- expect(response).to have_gitlab_http_status(403)
- expect(json_response).to include('message' => 'Access forbidden. Check your access level.')
+ it_behaves_like 'LFS http 403 response'
end
end
describe 'LFS enabled in project' do
- before do
- project.update_attribute(:lfs_enabled, true)
- end
+ let(:project_lfs_enabled) { true }
- it 'responds with a 200 message on upload' do
- post_lfs_json "#{project.http_url_to_repo}/info/lfs/objects/batch", body, headers
+ context 'when uploading' do
+ subject { post_lfs_json(batch_url(project), body, headers) }
- expect(response).to have_gitlab_http_status(200)
- expect(json_response['objects'].first['size']).to eq(1575078)
+ it_behaves_like 'LFS http 200 response'
end
- it 'responds with a 200 message on download' do
- get "#{project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}", params: {}, headers: headers
+ context 'when downloading' do
+ subject { get(objects_url(project, sample_oid), params: {}, headers: headers) }
- expect(response).to have_gitlab_http_status(200)
+ it_behaves_like 'LFS http 200 response'
end
end
end
end
describe 'deprecated API' do
- let(:project) { create(:project) }
-
- before do
- enable_lfs
- end
+ let(:authorization) { authorize_user }
- shared_examples 'a deprecated' do
- it 'responds with 501' do
- expect(response).to have_gitlab_http_status(501)
+ shared_examples 'deprecated request' do
+ before do
+ subject
end
- it 'returns deprecated message' do
- expect(json_response).to include('message' => 'Server supports batch API only, please update your Git LFS client to version 1.0.1 and up.')
+ it_behaves_like 'LFS http expected response code and message' do
+ let(:response_code) { 501 }
+ let(:message) { 'Server supports batch API only, please update your Git LFS client to version 1.0.1 and up.' }
end
end
- context 'when fetching lfs object using deprecated API' do
- let(:authorization) { authorize_user }
-
- before do
- get "#{project.http_url_to_repo}/info/lfs/objects/#{sample_oid}", params: {}, headers: headers
- end
+ context 'when fetching LFS object using deprecated API' do
+ subject { get(deprecated_objects_url(project, sample_oid), params: {}, headers: headers) }
- it_behaves_like 'a deprecated'
+ it_behaves_like 'deprecated request'
end
- context 'when handling lfs request using deprecated API' do
- let(:authorization) { authorize_user }
- before do
- post_lfs_json "#{project.http_url_to_repo}/info/lfs/objects", nil, headers
- end
+ context 'when handling LFS request using deprecated API' do
+ subject { post_lfs_json(deprecated_objects_url(project), nil, headers) }
- it_behaves_like 'a deprecated'
+ it_behaves_like 'deprecated request'
+ end
+
+ def deprecated_objects_url(project, oid = nil)
+ File.join(["#{project.http_url_to_repo}/info/lfs/objects/", oid].compact)
end
end
- describe 'when fetching lfs object' do
- let(:project) { create(:project) }
+ describe 'when fetching LFS object' do
let(:update_permissions) { }
let(:before_get) { }
before do
- enable_lfs
update_permissions
before_get
- get "#{project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}", params: {}, headers: headers
+ get objects_url(project, sample_oid), params: {}, headers: headers
end
context 'and request comes from gitlab-workhorse' do
context 'without user being authorized' do
- it 'responds with status 401' do
- expect(response).to have_gitlab_http_status(401)
- end
+ it_behaves_like 'LFS http 401 response'
end
context 'with required headers' do
shared_examples 'responds with a file' do
let(:sendfile) { 'X-Sendfile' }
- it 'responds with status 200' do
- expect(response).to have_gitlab_http_status(200)
- end
+ it_behaves_like 'LFS http 200 response'
it 'responds with the file location' do
expect(response.headers['Content-Type']).to eq('application/octet-stream')
@@ -229,9 +194,7 @@ describe 'Git LFS API and storage' do
project.lfs_objects << lfs_object
end
- it 'responds with status 404' do
- expect(response).to have_gitlab_http_status(404)
- end
+ it_behaves_like 'LFS http 404 response'
end
context 'and does have project access' do
@@ -249,9 +212,7 @@ describe 'Git LFS API and storage' do
lfs_object.file.migrate!(LfsObjectUploader::Store::REMOTE)
end
- it 'responds with redirect' do
- expect(response).to have_gitlab_http_status(200)
- end
+ it_behaves_like 'LFS http 200 response'
it 'responds with the workhorse send-url' do
expect(response.headers[Gitlab::Workhorse::SEND_DATA_HEADER]).to start_with("send-url:")
@@ -288,7 +249,7 @@ describe 'Git LFS API and storage' do
it_behaves_like 'responds with a file'
end
- describe 'when using a user key' do
+ describe 'when using a user key (LFSToken)' do
let(:authorization) { authorize_user_key }
context 'when user allowed' do
@@ -298,6 +259,18 @@ describe 'Git LFS API and storage' do
end
it_behaves_like 'responds with a file'
+
+ context 'when user password is expired' do
+ let(:user) { create(:user, password_expires_at: 1.minute.ago)}
+
+ it_behaves_like 'LFS http 401 response'
+ end
+
+ context 'when user is blocked' do
+ let(:user) { create(:user, :blocked)}
+
+ it_behaves_like 'LFS http 401 response'
+ end
end
context 'when user not allowed' do
@@ -305,9 +278,7 @@ describe 'Git LFS API and storage' do
project.lfs_objects << lfs_object
end
- it 'responds with status 404' do
- expect(response).to have_gitlab_http_status(404)
- end
+ it_behaves_like 'LFS http 404 response'
end
end
@@ -337,7 +308,6 @@ describe 'Git LFS API and storage' do
end
context 'for other project' do
- let(:other_project) { create(:project) }
let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
let(:update_permissions) do
@@ -361,7 +331,6 @@ describe 'Git LFS API and storage' do
end
context 'regular user' do
- let(:user) { create(:user) }
let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
it_behaves_like 'can download LFS only from own projects' do
@@ -384,166 +353,147 @@ describe 'Git LFS API and storage' do
context 'without required headers' do
let(:authorization) { authorize_user }
- it 'responds with status 404' do
- expect(response).to have_gitlab_http_status(404)
- end
+ it_behaves_like 'LFS http 404 response'
end
end
end
- describe 'when handling lfs batch request' do
+ describe 'when handling LFS batch request' do
let(:update_lfs_permissions) { }
let(:update_user_permissions) { }
before do
- enable_lfs
update_lfs_permissions
update_user_permissions
- post_lfs_json "#{project.http_url_to_repo}/info/lfs/objects/batch", body, headers
+ post_lfs_json batch_url(project), body, headers
end
- describe 'download' do
- let(:project) { create(:project) }
- let(:body) do
- {
- 'operation' => 'download',
- 'objects' => [
- { 'oid' => sample_oid,
- 'size' => sample_size }
- ]
- }
+ shared_examples 'process authorization header' do |renew_authorization:|
+ let(:response_authorization) do
+ authorization_in_action(lfs_actions.first)
end
- shared_examples 'an authorized requests' do
- context 'when downloading an lfs object that is assigned to our project' do
- let(:update_lfs_permissions) do
- project.lfs_objects << lfs_object
+ if renew_authorization
+ context 'when the authorization comes from a user' do
+ it 'returns a new valid LFS token authorization' do
+ expect(response_authorization).not_to eq(authorization)
end
- it 'responds with status 200' do
- expect(response).to have_gitlab_http_status(200)
+ it 'returns a a valid token' do
+ username, token = ::Base64.decode64(response_authorization.split(' ', 2).last).split(':', 2)
+
+ expect(username).to eq(user.username)
+ expect(Gitlab::LfsToken.new(user).token_valid?(token)).to be_truthy
end
- it 'with href to download' do
- expect(json_response).to eq({
- 'objects' => [
- {
- 'oid' => sample_oid,
- 'size' => sample_size,
- 'actions' => {
- 'download' => {
- 'href' => "#{project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}",
- 'header' => { 'Authorization' => authorization }
- }
- }
- }
- ]
- })
+ it 'generates only one new token per each request' do
+ authorizations = lfs_actions.map do |action|
+ authorization_in_action(action)
+ end.compact
+
+ expect(authorizations.uniq.count).to eq 1
+ end
+ end
+ else
+ context 'when the authorization comes from a token' do
+ it 'returns the same authorization header' do
+ expect(response_authorization).to eq(authorization)
end
end
+ end
+
+ def lfs_actions
+ json_response['objects'].map { |a| a['actions'] }.compact
+ end
- context 'when downloading an lfs object that is assigned to other project' do
- let(:other_project) { create(:project) }
+ def authorization_in_action(action)
+ (action['upload'] || action['download']).dig('header', 'Authorization')
+ end
+ end
+
+ describe 'download' do
+ let(:body) { download_body(sample_object) }
+
+ shared_examples 'an authorized request' do |renew_authorization:|
+ context 'when downloading an LFS object that is assigned to our project' do
let(:update_lfs_permissions) do
- other_project.lfs_objects << lfs_object
+ project.lfs_objects << lfs_object
end
- it 'responds with status 200' do
- expect(response).to have_gitlab_http_status(200)
- end
+ it_behaves_like 'LFS http 200 response'
it 'with href to download' do
- expect(json_response).to eq({
- 'objects' => [
- {
- 'oid' => sample_oid,
- 'size' => sample_size,
- 'error' => {
- 'code' => 404,
- 'message' => "Object does not exist on the server or you don't have permissions to access it"
- }
- }
- ]
- })
+ expect(json_response['objects'].first).to include(sample_object)
+ expect(json_response['objects'].first['actions']['download']['href']).to eq(objects_url(project, sample_oid))
end
+
+ it_behaves_like 'process authorization header', renew_authorization: renew_authorization
end
- context 'when downloading a lfs object that does not exist' do
- let(:body) do
- {
- 'operation' => 'download',
- 'objects' => [
- { 'oid' => '91eff75a492a3ed0dfcb544d7f31326bc4014c8551849c192fd1e48d4dd2c897',
- 'size' => 1575078 }
- ]
- }
+ context 'when downloading an LFS object that is assigned to other project' do
+ let(:update_lfs_permissions) do
+ other_project.lfs_objects << lfs_object
end
- it 'responds with status 200' do
- expect(response).to have_gitlab_http_status(200)
- end
+ it_behaves_like 'LFS http 200 response'
it 'with an 404 for specific object' do
- expect(json_response).to eq({
- 'objects' => [
- {
- 'oid' => '91eff75a492a3ed0dfcb544d7f31326bc4014c8551849c192fd1e48d4dd2c897',
- 'size' => 1575078,
- 'error' => {
- 'code' => 404,
- 'message' => "Object does not exist on the server or you don't have permissions to access it"
- }
- }
- ]
- })
+ expect(json_response['objects'].first).to include(sample_object)
+ expect(json_response['objects'].first['error']).to include('code' => 404, 'message' => "Object does not exist on the server or you don't have permissions to access it")
end
end
- context 'when downloading one new and one existing lfs object' do
- let(:body) do
- {
- 'operation' => 'download',
- 'objects' => [
- { 'oid' => '91eff75a492a3ed0dfcb544d7f31326bc4014c8551849c192fd1e48d4dd2c897',
- 'size' => 1575078 },
- { 'oid' => sample_oid,
- 'size' => sample_size }
- ]
- }
+ context 'when downloading a LFS object that does not exist' do
+ let(:body) { download_body(non_existing_object) }
+
+ it_behaves_like 'LFS http 200 response'
+
+ it 'with an 404 for specific object' do
+ expect(json_response['objects'].first).to include(non_existing_object)
+ expect(json_response['objects'].first['error']).to include('code' => 404, 'message' => "Object does not exist on the server or you don't have permissions to access it")
end
+ end
+ context 'when downloading one new and one existing LFS object' do
+ let(:body) { download_body(multiple_objects) }
let(:update_lfs_permissions) do
project.lfs_objects << lfs_object
end
- it 'responds with status 200' do
- expect(response).to have_gitlab_http_status(200)
- end
+ it_behaves_like 'LFS http 200 response'
- it 'responds with upload hypermedia link for the new object' do
- expect(json_response).to eq({
- 'objects' => [
- {
- 'oid' => '91eff75a492a3ed0dfcb544d7f31326bc4014c8551849c192fd1e48d4dd2c897',
- 'size' => 1575078,
- 'error' => {
- 'code' => 404,
- 'message' => "Object does not exist on the server or you don't have permissions to access it"
- }
- },
- {
- 'oid' => sample_oid,
- 'size' => sample_size,
- 'actions' => {
- 'download' => {
- 'href' => "#{project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}",
- 'header' => { 'Authorization' => authorization }
- }
- }
- }
- ]
+ it 'responds with download hypermedia link for the new object' do
+ expect(json_response['objects'].first).to include(sample_object)
+ expect(json_response['objects'].first['actions']['download']).to include('href' => objects_url(project, sample_oid))
+ expect(json_response['objects'].last).to eq({
+ 'oid' => non_existing_object_oid,
+ 'size' => non_existing_object_size,
+ 'error' => {
+ 'code' => 404,
+ 'message' => "Object does not exist on the server or you don't have permissions to access it"
+ }
})
end
+
+ it_behaves_like 'process authorization header', renew_authorization: renew_authorization
+ end
+
+ context 'when downloading two existing LFS objects' do
+ let(:body) { download_body(multiple_objects) }
+ let(:other_object) { create(:lfs_object, :with_file, oid: non_existing_object_oid, size: non_existing_object_size) }
+ let(:update_lfs_permissions) do
+ project.lfs_objects << [lfs_object, other_object]
+ end
+
+ it 'responds with the download hypermedia link for each object' do
+ expect(json_response['objects'].first).to include(sample_object)
+ expect(json_response['objects'].first['actions']['download']).to include('href' => objects_url(project, sample_oid))
+
+ expect(json_response['objects'].last).to include(non_existing_object)
+ expect(json_response['objects'].last['actions']['download']).to include('href' => objects_url(project, non_existing_object_oid))
+ end
+
+ it_behaves_like 'process authorization header', renew_authorization: renew_authorization
end
end
@@ -554,29 +504,41 @@ describe 'Git LFS API and storage' do
project.add_role(user, role)
end
- it_behaves_like 'an authorized requests' do
+ it_behaves_like 'an authorized request', renew_authorization: true do
let(:role) { :reporter }
end
context 'when user does is not member of the project' do
let(:update_user_permissions) { nil }
- it 'responds with 404' do
- expect(response).to have_gitlab_http_status(404)
- end
+ it_behaves_like 'LFS http 404 response'
end
context 'when user does not have download access' do
let(:role) { :guest }
- it 'responds with 403' do
- expect(response).to have_gitlab_http_status(403)
+ it_behaves_like 'LFS http 403 response'
+ end
+
+ context 'when user password is expired' do
+ let(:role) { :reporter}
+ let(:user) { create(:user, password_expires_at: 1.minute.ago)}
+
+ it 'with an 404 for specific object' do
+ expect(json_response['objects'].first).to include(sample_object)
+ expect(json_response['objects'].first['error']).to include('code' => 404, 'message' => "Object does not exist on the server or you don't have permissions to access it")
end
end
+
+ context 'when user is blocked' do
+ let(:role) { :reporter}
+ let(:user) { create(:user, :blocked)}
+
+ it_behaves_like 'LFS http 401 response'
+ end
end
context 'when using Deploy Tokens' do
- let(:project) { create(:project, :repository) }
let(:authorization) { authorize_deploy_token }
let(:update_user_permissions) { nil }
let(:role) { nil }
@@ -587,25 +549,19 @@ describe 'Git LFS API and storage' do
context 'when Deploy Token is valid' do
let(:deploy_token) { create(:deploy_token, projects: [project]) }
- it_behaves_like 'an authorized requests'
+ it_behaves_like 'an authorized request', renew_authorization: false
end
context 'when Deploy Token is not valid' do
let(:deploy_token) { create(:deploy_token, projects: [project], read_repository: false) }
- it 'responds with access denied' do
- expect(response).to have_gitlab_http_status(401)
- end
+ it_behaves_like 'LFS http 401 response'
end
context 'when Deploy Token is not related to the project' do
- let(:another_project) { create(:project, :repository) }
- let(:deploy_token) { create(:deploy_token, projects: [another_project]) }
+ let(:deploy_token) { create(:deploy_token, projects: [other_project]) }
- it 'responds with access forbidden' do
- # We render 404, to prevent data leakage about existence of the project
- expect(response).to have_gitlab_http_status(404)
- end
+ it_behaves_like 'LFS http 404 response'
end
end
@@ -616,7 +572,7 @@ describe 'Git LFS API and storage' do
project.lfs_objects << lfs_object
end
- shared_examples 'can download LFS only from own projects' do
+ shared_examples 'can download LFS only from own projects' do |renew_authorization:|
context 'for own project' do
let(:pipeline) { create(:ci_empty_pipeline, project: project) }
@@ -624,11 +580,10 @@ describe 'Git LFS API and storage' do
project.add_reporter(user)
end
- it_behaves_like 'an authorized requests'
+ it_behaves_like 'an authorized request', renew_authorization: renew_authorization
end
context 'for other project' do
- let(:other_project) { create(:project) }
let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
it 'rejects downloading code' do
@@ -641,17 +596,16 @@ describe 'Git LFS API and storage' do
let(:user) { create(:admin) }
let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
- it_behaves_like 'can download LFS only from own projects' do
+ it_behaves_like 'can download LFS only from own projects', renew_authorization: true do
# We render 403, because administrator does have normally access
let(:other_project_status) { 403 }
end
end
context 'regular user' do
- let(:user) { create(:user) }
let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
- it_behaves_like 'can download LFS only from own projects' do
+ it_behaves_like 'can download LFS only from own projects', renew_authorization: true do
# We render 404, to prevent data leakage about existence of the project
let(:other_project_status) { 404 }
end
@@ -660,7 +614,7 @@ describe 'Git LFS API and storage' do
context 'does not have user' do
let(:build) { create(:ci_build, :running, pipeline: pipeline) }
- it_behaves_like 'can download LFS only from own projects' do
+ it_behaves_like 'can download LFS only from own projects', renew_authorization: false do
# We render 404, to prevent data leakage about existence of the project
let(:other_project_status) { 404 }
end
@@ -675,11 +629,9 @@ describe 'Git LFS API and storage' do
project.lfs_objects << lfs_object
end
- it 'responds with status 200 and href to download' do
- expect(response).to have_gitlab_http_status(200)
- end
+ it_behaves_like 'LFS http 200 response'
- it 'responds with status 200 and href to download' do
+ it 'returns href to download' do
expect(json_response).to eq({
'objects' => [
{
@@ -688,7 +640,7 @@ describe 'Git LFS API and storage' do
'authenticated' => true,
'actions' => {
'download' => {
- 'href' => "#{project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}",
+ 'href' => objects_url(project, sample_oid),
'header' => {}
}
}
@@ -703,37 +655,29 @@ describe 'Git LFS API and storage' do
project.lfs_objects << lfs_object
end
- it 'responds with authorization required' do
- expect(response).to have_gitlab_http_status(401)
- end
+ it_behaves_like 'LFS http 401 response'
end
end
end
describe 'upload' do
let(:project) { create(:project, :public) }
- let(:body) do
- {
- 'operation' => 'upload',
- 'objects' => [
- { 'oid' => sample_oid,
- 'size' => sample_size }
- ]
- }
- end
+ let(:body) { upload_body(sample_object) }
- shared_examples 'pushes new LFS objects' do
+ shared_examples 'pushes new LFS objects' do |renew_authorization:|
let(:sample_size) { 150.megabytes }
- let(:sample_oid) { '91eff75a492a3ed0dfcb544d7f31326bc4014c8551849c192fd1e48d4dd2c897' }
+ let(:sample_oid) { non_existing_object_oid }
+
+ it_behaves_like 'LFS http 200 response'
it 'responds with upload hypermedia link' do
- expect(response).to have_gitlab_http_status(200)
expect(json_response['objects']).to be_kind_of(Array)
- expect(json_response['objects'].first['oid']).to eq(sample_oid)
- expect(json_response['objects'].first['size']).to eq(sample_size)
- expect(json_response['objects'].first['actions']['upload']['href']).to eq("#{Gitlab.config.gitlab.url}/#{project.full_path}.git/gitlab-lfs/objects/#{sample_oid}/#{sample_size}")
- expect(json_response['objects'].first['actions']['upload']['header']).to eq({ 'Authorization' => authorization, 'Content-Type' => 'application/octet-stream' })
+ expect(json_response['objects'].first).to include(sample_object)
+ expect(json_response['objects'].first['actions']['upload']['href']).to eq(objects_url(project, sample_oid, sample_size))
+ expect(json_response['objects'].first['actions']['upload']['header']).to include('Content-Type' => 'application/octet-stream')
end
+
+ it_behaves_like 'process authorization header', renew_authorization: renew_authorization
end
describe 'when request is authenticated' do
@@ -744,107 +688,80 @@ describe 'Git LFS API and storage' do
project.add_developer(user)
end
- context 'when pushing an lfs object that already exists' do
- let(:other_project) { create(:project) }
+ context 'when pushing an LFS object that already exists' do
let(:update_lfs_permissions) do
other_project.lfs_objects << lfs_object
end
- it 'responds with status 200' do
- expect(response).to have_gitlab_http_status(200)
- end
+ it_behaves_like 'LFS http 200 response'
it 'responds with links the object to the project' do
expect(json_response['objects']).to be_kind_of(Array)
- expect(json_response['objects'].first['oid']).to eq(sample_oid)
- expect(json_response['objects'].first['size']).to eq(sample_size)
+ expect(json_response['objects'].first).to include(sample_object)
expect(lfs_object.projects.pluck(:id)).not_to include(project.id)
expect(lfs_object.projects.pluck(:id)).to include(other_project.id)
- expect(json_response['objects'].first['actions']['upload']['href']).to eq("#{project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}/#{sample_size}")
- expect(json_response['objects'].first['actions']['upload']['header']).to eq({ 'Authorization' => authorization, 'Content-Type' => 'application/octet-stream' })
+ expect(json_response['objects'].first['actions']['upload']['href']).to eq(objects_url(project, sample_oid, sample_size))
+ expect(json_response['objects'].first['actions']['upload']['header']).to include('Content-Type' => 'application/octet-stream')
end
- end
- context 'when pushing a lfs object that does not exist' do
- it_behaves_like 'pushes new LFS objects'
+ it_behaves_like 'process authorization header', renew_authorization: true
end
- context 'when pushing one new and one existing lfs object' do
- let(:body) do
- {
- 'operation' => 'upload',
- 'objects' => [
- { 'oid' => '91eff75a492a3ed0dfcb544d7f31326bc4014c8551849c192fd1e48d4dd2c897',
- 'size' => 1575078 },
- { 'oid' => sample_oid,
- 'size' => sample_size }
- ]
- }
- end
+ context 'when pushing a LFS object that does not exist' do
+ it_behaves_like 'pushes new LFS objects', renew_authorization: true
+ end
+ context 'when pushing one new and one existing LFS object' do
+ let(:body) { upload_body(multiple_objects) }
let(:update_lfs_permissions) do
project.lfs_objects << lfs_object
end
- it 'responds with status 200' do
- expect(response).to have_gitlab_http_status(200)
- end
+ it_behaves_like 'LFS http 200 response'
it 'responds with upload hypermedia link for the new object' do
expect(json_response['objects']).to be_kind_of(Array)
- expect(json_response['objects'].first['oid']).to eq("91eff75a492a3ed0dfcb544d7f31326bc4014c8551849c192fd1e48d4dd2c897")
- expect(json_response['objects'].first['size']).to eq(1575078)
- expect(json_response['objects'].first['actions']['upload']['href']).to eq("#{project.http_url_to_repo}/gitlab-lfs/objects/91eff75a492a3ed0dfcb544d7f31326bc4014c8551849c192fd1e48d4dd2c897/1575078")
- expect(json_response['objects'].first['actions']['upload']['header']).to eq({ 'Authorization' => authorization, 'Content-Type' => 'application/octet-stream' })
+ expect(json_response['objects'].first).to include(sample_object)
+ expect(json_response['objects'].first).not_to have_key('actions')
- expect(json_response['objects'].last['oid']).to eq(sample_oid)
- expect(json_response['objects'].last['size']).to eq(sample_size)
- expect(json_response['objects'].last).not_to have_key('actions')
+ expect(json_response['objects'].last).to include(non_existing_object)
+ expect(json_response['objects'].last['actions']['upload']['href']).to eq(objects_url(project, non_existing_object_oid, non_existing_object_size))
+ expect(json_response['objects'].last['actions']['upload']['header']).to include('Content-Type' => 'application/octet-stream')
end
+
+ it_behaves_like 'process authorization header', renew_authorization: true
end
end
context 'when user does not have push access' do
let(:authorization) { authorize_user }
- it 'responds with 403' do
- expect(response).to have_gitlab_http_status(403)
- end
+ it_behaves_like 'LFS http 403 response'
end
context 'when build is authorized' do
let(:authorization) { authorize_ci_project }
context 'build has an user' do
- let(:user) { create(:user) }
+ let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
context 'tries to push to own project' do
- let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
-
- it 'responds with 403 (not 404 because project is public)' do
- expect(response).to have_gitlab_http_status(403)
- end
+ it_behaves_like 'LFS http 403 response'
end
context 'tries to push to other project' do
- let(:other_project) { create(:project) }
let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
- let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
# I'm not sure what this tests that is different from the previous test
- it 'responds with 403 (not 404 because project is public)' do
- expect(response).to have_gitlab_http_status(403)
- end
+ it_behaves_like 'LFS http 403 response'
end
end
context 'does not have user' do
let(:build) { create(:ci_build, :running, pipeline: pipeline) }
- it 'responds with 403 (not 404 because project is public)' do
- expect(response).to have_gitlab_http_status(403)
- end
+ it_behaves_like 'LFS http 403 response'
end
end
@@ -856,7 +773,7 @@ describe 'Git LFS API and storage' do
project.deploy_keys_projects.create(deploy_key: key, can_push: true)
end
- it_behaves_like 'pushes new LFS objects'
+ it_behaves_like 'pushes new LFS objects', renew_authorization: false
end
end
@@ -866,80 +783,60 @@ describe 'Git LFS API and storage' do
project.add_maintainer(user)
end
- it 'responds with status 401' do
- expect(response).to have_gitlab_http_status(401)
- end
+ it_behaves_like 'LFS http 401 response'
end
context 'when user does not have push access' do
- it 'responds with status 401' do
- expect(response).to have_gitlab_http_status(401)
- end
+ it_behaves_like 'LFS http 401 response'
end
end
end
describe 'unsupported' do
- let(:project) { create(:project) }
let(:authorization) { authorize_user }
- let(:body) do
- {
- 'operation' => 'other',
- 'objects' => [
- { 'oid' => sample_oid,
- 'size' => sample_size }
- ]
- }
- end
+ let(:body) { request_body('other', sample_object) }
- it 'responds with status 404' do
- expect(response).to have_gitlab_http_status(404)
- end
+ it_behaves_like 'LFS http 404 response'
end
end
- describe 'when handling lfs batch request on a read-only GitLab instance' do
+ describe 'when handling LFS batch request on a read-only GitLab instance' do
let(:authorization) { authorize_user }
- let(:project) { create(:project) }
- let(:path) { "#{project.http_url_to_repo}/info/lfs/objects/batch" }
- let(:body) do
- { 'objects' => [{ 'oid' => sample_oid, 'size' => sample_size }] }
- end
+
+ subject { post_lfs_json(batch_url(project), body, headers) }
before do
allow(Gitlab::Database).to receive(:read_only?) { true }
+
project.add_maintainer(user)
- enable_lfs
+
+ subject
end
- it 'responds with a 200 message on download' do
- post_lfs_json path, body.merge('operation' => 'download'), headers
+ context 'when downloading' do
+ let(:body) { download_body(sample_object) }
- expect(response).to have_gitlab_http_status(200)
+ it_behaves_like 'LFS http 200 response'
end
- it 'responds with a 403 message on upload' do
- post_lfs_json path, body.merge('operation' => 'upload'), headers
+ context 'when uploading' do
+ let(:body) { upload_body(sample_object) }
- expect(response).to have_gitlab_http_status(403)
- expect(json_response).to include('message' => 'You cannot write to this read-only GitLab instance.')
+ it_behaves_like 'LFS http expected response code and message' do
+ let(:response_code) { 403 }
+ let(:message) { 'You cannot write to this read-only GitLab instance.' }
+ end
end
end
- describe 'when pushing a lfs object' do
- before do
- enable_lfs
- end
-
+ describe 'when pushing a LFS object' do
shared_examples 'unauthorized' do
context 'and request is sent by gitlab-workhorse to authorize the request' do
before do
put_authorize
end
- it 'responds with status 401' do
- expect(response).to have_gitlab_http_status(401)
- end
+ it_behaves_like 'LFS http 401 response'
end
context 'and request is sent by gitlab-workhorse to finalize the upload' do
@@ -947,9 +844,7 @@ describe 'Git LFS API and storage' do
put_finalize
end
- it 'responds with status 401' do
- expect(response).to have_gitlab_http_status(401)
- end
+ it_behaves_like 'LFS http 401 response'
end
context 'and request is sent with a malformed headers' do
@@ -957,9 +852,7 @@ describe 'Git LFS API and storage' do
put_finalize('/etc/passwd')
end
- it 'does not recognize it as a valid lfs command' do
- expect(response).to have_gitlab_http_status(401)
- end
+ it_behaves_like 'LFS http 401 response'
end
end
@@ -969,9 +862,7 @@ describe 'Git LFS API and storage' do
put_authorize
end
- it 'responds with 403' do
- expect(response).to have_gitlab_http_status(403)
- end
+ it_behaves_like 'LFS http 403 response'
end
context 'and request is sent by gitlab-workhorse to finalize the upload' do
@@ -979,9 +870,7 @@ describe 'Git LFS API and storage' do
put_finalize
end
- it 'responds with 403' do
- expect(response).to have_gitlab_http_status(403)
- end
+ it_behaves_like 'LFS http 403 response'
end
context 'and request is sent with a malformed headers' do
@@ -989,15 +878,11 @@ describe 'Git LFS API and storage' do
put_finalize('/etc/passwd')
end
- it 'does not recognize it as a valid lfs command' do
- expect(response).to have_gitlab_http_status(403)
- end
+ it_behaves_like 'LFS http 403 response'
end
end
describe 'to one project' do
- let(:project) { create(:project) }
-
describe 'when user is authenticated' do
let(:authorization) { authorize_user }
@@ -1018,9 +903,7 @@ describe 'Git LFS API and storage' do
put_authorize
end
- it 'responds with status 200' do
- expect(response).to have_gitlab_http_status(200)
- end
+ it_behaves_like 'LFS http 200 response'
it 'uses the gitlab-workhorse content type' do
expect(response.content_type.to_s).to eq(Gitlab::Workhorse::INTERNAL_API_CONTENT_TYPE)
@@ -1029,7 +912,7 @@ describe 'Git LFS API and storage' do
shared_examples 'a local file' do
it_behaves_like 'a valid response' do
- it 'responds with status 200, location of lfs store and object details' do
+ it 'responds with status 200, location of LFS store and object details' do
expect(json_response['TempPath']).to eq(LfsObjectUploader.workhorse_local_upload_path)
expect(json_response['RemoteObject']).to be_nil
expect(json_response['LfsOid']).to eq(sample_oid)
@@ -1049,7 +932,7 @@ describe 'Git LFS API and storage' do
end
it_behaves_like 'a valid response' do
- it 'responds with status 200, location of lfs remote store and object details' do
+ it 'responds with status 200, location of LFS remote store and object details' do
expect(json_response['TempPath']).to eq(LfsObjectUploader.workhorse_local_upload_path)
expect(json_response['RemoteObject']).to have_key('ID')
expect(json_response['RemoteObject']).to have_key('GetURL')
@@ -1077,11 +960,9 @@ describe 'Git LFS API and storage' do
put_finalize
end
- it 'responds with status 200' do
- expect(response).to have_gitlab_http_status(200)
- end
+ it_behaves_like 'LFS http 200 response'
- it 'lfs object is linked to the project' do
+ it 'LFS object is linked to the project' do
expect(lfs_object.projects.pluck(:id)).to include(project.id)
end
end
@@ -1092,7 +973,7 @@ describe 'Git LFS API and storage' do
end
end
- context 'and workhorse requests upload finalize for a new lfs object' do
+ context 'and workhorse requests upload finalize for a new LFS object' do
before do
lfs_object.destroy
end
@@ -1202,33 +1083,25 @@ describe 'Git LFS API and storage' do
let(:authorization) { authorize_ci_project }
context 'build has an user' do
- let(:user) { create(:user) }
+ let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
context 'tries to push to own project' do
- let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
-
before do
project.add_developer(user)
put_authorize
end
- it 'responds with 403 (not 404 because the build user can read the project)' do
- expect(response).to have_gitlab_http_status(403)
- end
+ it_behaves_like 'LFS http 403 response'
end
context 'tries to push to other project' do
- let(:other_project) { create(:project) }
let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
- let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
before do
put_authorize
end
- it 'responds with 404 (do not leak non-public project existence)' do
- expect(response).to have_gitlab_http_status(404)
- end
+ it_behaves_like 'LFS http 404 response'
end
end
@@ -1239,9 +1112,40 @@ describe 'Git LFS API and storage' do
put_authorize
end
- it 'responds with 404 (do not leak non-public project existence)' do
- expect(response).to have_gitlab_http_status(404)
+ it_behaves_like 'LFS http 404 response'
+ end
+ end
+
+ describe 'when using a user key (LFSToken)' do
+ let(:authorization) { authorize_user_key }
+
+ context 'when user allowed' do
+ before do
+ project.add_developer(user)
+ put_authorize
+ end
+
+ it_behaves_like 'LFS http 200 response'
+
+ context 'when user password is expired' do
+ let(:user) { create(:user, password_expires_at: 1.minute.ago)}
+
+ it_behaves_like 'LFS http 401 response'
+ end
+
+ context 'when user is blocked' do
+ let(:user) { create(:user, :blocked)}
+
+ it_behaves_like 'LFS http 401 response'
+ end
+ end
+
+ context 'when user not allowed' do
+ before do
+ put_authorize
end
+
+ it_behaves_like 'LFS http 404 response'
end
end
@@ -1268,11 +1172,9 @@ describe 'Git LFS API and storage' do
put_authorize
end
- it 'responds with status 200' do
- expect(response).to have_gitlab_http_status(200)
- end
+ it_behaves_like 'LFS http 200 response'
- it 'with location of lfs store and object details' do
+ it 'with location of LFS store and object details' do
expect(json_response['TempPath']).to eq(LfsObjectUploader.workhorse_local_upload_path)
expect(json_response['LfsOid']).to eq(sample_oid)
expect(json_response['LfsSize']).to eq(sample_size)
@@ -1284,11 +1186,9 @@ describe 'Git LFS API and storage' do
put_finalize
end
- it 'responds with status 200' do
- expect(response).to have_gitlab_http_status(200)
- end
+ it_behaves_like 'LFS http 200 response'
- it 'lfs object is linked to the source project' do
+ it 'LFS object is linked to the source project' do
expect(lfs_object.projects.pluck(:id)).to include(upstream_project.id)
end
end
@@ -1307,34 +1207,24 @@ describe 'Git LFS API and storage' do
end
context 'build has an user' do
- let(:user) { create(:user) }
+ let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
context 'tries to push to own project' do
- let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
-
- it 'responds with 403 (not 404 because project is public)' do
- expect(response).to have_gitlab_http_status(403)
- end
+ it_behaves_like 'LFS http 403 response'
end
context 'tries to push to other project' do
- let(:other_project) { create(:project) }
let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
- let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
# I'm not sure what this tests that is different from the previous test
- it 'responds with 403 (not 404 because project is public)' do
- expect(response).to have_gitlab_http_status(403)
- end
+ it_behaves_like 'LFS http 403 response'
end
end
context 'does not have user' do
let(:build) { create(:ci_build, :running, pipeline: pipeline) }
- it 'responds with 403 (not 404 because project is public)' do
- expect(response).to have_gitlab_http_status(403)
- end
+ it_behaves_like 'LFS http 403 response'
end
end
@@ -1351,22 +1241,20 @@ describe 'Git LFS API and storage' do
upstream_project.lfs_objects << lfs_object
end
- context 'when pushing the same lfs object to the second project' do
+ context 'when pushing the same LFS object to the second project' do
before do
finalize_headers = headers
.merge('X-Gitlab-Lfs-Tmp' => lfs_tmp_file)
.merge(workhorse_internal_api_request_header)
- put "#{second_project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}/#{sample_size}",
- params: {},
- headers: finalize_headers
+ put objects_url(second_project, sample_oid, sample_size),
+ params: {},
+ headers: finalize_headers
end
- it 'responds with status 200' do
- expect(response).to have_gitlab_http_status(200)
- end
+ it_behaves_like 'LFS http 200 response'
- it 'links the lfs object to the project' do
+ it 'links the LFS object to the project' do
expect(lfs_object.projects.pluck(:id)).to include(second_project.id, upstream_project.id)
end
end
@@ -1377,7 +1265,7 @@ describe 'Git LFS API and storage' do
authorize_headers = headers
authorize_headers.merge!(workhorse_internal_api_request_header) if verified
- put "#{project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}/#{sample_size}/authorize", params: {}, headers: authorize_headers
+ put authorize_url(project, sample_oid, sample_size), params: {}, headers: authorize_headers
end
def put_finalize(lfs_tmp = lfs_tmp_file, with_tempfile: false, verified: true, args: {})
@@ -1401,42 +1289,11 @@ describe 'Git LFS API and storage' do
finalize_headers = headers
finalize_headers.merge!(workhorse_internal_api_request_header) if verified
- put "#{project.http_url_to_repo}/gitlab-lfs/objects/#{sample_oid}/#{sample_size}", params: args, headers: finalize_headers
+ put objects_url(project, sample_oid, sample_size), params: args, headers: finalize_headers
end
def lfs_tmp_file
"#{sample_oid}012345678"
end
end
-
- def enable_lfs
- allow(Gitlab.config.lfs).to receive(:enabled).and_return(true)
- end
-
- def authorize_ci_project
- ActionController::HttpAuthentication::Basic.encode_credentials('gitlab-ci-token', build.token)
- end
-
- def authorize_user
- ActionController::HttpAuthentication::Basic.encode_credentials(user.username, user.password)
- end
-
- def authorize_deploy_key
- ActionController::HttpAuthentication::Basic.encode_credentials("lfs+deploy-key-#{key.id}", Gitlab::LfsToken.new(key).token)
- end
-
- def authorize_user_key
- ActionController::HttpAuthentication::Basic.encode_credentials(user.username, Gitlab::LfsToken.new(user).token)
- end
-
- def authorize_deploy_token
- ActionController::HttpAuthentication::Basic.encode_credentials(deploy_token.username, deploy_token.token)
- end
-
- def post_lfs_json(url, body = nil, headers = nil)
- params = body.try(:to_json)
- headers = (headers || {}).merge('Content-Type' => LfsRequest::CONTENT_TYPE)
-
- post(url, params: params, headers: headers)
- end
end
diff --git a/spec/support/helpers/lfs_http_helpers.rb b/spec/support/helpers/lfs_http_helpers.rb
new file mode 100644
index 00000000000..0537b122040
--- /dev/null
+++ b/spec/support/helpers/lfs_http_helpers.rb
@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+require_relative 'workhorse_helpers'
+
+module LfsHttpHelpers
+ include WorkhorseHelpers
+
+ def authorize_ci_project
+ ActionController::HttpAuthentication::Basic.encode_credentials('gitlab-ci-token', build.token)
+ end
+
+ def authorize_user
+ ActionController::HttpAuthentication::Basic.encode_credentials(user.username, user.password)
+ end
+
+ def authorize_deploy_key
+ Gitlab::LfsToken.new(key).basic_encoding
+ end
+
+ def authorize_user_key
+ Gitlab::LfsToken.new(user).basic_encoding
+ end
+
+ def authorize_deploy_token
+ ActionController::HttpAuthentication::Basic.encode_credentials(deploy_token.username, deploy_token.token)
+ end
+
+ def post_lfs_json(url, body = nil, headers = nil)
+ params = body.try(:to_json)
+ headers = (headers || {}).merge('Content-Type' => LfsRequest::CONTENT_TYPE)
+
+ post(url, params: params, headers: headers)
+ end
+
+ def batch_url(project)
+ "#{project.http_url_to_repo}/info/lfs/objects/batch"
+ end
+
+ def objects_url(project, oid = nil, size = nil)
+ File.join(["#{project.http_url_to_repo}/gitlab-lfs/objects", oid, size].compact.map(&:to_s))
+ end
+
+ def authorize_url(project, oid, size)
+ File.join(objects_url(project, oid, size), 'authorize')
+ end
+
+ def download_body(objects)
+ request_body('download', objects)
+ end
+
+ def upload_body(objects)
+ request_body('upload', objects)
+ end
+
+ def request_body(operation, objects)
+ objects = [objects] unless objects.is_a?(Array)
+
+ {
+ 'operation' => operation,
+ 'objects' => objects
+ }
+ end
+end
diff --git a/spec/support/shared_examples/lfs_http_shared_examples.rb b/spec/support/shared_examples/lfs_http_shared_examples.rb
new file mode 100644
index 00000000000..bcd30fe9654
--- /dev/null
+++ b/spec/support/shared_examples/lfs_http_shared_examples.rb
@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+shared_examples 'LFS http 200 response' do
+ it_behaves_like 'LFS http expected response code and message' do
+ let(:response_code) { 200 }
+ end
+end
+
+shared_examples 'LFS http 401 response' do
+ it_behaves_like 'LFS http expected response code and message' do
+ let(:response_code) { 401 }
+ end
+end
+
+shared_examples 'LFS http 403 response' do
+ it_behaves_like 'LFS http expected response code and message' do
+ let(:response_code) { 403 }
+ let(:message) { 'Access forbidden. Check your access level.' }
+ end
+end
+
+shared_examples 'LFS http 501 response' do
+ it_behaves_like 'LFS http expected response code and message' do
+ let(:response_code) { 501 }
+ let(:message) { 'Git LFS is not enabled on this GitLab server, contact your admin.' }
+ end
+end
+
+shared_examples 'LFS http 404 response' do
+ it_behaves_like 'LFS http expected response code and message' do
+ let(:response_code) { 404 }
+ end
+end
+
+shared_examples 'LFS http expected response code and message' do
+ let(:response_code) { }
+ let(:message) { }
+
+ it 'responds with the expected response code and message' do
+ expect(response).to have_gitlab_http_status(response_code)
+ expect(json_response['message']).to eq(message) if message
+ end
+end
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-10 17:10:39 +0300