Added builds_spec and git_http_specs
This commit is contained in:
parent
5f45ddc545
commit
ac6412d076
|
@ -117,7 +117,7 @@ class Projects::GitHttpClientController < Projects::ApplicationController
|
||||||
|
|
||||||
case auth_result.type
|
case auth_result.type
|
||||||
when :ci
|
when :ci
|
||||||
if download_request?
|
if auth_result.project == project && download_request?
|
||||||
@ci = true
|
@ci = true
|
||||||
else
|
else
|
||||||
return false
|
return false
|
||||||
|
|
|
@ -254,7 +254,8 @@ describe Ci::API::API do
|
||||||
let(:get_url) { ci_api("/builds/#{build.id}/artifacts") }
|
let(:get_url) { ci_api("/builds/#{build.id}/artifacts") }
|
||||||
let(:jwt_token) { JWT.encode({ 'iss' => 'gitlab-workhorse' }, Gitlab::Workhorse.secret, 'HS256') }
|
let(:jwt_token) { JWT.encode({ 'iss' => 'gitlab-workhorse' }, Gitlab::Workhorse.secret, 'HS256') }
|
||||||
let(:headers) { { "GitLab-Workhorse" => "1.0", Gitlab::Workhorse::INTERNAL_API_REQUEST_HEADER => jwt_token } }
|
let(:headers) { { "GitLab-Workhorse" => "1.0", Gitlab::Workhorse::INTERNAL_API_REQUEST_HEADER => jwt_token } }
|
||||||
let(:headers_with_token) { headers.merge(Ci::API::Helpers::BUILD_TOKEN_HEADER => build.token) }
|
let(:token) { build.token }
|
||||||
|
let(:headers_with_token) { headers.merge(Ci::API::Helpers::BUILD_TOKEN_HEADER => token) }
|
||||||
|
|
||||||
before { build.run! }
|
before { build.run! }
|
||||||
|
|
||||||
|
@ -274,6 +275,13 @@ describe Ci::API::API do
|
||||||
expect(json_response["TempPath"]).not_to be_nil
|
expect(json_response["TempPath"]).not_to be_nil
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it "using runners token" do
|
||||||
|
post authorize_url, { token: build.project.runners_token }, headers
|
||||||
|
expect(response).to have_http_status(200)
|
||||||
|
expect(response.content_type.to_s).to eq(Gitlab::Workhorse::INTERNAL_API_CONTENT_TYPE)
|
||||||
|
expect(json_response["TempPath"]).not_to be_nil
|
||||||
|
end
|
||||||
|
|
||||||
it "reject requests that did not go through gitlab-workhorse" do
|
it "reject requests that did not go through gitlab-workhorse" do
|
||||||
headers.delete(Gitlab::Workhorse::INTERNAL_API_REQUEST_HEADER)
|
headers.delete(Gitlab::Workhorse::INTERNAL_API_REQUEST_HEADER)
|
||||||
post authorize_url, { token: build.token }, headers
|
post authorize_url, { token: build.token }, headers
|
||||||
|
@ -358,6 +366,16 @@ describe Ci::API::API do
|
||||||
|
|
||||||
it_behaves_like 'successful artifacts upload'
|
it_behaves_like 'successful artifacts upload'
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'when using runners token' do
|
||||||
|
let(:token) { build.project.runners_token }
|
||||||
|
|
||||||
|
before do
|
||||||
|
upload_artifacts(file_upload, headers_with_token)
|
||||||
|
end
|
||||||
|
|
||||||
|
it_behaves_like 'successful artifacts upload'
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'posts artifacts file and metadata file' do
|
context 'posts artifacts file and metadata file' do
|
||||||
|
@ -497,19 +515,40 @@ describe Ci::API::API do
|
||||||
|
|
||||||
before do
|
before do
|
||||||
delete delete_url, token: build.token
|
delete delete_url, token: build.token
|
||||||
build.reload
|
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'removes build artifacts' do
|
shared_examples 'having removable artifacts' do
|
||||||
expect(response).to have_http_status(200)
|
it 'removes build artifacts' do
|
||||||
expect(build.artifacts_file.exists?).to be_falsy
|
build.reload
|
||||||
expect(build.artifacts_metadata.exists?).to be_falsy
|
|
||||||
expect(build.artifacts_size).to be_nil
|
expect(response).to have_http_status(200)
|
||||||
|
expect(build.artifacts_file.exists?).to be_falsy
|
||||||
|
expect(build.artifacts_metadata.exists?).to be_falsy
|
||||||
|
expect(build.artifacts_size).to be_nil
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when using build token' do
|
||||||
|
before do
|
||||||
|
delete delete_url, token: build.token
|
||||||
|
end
|
||||||
|
|
||||||
|
it_behaves_like 'having removable artifacts'
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when using runnners token' do
|
||||||
|
before do
|
||||||
|
delete delete_url, token: build.project.runners_token
|
||||||
|
end
|
||||||
|
|
||||||
|
it_behaves_like 'having removable artifacts'
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe 'GET /builds/:id/artifacts' do
|
describe 'GET /builds/:id/artifacts' do
|
||||||
before { get get_url, token: build.token }
|
before do
|
||||||
|
get get_url, token: token
|
||||||
|
end
|
||||||
|
|
||||||
context 'build has artifacts' do
|
context 'build has artifacts' do
|
||||||
let(:build) { create(:ci_build, :artifacts) }
|
let(:build) { create(:ci_build, :artifacts) }
|
||||||
|
@ -518,13 +557,29 @@ describe Ci::API::API do
|
||||||
'Content-Disposition' => 'attachment; filename=ci_build_artifacts.zip' }
|
'Content-Disposition' => 'attachment; filename=ci_build_artifacts.zip' }
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'downloads artifact' do
|
shared_examples 'having downloadable artifacts' do
|
||||||
expect(response).to have_http_status(200)
|
it 'download artifacts' do
|
||||||
expect(response.headers).to include download_headers
|
expect(response).to have_http_status(200)
|
||||||
|
expect(response.headers).to include download_headers
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when using build token' do
|
||||||
|
let(:token) { build.token }
|
||||||
|
|
||||||
|
it_behaves_like 'having downloadable artifacts'
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when using runnners token' do
|
||||||
|
let(:token) { build.project.runners_token }
|
||||||
|
|
||||||
|
it_behaves_like 'having downloadable artifacts'
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'build does not has artifacts' do
|
context 'build does not has artifacts' do
|
||||||
|
let(:token) { build.token }
|
||||||
|
|
||||||
it 'responds with not found' do
|
it 'responds with not found' do
|
||||||
expect(response).to have_http_status(404)
|
expect(response).to have_http_status(404)
|
||||||
end
|
end
|
||||||
|
|
|
@ -302,22 +302,77 @@ describe 'Git HTTP requests', lib: true do
|
||||||
context "when a gitlab ci token is provided" do
|
context "when a gitlab ci token is provided" do
|
||||||
let(:build) { create(:ci_build, :running) }
|
let(:build) { create(:ci_build, :running) }
|
||||||
let(:project) { build.project }
|
let(:project) { build.project }
|
||||||
|
let(:other_project) { create(:empty_project) }
|
||||||
|
|
||||||
before do
|
before do
|
||||||
project.project_feature.update_attributes(builds_access_level: ProjectFeature::ENABLED)
|
project.project_feature.update_attributes(builds_access_level: ProjectFeature::ENABLED)
|
||||||
end
|
end
|
||||||
|
|
||||||
it "downloads get status 200" do
|
context 'when build created by system is authenticated' do
|
||||||
clone_get "#{project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token
|
it "downloads get status 200" do
|
||||||
|
clone_get "#{project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token
|
||||||
|
|
||||||
expect(response).to have_http_status(200)
|
expect(response).to have_http_status(200)
|
||||||
expect(response.content_type.to_s).to eq(Gitlab::Workhorse::INTERNAL_API_CONTENT_TYPE)
|
expect(response.content_type.to_s).to eq(Gitlab::Workhorse::INTERNAL_API_CONTENT_TYPE)
|
||||||
|
end
|
||||||
|
|
||||||
|
it "uploads get status 401 (no project existence information leak)" do
|
||||||
|
push_get "#{project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token
|
||||||
|
|
||||||
|
expect(response).to have_http_status(401)
|
||||||
|
end
|
||||||
|
|
||||||
|
it "downloads from other project get status 401" do
|
||||||
|
clone_get "#{other_project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token
|
||||||
|
|
||||||
|
expect(response).to have_http_status(401)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
it "uploads get status 401 (no project existence information leak)" do
|
context 'and build created by' do
|
||||||
push_get "#{project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token
|
before do
|
||||||
|
build.update(user: user)
|
||||||
|
project.team << [user, :reporter]
|
||||||
|
end
|
||||||
|
|
||||||
expect(response).to have_http_status(401)
|
shared_examples 'can download code only from own projects' do
|
||||||
|
it 'downloads get status 200' do
|
||||||
|
clone_get "#{project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token
|
||||||
|
|
||||||
|
expect(response).to have_http_status(200)
|
||||||
|
expect(response.content_type.to_s).to eq(Gitlab::Workhorse::INTERNAL_API_CONTENT_TYPE)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'uploads get status 403' do
|
||||||
|
push_get "#{project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token
|
||||||
|
|
||||||
|
expect(response).to have_http_status(403)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'administrator' do
|
||||||
|
let(:user) { create(:admin) }
|
||||||
|
|
||||||
|
it_behaves_like 'can download code only from own projects'
|
||||||
|
|
||||||
|
it 'downloads from other project get status 403' do
|
||||||
|
clone_get "#{other_project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token
|
||||||
|
|
||||||
|
expect(response).to have_http_status(403)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'regular user' do
|
||||||
|
let(:user) { create(:user) }
|
||||||
|
|
||||||
|
it_behaves_like 'can download code only from own projects'
|
||||||
|
|
||||||
|
it 'downloads from other project get status 404' do
|
||||||
|
clone_get "#{other_project.path_with_namespace}.git", user: 'gitlab-ci-token', password: build.token
|
||||||
|
|
||||||
|
expect(response).to have_http_status(404)
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -45,7 +45,7 @@ describe JwtController do
|
||||||
|
|
||||||
context 'using User login' do
|
context 'using User login' do
|
||||||
let(:user) { create(:user) }
|
let(:user) { create(:user) }
|
||||||
let(:headers) { { authorization: credentials(user.username , user.password) } }
|
let(:headers) { { authorization: credentials(user.username, user.password) } }
|
||||||
|
|
||||||
subject! { get '/jwt/auth', parameters, headers }
|
subject! { get '/jwt/auth', parameters, headers }
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue