Diffstat (limited to 'spec/controllers/projects/design_management/designs/raw_images_controller_spec.rb')
-rw-r--r--spec/controllers/projects/design_management/designs/raw_images_controller_spec.rb153
1 files changed, 153 insertions, 0 deletions
diff --git a/spec/controllers/projects/design_management/designs/raw_images_controller_spec.rb b/spec/controllers/projects/design_management/designs/raw_images_controller_spec.rb
new file mode 100644
index 00000000000..30d2b79a92f
--- /dev/null
+++ b/spec/controllers/projects/design_management/designs/raw_images_controller_spec.rb
@@ -0,0 +1,153 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Projects::DesignManagement::Designs::RawImagesController do
+ include DesignManagementTestHelpers
+
+ let_it_be(:project) { create(:project, :private) }
+ let_it_be(:issue) { create(:issue, project: project) }
+ let_it_be(:viewer) { issue.author }
+ let(:design_id) { design.id }
+ let(:sha) { design.versions.first.sha }
+ let(:filename) { design.filename }
+
+ before do
+ enable_design_management
+ end
+
+ describe 'GET #show' do
+ subject do
+ get(:show,
+ params: {
+ namespace_id: project.namespace,
+ project_id: project,
+ design_id: design_id,
+ sha: sha
+ })
+ end
+
+ before do
+ sign_in(viewer)
+ end
+
+ context 'when the design is not an LFS file' do
+ let_it_be(:design) { create(:design, :with_file, issue: issue, versions_count: 2) }
+
+ # For security, .svg images should only ever be served with Content-Disposition: attachment.
+ # If this specs ever fails we must assess whether we should be serving svg images.
+ # See https://gitlab.com/gitlab-org/gitlab/issues/12771
+ it 'serves files with `Content-Disposition: attachment`' do
+ subject
+
+ expect(response.header['Content-Disposition']).to eq('attachment')
+ expect(response).to have_gitlab_http_status(:ok)
+ end
+
+ it 'serves files with Workhorse' do
+ subject
+
+ expect(response.header[Gitlab::Workhorse::DETECT_HEADER]).to eq "true"
+ expect(response.header[Gitlab::Workhorse::SEND_DATA_HEADER]).to start_with('git-blob:')
+ expect(response).to have_gitlab_http_status(:ok)
+ end
+
+ it_behaves_like 'project cache control headers'
+
+ context 'when the user does not have permission' do
+ let_it_be(:viewer) { create(:user) }
+
+ specify do
+ subject
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+ end
+
+ context 'when design does not exist' do
+ let(:design_id) { 'foo' }
+
+ specify do
+ subject
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+ end
+
+ describe 'sha param' do
+ let(:newest_version) { design.versions.ordered.first }
+ let(:oldest_version) { design.versions.ordered.last }
+
+ shared_examples 'a successful request for sha' do
+ it do
+ expect_next_instance_of(DesignManagement::Repository) do |repository|
+ expect(repository).to receive(:blob_at).with(expected_ref, design.full_path).and_call_original
+ end
+
+ subject
+
+ expect(response).to have_gitlab_http_status(:ok)
+ end
+ end
+
+ specify { expect(newest_version.sha).not_to eq(oldest_version.sha) }
+
+ context 'when sha is the newest version sha' do
+ let(:sha) { newest_version.sha }
+ let(:expected_ref) { sha }
+
+ it_behaves_like 'a successful request for sha'
+ end
+
+ context 'when sha is the oldest version sha' do
+ let(:sha) { oldest_version.sha }
+ let(:expected_ref) { sha }
+
+ it_behaves_like 'a successful request for sha'
+ end
+
+ context 'when sha is nil' do
+ let(:sha) { nil }
+ let(:expected_ref) { 'master' }
+
+ it_behaves_like 'a successful request for sha'
+ end
+ end
+ end
+
+ context 'when the design is an LFS file' do
+ let_it_be(:design) { create(:design, :with_lfs_file, issue: issue) }
+
+ # For security, .svg images should only ever be served with Content-Disposition: attachment.
+ # If this specs ever fails we must assess whether we should be serving svg images.
+ # See https://gitlab.com/gitlab-org/gitlab/issues/12771
+ it 'serves files with `Content-Disposition: attachment`' do
+ subject
+
+ expect(response.header['Content-Disposition']).to eq(%Q(attachment; filename=\"#(unknown)\"; filename*=UTF-8''#(unknown)))
+ end
+
+ it 'sets appropriate caching headers' do
+ subject
+
+ expect(response.header['ETag']).to be_present
+ expect(response.header['Cache-Control']).to eq("max-age=60, private")
+ end
+ end
+
+ # Pass `skip_lfs_disabled_tests: true` to this shared example to disable
+ # the test scenarios for when LFS is disabled globally.
+ #
+ # When LFS is disabled then the design management feature also becomes disabled.
+ # When the feature is disabled, the `authorize :read_design` check within the
+ # controller will never authorize the user. Therefore #show will return a 403 and
+ # we cannot test the data that it serves.
+ it_behaves_like 'a controller that can serve LFS files', skip_lfs_disabled_tests: true do
+ let(:file) { fixture_file_upload('spec/fixtures/dk.png', '`/png') }
+ let(:lfs_pointer) { Gitlab::Git::LfsPointerFile.new(file.read) }
+ let(:design) { create(:design, :with_lfs_file, file: lfs_pointer.pointer, issue: issue) }
+ let(:lfs_oid) { project.design_repository.blob_at('HEAD', design.full_path).lfs_oid }
+ let(:filepath) { design.full_path }
+ end
+ end
+end
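Review bot: The two `Content-Disposition: attachment` examples (lines 55-60 and 139-143) do not exercise the case their comment guards against: the designs are built with `:with_file` / `:with_lfs_file` and nothing in the spec shows the fixture is an SVG, so a regression that serves `.svg` inline (e.g. branching on content type) would still pass. Consider adding a context with a design whose filename ends in `.svg` (constructed fixture) that repeats the header assertion, or reword the comment to `# For security, every design file, including .svg, must be served with Content-Disposition: attachment.` so the expectation matches what is tested. The comment at lines 157-159 says `#show` returns a 403 when the feature is disabled, while the permission-denied case at line 78 expects `:not_found`; the comment should state the status the controller actually returns. Minor: `If this specs ever fails` should read `If this spec ever fails` (lines 53 and 137), and the LFS expectation at line 142 appears mangled as rendered (`#(unknown)`), presumably an interpolation of `filename` — worth confirming in the committed file.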