diff options
Diffstat (limited to 'spec/lib/gitlab/ci/pipeline/chain/validate/external_spec.rb')
| -rw-r--r-- | spec/lib/gitlab/ci/pipeline/chain/validate/external_spec.rb | 201 |
1 files changed, 183 insertions, 18 deletions
diff --git a/spec/lib/gitlab/ci/pipeline/chain/validate/external_spec.rb b/spec/lib/gitlab/ci/pipeline/chain/validate/external_spec.rb index e55281f9705..caf3a053c4e 100644 --- a/spec/lib/gitlab/ci/pipeline/chain/validate/external_spec.rb +++ b/spec/lib/gitlab/ci/pipeline/chain/validate/external_spec.rb @@ -3,8 +3,8 @@ require 'spec_helper' RSpec.describe Gitlab::Ci::Pipeline::Chain::Validate::External do - let(:project) { create(:project) } - let(:user) { create(:user) } + let_it_be(:project) { create(:project) } + let_it_be(:user) { create(:user) } let(:pipeline) { build(:ci_empty_pipeline, user: user, project: project) } let!(:step) { described_class.new(pipeline, command) } @@ -42,6 +42,7 @@ RSpec.describe Gitlab::Ci::Pipeline::Chain::Validate::External do end let(:save_incompleted) { true } + let(:dot_com) { true } let(:command) do Gitlab::Ci::Pipeline::Chain::Command.new( project: project, current_user: user, yaml_processor_result: yaml_processor_result, save_incompleted: save_incompleted @@ -51,11 +52,79 @@ RSpec.describe Gitlab::Ci::Pipeline::Chain::Validate::External do describe '#perform!' do subject(:perform!) { step.perform! } - context 'when validation returns true' do + let(:validation_service_url) { 'https://validation-service.external/' } + + before do + stub_env('EXTERNAL_VALIDATION_SERVICE_URL', validation_service_url) + allow(Gitlab).to receive(:com?).and_return(dot_com) + allow(Labkit::Correlation::CorrelationId).to receive(:current_id).and_return('correlation-id') + end + + context 'with configuration values in ApplicationSetting' do + let(:alternate_validation_service_url) { 'https://alternate-validation-service.external/' } + let(:validation_service_token) { 'SECURE_TOKEN' } + let(:shorter_timeout) { described_class::DEFAULT_VALIDATION_REQUEST_TIMEOUT - 1 } + before do - allow(step).to receive(:validate_external).and_return(true) + stub_env('EXTERNAL_VALIDATION_SERVICE_TOKEN', 'TOKEN_IN_ENV') + allow(Gitlab::CurrentSettings.current_application_settings).to receive(:external_pipeline_validation_service_timeout).and_return(shorter_timeout) + allow(Gitlab::CurrentSettings.current_application_settings).to receive(:external_pipeline_validation_service_token).and_return(validation_service_token) + allow(Gitlab::CurrentSettings.current_application_settings).to receive(:external_pipeline_validation_service_url).and_return(alternate_validation_service_url) + end + + it 'uses those values rather than env vars or defaults' do + expect(::Gitlab::HTTP).to receive(:post) do |url, params| + expect(url).to eq(alternate_validation_service_url) + expect(params[:timeout]).to eq(shorter_timeout) + expect(params[:headers]).to include('X-Gitlab-Token' => validation_service_token) + expect(params[:timeout]).to eq(shorter_timeout) + end + + perform! + end + end + + it 'respects the defined payload schema' do + expect(::Gitlab::HTTP).to receive(:post) do |_url, params| + expect(params[:body]).to match_schema('/external_validation') + expect(params[:timeout]).to eq(described_class::DEFAULT_VALIDATION_REQUEST_TIMEOUT) + expect(params[:headers]).to eq({ 'X-Gitlab-Correlation-id' => 'correlation-id' }) + end + + perform! + end + + context 'with EXTERNAL_VALIDATION_SERVICE_TIMEOUT defined' do + before do + stub_env('EXTERNAL_VALIDATION_SERVICE_TIMEOUT', validation_service_timeout) + end + + context 'with valid value' do + let(:validation_service_timeout) { '1' } + + it 'uses defined timeout' do + expect(::Gitlab::HTTP).to receive(:post) do |_url, params| + expect(params[:timeout]).to eq(1) + end + + perform! + end + end + + context 'with invalid value' do + let(:validation_service_timeout) { '??' } + + it 'uses default timeout' do + expect(::Gitlab::HTTP).to receive(:post) do |_url, params| + expect(params[:timeout]).to eq(described_class::DEFAULT_VALIDATION_REQUEST_TIMEOUT) + end + + perform! + end end + end + shared_examples 'successful external authorization' do it 'does not drop the pipeline' do perform! @@ -76,9 +145,117 @@ RSpec.describe Gitlab::Ci::Pipeline::Chain::Validate::External do end end - context 'when validation return false' do + context 'when EXTERNAL_VALIDATION_SERVICE_TOKEN is set' do + before do + stub_env('EXTERNAL_VALIDATION_SERVICE_TOKEN', '123') + end + + it 'passes token in X-Gitlab-Token header' do + expect(::Gitlab::HTTP).to receive(:post) do |_url, params| + expect(params[:headers]).to include({ 'X-Gitlab-Token' => '123' }) + end + + perform! + end + end + + context 'when validation returns 200 OK' do + before do + stub_request(:post, validation_service_url).to_return(status: 200, body: "{}") + end + + it_behaves_like 'successful external authorization' + end + + context 'when validation returns 404 Not Found' do before do - allow(step).to receive(:validate_external).and_return(false) + stub_request(:post, validation_service_url).to_return(status: 404, body: "{}") + end + + it_behaves_like 'successful external authorization' + end + + context 'when validation returns 500 Internal Server Error' do + before do + stub_request(:post, validation_service_url).to_return(status: 500, body: "{}") + end + + it_behaves_like 'successful external authorization' + end + + context 'when validation raises exceptions' do + before do + stub_request(:post, validation_service_url).to_raise(Net::OpenTimeout) + end + + it_behaves_like 'successful external authorization' + + it 'logs exceptions' do + expect(Gitlab::ErrorTracking).to receive(:track_exception) + .with(instance_of(Net::OpenTimeout), { project_id: project.id }) + + perform! + end + end + + context 'when the feature flag is disabled' do + before do + stub_feature_flags(ci_external_validation_service: false) + stub_request(:post, validation_service_url) + end + + it 'does not drop the pipeline' do + perform! + + expect(pipeline.status).not_to eq('failed') + expect(pipeline.errors).to be_empty + end + + it 'does not break the chain' do + perform! + + expect(step.break?).to be false + end + + it 'does not make requests' do + perform! + + expect(WebMock).not_to have_requested(:post, validation_service_url) + end + end + + context 'when not on .com' do + let(:dot_com) { false } + + before do + stub_feature_flags(ci_external_validation_service: false) + stub_request(:post, validation_service_url).to_return(status: 404, body: "{}") + end + + it 'drops the pipeline' do + perform! + + expect(pipeline.status).to eq('failed') + expect(pipeline).to be_persisted + expect(pipeline.errors.to_a).to include('External validation failed') + end + + it 'breaks the chain' do + perform! + + expect(step.break?).to be true + end + + it 'logs the authorization' do + expect(Gitlab::AppLogger).to receive(:info).with(message: 'Pipeline not authorized', project_id: project.id, user_id: user.id) + + perform! + end + end + + context 'when validation returns 406 Not Acceptable' do + before do + stub_request(:post, validation_service_url).to_return(status: 406, body: "{}") end it 'drops the pipeline' do @@ -126,16 +303,4 @@ RSpec.describe Gitlab::Ci::Pipeline::Chain::Validate::External do end end end - - describe '#validation_service_payload' do - subject(:validation_service_payload) { step.send(:validation_service_payload, pipeline, command.yaml_processor_result.stages_attributes) } - - it 'respects the defined schema' do - expect(validation_service_payload).to match_schema('/external_validation') - end - - it 'does not fire sql queries' do - expect { validation_service_payload }.not_to exceed_query_limit(1) - end - end end |