diff options
Diffstat (limited to 'spec/requests/api/npm_group_packages_spec.rb')
-rw-r--r-- | spec/requests/api/npm_group_packages_spec.rb | 186 |
1 files changed, 186 insertions, 0 deletions
diff --git a/spec/requests/api/npm_group_packages_spec.rb b/spec/requests/api/npm_group_packages_spec.rb new file mode 100644 index 00000000000..d97c7682b4b --- /dev/null +++ b/spec/requests/api/npm_group_packages_spec.rb @@ -0,0 +1,186 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe API::NpmGroupPackages, feature_category: :package_registry do + using RSpec::Parameterized::TableSyntax + + include_context 'npm api setup' + + describe 'GET /api/v4/groups/:id/-/packages/npm/*package_name' do + let(:url) { api("/groups/#{group.id}/-/packages/npm/#{package_name}") } + + it_behaves_like 'handling get metadata requests', scope: :group + + context 'with a duplicate package name in another project' do + subject { get(url) } + + before do + group.add_developer(user) + end + + let_it_be(:project2) { create(:project, :public, namespace: namespace) } + let_it_be(:package2) do + create(:npm_package, + project: project2, + name: "@#{group.path}/scoped_package", + version: '1.2.0') + end + + it_behaves_like 'rejects invalid package names' + + it 'includes all matching package versions in the response' do + subject + + expect(json_response['versions'].keys).to match_array([package.version, package2.version]) + end + + context 'with the feature flag disabled' do + before do + stub_feature_flags(npm_allow_packages_in_multiple_projects: false) + end + + it 'returns matching package versions from only one project' do + subject + + expect(json_response['versions'].keys).to match_array([package2.version]) + end + end + end + + context 'with mixed group and project visibilities' do + subject { get(url, headers: headers) } + + where(:auth, :group_visibility, :project_visibility, :user_role, :expected_status) do + nil | :public | :public | nil | :ok + nil | :public | :internal | nil | :not_found + nil | :public | :private | nil | :not_found + nil | :internal | :internal | nil | :not_found + nil | :internal | :private | nil | :not_found + nil | :private | :private | nil | :not_found + + :oauth | :public | :public | :guest | :ok + :oauth | :public | :internal | :guest | :ok + :oauth | :public | :private | :guest | :forbidden + :oauth | :internal | :internal | :guest | :ok + :oauth | :internal | :private | :guest | :forbidden + :oauth | :private | :private | :guest | :forbidden + :oauth | :public | :public | :reporter | :ok + :oauth | :public | :internal | :reporter | :ok + :oauth | :public | :private | :reporter | :ok + :oauth | :internal | :internal | :reporter | :ok + :oauth | :internal | :private | :reporter | :ok + :oauth | :private | :private | :reporter | :ok + + :personal_access_token | :public | :public | :guest | :ok + :personal_access_token | :public | :internal | :guest | :ok + :personal_access_token | :public | :private | :guest | :forbidden + :personal_access_token | :internal | :internal | :guest | :ok + :personal_access_token | :internal | :private | :guest | :forbidden + :personal_access_token | :private | :private | :guest | :forbidden + :personal_access_token | :public | :public | :reporter | :ok + :personal_access_token | :public | :internal | :reporter | :ok + :personal_access_token | :public | :private | :reporter | :ok + :personal_access_token | :internal | :internal | :reporter | :ok + :personal_access_token | :internal | :private | :reporter | :ok + :personal_access_token | :private | :private | :reporter | :ok + + :job_token | :public | :public | :developer | :ok + :job_token | :public | :internal | :developer | :ok + :job_token | :public | :private | :developer | :ok + :job_token | :internal | :internal | :developer | :ok + :job_token | :internal | :private | :developer | :ok + :job_token | :private | :private | :developer | :ok + + :deploy_token | :public | :public | nil | :ok + :deploy_token | :public | :internal | nil | :ok + :deploy_token | :public | :private | nil | :ok + :deploy_token | :internal | :internal | nil | :ok + :deploy_token | :internal | :private | nil | :ok + :deploy_token | :private | :private | nil | :ok + end + + with_them do + let(:headers) do + case auth + when :oauth + build_token_auth_header(token.plaintext_token) + when :personal_access_token + build_token_auth_header(personal_access_token.token) + when :job_token + build_token_auth_header(job.token) + when :deploy_token + build_token_auth_header(deploy_token.token) + else + {} + end + end + + before do + project.update!(visibility: project_visibility.to_s) + project.send("add_#{user_role}", user) if user_role + group.update!(visibility: group_visibility.to_s) + group.send("add_#{user_role}", user) if user_role + end + + it_behaves_like 'returning response status', params[:expected_status] + end + end + + context 'when user is a reporter of project but is not a direct member of group' do + subject { get(url, headers: headers) } + + where(:group_visibility, :project_visibility, :expected_status) do + :public | :public | :ok + :public | :internal | :ok + :public | :private | :ok + :internal | :internal | :ok + :internal | :private | :ok + :private | :private | :ok + end + + with_them do + let(:headers) { build_token_auth_header(personal_access_token.token) } + + before do + project.update!(visibility: project_visibility.to_s) + project.add_reporter(user) + + group.update!(visibility: group_visibility.to_s) + end + + it_behaves_like 'returning response status', params[:expected_status] + end + end + end + + describe 'GET /api/v4/packages/npm/-/package/*package_name/dist-tags' do + it_behaves_like 'handling get dist tags requests', scope: :group do + let(:url) { api("/groups/#{group.id}/-/packages/npm/-/package/#{package_name}/dist-tags") } + end + end + + describe 'PUT /api/v4/packages/npm/-/package/*package_name/dist-tags/:tag' do + it_behaves_like 'handling create dist tag requests', scope: :group do + let(:url) { api("/groups/#{group.id}/-/packages/npm/-/package/#{package_name}/dist-tags/#{tag_name}") } + end + end + + describe 'DELETE /api/v4/packages/npm/-/package/*package_name/dist-tags/:tag' do + it_behaves_like 'handling delete dist tag requests', scope: :group do + let(:url) { api("/groups/#{group.id}/-/packages/npm/-/package/#{package_name}/dist-tags/#{tag_name}") } + end + end + + describe 'POST /api/v4/groups/:id/-/packages/npm/-/npm/v1/security/advisories/bulk' do + it_behaves_like 'handling audit request', path: 'advisories/bulk', scope: :group do + let(:url) { api("/groups/#{group.id}/-/packages/npm/-/npm/v1/security/advisories/bulk") } + end + end + + describe 'POST /api/v4/groups/:id/-/packages/npm/-/npm/v1/security/audits/quick' do + it_behaves_like 'handling audit request', path: 'audits/quick', scope: :group do + let(:url) { api("/groups/#{group.id}/-/packages/npm/-/npm/v1/security/audits/quick") } + end + end +end |