2020-11-11 07:09:06 -05:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
|
|
require 'spec_helper'
|
|
|
|
|
|
|
|
RSpec.describe API::NpmProjectPackages do
|
|
|
|
include_context 'npm api setup'
|
|
|
|
|
|
|
|
describe 'GET /api/v4/projects/:id/packages/npm/*package_name' do
|
2021-02-11 10:09:11 -05:00
|
|
|
it_behaves_like 'handling get metadata requests', scope: :project do
|
2020-11-11 07:09:06 -05:00
|
|
|
let(:url) { api("/projects/#{project.id}/packages/npm/#{package_name}") }
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe 'GET /api/v4/projects/:id/packages/npm/-/package/*package_name/dist-tags' do
|
2021-02-11 10:09:11 -05:00
|
|
|
it_behaves_like 'handling get dist tags requests', scope: :project do
|
2020-11-11 07:09:06 -05:00
|
|
|
let(:url) { api("/projects/#{project.id}/packages/npm/-/package/#{package_name}/dist-tags") }
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe 'PUT /api/v4/projects/:id/packages/npm/-/package/*package_name/dist-tags/:tag' do
|
2021-02-11 10:09:11 -05:00
|
|
|
it_behaves_like 'handling create dist tag requests', scope: :project do
|
2020-11-11 07:09:06 -05:00
|
|
|
let(:url) { api("/projects/#{project.id}/packages/npm/-/package/#{package_name}/dist-tags/#{tag_name}") }
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe 'DELETE /api/v4/projects/:id/packages/npm/-/package/*package_name/dist-tags/:tag' do
|
2021-02-11 10:09:11 -05:00
|
|
|
it_behaves_like 'handling delete dist tag requests', scope: :project do
|
2020-11-11 07:09:06 -05:00
|
|
|
let(:url) { api("/projects/#{project.id}/packages/npm/-/package/#{package_name}/dist-tags/#{tag_name}") }
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe 'GET /api/v4/projects/:id/packages/npm/*package_name/-/*file_name' do
|
2022-07-04 08:09:33 -04:00
|
|
|
let(:snowplow_gitlab_standard_context) { { project: project, namespace: project.namespace } }
|
2021-02-17 13:09:19 -05:00
|
|
|
let(:package_file) { package.package_files.first }
|
2020-11-11 07:09:06 -05:00
|
|
|
|
2021-02-11 10:09:11 -05:00
|
|
|
let(:headers) { {} }
|
|
|
|
let(:url) { api("/projects/#{project.id}/packages/npm/#{package.name}/-/#{package_file.file_name}") }
|
2020-11-11 07:09:06 -05:00
|
|
|
|
2021-02-11 10:09:11 -05:00
|
|
|
subject { get(url, headers: headers) }
|
|
|
|
|
|
|
|
before do
|
|
|
|
project.add_developer(user)
|
|
|
|
end
|
2020-11-11 07:09:06 -05:00
|
|
|
|
2021-04-19 05:09:30 -04:00
|
|
|
shared_examples 'successfully downloads the file' do
|
|
|
|
it 'returns the file' do
|
|
|
|
subject
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:ok)
|
|
|
|
expect(response.media_type).to eq('application/octet-stream')
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2020-11-11 07:09:06 -05:00
|
|
|
shared_examples 'a package file that requires auth' do
|
|
|
|
it 'denies download with no token' do
|
|
|
|
subject
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:not_found)
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with access token' do
|
2021-02-11 10:09:11 -05:00
|
|
|
let(:headers) { build_token_auth_header(token.token) }
|
2020-11-11 07:09:06 -05:00
|
|
|
|
2021-04-19 05:09:30 -04:00
|
|
|
it_behaves_like 'successfully downloads the file'
|
2022-07-04 08:09:33 -04:00
|
|
|
it_behaves_like 'a package tracking event', 'API::NpmPackages', 'pull_package'
|
2020-11-11 07:09:06 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
context 'with job token' do
|
2021-02-11 10:09:11 -05:00
|
|
|
let(:headers) { build_token_auth_header(job.token) }
|
2020-11-11 07:09:06 -05:00
|
|
|
|
2021-04-19 05:09:30 -04:00
|
|
|
it_behaves_like 'successfully downloads the file'
|
2022-07-04 08:09:33 -04:00
|
|
|
it_behaves_like 'a package tracking event', 'API::NpmPackages', 'pull_package'
|
2020-11-11 07:09:06 -05:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'a public project' do
|
2021-04-19 05:09:30 -04:00
|
|
|
it_behaves_like 'successfully downloads the file'
|
|
|
|
it_behaves_like 'a package tracking event', 'API::NpmPackages', 'pull_package'
|
2020-11-11 07:09:06 -05:00
|
|
|
|
2021-04-19 05:09:30 -04:00
|
|
|
context 'with a job token for a different user' do
|
|
|
|
let_it_be(:other_user) { create(:user) }
|
2021-07-29 17:10:10 -04:00
|
|
|
let_it_be_with_reload(:other_job) { create(:ci_build, :running, user: other_user) }
|
2020-11-11 07:09:06 -05:00
|
|
|
|
2021-04-19 05:09:30 -04:00
|
|
|
let(:headers) { build_token_auth_header(other_job.token) }
|
|
|
|
|
|
|
|
it_behaves_like 'successfully downloads the file'
|
|
|
|
end
|
2020-11-11 07:09:06 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
context 'private project' do
|
|
|
|
before do
|
|
|
|
project.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE)
|
|
|
|
end
|
|
|
|
|
|
|
|
it_behaves_like 'a package file that requires auth'
|
|
|
|
|
|
|
|
context 'with guest' do
|
2021-02-11 10:09:11 -05:00
|
|
|
let(:headers) { build_token_auth_header(token.token) }
|
2020-11-11 07:09:06 -05:00
|
|
|
|
|
|
|
it 'denies download when not enough permissions' do
|
|
|
|
project.add_guest(user)
|
|
|
|
|
|
|
|
subject
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:forbidden)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'internal project' do
|
|
|
|
before do
|
|
|
|
project.update!(visibility_level: Gitlab::VisibilityLevel::INTERNAL)
|
|
|
|
end
|
|
|
|
|
|
|
|
it_behaves_like 'a package file that requires auth'
|
2022-07-04 08:09:33 -04:00
|
|
|
|
|
|
|
context 'with a job token for a different user' do
|
|
|
|
let_it_be(:other_user) { create(:user) }
|
|
|
|
let_it_be_with_reload(:other_job) { create(:ci_build, :running, user: other_user) }
|
|
|
|
|
|
|
|
let(:headers) { build_token_auth_header(other_job.token) }
|
|
|
|
|
|
|
|
it_behaves_like 'successfully downloads the file'
|
|
|
|
end
|
2020-11-11 07:09:06 -05:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe 'PUT /api/v4/projects/:id/packages/npm/:package_name' do
|
2021-02-11 10:09:11 -05:00
|
|
|
before do
|
|
|
|
project.add_developer(user)
|
|
|
|
end
|
|
|
|
|
2021-09-14 14:12:06 -04:00
|
|
|
subject(:upload_package_with_token) { upload_with_token(package_name, params) }
|
|
|
|
|
2021-02-11 10:09:11 -05:00
|
|
|
shared_examples 'handling invalid record with 400 error' do
|
2020-11-11 07:09:06 -05:00
|
|
|
it 'handles an ActiveRecord::RecordInvalid exception with 400 error' do
|
2021-09-14 14:12:06 -04:00
|
|
|
expect { upload_package_with_token }
|
2020-11-11 07:09:06 -05:00
|
|
|
.not_to change { project.packages.count }
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:bad_request)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when params are correct' do
|
|
|
|
context 'invalid package record' do
|
|
|
|
context 'invalid package name' do
|
|
|
|
let(:package_name) { "@#{group.path}/my_inv@@lid_package_name" }
|
|
|
|
let(:params) { upload_params(package_name: package_name) }
|
|
|
|
|
|
|
|
it_behaves_like 'handling invalid record with 400 error'
|
2021-09-14 14:12:06 -04:00
|
|
|
it_behaves_like 'not a package tracking event'
|
2020-11-11 07:09:06 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
context 'invalid package version' do
|
|
|
|
using RSpec::Parameterized::TableSyntax
|
|
|
|
|
|
|
|
let(:package_name) { "@#{group.path}/my_package_name" }
|
|
|
|
|
|
|
|
where(:version) do
|
|
|
|
[
|
|
|
|
'1',
|
|
|
|
'1.2',
|
|
|
|
'1./2.3',
|
|
|
|
'../../../../../1.2.3',
|
|
|
|
'%2e%2e%2f1.2.3'
|
|
|
|
]
|
|
|
|
end
|
|
|
|
|
|
|
|
with_them do
|
|
|
|
let(:params) { upload_params(package_name: package_name, package_version: version) }
|
|
|
|
|
|
|
|
it_behaves_like 'handling invalid record with 400 error'
|
2021-09-14 14:12:06 -04:00
|
|
|
it_behaves_like 'not a package tracking event'
|
2020-11-11 07:09:06 -05:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2021-08-11 05:10:00 -04:00
|
|
|
context 'valid package params' do
|
|
|
|
let_it_be(:version) { '1.2.3' }
|
|
|
|
|
|
|
|
let(:params) { upload_params(package_name: package_name, package_version: version) }
|
2021-06-07 08:10:00 -04:00
|
|
|
let(:snowplow_gitlab_standard_context) { { project: project, namespace: project.namespace, user: user } }
|
2020-11-11 07:09:06 -05:00
|
|
|
|
2021-02-17 13:09:19 -05:00
|
|
|
shared_examples 'handling upload with different authentications' do
|
|
|
|
context 'with access token' do
|
|
|
|
it_behaves_like 'a package tracking event', 'API::NpmPackages', 'push_package'
|
2020-11-11 07:09:06 -05:00
|
|
|
|
2021-02-17 13:09:19 -05:00
|
|
|
it 'creates npm package with file' do
|
|
|
|
expect { subject }
|
|
|
|
.to change { project.packages.count }.by(1)
|
|
|
|
.and change { Packages::PackageFile.count }.by(1)
|
|
|
|
.and change { Packages::Tag.count }.by(1)
|
2021-11-10 13:12:35 -05:00
|
|
|
.and change { Packages::Npm::Metadatum.count }.by(1)
|
2020-11-11 07:09:06 -05:00
|
|
|
|
2021-02-17 13:09:19 -05:00
|
|
|
expect(response).to have_gitlab_http_status(:ok)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'creates npm package with file with job token' do
|
2021-09-14 14:12:06 -04:00
|
|
|
expect { upload_with_job_token(package_name, params) }
|
2020-11-11 07:09:06 -05:00
|
|
|
.to change { project.packages.count }.by(1)
|
|
|
|
.and change { Packages::PackageFile.count }.by(1)
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:ok)
|
|
|
|
end
|
|
|
|
|
2021-02-17 13:09:19 -05:00
|
|
|
context 'with an authenticated job token' do
|
|
|
|
let!(:job) { create(:ci_build, user: user) }
|
2020-11-11 07:09:06 -05:00
|
|
|
|
2021-02-17 13:09:19 -05:00
|
|
|
before do
|
|
|
|
Grape::Endpoint.before_each do |endpoint|
|
|
|
|
expect(endpoint).to receive(:current_authenticated_job) { job }
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
after do
|
|
|
|
Grape::Endpoint.before_each nil
|
|
|
|
end
|
2020-11-11 07:09:06 -05:00
|
|
|
|
2021-02-17 13:09:19 -05:00
|
|
|
it 'creates the package metadata' do
|
2021-09-14 14:12:06 -04:00
|
|
|
upload_package_with_token
|
2020-11-11 07:09:06 -05:00
|
|
|
|
2021-02-17 13:09:19 -05:00
|
|
|
expect(response).to have_gitlab_http_status(:ok)
|
|
|
|
expect(project.reload.packages.find(json_response['id']).original_build_info.pipeline).to eq job.pipeline
|
2020-11-11 07:09:06 -05:00
|
|
|
end
|
|
|
|
end
|
2021-02-17 13:09:19 -05:00
|
|
|
end
|
2020-11-11 07:09:06 -05:00
|
|
|
|
2021-08-11 05:10:00 -04:00
|
|
|
shared_examples 'uploading the package' do
|
|
|
|
it 'uploads the package' do
|
2021-09-14 14:12:06 -04:00
|
|
|
expect { upload_package_with_token }
|
2021-08-11 05:10:00 -04:00
|
|
|
.to change { project.packages.count }.by(1)
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:ok)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2021-02-17 13:09:19 -05:00
|
|
|
context 'with a scoped name' do
|
|
|
|
let(:package_name) { "@#{group.path}/my_package_name" }
|
2020-11-11 07:09:06 -05:00
|
|
|
|
2021-02-17 13:09:19 -05:00
|
|
|
it_behaves_like 'handling upload with different authentications'
|
|
|
|
end
|
2020-11-11 07:09:06 -05:00
|
|
|
|
2021-02-17 13:09:19 -05:00
|
|
|
context 'with any scoped name' do
|
|
|
|
let(:package_name) { "@any_scope/my_package_name" }
|
|
|
|
|
|
|
|
it_behaves_like 'handling upload with different authentications'
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with an unscoped name' do
|
|
|
|
let(:package_name) { "my_unscoped_package_name" }
|
|
|
|
|
|
|
|
it_behaves_like 'handling upload with different authentications'
|
2020-11-11 07:09:06 -05:00
|
|
|
end
|
2021-08-06 11:10:05 -04:00
|
|
|
|
|
|
|
context 'with an existing package' do
|
|
|
|
let_it_be(:second_project) { create(:project, namespace: namespace) }
|
|
|
|
|
|
|
|
context 'following the naming convention' do
|
2021-08-11 05:10:00 -04:00
|
|
|
let_it_be(:second_package) { create(:npm_package, project: second_project, name: "@#{group.path}/test", version: version) }
|
2021-08-06 11:10:05 -04:00
|
|
|
|
|
|
|
let(:package_name) { "@#{group.path}/test" }
|
|
|
|
|
|
|
|
it_behaves_like 'handling invalid record with 400 error'
|
2021-09-14 14:12:06 -04:00
|
|
|
it_behaves_like 'not a package tracking event'
|
2021-08-11 05:10:00 -04:00
|
|
|
|
|
|
|
context 'with a new version' do
|
|
|
|
let_it_be(:version) { '4.5.6' }
|
|
|
|
|
|
|
|
it_behaves_like 'uploading the package'
|
|
|
|
end
|
2021-08-06 11:10:05 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
context 'not following the naming convention' do
|
2021-08-11 05:10:00 -04:00
|
|
|
let_it_be(:second_package) { create(:npm_package, project: second_project, name: "@any_scope/test", version: version) }
|
2021-08-06 11:10:05 -04:00
|
|
|
|
|
|
|
let(:package_name) { "@any_scope/test" }
|
|
|
|
|
2021-08-11 05:10:00 -04:00
|
|
|
it_behaves_like 'uploading the package'
|
2021-08-06 11:10:05 -04:00
|
|
|
end
|
|
|
|
end
|
2020-11-11 07:09:06 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
context 'package creation fails' do
|
|
|
|
let(:package_name) { "@#{group.path}/my_package_name" }
|
|
|
|
let(:params) { upload_params(package_name: package_name) }
|
|
|
|
|
2021-09-14 14:12:06 -04:00
|
|
|
before do
|
2020-11-11 07:09:06 -05:00
|
|
|
create(:npm_package, project: project, version: '1.0.1', name: "@#{group.path}/my_package_name")
|
2021-09-14 14:12:06 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
it_behaves_like 'not a package tracking event'
|
|
|
|
|
|
|
|
it 'returns an error if the package already exists' do
|
|
|
|
expect { upload_package_with_token }
|
2020-11-11 07:09:06 -05:00
|
|
|
.not_to change { project.packages.count }
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:forbidden)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with dependencies' do
|
|
|
|
let(:package_name) { "@#{group.path}/my_package_name" }
|
|
|
|
let(:params) { upload_params(package_name: package_name, file: 'npm/payload_with_duplicated_packages.json') }
|
|
|
|
|
|
|
|
it 'creates npm package with file and dependencies' do
|
2021-09-14 14:12:06 -04:00
|
|
|
expect { upload_package_with_token }
|
2020-11-11 07:09:06 -05:00
|
|
|
.to change { project.packages.count }.by(1)
|
|
|
|
.and change { Packages::PackageFile.count }.by(1)
|
2022-07-29 14:08:58 -04:00
|
|
|
.and change { Packages::Dependency.count }.by(4)
|
|
|
|
.and change { Packages::DependencyLink.count }.by(6)
|
2020-11-11 07:09:06 -05:00
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:ok)
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with existing dependencies' do
|
|
|
|
before do
|
|
|
|
name = "@#{group.path}/existing_package"
|
2021-09-14 14:12:06 -04:00
|
|
|
upload_with_token(name, upload_params(package_name: name, file: 'npm/payload_with_duplicated_packages.json'))
|
2020-11-11 07:09:06 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
it 'reuses them' do
|
2021-09-14 14:12:06 -04:00
|
|
|
expect { upload_package_with_token }
|
2020-11-11 07:09:06 -05:00
|
|
|
.to change { project.packages.count }.by(1)
|
|
|
|
.and change { Packages::PackageFile.count }.by(1)
|
2022-07-29 14:08:58 -04:00
|
|
|
.and not_change { Packages::Dependency.count }
|
|
|
|
.and change { Packages::DependencyLink.count }.by(6)
|
2020-11-11 07:09:06 -05:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2021-11-10 13:12:35 -05:00
|
|
|
|
|
|
|
context 'with a too large metadata structure' do
|
|
|
|
let(:package_name) { "@#{group.path}/my_package_name" }
|
|
|
|
let(:params) do
|
|
|
|
upload_params(package_name: package_name, package_version: '1.2.3').tap do |h|
|
|
|
|
h['versions']['1.2.3']['test'] = 'test' * 10000
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
it_behaves_like 'not a package tracking event'
|
|
|
|
|
|
|
|
it 'returns an error' do
|
|
|
|
expect { upload_package_with_token }
|
|
|
|
.not_to change { project.packages.count }
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(:bad_request)
|
|
|
|
expect(response.body).to include('Validation failed: Package json structure is too large')
|
|
|
|
end
|
|
|
|
end
|
2020-11-11 07:09:06 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
def upload_package(package_name, params = {})
|
2021-02-11 10:09:11 -05:00
|
|
|
token = params.delete(:access_token) || params.delete(:job_token)
|
|
|
|
headers = build_token_auth_header(token)
|
|
|
|
put api("/projects/#{project.id}/packages/npm/#{package_name.sub('/', '%2f')}"), params: params, headers: headers
|
2020-11-11 07:09:06 -05:00
|
|
|
end
|
|
|
|
|
2021-09-14 14:12:06 -04:00
|
|
|
def upload_with_token(package_name, params = {})
|
2020-11-11 07:09:06 -05:00
|
|
|
upload_package(package_name, params.merge(access_token: token.token))
|
|
|
|
end
|
|
|
|
|
2021-09-14 14:12:06 -04:00
|
|
|
def upload_with_job_token(package_name, params = {})
|
2020-11-11 07:09:06 -05:00
|
|
|
upload_package(package_name, params.merge(job_token: job.token))
|
|
|
|
end
|
|
|
|
|
|
|
|
def upload_params(package_name:, package_version: '1.0.1', file: 'npm/payload.json')
|
|
|
|
Gitlab::Json.parse(fixture_file("packages/#{file}")
|
|
|
|
.gsub('@root/npm-test', package_name)
|
|
|
|
.gsub('1.0.1', package_version))
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|