Diffstat (limited to 'spec/requests/rack_attack_global_spec.rb')
-rw-r--r-- | spec/requests/rack_attack_global_spec.rb | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/spec/requests/rack_attack_global_spec.rb b/spec/requests/rack_attack_global_spec.rb
index 6491c9ab65a..35ce942ed7e 100644
--- a/spec/requests/rack_attack_global_spec.rb
+++ b/spec/requests/rack_attack_global_spec.rb
@@ -483,6 +483,67 @@ RSpec.describe 'Rack Attack global throttles', :use_clean_rails_memory_store_cac
 end
 end
+ describe 'dependency proxy' do
+ include DependencyProxyHelpers
+
+ let_it_be_with_reload(:group) { create(:group) }
+ let_it_be_with_reload(:other_group) { create(:group) }
+ let_it_be(:user) { create(:user) }
+ let_it_be(:other_user) { create(:user) }
+
+ let(:throttle_setting_prefix) { 'throttle_authenticated_web' }
+ let(:jwt_token) { build_jwt(user) }
+ let(:other_jwt_token) { build_jwt(other_user) }
+ let(:request_args) { [path, headers: jwt_token_authorization_headers(jwt_token)] }
+ let(:other_user_request_args) { [other_path, headers: jwt_token_authorization_headers(other_jwt_token)] }
+
+ before do
+ group.add_owner(user)
+ group.create_dependency_proxy_setting!(enabled: true)
+ other_group.add_owner(other_user)
+ other_group.create_dependency_proxy_setting!(enabled: true)
+
+ allow(Gitlab.config.dependency_proxy)
+ .to receive(:enabled).and_return(true)
+ token_response = { status: :success, token: 'abcd1234' }
+ allow_next_instance_of(DependencyProxy::RequestTokenService) do |instance|
+ allow(instance).to receive(:execute).and_return(token_response)
+ end
+ end
+
+ context 'getting a manifest' do
+ let_it_be(:manifest) { create(:dependency_proxy_manifest) }
+
+ let(:path) { "/v2/#{group.path}/dependency_proxy/containers/alpine/manifests/latest" }
+ let(:other_path) { "/v2/#{other_group.path}/dependency_proxy/containers/alpine/manifests/latest" }
+ let(:pull_response) { { status: :success, manifest: manifest, from_cache: false } }
+
+ before do
+ allow_next_instance_of(DependencyProxy::FindOrCreateManifestService) do |instance|
+ allow(instance).to receive(:execute).and_return(pull_response)
+ end
+ end
+
+ it_behaves_like 'rate-limited token-authenticated requests'
+ end
+
+ context 'getting a blob' do
+ let_it_be(:blob) { create(:dependency_proxy_blob) }
+
+ let(:path) { "/v2/#{group.path}/dependency_proxy/containers/alpine/blobs/sha256:a0d0a0d46f8b52473982a3c466318f479767577551a53ffc9074c9fa7035982e" }
+ let(:other_path) { "/v2/#{other_group.path}/dependency_proxy/containers/alpine/blobs/sha256:a0d0a0d46f8b52473982a3c466318f479767577551a53ffc9074c9fa7035982e" }
+ let(:blob_response) { { status: :success, blob: blob, from_cache: false } }
+
+ before do
+ allow_next_instance_of(DependencyProxy::FindOrCreateBlobService) do |instance|
+ allow(instance).to receive(:execute).and_return(blob_response)
+ end
+ end
+
+ it_behaves_like 'rate-limited token-authenticated requests'
+ end
+ end
+
 describe 'authenticated git lfs requests', :api do
 let_it_be(:project) { create(:project, :internal) }
 let_it_be(:user) { create(:user) } |
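Review bot: The added `let(:throttle_setting_prefix) { 'throttle_authenticated_web' }` in `describe 'dependency proxy'` ties JWT-authenticated `/v2/...` requests to the web throttle without saying why, and both contexts only send requests that carry a valid JWT. I would put a comment above that line, for example `# JWT-authenticated dependency proxy requests are counted under the authenticated web throttle`, once that is confirmed against the throttle definition, which is not visible in this hunk. If the shared examples 'rate-limited token-authenticated requests' (defined elsewhere) do not already cover it, a context with a missing or invalid token on the same paths would show that such requests stay rate limited instead of slipping past the per-user limit. As a smaller style point, the sha256 digest repeated in `path` and `other_path` of the blob context could move to one `let(:digest)`. The enclosing `RSpec.describe` block starts and ends outside the hunk.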