diff options
Diffstat (limited to 'spec/requests/api/ci')
-rw-r--r-- | spec/requests/api/ci/pipelines_spec.rb | 2 | ||||
-rw-r--r-- | spec/requests/api/ci/runner/runners_post_spec.rb | 85 | ||||
-rw-r--r-- | spec/requests/api/ci/runner/runners_verify_post_spec.rb | 24 | ||||
-rw-r--r-- | spec/requests/api/ci/runners_reset_registration_token_spec.rb | 2 | ||||
-rw-r--r-- | spec/requests/api/ci/runners_spec.rb | 171 | ||||
-rw-r--r-- | spec/requests/api/ci/secure_files_spec.rb | 314 |
6 files changed, 542 insertions, 56 deletions
diff --git a/spec/requests/api/ci/pipelines_spec.rb b/spec/requests/api/ci/pipelines_spec.rb index 13838cffd76..1b87a5e24f5 100644 --- a/spec/requests/api/ci/pipelines_spec.rb +++ b/spec/requests/api/ci/pipelines_spec.rb @@ -988,7 +988,7 @@ RSpec.describe API::Ci::Pipelines do describe 'DELETE /projects/:id/pipelines/:pipeline_id' do context 'authorized user' do - let(:owner) { project.owner } + let(:owner) { project.first_owner } it 'destroys the pipeline' do delete api("/projects/#{project.id}/pipelines/#{pipeline.id}", owner) diff --git a/spec/requests/api/ci/runner/runners_post_spec.rb b/spec/requests/api/ci/runner/runners_post_spec.rb index 530b601add9..5eb5d3977a3 100644 --- a/spec/requests/api/ci/runner/runners_post_spec.rb +++ b/spec/requests/api/ci/runner/runners_post_spec.rb @@ -30,11 +30,11 @@ RSpec.describe API::Ci::Runner, :clean_gitlab_redis_shared_state do post api('/runners'), params: { token: 'valid token', description: 'server.hostname', - maintainer_note: 'Some maintainer notes', + maintenance_note: 'Some maintainer notes', run_untagged: false, tag_list: 'tag1, tag2', locked: true, - active: true, + paused: false, access_level: 'ref_protected', maximum_timeout: 9000 } @@ -46,7 +46,7 @@ RSpec.describe API::Ci::Runner, :clean_gitlab_redis_shared_state do allow_next_instance_of(::Ci::RegisterRunnerService) do |service| expected_params = { description: 'server.hostname', - maintainer_note: 'Some maintainer notes', + maintenance_note: 'Some maintainer notes', run_untagged: false, tag_list: %w(tag1 tag2), locked: true, @@ -55,19 +55,33 @@ RSpec.describe API::Ci::Runner, :clean_gitlab_redis_shared_state do maximum_timeout: 9000 }.stringify_keys - allow(service).to receive(:execute) + expect(service).to receive(:execute) .once .with('valid token', a_hash_including(expected_params)) .and_return(new_runner) end end - it 'creates runner' do - request + context 'when token_expires_at is nil' do + it 'creates runner' do + request - expect(response).to have_gitlab_http_status(:created) - expect(json_response['id']).to eq(new_runner.id) - expect(json_response['token']).to eq(new_runner.token) + expect(response).to have_gitlab_http_status(:created) + expect(json_response).to eq({ 'id' => new_runner.id, 'token' => new_runner.token, 'token_expires_at' => nil }) + end + end + + context 'when token_expires_at is a valid date' do + before do + new_runner.token_expires_at = DateTime.new(2022, 1, 11, 14, 39, 24) + end + + it 'creates runner' do + request + + expect(response).to have_gitlab_http_status(:created) + expect(json_response).to eq({ 'id' => new_runner.id, 'token' => new_runner.token, 'token_expires_at' => '2022-01-11T14:39:24.000Z' }) + end end it_behaves_like 'storing arguments in the application context for the API' do @@ -81,6 +95,59 @@ RSpec.describe API::Ci::Runner, :clean_gitlab_redis_shared_state do end end + context 'when deprecated maintainer_note field is provided' do + RSpec::Matchers.define_negated_matcher :excluding, :include + + def request + post api('/runners'), params: { + token: 'valid token', + maintainer_note: 'Some maintainer notes' + } + end + + let(:new_runner) { create(:ci_runner) } + + it 'converts to maintenance_note param' do + allow_next_instance_of(::Ci::RegisterRunnerService) do |service| + expect(service).to receive(:execute) + .once + .with('valid token', a_hash_including('maintenance_note' => 'Some maintainer notes') + .and(excluding('maintainter_note' => anything))) + .and_return(new_runner) + end + + request + + expect(response).to have_gitlab_http_status(:created) + end + end + + context 'when deprecated active parameter is provided' do + def request + post api('/runners'), params: { + token: 'valid token', + active: false + } + end + + let_it_be(:new_runner) { create(:ci_runner) } + + it 'uses active value in registration' do + expect_next_instance_of(::Ci::RegisterRunnerService) do |service| + expected_params = { active: false }.stringify_keys + + expect(service).to receive(:execute) + .once + .with('valid token', a_hash_including(expected_params)) + .and_return(new_runner) + end + + request + + expect(response).to have_gitlab_http_status(:created) + end + end + context 'calling actual register service' do include StubGitlabCalls diff --git a/spec/requests/api/ci/runner/runners_verify_post_spec.rb b/spec/requests/api/ci/runner/runners_verify_post_spec.rb index 4680076acae..038e126deaa 100644 --- a/spec/requests/api/ci/runner/runners_verify_post_spec.rb +++ b/spec/requests/api/ci/runner/runners_verify_post_spec.rb @@ -49,6 +49,30 @@ RSpec.describe API::Ci::Runner, :clean_gitlab_redis_shared_state do let(:expected_params) { { client_id: "runner/#{runner.id}" } } end end + + context 'when non-expired token is provided' do + subject { post api('/runners/verify'), params: { token: runner.token } } + + it 'verifies Runner credentials' do + runner["token_expires_at"] = 10.days.from_now + runner.save! + subject + + expect(response).to have_gitlab_http_status(:ok) + end + end + + context 'when expired token is provided' do + subject { post api('/runners/verify'), params: { token: runner.token } } + + it 'does not verify Runner credentials' do + runner["token_expires_at"] = 10.days.ago + runner.save! + subject + + expect(response).to have_gitlab_http_status(:forbidden) + end + end end end end diff --git a/spec/requests/api/ci/runners_reset_registration_token_spec.rb b/spec/requests/api/ci/runners_reset_registration_token_spec.rb index df64c0bd22b..e1dc347f8dd 100644 --- a/spec/requests/api/ci/runners_reset_registration_token_spec.rb +++ b/spec/requests/api/ci/runners_reset_registration_token_spec.rb @@ -138,7 +138,7 @@ RSpec.describe API::Ci::Runners do end include_context 'when authorized', 'project' do - let_it_be(:user) { project.owner } + let_it_be(:user) { project.first_owner } def get_token project.reload.runners_token diff --git a/spec/requests/api/ci/runners_spec.rb b/spec/requests/api/ci/runners_spec.rb index 305c0bd9df0..336ce70d8d2 100644 --- a/spec/requests/api/ci/runners_spec.rb +++ b/spec/requests/api/ci/runners_spec.rb @@ -86,14 +86,24 @@ RSpec.describe API::Ci::Runners do expect(response).to have_gitlab_http_status(:bad_request) end - it 'filters runners by status' do - create(:ci_runner, :project, :inactive, description: 'Inactive project runner', projects: [project]) + context 'with an inactive runner' do + let_it_be(:runner) { create(:ci_runner, :project, :inactive, description: 'Inactive project runner', projects: [project]) } - get api('/runners?status=paused', user) + it 'filters runners by paused state' do + get api('/runners?paused=true', user) - expect(json_response).to match_array [ - a_hash_including('description' => 'Inactive project runner') - ] + expect(json_response).to match_array [ + a_hash_including('description' => 'Inactive project runner') + ] + end + + it 'filters runners by status' do + get api('/runners?status=paused', user) + + expect(json_response).to match_array [ + a_hash_including('description' => 'Inactive project runner') + ] + end end it 'does not filter by invalid status' do @@ -109,7 +119,7 @@ RSpec.describe API::Ci::Runners do get api('/runners?tag_list=tag1,tag2', user) expect(json_response).to match_array [ - a_hash_including('description' => 'Runner tagged with tag1 and tag2') + a_hash_including('description' => 'Runner tagged with tag1 and tag2', 'active' => true, 'paused' => false) ] end end @@ -137,7 +147,7 @@ RSpec.describe API::Ci::Runners do get api('/runners/all', admin) expect(json_response).to match_array [ - a_hash_including('description' => 'Project runner', 'is_shared' => false, 'runner_type' => 'project_type'), + a_hash_including('description' => 'Project runner', 'is_shared' => false, 'active' => true, 'paused' => false, 'runner_type' => 'project_type'), a_hash_including('description' => 'Two projects runner', 'is_shared' => false, 'runner_type' => 'project_type'), a_hash_including('description' => 'Group runner A', 'is_shared' => false, 'runner_type' => 'group_type'), a_hash_including('description' => 'Group runner B', 'is_shared' => false, 'runner_type' => 'group_type'), @@ -199,14 +209,24 @@ RSpec.describe API::Ci::Runners do expect(response).to have_gitlab_http_status(:bad_request) end - it 'filters runners by status' do - create(:ci_runner, :project, :inactive, description: 'Inactive project runner', projects: [project]) + context 'with an inactive runner' do + let_it_be(:runner) { create(:ci_runner, :project, :inactive, description: 'Inactive project runner', projects: [project]) } - get api('/runners/all?status=paused', admin) + it 'filters runners by status' do + get api('/runners/all?paused=true', admin) - expect(json_response).to match_array [ - a_hash_including('description' => 'Inactive project runner') - ] + expect(json_response).to match_array [ + a_hash_including('description' => 'Inactive project runner') + ] + end + + it 'filters runners by status' do + get api('/runners/all?status=paused', admin) + + expect(json_response).to match_array [ + a_hash_including('description' => 'Inactive project runner') + ] + end end it 'does not filter by invalid status' do @@ -255,6 +275,8 @@ RSpec.describe API::Ci::Runners do expect(json_response['description']).to eq(shared_runner.description) expect(json_response['maximum_timeout']).to be_nil expect(json_response['status']).to eq("not_connected") + expect(json_response['active']).to eq(true) + expect(json_response['paused']).to eq(false) end end @@ -359,6 +381,14 @@ RSpec.describe API::Ci::Runners do expect(shared_runner.reload.active).to eq(!active) end + it 'runner paused state' do + active = shared_runner.active + update_runner(shared_runner.id, admin, paused: active) + + expect(response).to have_gitlab_http_status(:ok) + expect(shared_runner.reload.active).to eq(!active) + end + it 'runner tag list' do update_runner(shared_runner.id, admin, tag_list: ['ruby2.1', 'pgsql', 'mysql']) @@ -500,6 +530,10 @@ RSpec.describe API::Ci::Runners do context 'admin user' do context 'when runner is shared' do it 'deletes runner' do + expect_next_instance_of(Ci::UnregisterRunnerService, shared_runner) do |service| + expect(service).to receive(:execute).once.and_call_original + end + expect do delete api("/runners/#{shared_runner.id}", admin) @@ -514,6 +548,10 @@ RSpec.describe API::Ci::Runners do context 'when runner is not shared' do it 'deletes used project runner' do + expect_next_instance_of(Ci::UnregisterRunnerService, project_runner) do |service| + expect(service).to receive(:execute).once.and_call_original + end + expect do delete api("/runners/#{project_runner.id}", admin) @@ -523,6 +561,10 @@ RSpec.describe API::Ci::Runners do end it 'returns 404 if runner does not exist' do + allow_next_instance_of(Ci::UnregisterRunnerService) do |service| + expect(service).not_to receive(:execute) + end + delete api('/runners/0', admin) expect(response).to have_gitlab_http_status(:not_found) @@ -604,6 +646,10 @@ RSpec.describe API::Ci::Runners do context 'unauthorized user' do it 'does not delete project runner' do + allow_next_instance_of(Ci::UnregisterRunnerService) do |service| + expect(service).not_to receive(:execute) + end + delete api("/runners/#{project_runner.id}") expect(response).to have_gitlab_http_status(:unauthorized) @@ -618,7 +664,7 @@ RSpec.describe API::Ci::Runners do post api("/runners/#{shared_runner.id}/reset_authentication_token", admin) expect(response).to have_gitlab_http_status(:success) - expect(json_response).to eq({ 'token' => shared_runner.reload.token }) + expect(json_response).to eq({ 'token' => shared_runner.reload.token, 'token_expires_at' => nil }) end.to change { shared_runner.reload.token } end @@ -642,7 +688,7 @@ RSpec.describe API::Ci::Runners do post api("/runners/#{project_runner.id}/reset_authentication_token", user) expect(response).to have_gitlab_http_status(:success) - expect(json_response).to eq({ 'token' => project_runner.reload.token }) + expect(json_response).to eq({ 'token' => project_runner.reload.token, 'token_expires_at' => nil }) end.to change { project_runner.reload.token } end @@ -683,7 +729,22 @@ RSpec.describe API::Ci::Runners do post api("/runners/#{group_runner_a.id}/reset_authentication_token", user) expect(response).to have_gitlab_http_status(:success) - expect(json_response).to eq({ 'token' => group_runner_a.reload.token }) + expect(json_response).to eq({ 'token' => group_runner_a.reload.token, 'token_expires_at' => nil }) + end.to change { group_runner_a.reload.token } + end + + it 'resets group runner authentication token with owner access with expiration time', :freeze_time do + expect(group_runner_a.reload.token_expires_at).to be_nil + + group.update!(runner_token_expiration_interval: 5.days) + + expect do + post api("/runners/#{group_runner_a.id}/reset_authentication_token", user) + group_runner_a.reload + + expect(response).to have_gitlab_http_status(:success) + expect(json_response).to eq({ 'token' => group_runner_a.token, 'token_expires_at' => group_runner_a.token_expires_at.iso8601(3) }) + expect(group_runner_a.token_expires_at).to eq(5.days.from_now) end.to change { group_runner_a.reload.token } end end @@ -908,9 +969,9 @@ RSpec.describe API::Ci::Runners do get api("/projects/#{project.id}/runners", user) expect(json_response).to match_array [ - a_hash_including('description' => 'Project runner'), - a_hash_including('description' => 'Two projects runner'), - a_hash_including('description' => 'Shared runner') + a_hash_including('description' => 'Project runner', 'active' => true, 'paused' => false), + a_hash_including('description' => 'Two projects runner', 'active' => true, 'paused' => false), + a_hash_including('description' => 'Shared runner', 'active' => true, 'paused' => false) ] end @@ -946,14 +1007,24 @@ RSpec.describe API::Ci::Runners do expect(response).to have_gitlab_http_status(:bad_request) end - it 'filters runners by status' do - create(:ci_runner, :project, :inactive, description: 'Inactive project runner', projects: [project]) + context 'with an inactive runner' do + let_it_be(:runner) { create(:ci_runner, :project, :inactive, description: 'Inactive project runner', projects: [project]) } - get api("/projects/#{project.id}/runners?status=paused", user) + it 'filters runners by status' do + get api("/projects/#{project.id}/runners?paused=true", user) - expect(json_response).to match_array [ - a_hash_including('description' => 'Inactive project runner') - ] + expect(json_response).to match_array [ + a_hash_including('description' => 'Inactive project runner') + ] + end + + it 'filters runners by status' do + get api("/projects/#{project.id}/runners?status=paused", user) + + expect(json_response).to match_array [ + a_hash_including('description' => 'Inactive project runner') + ] + end end it 'does not filter by invalid status' do @@ -980,13 +1051,14 @@ RSpec.describe API::Ci::Runners do end end - shared_context 'GET /groups/:id/runners' do + describe 'GET /groups/:id/runners' do context 'authorized user with maintainer privileges' do it 'returns all runners' do get api("/groups/#{group.id}/runners", user) expect(json_response).to match_array([ - a_hash_including('description' => 'Group runner A') + a_hash_including('description' => 'Group runner A', 'active' => true, 'paused' => false), + a_hash_including('description' => 'Shared runner', 'active' => true, 'paused' => false) ]) end @@ -999,6 +1071,15 @@ RSpec.describe API::Ci::Runners do ]) end + it 'returns instance runners when instance_type is specified' do + get api("/groups/#{group.id}/runners?type=instance_type", user) + + expect(json_response).to match_array([ + a_hash_including('description' => 'Shared runner') + ]) + end + + # TODO: Remove in %15.0 (https://gitlab.com/gitlab-org/gitlab/-/issues/351466) it 'returns empty result when type does not match' do get api("/groups/#{group.id}/runners?type=project_type", user) @@ -1012,21 +1093,31 @@ RSpec.describe API::Ci::Runners do end end - context 'filter runners by status' do - it 'returns runners by valid status' do - create(:ci_runner, :group, :inactive, description: 'Inactive group runner', groups: [group]) + context 'with an inactive runner' do + let_it_be(:runner) { create(:ci_runner, :group, :inactive, description: 'Inactive group runner', groups: [group]) } - get api("/groups/#{group.id}/runners?status=paused", user) + it 'returns runners by paused state' do + get api("/groups/#{group.id}/runners?paused=true", user) expect(json_response).to match_array([ a_hash_including('description' => 'Inactive group runner') ]) end - it 'does not filter by invalid status' do - get api("/groups/#{group.id}/runners?status=bogus", user) + context 'filter runners by status' do + it 'returns runners by valid status' do + get api("/groups/#{group.id}/runners?status=paused", user) - expect(response).to have_gitlab_http_status(:bad_request) + expect(json_response).to match_array([ + a_hash_including('description' => 'Inactive group runner') + ]) + end + + it 'does not filter by invalid status' do + get api("/groups/#{group.id}/runners?status=bogus", user) + + expect(response).to have_gitlab_http_status(:bad_request) + end end end @@ -1048,16 +1139,6 @@ RSpec.describe API::Ci::Runners do end end - it_behaves_like 'GET /groups/:id/runners' - - context 'when the FF ci_find_runners_by_ci_mirrors is disabled' do - before do - stub_feature_flags(ci_find_runners_by_ci_mirrors: false) - end - - it_behaves_like 'GET /groups/:id/runners' - end - describe 'POST /projects/:id/runners' do context 'authorized user' do let_it_be(:project_runner2) { create(:ci_runner, :project, projects: [project2]) } diff --git a/spec/requests/api/ci/secure_files_spec.rb b/spec/requests/api/ci/secure_files_spec.rb new file mode 100644 index 00000000000..5cf6999f60a --- /dev/null +++ b/spec/requests/api/ci/secure_files_spec.rb @@ -0,0 +1,314 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe API::Ci::SecureFiles do + before do + stub_ci_secure_file_object_storage + stub_feature_flags(ci_secure_files: true) + end + + let_it_be(:user) { create(:user) } + let_it_be(:user2) { create(:user) } + let_it_be(:project) { create(:project, creator_id: user.id) } + let_it_be(:maintainer) { create(:project_member, :maintainer, user: user, project: project) } + let_it_be(:developer) { create(:project_member, :developer, user: user2, project: project) } + let_it_be(:secure_file) { create(:ci_secure_file, project: project) } + + describe 'GET /projects/:id/secure_files' do + context 'feature flag' do + it 'returns a 503 when the feature flag is disabled' do + stub_feature_flags(ci_secure_files: false) + + get api("/projects/#{project.id}/secure_files", user) + + expect(response).to have_gitlab_http_status(:service_unavailable) + end + + it 'returns a 200 when the feature flag is enabled' do + get api("/projects/#{project.id}/secure_files", user) + + expect(response).to have_gitlab_http_status(:ok) + expect(json_response).to be_a(Array) + end + end + + context 'authorized user with proper permissions' do + it 'returns project secure files' do + get api("/projects/#{project.id}/secure_files", user) + + expect(response).to have_gitlab_http_status(:ok) + expect(json_response).to be_a(Array) + end + end + + context 'authorized user with invalid permissions' do + it 'does not return project secure files' do + get api("/projects/#{project.id}/secure_files", user2) + + expect(response).to have_gitlab_http_status(:forbidden) + end + end + + context 'unauthorized user' do + it 'does not return project secure files' do + get api("/projects/#{project.id}/secure_files") + + expect(response).to have_gitlab_http_status(:unauthorized) + end + end + end + + describe 'GET /projects/:id/secure_files/:secure_file_id' do + context 'authorized user with proper permissions' do + it 'returns project secure file details' do + get api("/projects/#{project.id}/secure_files/#{secure_file.id}", user) + + expect(response).to have_gitlab_http_status(:ok) + expect(json_response['name']).to eq(secure_file.name) + expect(json_response['permissions']).to eq(secure_file.permissions) + end + + it 'responds with 404 Not Found if requesting non-existing secure file' do + get api("/projects/#{project.id}/secure_files/99999", user) + + expect(response).to have_gitlab_http_status(:not_found) + end + end + + context 'authorized user with invalid permissions' do + it 'does not return project secure file details' do + get api("/projects/#{project.id}/secure_files/#{secure_file.id}", user2) + + expect(response).to have_gitlab_http_status(:forbidden) + end + end + + context 'unauthorized user' do + it 'does not return project secure file details' do + get api("/projects/#{project.id}/secure_files/#{secure_file.id}") + + expect(response).to have_gitlab_http_status(:unauthorized) + end + end + end + + describe 'GET /projects/:id/secure_files/:secure_file_id/download' do + context 'authorized user with proper permissions' do + it 'returns a secure file' do + sample_file = fixture_file('ci_secure_files/upload-keystore.jks') + secure_file.file = CarrierWaveStringFile.new(sample_file) + secure_file.save! + + get api("/projects/#{project.id}/secure_files/#{secure_file.id}/download", user) + + expect(response).to have_gitlab_http_status(:ok) + expect(Base64.encode64(response.body)).to eq(Base64.encode64(sample_file)) + end + + it 'responds with 404 Not Found if requesting non-existing secure file' do + get api("/projects/#{project.id}/secure_files/99999/download", user) + + expect(response).to have_gitlab_http_status(:not_found) + end + end + + context 'authorized user with invalid permissions' do + it 'does not return project secure file details' do + get api("/projects/#{project.id}/secure_files/#{secure_file.id}/download", user2) + + expect(response).to have_gitlab_http_status(:forbidden) + end + end + + context 'unauthorized user' do + it 'does not return project secure file details' do + get api("/projects/#{project.id}/secure_files/#{secure_file.id}/download") + + expect(response).to have_gitlab_http_status(:unauthorized) + end + end + end + + describe 'POST /projects/:id/secure_files' do + context 'authorized user with proper permissions' do + it 'creates a secure file' do + params = { + file: fixture_file_upload('spec/fixtures/ci_secure_files/upload-keystore.jks'), + name: 'upload-keystore.jks', + permissions: 'execute' + } + + expect do + post api("/projects/#{project.id}/secure_files", user), params: params + end.to change {project.secure_files.count}.by(1) + + expect(response).to have_gitlab_http_status(:created) + expect(json_response['name']).to eq('upload-keystore.jks') + expect(json_response['permissions']).to eq('execute') + expect(json_response['checksum']).to eq(secure_file.checksum) + expect(json_response['checksum_algorithm']).to eq('sha256') + + secure_file = Ci::SecureFile.find(json_response['id']) + expect(secure_file.checksum).to eq( + Digest::SHA256.hexdigest(fixture_file('ci_secure_files/upload-keystore.jks')) + ) + expect(json_response['id']).to eq(secure_file.id) + end + + it 'creates a secure file with read_only permissions by default' do + params = { + file: fixture_file_upload('spec/fixtures/ci_secure_files/upload-keystore.jks'), + name: 'upload-keystore.jks' + } + + expect do + post api("/projects/#{project.id}/secure_files", user), params: params + end.to change {project.secure_files.count}.by(1) + + expect(json_response['permissions']).to eq('read_only') + end + + it 'uploads and downloads a secure file' do + post_params = { + file: fixture_file_upload('spec/fixtures/ci_secure_files/upload-keystore.jks'), + name: 'upload-keystore.jks', + permissions: 'read_write' + } + + post api("/projects/#{project.id}/secure_files", user), params: post_params + + secure_file_id = json_response['id'] + + get api("/projects/#{project.id}/secure_files/#{secure_file_id}/download", user) + + expect(Base64.encode64(response.body)).to eq(Base64.encode64(fixture_file_upload('spec/fixtures/ci_secure_files/upload-keystore.jks').read)) + end + + it 'returns an error when the file checksum fails to validate' do + secure_file.update!(checksum: 'foo') + + get api("/projects/#{project.id}/secure_files/#{secure_file.id}/download", user) + + expect(response.code).to eq("500") + end + + it 'returns an error when no file is uploaded' do + post_params = { + name: 'upload-keystore.jks' + } + + post api("/projects/#{project.id}/secure_files", user), params: post_params + + expect(response).to have_gitlab_http_status(:bad_request) + expect(json_response['error']).to eq('file is missing') + end + + it 'returns an error when the file name is missing' do + post_params = { + file: fixture_file_upload('spec/fixtures/ci_secure_files/upload-keystore.jks') + } + + post api("/projects/#{project.id}/secure_files", user), params: post_params + + expect(response).to have_gitlab_http_status(:bad_request) + expect(json_response['error']).to eq('name is missing') + end + + it 'returns an error when an unexpected permission is supplied' do + post_params = { + file: fixture_file_upload('spec/fixtures/ci_secure_files/upload-keystore.jks'), + name: 'upload-keystore.jks', + permissions: 'foo' + } + + post api("/projects/#{project.id}/secure_files", user), params: post_params + + expect(response).to have_gitlab_http_status(:bad_request) + expect(json_response['error']).to eq('permissions does not have a valid value') + end + + it 'returns an error when an unexpected validation failure happens' do + allow_next_instance_of(Ci::SecureFile) do |instance| + allow(instance).to receive(:valid?).and_return(false) + allow(instance).to receive_message_chain(:errors, :any?).and_return(true) + allow(instance).to receive_message_chain(:errors, :messages).and_return(['Error 1', 'Error 2']) + end + + post_params = { + file: fixture_file_upload('spec/fixtures/ci_secure_files/upload-keystore.jks'), + name: 'upload-keystore.jks' + } + + post api("/projects/#{project.id}/secure_files", user), params: post_params + + expect(response).to have_gitlab_http_status(:bad_request) + end + + it 'returns a 413 error when the file size is too large' do + allow_next_instance_of(Ci::SecureFile) do |instance| + allow(instance).to receive_message_chain(:file, :size).and_return(6.megabytes.to_i) + end + + post_params = { + file: fixture_file_upload('spec/fixtures/ci_secure_files/upload-keystore.jks'), + name: 'upload-keystore.jks' + } + + post api("/projects/#{project.id}/secure_files", user), params: post_params + + expect(response).to have_gitlab_http_status(:payload_too_large) + end + end + + context 'authorized user with invalid permissions' do + it 'does not create a secure file' do + post api("/projects/#{project.id}/secure_files", user2) + + expect(response).to have_gitlab_http_status(:forbidden) + end + end + + context 'unauthorized user' do + it 'does not create a secure file' do + post api("/projects/#{project.id}/secure_files") + + expect(response).to have_gitlab_http_status(:unauthorized) + end + end + end + + describe 'DELETE /projects/:id/secure_files/:secure_file_id' do + context 'authorized user with proper permissions' do + it 'deletes the secure file' do + expect do + delete api("/projects/#{project.id}/secure_files/#{secure_file.id}", user) + + expect(response).to have_gitlab_http_status(:no_content) + end.to change {project.secure_files.count}.by(-1) + end + + it 'responds with 404 Not Found if requesting non-existing secure_file' do + delete api("/projects/#{project.id}/secure_files/99999", user) + + expect(response).to have_gitlab_http_status(:not_found) + end + end + + context 'authorized user with invalid permissions' do + it 'does not delete the secure_file' do + delete api("/projects/#{project.id}/secure_files/#{secure_file.id}", user2) + + expect(response).to have_gitlab_http_status(:forbidden) + end + end + + context 'unauthorized user' do + it 'does not delete the secure_file' do + delete api("/projects/#{project.id}/secure_files/#{secure_file.id}") + + expect(response).to have_gitlab_http_status(:unauthorized) + end + end + end +end |