summaryrefslogtreecommitdiff
path: root/spec/requests/api/ci
diff options
context:
space:
mode:
Diffstat (limited to 'spec/requests/api/ci')
-rw-r--r--spec/requests/api/ci/pipelines_spec.rb2
-rw-r--r--spec/requests/api/ci/runner/runners_post_spec.rb85
-rw-r--r--spec/requests/api/ci/runner/runners_verify_post_spec.rb24
-rw-r--r--spec/requests/api/ci/runners_reset_registration_token_spec.rb2
-rw-r--r--spec/requests/api/ci/runners_spec.rb171
-rw-r--r--spec/requests/api/ci/secure_files_spec.rb314
6 files changed, 542 insertions, 56 deletions
diff --git a/spec/requests/api/ci/pipelines_spec.rb b/spec/requests/api/ci/pipelines_spec.rb
index 13838cffd76..1b87a5e24f5 100644
--- a/spec/requests/api/ci/pipelines_spec.rb
+++ b/spec/requests/api/ci/pipelines_spec.rb
@@ -988,7 +988,7 @@ RSpec.describe API::Ci::Pipelines do
describe 'DELETE /projects/:id/pipelines/:pipeline_id' do
context 'authorized user' do
- let(:owner) { project.owner }
+ let(:owner) { project.first_owner }
it 'destroys the pipeline' do
delete api("/projects/#{project.id}/pipelines/#{pipeline.id}", owner)
diff --git a/spec/requests/api/ci/runner/runners_post_spec.rb b/spec/requests/api/ci/runner/runners_post_spec.rb
index 530b601add9..5eb5d3977a3 100644
--- a/spec/requests/api/ci/runner/runners_post_spec.rb
+++ b/spec/requests/api/ci/runner/runners_post_spec.rb
@@ -30,11 +30,11 @@ RSpec.describe API::Ci::Runner, :clean_gitlab_redis_shared_state do
post api('/runners'), params: {
token: 'valid token',
description: 'server.hostname',
- maintainer_note: 'Some maintainer notes',
+ maintenance_note: 'Some maintainer notes',
run_untagged: false,
tag_list: 'tag1, tag2',
locked: true,
- active: true,
+ paused: false,
access_level: 'ref_protected',
maximum_timeout: 9000
}
@@ -46,7 +46,7 @@ RSpec.describe API::Ci::Runner, :clean_gitlab_redis_shared_state do
allow_next_instance_of(::Ci::RegisterRunnerService) do |service|
expected_params = {
description: 'server.hostname',
- maintainer_note: 'Some maintainer notes',
+ maintenance_note: 'Some maintainer notes',
run_untagged: false,
tag_list: %w(tag1 tag2),
locked: true,
@@ -55,19 +55,33 @@ RSpec.describe API::Ci::Runner, :clean_gitlab_redis_shared_state do
maximum_timeout: 9000
}.stringify_keys
- allow(service).to receive(:execute)
+ expect(service).to receive(:execute)
.once
.with('valid token', a_hash_including(expected_params))
.and_return(new_runner)
end
end
- it 'creates runner' do
- request
+ context 'when token_expires_at is nil' do
+ it 'creates runner' do
+ request
- expect(response).to have_gitlab_http_status(:created)
- expect(json_response['id']).to eq(new_runner.id)
- expect(json_response['token']).to eq(new_runner.token)
+ expect(response).to have_gitlab_http_status(:created)
+ expect(json_response).to eq({ 'id' => new_runner.id, 'token' => new_runner.token, 'token_expires_at' => nil })
+ end
+ end
+
+ context 'when token_expires_at is a valid date' do
+ before do
+ new_runner.token_expires_at = DateTime.new(2022, 1, 11, 14, 39, 24)
+ end
+
+ it 'creates runner' do
+ request
+
+ expect(response).to have_gitlab_http_status(:created)
+ expect(json_response).to eq({ 'id' => new_runner.id, 'token' => new_runner.token, 'token_expires_at' => '2022-01-11T14:39:24.000Z' })
+ end
end
it_behaves_like 'storing arguments in the application context for the API' do
@@ -81,6 +95,59 @@ RSpec.describe API::Ci::Runner, :clean_gitlab_redis_shared_state do
end
end
+ context 'when deprecated maintainer_note field is provided' do
+ RSpec::Matchers.define_negated_matcher :excluding, :include
+
+ def request
+ post api('/runners'), params: {
+ token: 'valid token',
+ maintainer_note: 'Some maintainer notes'
+ }
+ end
+
+ let(:new_runner) { create(:ci_runner) }
+
+ it 'converts to maintenance_note param' do
+ allow_next_instance_of(::Ci::RegisterRunnerService) do |service|
+ expect(service).to receive(:execute)
+ .once
+ .with('valid token', a_hash_including('maintenance_note' => 'Some maintainer notes')
+ .and(excluding('maintainter_note' => anything)))
+ .and_return(new_runner)
+ end
+
+ request
+
+ expect(response).to have_gitlab_http_status(:created)
+ end
+ end
+
+ context 'when deprecated active parameter is provided' do
+ def request
+ post api('/runners'), params: {
+ token: 'valid token',
+ active: false
+ }
+ end
+
+ let_it_be(:new_runner) { create(:ci_runner) }
+
+ it 'uses active value in registration' do
+ expect_next_instance_of(::Ci::RegisterRunnerService) do |service|
+ expected_params = { active: false }.stringify_keys
+
+ expect(service).to receive(:execute)
+ .once
+ .with('valid token', a_hash_including(expected_params))
+ .and_return(new_runner)
+ end
+
+ request
+
+ expect(response).to have_gitlab_http_status(:created)
+ end
+ end
+
context 'calling actual register service' do
include StubGitlabCalls
diff --git a/spec/requests/api/ci/runner/runners_verify_post_spec.rb b/spec/requests/api/ci/runner/runners_verify_post_spec.rb
index 4680076acae..038e126deaa 100644
--- a/spec/requests/api/ci/runner/runners_verify_post_spec.rb
+++ b/spec/requests/api/ci/runner/runners_verify_post_spec.rb
@@ -49,6 +49,30 @@ RSpec.describe API::Ci::Runner, :clean_gitlab_redis_shared_state do
let(:expected_params) { { client_id: "runner/#{runner.id}" } }
end
end
+
+ context 'when non-expired token is provided' do
+ subject { post api('/runners/verify'), params: { token: runner.token } }
+
+ it 'verifies Runner credentials' do
+ runner["token_expires_at"] = 10.days.from_now
+ runner.save!
+ subject
+
+ expect(response).to have_gitlab_http_status(:ok)
+ end
+ end
+
+ context 'when expired token is provided' do
+ subject { post api('/runners/verify'), params: { token: runner.token } }
+
+ it 'does not verify Runner credentials' do
+ runner["token_expires_at"] = 10.days.ago
+ runner.save!
+ subject
+
+ expect(response).to have_gitlab_http_status(:forbidden)
+ end
+ end
end
end
end
diff --git a/spec/requests/api/ci/runners_reset_registration_token_spec.rb b/spec/requests/api/ci/runners_reset_registration_token_spec.rb
index df64c0bd22b..e1dc347f8dd 100644
--- a/spec/requests/api/ci/runners_reset_registration_token_spec.rb
+++ b/spec/requests/api/ci/runners_reset_registration_token_spec.rb
@@ -138,7 +138,7 @@ RSpec.describe API::Ci::Runners do
end
include_context 'when authorized', 'project' do
- let_it_be(:user) { project.owner }
+ let_it_be(:user) { project.first_owner }
def get_token
project.reload.runners_token
diff --git a/spec/requests/api/ci/runners_spec.rb b/spec/requests/api/ci/runners_spec.rb
index 305c0bd9df0..336ce70d8d2 100644
--- a/spec/requests/api/ci/runners_spec.rb
+++ b/spec/requests/api/ci/runners_spec.rb
@@ -86,14 +86,24 @@ RSpec.describe API::Ci::Runners do
expect(response).to have_gitlab_http_status(:bad_request)
end
- it 'filters runners by status' do
- create(:ci_runner, :project, :inactive, description: 'Inactive project runner', projects: [project])
+ context 'with an inactive runner' do
+ let_it_be(:runner) { create(:ci_runner, :project, :inactive, description: 'Inactive project runner', projects: [project]) }
- get api('/runners?status=paused', user)
+ it 'filters runners by paused state' do
+ get api('/runners?paused=true', user)
- expect(json_response).to match_array [
- a_hash_including('description' => 'Inactive project runner')
- ]
+ expect(json_response).to match_array [
+ a_hash_including('description' => 'Inactive project runner')
+ ]
+ end
+
+ it 'filters runners by status' do
+ get api('/runners?status=paused', user)
+
+ expect(json_response).to match_array [
+ a_hash_including('description' => 'Inactive project runner')
+ ]
+ end
end
it 'does not filter by invalid status' do
@@ -109,7 +119,7 @@ RSpec.describe API::Ci::Runners do
get api('/runners?tag_list=tag1,tag2', user)
expect(json_response).to match_array [
- a_hash_including('description' => 'Runner tagged with tag1 and tag2')
+ a_hash_including('description' => 'Runner tagged with tag1 and tag2', 'active' => true, 'paused' => false)
]
end
end
@@ -137,7 +147,7 @@ RSpec.describe API::Ci::Runners do
get api('/runners/all', admin)
expect(json_response).to match_array [
- a_hash_including('description' => 'Project runner', 'is_shared' => false, 'runner_type' => 'project_type'),
+ a_hash_including('description' => 'Project runner', 'is_shared' => false, 'active' => true, 'paused' => false, 'runner_type' => 'project_type'),
a_hash_including('description' => 'Two projects runner', 'is_shared' => false, 'runner_type' => 'project_type'),
a_hash_including('description' => 'Group runner A', 'is_shared' => false, 'runner_type' => 'group_type'),
a_hash_including('description' => 'Group runner B', 'is_shared' => false, 'runner_type' => 'group_type'),
@@ -199,14 +209,24 @@ RSpec.describe API::Ci::Runners do
expect(response).to have_gitlab_http_status(:bad_request)
end
- it 'filters runners by status' do
- create(:ci_runner, :project, :inactive, description: 'Inactive project runner', projects: [project])
+ context 'with an inactive runner' do
+ let_it_be(:runner) { create(:ci_runner, :project, :inactive, description: 'Inactive project runner', projects: [project]) }
- get api('/runners/all?status=paused', admin)
+ it 'filters runners by status' do
+ get api('/runners/all?paused=true', admin)
- expect(json_response).to match_array [
- a_hash_including('description' => 'Inactive project runner')
- ]
+ expect(json_response).to match_array [
+ a_hash_including('description' => 'Inactive project runner')
+ ]
+ end
+
+ it 'filters runners by status' do
+ get api('/runners/all?status=paused', admin)
+
+ expect(json_response).to match_array [
+ a_hash_including('description' => 'Inactive project runner')
+ ]
+ end
end
it 'does not filter by invalid status' do
@@ -255,6 +275,8 @@ RSpec.describe API::Ci::Runners do
expect(json_response['description']).to eq(shared_runner.description)
expect(json_response['maximum_timeout']).to be_nil
expect(json_response['status']).to eq("not_connected")
+ expect(json_response['active']).to eq(true)
+ expect(json_response['paused']).to eq(false)
end
end
@@ -359,6 +381,14 @@ RSpec.describe API::Ci::Runners do
expect(shared_runner.reload.active).to eq(!active)
end
+ it 'runner paused state' do
+ active = shared_runner.active
+ update_runner(shared_runner.id, admin, paused: active)
+
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(shared_runner.reload.active).to eq(!active)
+ end
+
it 'runner tag list' do
update_runner(shared_runner.id, admin, tag_list: ['ruby2.1', 'pgsql', 'mysql'])
@@ -500,6 +530,10 @@ RSpec.describe API::Ci::Runners do
context 'admin user' do
context 'when runner is shared' do
it 'deletes runner' do
+ expect_next_instance_of(Ci::UnregisterRunnerService, shared_runner) do |service|
+ expect(service).to receive(:execute).once.and_call_original
+ end
+
expect do
delete api("/runners/#{shared_runner.id}", admin)
@@ -514,6 +548,10 @@ RSpec.describe API::Ci::Runners do
context 'when runner is not shared' do
it 'deletes used project runner' do
+ expect_next_instance_of(Ci::UnregisterRunnerService, project_runner) do |service|
+ expect(service).to receive(:execute).once.and_call_original
+ end
+
expect do
delete api("/runners/#{project_runner.id}", admin)
@@ -523,6 +561,10 @@ RSpec.describe API::Ci::Runners do
end
it 'returns 404 if runner does not exist' do
+ allow_next_instance_of(Ci::UnregisterRunnerService) do |service|
+ expect(service).not_to receive(:execute)
+ end
+
delete api('/runners/0', admin)
expect(response).to have_gitlab_http_status(:not_found)
@@ -604,6 +646,10 @@ RSpec.describe API::Ci::Runners do
context 'unauthorized user' do
it 'does not delete project runner' do
+ allow_next_instance_of(Ci::UnregisterRunnerService) do |service|
+ expect(service).not_to receive(:execute)
+ end
+
delete api("/runners/#{project_runner.id}")
expect(response).to have_gitlab_http_status(:unauthorized)
@@ -618,7 +664,7 @@ RSpec.describe API::Ci::Runners do
post api("/runners/#{shared_runner.id}/reset_authentication_token", admin)
expect(response).to have_gitlab_http_status(:success)
- expect(json_response).to eq({ 'token' => shared_runner.reload.token })
+ expect(json_response).to eq({ 'token' => shared_runner.reload.token, 'token_expires_at' => nil })
end.to change { shared_runner.reload.token }
end
@@ -642,7 +688,7 @@ RSpec.describe API::Ci::Runners do
post api("/runners/#{project_runner.id}/reset_authentication_token", user)
expect(response).to have_gitlab_http_status(:success)
- expect(json_response).to eq({ 'token' => project_runner.reload.token })
+ expect(json_response).to eq({ 'token' => project_runner.reload.token, 'token_expires_at' => nil })
end.to change { project_runner.reload.token }
end
@@ -683,7 +729,22 @@ RSpec.describe API::Ci::Runners do
post api("/runners/#{group_runner_a.id}/reset_authentication_token", user)
expect(response).to have_gitlab_http_status(:success)
- expect(json_response).to eq({ 'token' => group_runner_a.reload.token })
+ expect(json_response).to eq({ 'token' => group_runner_a.reload.token, 'token_expires_at' => nil })
+ end.to change { group_runner_a.reload.token }
+ end
+
+ it 'resets group runner authentication token with owner access with expiration time', :freeze_time do
+ expect(group_runner_a.reload.token_expires_at).to be_nil
+
+ group.update!(runner_token_expiration_interval: 5.days)
+
+ expect do
+ post api("/runners/#{group_runner_a.id}/reset_authentication_token", user)
+ group_runner_a.reload
+
+ expect(response).to have_gitlab_http_status(:success)
+ expect(json_response).to eq({ 'token' => group_runner_a.token, 'token_expires_at' => group_runner_a.token_expires_at.iso8601(3) })
+ expect(group_runner_a.token_expires_at).to eq(5.days.from_now)
end.to change { group_runner_a.reload.token }
end
end
@@ -908,9 +969,9 @@ RSpec.describe API::Ci::Runners do
get api("/projects/#{project.id}/runners", user)
expect(json_response).to match_array [
- a_hash_including('description' => 'Project runner'),
- a_hash_including('description' => 'Two projects runner'),
- a_hash_including('description' => 'Shared runner')
+ a_hash_including('description' => 'Project runner', 'active' => true, 'paused' => false),
+ a_hash_including('description' => 'Two projects runner', 'active' => true, 'paused' => false),
+ a_hash_including('description' => 'Shared runner', 'active' => true, 'paused' => false)
]
end
@@ -946,14 +1007,24 @@ RSpec.describe API::Ci::Runners do
expect(response).to have_gitlab_http_status(:bad_request)
end
- it 'filters runners by status' do
- create(:ci_runner, :project, :inactive, description: 'Inactive project runner', projects: [project])
+ context 'with an inactive runner' do
+ let_it_be(:runner) { create(:ci_runner, :project, :inactive, description: 'Inactive project runner', projects: [project]) }
- get api("/projects/#{project.id}/runners?status=paused", user)
+ it 'filters runners by status' do
+ get api("/projects/#{project.id}/runners?paused=true", user)
- expect(json_response).to match_array [
- a_hash_including('description' => 'Inactive project runner')
- ]
+ expect(json_response).to match_array [
+ a_hash_including('description' => 'Inactive project runner')
+ ]
+ end
+
+ it 'filters runners by status' do
+ get api("/projects/#{project.id}/runners?status=paused", user)
+
+ expect(json_response).to match_array [
+ a_hash_including('description' => 'Inactive project runner')
+ ]
+ end
end
it 'does not filter by invalid status' do
@@ -980,13 +1051,14 @@ RSpec.describe API::Ci::Runners do
end
end
- shared_context 'GET /groups/:id/runners' do
+ describe 'GET /groups/:id/runners' do
context 'authorized user with maintainer privileges' do
it 'returns all runners' do
get api("/groups/#{group.id}/runners", user)
expect(json_response).to match_array([
- a_hash_including('description' => 'Group runner A')
+ a_hash_including('description' => 'Group runner A', 'active' => true, 'paused' => false),
+ a_hash_including('description' => 'Shared runner', 'active' => true, 'paused' => false)
])
end
@@ -999,6 +1071,15 @@ RSpec.describe API::Ci::Runners do
])
end
+ it 'returns instance runners when instance_type is specified' do
+ get api("/groups/#{group.id}/runners?type=instance_type", user)
+
+ expect(json_response).to match_array([
+ a_hash_including('description' => 'Shared runner')
+ ])
+ end
+
+ # TODO: Remove in %15.0 (https://gitlab.com/gitlab-org/gitlab/-/issues/351466)
it 'returns empty result when type does not match' do
get api("/groups/#{group.id}/runners?type=project_type", user)
@@ -1012,21 +1093,31 @@ RSpec.describe API::Ci::Runners do
end
end
- context 'filter runners by status' do
- it 'returns runners by valid status' do
- create(:ci_runner, :group, :inactive, description: 'Inactive group runner', groups: [group])
+ context 'with an inactive runner' do
+ let_it_be(:runner) { create(:ci_runner, :group, :inactive, description: 'Inactive group runner', groups: [group]) }
- get api("/groups/#{group.id}/runners?status=paused", user)
+ it 'returns runners by paused state' do
+ get api("/groups/#{group.id}/runners?paused=true", user)
expect(json_response).to match_array([
a_hash_including('description' => 'Inactive group runner')
])
end
- it 'does not filter by invalid status' do
- get api("/groups/#{group.id}/runners?status=bogus", user)
+ context 'filter runners by status' do
+ it 'returns runners by valid status' do
+ get api("/groups/#{group.id}/runners?status=paused", user)
- expect(response).to have_gitlab_http_status(:bad_request)
+ expect(json_response).to match_array([
+ a_hash_including('description' => 'Inactive group runner')
+ ])
+ end
+
+ it 'does not filter by invalid status' do
+ get api("/groups/#{group.id}/runners?status=bogus", user)
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ end
end
end
@@ -1048,16 +1139,6 @@ RSpec.describe API::Ci::Runners do
end
end
- it_behaves_like 'GET /groups/:id/runners'
-
- context 'when the FF ci_find_runners_by_ci_mirrors is disabled' do
- before do
- stub_feature_flags(ci_find_runners_by_ci_mirrors: false)
- end
-
- it_behaves_like 'GET /groups/:id/runners'
- end
-
describe 'POST /projects/:id/runners' do
context 'authorized user' do
let_it_be(:project_runner2) { create(:ci_runner, :project, projects: [project2]) }
diff --git a/spec/requests/api/ci/secure_files_spec.rb b/spec/requests/api/ci/secure_files_spec.rb
new file mode 100644
index 00000000000..5cf6999f60a
--- /dev/null
+++ b/spec/requests/api/ci/secure_files_spec.rb
@@ -0,0 +1,314 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe API::Ci::SecureFiles do
+ before do
+ stub_ci_secure_file_object_storage
+ stub_feature_flags(ci_secure_files: true)
+ end
+
+ let_it_be(:user) { create(:user) }
+ let_it_be(:user2) { create(:user) }
+ let_it_be(:project) { create(:project, creator_id: user.id) }
+ let_it_be(:maintainer) { create(:project_member, :maintainer, user: user, project: project) }
+ let_it_be(:developer) { create(:project_member, :developer, user: user2, project: project) }
+ let_it_be(:secure_file) { create(:ci_secure_file, project: project) }
+
+ describe 'GET /projects/:id/secure_files' do
+ context 'feature flag' do
+ it 'returns a 503 when the feature flag is disabled' do
+ stub_feature_flags(ci_secure_files: false)
+
+ get api("/projects/#{project.id}/secure_files", user)
+
+ expect(response).to have_gitlab_http_status(:service_unavailable)
+ end
+
+ it 'returns a 200 when the feature flag is enabled' do
+ get api("/projects/#{project.id}/secure_files", user)
+
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(json_response).to be_a(Array)
+ end
+ end
+
+ context 'authorized user with proper permissions' do
+ it 'returns project secure files' do
+ get api("/projects/#{project.id}/secure_files", user)
+
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(json_response).to be_a(Array)
+ end
+ end
+
+ context 'authorized user with invalid permissions' do
+ it 'does not return project secure files' do
+ get api("/projects/#{project.id}/secure_files", user2)
+
+ expect(response).to have_gitlab_http_status(:forbidden)
+ end
+ end
+
+ context 'unauthorized user' do
+ it 'does not return project secure files' do
+ get api("/projects/#{project.id}/secure_files")
+
+ expect(response).to have_gitlab_http_status(:unauthorized)
+ end
+ end
+ end
+
+ describe 'GET /projects/:id/secure_files/:secure_file_id' do
+ context 'authorized user with proper permissions' do
+ it 'returns project secure file details' do
+ get api("/projects/#{project.id}/secure_files/#{secure_file.id}", user)
+
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(json_response['name']).to eq(secure_file.name)
+ expect(json_response['permissions']).to eq(secure_file.permissions)
+ end
+
+ it 'responds with 404 Not Found if requesting non-existing secure file' do
+ get api("/projects/#{project.id}/secure_files/99999", user)
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+ end
+
+ context 'authorized user with invalid permissions' do
+ it 'does not return project secure file details' do
+ get api("/projects/#{project.id}/secure_files/#{secure_file.id}", user2)
+
+ expect(response).to have_gitlab_http_status(:forbidden)
+ end
+ end
+
+ context 'unauthorized user' do
+ it 'does not return project secure file details' do
+ get api("/projects/#{project.id}/secure_files/#{secure_file.id}")
+
+ expect(response).to have_gitlab_http_status(:unauthorized)
+ end
+ end
+ end
+
+ describe 'GET /projects/:id/secure_files/:secure_file_id/download' do
+ context 'authorized user with proper permissions' do
+ it 'returns a secure file' do
+ sample_file = fixture_file('ci_secure_files/upload-keystore.jks')
+ secure_file.file = CarrierWaveStringFile.new(sample_file)
+ secure_file.save!
+
+ get api("/projects/#{project.id}/secure_files/#{secure_file.id}/download", user)
+
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(Base64.encode64(response.body)).to eq(Base64.encode64(sample_file))
+ end
+
+ it 'responds with 404 Not Found if requesting non-existing secure file' do
+ get api("/projects/#{project.id}/secure_files/99999/download", user)
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+ end
+
+ context 'authorized user with invalid permissions' do
+ it 'does not return project secure file details' do
+ get api("/projects/#{project.id}/secure_files/#{secure_file.id}/download", user2)
+
+ expect(response).to have_gitlab_http_status(:forbidden)
+ end
+ end
+
+ context 'unauthorized user' do
+ it 'does not return project secure file details' do
+ get api("/projects/#{project.id}/secure_files/#{secure_file.id}/download")
+
+ expect(response).to have_gitlab_http_status(:unauthorized)
+ end
+ end
+ end
+
+ describe 'POST /projects/:id/secure_files' do
+ context 'authorized user with proper permissions' do
+ it 'creates a secure file' do
+ params = {
+ file: fixture_file_upload('spec/fixtures/ci_secure_files/upload-keystore.jks'),
+ name: 'upload-keystore.jks',
+ permissions: 'execute'
+ }
+
+ expect do
+ post api("/projects/#{project.id}/secure_files", user), params: params
+ end.to change {project.secure_files.count}.by(1)
+
+ expect(response).to have_gitlab_http_status(:created)
+ expect(json_response['name']).to eq('upload-keystore.jks')
+ expect(json_response['permissions']).to eq('execute')
+ expect(json_response['checksum']).to eq(secure_file.checksum)
+ expect(json_response['checksum_algorithm']).to eq('sha256')
+
+ secure_file = Ci::SecureFile.find(json_response['id'])
+ expect(secure_file.checksum).to eq(
+ Digest::SHA256.hexdigest(fixture_file('ci_secure_files/upload-keystore.jks'))
+ )
+ expect(json_response['id']).to eq(secure_file.id)
+ end
+
+ it 'creates a secure file with read_only permissions by default' do
+ params = {
+ file: fixture_file_upload('spec/fixtures/ci_secure_files/upload-keystore.jks'),
+ name: 'upload-keystore.jks'
+ }
+
+ expect do
+ post api("/projects/#{project.id}/secure_files", user), params: params
+ end.to change {project.secure_files.count}.by(1)
+
+ expect(json_response['permissions']).to eq('read_only')
+ end
+
+ it 'uploads and downloads a secure file' do
+ post_params = {
+ file: fixture_file_upload('spec/fixtures/ci_secure_files/upload-keystore.jks'),
+ name: 'upload-keystore.jks',
+ permissions: 'read_write'
+ }
+
+ post api("/projects/#{project.id}/secure_files", user), params: post_params
+
+ secure_file_id = json_response['id']
+
+ get api("/projects/#{project.id}/secure_files/#{secure_file_id}/download", user)
+
+ expect(Base64.encode64(response.body)).to eq(Base64.encode64(fixture_file_upload('spec/fixtures/ci_secure_files/upload-keystore.jks').read))
+ end
+
+ it 'returns an error when the file checksum fails to validate' do
+ secure_file.update!(checksum: 'foo')
+
+ get api("/projects/#{project.id}/secure_files/#{secure_file.id}/download", user)
+
+ expect(response.code).to eq("500")
+ end
+
+ it 'returns an error when no file is uploaded' do
+ post_params = {
+ name: 'upload-keystore.jks'
+ }
+
+ post api("/projects/#{project.id}/secure_files", user), params: post_params
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ expect(json_response['error']).to eq('file is missing')
+ end
+
+ it 'returns an error when the file name is missing' do
+ post_params = {
+ file: fixture_file_upload('spec/fixtures/ci_secure_files/upload-keystore.jks')
+ }
+
+ post api("/projects/#{project.id}/secure_files", user), params: post_params
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ expect(json_response['error']).to eq('name is missing')
+ end
+
+ it 'returns an error when an unexpected permission is supplied' do
+ post_params = {
+ file: fixture_file_upload('spec/fixtures/ci_secure_files/upload-keystore.jks'),
+ name: 'upload-keystore.jks',
+ permissions: 'foo'
+ }
+
+ post api("/projects/#{project.id}/secure_files", user), params: post_params
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ expect(json_response['error']).to eq('permissions does not have a valid value')
+ end
+
+ it 'returns an error when an unexpected validation failure happens' do
+ allow_next_instance_of(Ci::SecureFile) do |instance|
+ allow(instance).to receive(:valid?).and_return(false)
+ allow(instance).to receive_message_chain(:errors, :any?).and_return(true)
+ allow(instance).to receive_message_chain(:errors, :messages).and_return(['Error 1', 'Error 2'])
+ end
+
+ post_params = {
+ file: fixture_file_upload('spec/fixtures/ci_secure_files/upload-keystore.jks'),
+ name: 'upload-keystore.jks'
+ }
+
+ post api("/projects/#{project.id}/secure_files", user), params: post_params
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ end
+
+ it 'returns a 413 error when the file size is too large' do
+ allow_next_instance_of(Ci::SecureFile) do |instance|
+ allow(instance).to receive_message_chain(:file, :size).and_return(6.megabytes.to_i)
+ end
+
+ post_params = {
+ file: fixture_file_upload('spec/fixtures/ci_secure_files/upload-keystore.jks'),
+ name: 'upload-keystore.jks'
+ }
+
+ post api("/projects/#{project.id}/secure_files", user), params: post_params
+
+ expect(response).to have_gitlab_http_status(:payload_too_large)
+ end
+ end
+
+ context 'authorized user with invalid permissions' do
+ it 'does not create a secure file' do
+ post api("/projects/#{project.id}/secure_files", user2)
+
+ expect(response).to have_gitlab_http_status(:forbidden)
+ end
+ end
+
+ context 'unauthorized user' do
+ it 'does not create a secure file' do
+ post api("/projects/#{project.id}/secure_files")
+
+ expect(response).to have_gitlab_http_status(:unauthorized)
+ end
+ end
+ end
+
+ describe 'DELETE /projects/:id/secure_files/:secure_file_id' do
+ context 'authorized user with proper permissions' do
+ it 'deletes the secure file' do
+ expect do
+ delete api("/projects/#{project.id}/secure_files/#{secure_file.id}", user)
+
+ expect(response).to have_gitlab_http_status(:no_content)
+ end.to change {project.secure_files.count}.by(-1)
+ end
+
+ it 'responds with 404 Not Found if requesting non-existing secure_file' do
+ delete api("/projects/#{project.id}/secure_files/99999", user)
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+ end
+
+ context 'authorized user with invalid permissions' do
+ it 'does not delete the secure_file' do
+ delete api("/projects/#{project.id}/secure_files/#{secure_file.id}", user2)
+
+ expect(response).to have_gitlab_http_status(:forbidden)
+ end
+ end
+
+ context 'unauthorized user' do
+ it 'does not delete the secure_file' do
+ delete api("/projects/#{project.id}/secure_files/#{secure_file.id}")
+
+ expect(response).to have_gitlab_http_status(:unauthorized)
+ end
+ end
+ end
+end
View Lorry Controller Status