Merge branch 'static-objects-external-storage' into 'master'

Enable serving static objects from an external storage

See merge request gitlab-org/gitlab-ce!31025

2 files changed, 150 insertions, 0 deletions

diff --git a/spec/controllers/concerns/static_object_external_storage_spec.rb b/spec/controllers/concerns/static_object_external_storage_spec.rb
new file mode 100644
index 00000000000..3a0219ddaa1
--- /dev/null
+++ b/spec/controllers/concerns/static_object_external_storage_spec.rb
@@ -0,0 +1,96 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe StaticObjectExternalStorage do
+  controller(Projects::ApplicationController) do
+    include StaticObjectExternalStorage # rubocop:disable RSpec/DescribedClass
+
+    before_action :redirect_to_external_storage, if: :static_objects_external_storage_enabled?
+
+    def show
+      head :ok
+    end
+  end
+
+  let(:project) { create(:project, :public) }
+  let(:user) { create(:user, static_object_token: 'hunter1') }
+
+  before do
+    project.add_developer(user)
+    sign_in(user)
+  end
+
+  context 'when external storage is not configured' do
+    it 'calls the action normally' do
+      expect(Gitlab::CurrentSettings.static_objects_external_storage_url).to be_blank
+
+      do_request
+
+      expect(response).to have_gitlab_http_status(200)
+    end
+  end
+
+  context 'when external storage is configured' do
+    before do
+      allow_any_instance_of(ApplicationSetting).to receive(:static_objects_external_storage_url).and_return('https://cdn.gitlab.com')
+      allow_any_instance_of(ApplicationSetting).to receive(:static_objects_external_storage_auth_token).and_return('letmein')
+
+      routes.draw { get '/:namespace_id/:id' => 'projects/application#show' }
+    end
+
+    context 'when external storage token is empty' do
+      let(:base_redirect_url) { "https://cdn.gitlab.com/#{project.namespace.to_param}/#{project.to_param}" }
+
+      context 'when project is public' do
+        it 'redirects to external storage URL without adding a token parameter' do
+          do_request
+
+          expect(response).to redirect_to(base_redirect_url)
+        end
+      end
+
+      context 'when project is not public' do
+        let(:project) { create(:project, :private) }
+
+        it 'redirects to external storage URL a token parameter added' do
+          do_request
+
+          expect(response).to redirect_to("#{base_redirect_url}?token=#{user.static_object_token}")
+        end
+
+        context 'when path includes extra parameters' do
+          it 'includes the parameters in the redirect URL' do
+            do_request(foo: 'bar')
+
+            expect(response.location).to eq("#{base_redirect_url}?foo=bar&token=#{user.static_object_token}")
+          end
+        end
+      end
+    end
+
+    context 'when external storage token is present' do
+      context 'when token is correct' do
+        it 'calls the action normally' do
+          request.headers['X-Gitlab-External-Storage-Token'] = 'letmein'
+          do_request
+
+          expect(response).to have_gitlab_http_status(200)
+        end
+      end
+
+      context 'when token is incorrect' do
+        it 'return 403' do
+          request.headers['X-Gitlab-External-Storage-Token'] = 'donotletmein'
+          do_request
+
+          expect(response).to have_gitlab_http_status(403)
+        end
+      end
+    end
+  end
+
+  def do_request(extra_params = {})
+    get :show, params: { namespace_id: project.namespace, id: project }.merge(extra_params)
+  end
+end
diff --git a/spec/controllers/projects/repositories_controller_spec.rb b/spec/controllers/projects/repositories_controller_spec.rb
index fcab4d73dca..084644484c5 100644
--- a/spec/controllers/projects/repositories_controller_spec.rb
+++ b/spec/controllers/projects/repositories_controller_spec.rb
@@ -125,5 +125,59 @@ describe Projects::RepositoriesController do
         end
       end
     end
+
+    context 'as a sessionless user' do
+      let(:user) { create(:user) }
+
+      before do
+        project.add_developer(user)
+      end
+
+      context 'when no token is provided' do
+        it 'redirects to sign in page' do
+          get :archive, params: { namespace_id: project.namespace, project_id: project, id: 'master' }, format: 'zip'
+
+          expect(response).to have_gitlab_http_status(302)
+        end
+      end
+
+      context 'when a token param is present' do
+        context 'when token is correct' do
+          it 'calls the action normally' do
+            get :archive, params: { namespace_id: project.namespace, project_id: project, id: 'master', token: user.static_object_token }, format: 'zip'
+
+            expect(response).to have_gitlab_http_status(200)
+          end
+        end
+
+        context 'when token is incorrect' do
+          it 'redirects to sign in page' do
+            get :archive, params: { namespace_id: project.namespace, project_id: project, id: 'master', token: 'foobar' }, format: 'zip'
+
+            expect(response).to have_gitlab_http_status(302)
+          end
+        end
+      end
+
+      context 'when a token header is present' do
+        context 'when token is correct' do
+          it 'calls the action normally' do
+            request.headers['X-Gitlab-Static-Object-Token'] = user.static_object_token
+            get :archive, params: { namespace_id: project.namespace, project_id: project, id: 'master' }, format: 'zip'
+
+            expect(response).to have_gitlab_http_status(200)
+          end
+        end
+
+        context 'when token is incorrect' do
+          it 'redirects to sign in page' do
+            request.headers['X-Gitlab-Static-Object-Token'] = 'foobar'
+            get :archive, params: { namespace_id: project.namespace, project_id: project, id: 'master' }, format: 'zip'
+
+            expect(response).to have_gitlab_http_status(302)
+          end
+        end
+      end
+    end
   end
 end