1 files changed, 90 insertions, 5 deletions
diff --git a/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb b/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb
index 615b56ff22f..39cbdfb9123 100644
--- a/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb
+++ b/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb
@@ -3,8 +3,77 @@
 require 'spec_helper'
 
 RSpec.describe Groups::DependencyProxyForContainersController do
+  include HttpBasicAuthHelpers
+  include DependencyProxyHelpers
+
+  let_it_be(:user) { create(:user) }
   let(:group) { create(:group) }
   let(:token_response) { { status: :success, token: 'abcd1234' } }
+  let(:jwt) { build_jwt(user) }
+  let(:token_header) { "Bearer #{jwt.encoded}" }
+
+  shared_examples 'without a token' do
+    before do
+      request.headers['HTTP_AUTHORIZATION'] = nil
+    end
+
+    context 'feature flag disabled' do
+      before do
+        stub_feature_flags(dependency_proxy_for_private_groups: false)
+      end
+
+      it { is_expected.to have_gitlab_http_status(:ok) }
+    end
+
+    it { is_expected.to have_gitlab_http_status(:unauthorized) }
+  end
+
+  shared_examples 'feature flag disabled with private group' do
+    before do
+      stub_feature_flags(dependency_proxy_for_private_groups: false)
+    end
+
+    it 'redirects', :aggregate_failures do
+      group.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE)
+
+      subject
+
+      expect(response).to have_gitlab_http_status(:redirect)
+      expect(response.location).to end_with(new_user_session_path)
+    end
+  end
+
+  shared_examples 'without permission' do
+    context 'with invalid user' do
+      before do
+        user = double('bad_user', id: 999)
+        token_header = "Bearer #{build_jwt(user).encoded}"
+        request.headers['HTTP_AUTHORIZATION'] = token_header
+      end
+
+      it { is_expected.to have_gitlab_http_status(:not_found) }
+    end
+
+    context 'with valid user that does not have access' do
+      let(:group) { create(:group, :private) }
+
+      before do
+        user = double('bad_user', id: 999)
+        token_header = "Bearer #{build_jwt(user).encoded}"
+        request.headers['HTTP_AUTHORIZATION'] = token_header
+      end
+
+      it { is_expected.to have_gitlab_http_status(:not_found) }
+    end
+
+    context 'when user is not found' do
+      before do
+        allow(User).to receive(:find).and_return(nil)
+      end
+
+      it { is_expected.to have_gitlab_http_status(:unauthorized) }
+    end
+  end
 
   shared_examples 'not found when disabled' do
     context 'feature disabled' do
@@ -27,14 +96,16 @@ RSpec.describe Groups::DependencyProxyForContainersController do
     allow_next_instance_of(DependencyProxy::RequestTokenService) do |instance|
       allow(instance).to receive(:execute).and_return(token_response)
     end
+
+    request.headers['HTTP_AUTHORIZATION'] = token_header
   end
 
   describe 'GET #manifest' do
-    let(:manifest) { { foo: 'bar' }.to_json }
+    let_it_be(:manifest) { create(:dependency_proxy_manifest) }
     let(:pull_response) { { status: :success, manifest: manifest } }
 
     before do
-      allow_next_instance_of(DependencyProxy::PullManifestService) do |instance|
+      allow_next_instance_of(DependencyProxy::FindOrCreateManifestService) do |instance|
         allow(instance).to receive(:execute).and_return(pull_response)
       end
     end
@@ -46,6 +117,10 @@ RSpec.describe Groups::DependencyProxyForContainersController do
         enable_dependency_proxy
       end
 
+      it_behaves_like 'without a token'
+      it_behaves_like 'without permission'
+      it_behaves_like 'feature flag disabled with private group'
+
       context 'remote token request fails' do
         let(:token_response) do
           {
@@ -80,11 +155,17 @@ RSpec.describe Groups::DependencyProxyForContainersController do
         end
       end
 
-      it 'returns 200 with manifest file' do
+      it 'sends a file' do
+        expect(controller).to receive(:send_file).with(manifest.file.path, {})
+
+        subject
+      end
+
+      it 'returns Content-Disposition: attachment' do
         subject
 
         expect(response).to have_gitlab_http_status(:ok)
-        expect(response.body).to eq(manifest)
+        expect(response.headers['Content-Disposition']).to match(/^attachment/)
       end
     end
 
@@ -96,7 +177,7 @@ RSpec.describe Groups::DependencyProxyForContainersController do
   end
 
   describe 'GET #blob' do
-    let(:blob) { create(:dependency_proxy_blob) }
+    let_it_be(:blob) { create(:dependency_proxy_blob) }
     let(:blob_sha) { blob.file_name.sub('.gz', '') }
     let(:blob_response) { { status: :success, blob: blob } }
 
@@ -113,6 +194,10 @@ RSpec.describe Groups::DependencyProxyForContainersController do
         enable_dependency_proxy
       end
 
+      it_behaves_like 'without a token'
+      it_behaves_like 'without permission'
+      it_behaves_like 'feature flag disabled with private group'
+
       context 'remote blob request fails' do
         let(:blob_response) do
           {