diff options
Diffstat (limited to 'spec/requests/api/maven_packages_spec.rb')
| -rw-r--r-- | spec/requests/api/maven_packages_spec.rb | 724 |
1 files changed, 536 insertions, 188 deletions
diff --git a/spec/requests/api/maven_packages_spec.rb b/spec/requests/api/maven_packages_spec.rb index 7f0e4f18e3b..3a015e98fb1 100644 --- a/spec/requests/api/maven_packages_spec.rb +++ b/spec/requests/api/maven_packages_spec.rb @@ -47,7 +47,21 @@ RSpec.describe API::MavenPackages do end end - shared_examples 'processing HEAD requests' do + shared_examples 'rejecting the request for non existing maven path' do |expected_status: :not_found| + before do + if Feature.enabled?(:check_maven_path_first) + expect(::Packages::Maven::PackageFinder).not_to receive(:new) + end + end + + it 'rejects the request' do + subject + + expect(response).to have_gitlab_http_status(expected_status) + end + end + + shared_examples 'processing HEAD requests' do |instance_level: false| subject { head api(url) } before do @@ -92,6 +106,12 @@ RSpec.describe API::MavenPackages do subject end + + context 'with a non existing maven path' do + let(:path) { 'foo/bar/1.2.3' } + + it_behaves_like 'rejecting the request for non existing maven path', expected_status: instance_level ? :forbidden : :not_found + end end end @@ -99,9 +119,8 @@ RSpec.describe API::MavenPackages do context 'successful download' do subject do download_file( - package_file.file_name, - {}, - Gitlab::Auth::AuthFinders::DEPLOY_TOKEN_HEADER => deploy_token.token + file_name: package_file.file_name, + request_headers: { Gitlab::Auth::AuthFinders::DEPLOY_TOKEN_HEADER => deploy_token.token } ) end @@ -126,7 +145,7 @@ RSpec.describe API::MavenPackages do shared_examples 'downloads with a job token' do context 'with a running job' do it 'allows download with job token' do - download_file(package_file.file_name, job_token: job.token) + download_file(file_name: package_file.file_name, params: { job_token: job.token }) expect(response).to have_gitlab_http_status(:ok) expect(response.media_type).to eq('application/octet-stream') @@ -139,7 +158,7 @@ RSpec.describe API::MavenPackages do end it 'returns unauthorized error' do - download_file(package_file.file_name, job_token: job.token) + download_file(file_name: package_file.file_name, params: { job_token: job.token }) expect(response).to have_gitlab_http_status(:unauthorized) end @@ -147,133 +166,217 @@ RSpec.describe API::MavenPackages do end describe 'GET /api/v4/packages/maven/*path/:file_name' do - context 'a public project' do - subject { download_file(package_file.file_name) } + shared_examples 'handling all conditions' do + context 'a public project' do + subject { download_file(file_name: package_file.file_name) } - it_behaves_like 'tracking the file download event' + it_behaves_like 'tracking the file download event' - it 'returns the file' do - subject + it 'returns the file' do + subject - expect(response).to have_gitlab_http_status(:ok) - expect(response.media_type).to eq('application/octet-stream') - end + expect(response).to have_gitlab_http_status(:ok) + expect(response.media_type).to eq('application/octet-stream') + end - it 'returns sha1 of the file' do - download_file(package_file.file_name + '.sha1') + it 'returns sha1 of the file' do + download_file(file_name: package_file.file_name + '.sha1') - expect(response).to have_gitlab_http_status(:ok) - expect(response.media_type).to eq('text/plain') - expect(response.body).to eq(package_file.file_sha1) - end - end + expect(response).to have_gitlab_http_status(:ok) + expect(response.media_type).to eq('text/plain') + expect(response.body).to eq(package_file.file_sha1) + end - context 'internal project' do - before do - project.team.truncate - project.update!(visibility_level: Gitlab::VisibilityLevel::INTERNAL) + context 'with a non existing maven path' do + subject { download_file(file_name: package_file.file_name, path: 'foo/bar/1.2.3') } + + it_behaves_like 'rejecting the request for non existing maven path', expected_status: :forbidden + end end - subject { download_file_with_token(package_file.file_name) } + context 'internal project' do + before do + project.team.truncate + project.update!(visibility_level: Gitlab::VisibilityLevel::INTERNAL) + end - it_behaves_like 'tracking the file download event' + subject { download_file_with_token(file_name: package_file.file_name) } - it 'returns the file' do - subject + it_behaves_like 'tracking the file download event' - expect(response).to have_gitlab_http_status(:ok) - expect(response.media_type).to eq('application/octet-stream') - end + it 'returns the file' do + subject - it 'denies download when no private token' do - download_file(package_file.file_name) + expect(response).to have_gitlab_http_status(:ok) + expect(response.media_type).to eq('application/octet-stream') + end - expect(response).to have_gitlab_http_status(:forbidden) - end + it 'denies download when no private token' do + download_file(file_name: package_file.file_name) - it_behaves_like 'downloads with a job token' + expect(response).to have_gitlab_http_status(:forbidden) + end - it_behaves_like 'downloads with a deploy token' - end + it_behaves_like 'downloads with a job token' - context 'private project' do - subject { download_file_with_token(package_file.file_name) } + it_behaves_like 'downloads with a deploy token' - before do - project.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE) + context 'with a non existing maven path' do + subject { download_file_with_token(file_name: package_file.file_name, path: 'foo/bar/1.2.3') } + + it_behaves_like 'rejecting the request for non existing maven path', expected_status: :forbidden + end end - it_behaves_like 'tracking the file download event' + context 'private project' do + subject { download_file_with_token(file_name: package_file.file_name) } - it 'returns the file' do - subject + before do + project.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE) + end - expect(response).to have_gitlab_http_status(:ok) - expect(response.media_type).to eq('application/octet-stream') - end + it_behaves_like 'tracking the file download event' - it 'denies download when not enough permissions' do - project.add_guest(user) + it 'returns the file' do + subject - subject + expect(response).to have_gitlab_http_status(:ok) + expect(response.media_type).to eq('application/octet-stream') + end - expect(response).to have_gitlab_http_status(:forbidden) - end + it 'denies download when not enough permissions' do + project.add_guest(user) + + subject - it 'denies download when no private token' do - download_file(package_file.file_name) + expect(response).to have_gitlab_http_status(:forbidden) + end - expect(response).to have_gitlab_http_status(:forbidden) - end + it 'denies download when no private token' do + download_file(file_name: package_file.file_name) - it_behaves_like 'downloads with a job token' + expect(response).to have_gitlab_http_status(:forbidden) + end - it_behaves_like 'downloads with a deploy token' + it_behaves_like 'downloads with a job token' - it 'does not allow download by a unauthorized deploy token with same id as a user with access' do - unauthorized_deploy_token = create(:deploy_token, read_package_registry: true, write_package_registry: true) + it_behaves_like 'downloads with a deploy token' - another_user = create(:user) - project.add_developer(another_user) + it 'does not allow download by a unauthorized deploy token with same id as a user with access' do + unauthorized_deploy_token = create(:deploy_token, read_package_registry: true, write_package_registry: true) - # We force the id of the deploy token and the user to be the same - unauthorized_deploy_token.update!(id: another_user.id) + another_user = create(:user) + project.add_developer(another_user) - download_file( - package_file.file_name, - {}, - Gitlab::Auth::AuthFinders::DEPLOY_TOKEN_HEADER => unauthorized_deploy_token.token - ) + # We force the id of the deploy token and the user to be the same + unauthorized_deploy_token.update!(id: another_user.id) - expect(response).to have_gitlab_http_status(:forbidden) + download_file( + file_name: package_file.file_name, + request_headers: { Gitlab::Auth::AuthFinders::DEPLOY_TOKEN_HEADER => unauthorized_deploy_token.token } + ) + + expect(response).to have_gitlab_http_status(:forbidden) + end + + context 'with a non existing maven path' do + subject { download_file_with_token(file_name: package_file.file_name, path: 'foo/bar/1.2.3') } + + it_behaves_like 'rejecting the request for non existing maven path', expected_status: :forbidden + end + end + + context 'project name is different from a package name' do + before do + maven_metadatum.update!(path: "wrong_name/#{package.version}") + end + + it 'rejects request' do + download_file(file_name: package_file.file_name) + + expect(response).to have_gitlab_http_status(:forbidden) + end end end - context 'project name is different from a package name' do + context 'with maven_packages_group_level_improvements enabled' do before do - maven_metadatum.update!(path: "wrong_name/#{package.version}") + stub_feature_flags(maven_packages_group_level_improvements: true) end - it 'rejects request' do - download_file(package_file.file_name) + it_behaves_like 'handling all conditions' + end - expect(response).to have_gitlab_http_status(:forbidden) + context 'with maven_packages_group_level_improvements disabled' do + before do + stub_feature_flags(maven_packages_group_level_improvements: false) end + + it_behaves_like 'handling all conditions' end - def download_file(file_name, params = {}, request_headers = headers) - get api("/packages/maven/#{maven_metadatum.path}/#{file_name}"), params: params, headers: request_headers + context 'with check_maven_path_first enabled' do + before do + stub_feature_flags(check_maven_path_first: true) + end + + it_behaves_like 'handling all conditions' + end + + context 'with check_maven_path_first disabled' do + before do + stub_feature_flags(check_maven_path_first: false) + end + + it_behaves_like 'handling all conditions' end - def download_file_with_token(file_name, params = {}, request_headers = headers_with_token) - download_file(file_name, params, request_headers) + def download_file(file_name:, params: {}, request_headers: headers, path: maven_metadatum.path) + get api("/packages/maven/#{path}/#{file_name}"), params: params, headers: request_headers + end + + def download_file_with_token(file_name:, params: {}, request_headers: headers_with_token, path: maven_metadatum.path) + download_file(file_name: file_name, params: params, request_headers: request_headers, path: path) end end describe 'HEAD /api/v4/packages/maven/*path/:file_name' do - let(:url) { "/packages/maven/#{package.maven_metadatum.path}/#{package_file.file_name}" } + let(:path) { package.maven_metadatum.path } + let(:url) { "/packages/maven/#{path}/#{package_file.file_name}" } + + it_behaves_like 'processing HEAD requests', instance_level: true - it_behaves_like 'processing HEAD requests' + context 'with maven_packages_group_level_improvements enabled' do + before do + stub_feature_flags(maven_packages_group_level_improvements: true) + end + + it_behaves_like 'processing HEAD requests', instance_level: true + end + + context 'with maven_packages_group_level_improvements disabled' do + before do + stub_feature_flags(maven_packages_group_level_improvements: false) + end + + it_behaves_like 'processing HEAD requests', instance_level: true + end + + context 'with check_maven_path_first enabled' do + before do + stub_feature_flags(check_maven_path_first: true) + end + + it_behaves_like 'processing HEAD requests', instance_level: true + end + + context 'with check_maven_path_first disabled' do + before do + stub_feature_flags(check_maven_path_first: false) + end + + it_behaves_like 'processing HEAD requests', instance_level: true + end end describe 'GET /api/v4/groups/:id/-/packages/maven/*path/:file_name' do @@ -282,91 +385,299 @@ RSpec.describe API::MavenPackages do group.add_developer(user) end - context 'a public project' do - subject { download_file(package_file.file_name) } + shared_examples 'handling all conditions' do + context 'a public project' do + subject { download_file(file_name: package_file.file_name) } - it_behaves_like 'tracking the file download event' + it_behaves_like 'tracking the file download event' - it 'returns the file' do - subject + it 'returns the file' do + subject - expect(response).to have_gitlab_http_status(:ok) - expect(response.media_type).to eq('application/octet-stream') + expect(response).to have_gitlab_http_status(:ok) + expect(response.media_type).to eq('application/octet-stream') + end + + it 'returns sha1 of the file' do + download_file(file_name: package_file.file_name + '.sha1') + + expect(response).to have_gitlab_http_status(:ok) + expect(response.media_type).to eq('text/plain') + expect(response.body).to eq(package_file.file_sha1) + end + + context 'with a non existing maven path' do + subject { download_file(file_name: package_file.file_name, path: 'foo/bar/1.2.3') } + + it_behaves_like 'rejecting the request for non existing maven path' + end end - it 'returns sha1 of the file' do - download_file(package_file.file_name + '.sha1') + context 'internal project' do + before do + group.group_member(user).destroy! + project.update!(visibility_level: Gitlab::VisibilityLevel::INTERNAL) + end + + subject { download_file_with_token(file_name: package_file.file_name) } - expect(response).to have_gitlab_http_status(:ok) - expect(response.media_type).to eq('text/plain') - expect(response.body).to eq(package_file.file_sha1) + it_behaves_like 'tracking the file download event' + + it 'returns the file' do + subject + + expect(response).to have_gitlab_http_status(:ok) + expect(response.media_type).to eq('application/octet-stream') + end + + it 'denies download when no private token' do + download_file(file_name: package_file.file_name) + + expect(response).to have_gitlab_http_status(:not_found) + end + + it_behaves_like 'downloads with a job token' + + it_behaves_like 'downloads with a deploy token' + + context 'with a non existing maven path' do + subject { download_file_with_token(file_name: package_file.file_name, path: 'foo/bar/1.2.3') } + + it_behaves_like 'rejecting the request for non existing maven path' + end end - end - context 'internal project' do - before do - group.group_member(user).destroy! - project.update!(visibility_level: Gitlab::VisibilityLevel::INTERNAL) + context 'private project' do + before do + project.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE) + end + + subject { download_file_with_token(file_name: package_file.file_name) } + + it_behaves_like 'tracking the file download event' + + it 'returns the file' do + subject + + expect(response).to have_gitlab_http_status(:ok) + expect(response.media_type).to eq('application/octet-stream') + end + + it 'denies download when not enough permissions' do + group.add_guest(user) + + subject + + status = Feature.enabled?(:maven_packages_group_level_improvements, default_enabled: :yaml) ? :not_found : :forbidden + expect(response).to have_gitlab_http_status(status) + end + + it 'denies download when no private token' do + download_file(file_name: package_file.file_name) + + expect(response).to have_gitlab_http_status(:not_found) + end + + it_behaves_like 'downloads with a job token' + + it_behaves_like 'downloads with a deploy token' + + context 'with a non existing maven path' do + subject { download_file_with_token(file_name: package_file.file_name, path: 'foo/bar/1.2.3') } + + it_behaves_like 'rejecting the request for non existing maven path' + end + + context 'with group deploy token' do + subject { download_file_with_token(file_name: package_file.file_name, request_headers: group_deploy_token_headers) } + + it 'returns the file' do + subject + + expect(response).to have_gitlab_http_status(:ok) + expect(response.media_type).to eq('application/octet-stream') + end + + it 'returns the file with only write_package_registry scope' do + deploy_token_for_group.update!(read_package_registry: false) + + subject + + expect(response).to have_gitlab_http_status(:ok) + expect(response.media_type).to eq('application/octet-stream') + end + + context 'with a non existing maven path' do + subject { download_file_with_token(file_name: package_file.file_name, path: 'foo/bar/1.2.3', request_headers: group_deploy_token_headers) } + + it_behaves_like 'rejecting the request for non existing maven path' + end + end + + context 'with a reporter from a subgroup accessing the root group' do + let_it_be(:root_group) { create(:group, :private) } + let_it_be(:group) { create(:group, :private, parent: root_group) } + + subject { download_file_with_token(file_name: package_file.file_name, request_headers: headers_with_token, group_id: root_group.id) } + + before do + project.update!(namespace: group) + group.add_reporter(user) + end + + it 'returns the file' do + subject + + expect(response).to have_gitlab_http_status(:ok) + expect(response.media_type).to eq('application/octet-stream') + end + + context 'with a non existing maven path' do + subject { download_file_with_token(file_name: package_file.file_name, path: 'foo/bar/1.2.3', request_headers: headers_with_token, group_id: root_group.id) } + + it_behaves_like 'rejecting the request for non existing maven path' + end + end end - subject { download_file_with_token(package_file.file_name) } + context 'maven metadata file' do + let_it_be(:sub_group1) { create(:group, parent: group) } + let_it_be(:sub_group2) { create(:group, parent: group) } + let_it_be(:project1) { create(:project, :private, group: sub_group1) } + let_it_be(:project2) { create(:project, :private, group: sub_group2) } + let_it_be(:project3) { create(:project, :private, group: sub_group1) } + let_it_be(:package_name) { 'foo' } + let_it_be(:package1) { create(:maven_package, project: project1, name: package_name, version: nil) } + let_it_be(:package_file1) { create(:package_file, :xml, package: package1, file_name: 'maven-metadata.xml') } + let_it_be(:package2) { create(:maven_package, project: project2, name: package_name, version: nil) } + let_it_be(:package_file2) { create(:package_file, :xml, package: package2, file_name: 'maven-metadata.xml') } + let_it_be(:package3) { create(:maven_package, project: project3, name: package_name, version: nil) } + let_it_be(:package_file3) { create(:package_file, :xml, package: package3, file_name: 'maven-metadata.xml') } - it_behaves_like 'tracking the file download event' + let(:maven_metadatum) { package3.maven_metadatum } - it 'returns the file' do - subject + subject { download_file_with_token(file_name: package_file3.file_name) } - expect(response).to have_gitlab_http_status(:ok) - expect(response.media_type).to eq('application/octet-stream') + before do + sub_group1.add_developer(user) + sub_group2.add_developer(user) + # the package with the most recently published file should be returned + create(:package_file, :xml, package: package2) + end + + context 'in multiple versionless packages' do + it 'downloads the file' do + expect(::Packages::PackageFileFinder) + .to receive(:new).with(package2, 'maven-metadata.xml').and_call_original + + subject + end + end + + context 'in multiple snapshot packages' do + before do + version = '1.0.0-SNAPSHOT' + [package1, package2, package3].each do |pkg| + pkg.update!(version: version) + + pkg.maven_metadatum.update!(path: "#{pkg.name}/#{pkg.version}") + end + end + + it 'downloads the file' do + expect(::Packages::PackageFileFinder) + .to receive(:new).with(package3, 'maven-metadata.xml').and_call_original + + subject + end + end + end + end + + context 'with maven_packages_group_level_improvements enabled' do + before do + stub_feature_flags(maven_packages_group_level_improvements: true) end - it 'denies download when no private token' do - download_file(package_file.file_name) + it_behaves_like 'handling all conditions' + end - expect(response).to have_gitlab_http_status(:not_found) + context 'with maven_packages_group_level_improvements disabled' do + before do + stub_feature_flags(maven_packages_group_level_improvements: false) end - it_behaves_like 'downloads with a job token' + it_behaves_like 'handling all conditions' + end + + context 'with check_maven_path_first enabled' do + before do + stub_feature_flags(check_maven_path_first: true) + end - it_behaves_like 'downloads with a deploy token' + it_behaves_like 'handling all conditions' end - context 'private project' do + context 'with check_maven_path_first disabled' do before do - project.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE) + stub_feature_flags(check_maven_path_first: false) end - subject { download_file_with_token(package_file.file_name) } + it_behaves_like 'handling all conditions' + end - it_behaves_like 'tracking the file download event' + def download_file(file_name:, params: {}, request_headers: headers, path: maven_metadatum.path, group_id: group.id) + get api("/groups/#{group_id}/-/packages/maven/#{path}/#{file_name}"), params: params, headers: request_headers + end - it 'returns the file' do - subject + def download_file_with_token(file_name:, params: {}, request_headers: headers_with_token, path: maven_metadatum.path, group_id: group.id) + download_file(file_name: file_name, params: params, request_headers: request_headers, path: path, group_id: group_id) + end + end - expect(response).to have_gitlab_http_status(:ok) - expect(response.media_type).to eq('application/octet-stream') + describe 'HEAD /api/v4/groups/:id/-/packages/maven/*path/:file_name' do + let(:path) { package.maven_metadatum.path } + let(:url) { "/groups/#{group.id}/-/packages/maven/#{path}/#{package_file.file_name}" } + + context 'with maven_packages_group_level_improvements enabled' do + before do + stub_feature_flags(maven_packages_group_level_improvements: true) end - it 'denies download when not enough permissions' do - group.add_guest(user) + it_behaves_like 'processing HEAD requests' + end - subject + context 'with maven_packages_group_level_improvements disabled' do + before do + stub_feature_flags(maven_packages_group_level_improvements: false) + end - expect(response).to have_gitlab_http_status(:forbidden) + it_behaves_like 'processing HEAD requests' + end + + context 'with check_maven_path_first enabled' do + before do + stub_feature_flags(check_maven_path_first: true) end - it 'denies download when no private token' do - download_file(package_file.file_name) + it_behaves_like 'processing HEAD requests' + end - expect(response).to have_gitlab_http_status(:not_found) + context 'with check_maven_path_first disabled' do + before do + stub_feature_flags(check_maven_path_first: false) end - it_behaves_like 'downloads with a job token' + it_behaves_like 'processing HEAD requests' + end + end - it_behaves_like 'downloads with a deploy token' + describe 'GET /api/v4/projects/:id/packages/maven/*path/:file_name' do + shared_examples 'handling all conditions' do + context 'a public project' do + subject { download_file(file_name: package_file.file_name) } - context 'with group deploy token' do - subject { download_file_with_token(package_file.file_name, {}, group_deploy_token_headers) } + it_behaves_like 'tracking the file download event' it 'returns the file' do subject @@ -375,108 +686,145 @@ RSpec.describe API::MavenPackages do expect(response.media_type).to eq('application/octet-stream') end - it 'returns the file with only write_package_registry scope' do - deploy_token_for_group.update!(read_package_registry: false) + it 'returns sha1 of the file' do + download_file(file_name: package_file.file_name + '.sha1') + + expect(response).to have_gitlab_http_status(:ok) + expect(response.media_type).to eq('text/plain') + expect(response.body).to eq(package_file.file_sha1) + end + + context 'with a non existing maven path' do + subject { download_file(file_name: package_file.file_name, path: 'foo/bar/1.2.3') } + + it_behaves_like 'rejecting the request for non existing maven path' + end + end + + context 'private project' do + before do + project.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE) + end + + subject { download_file_with_token(file_name: package_file.file_name) } + + it_behaves_like 'tracking the file download event' + it 'returns the file' do subject expect(response).to have_gitlab_http_status(:ok) expect(response.media_type).to eq('application/octet-stream') end - end - end - def download_file(file_name, params = {}, request_headers = headers) - get api("/groups/#{group.id}/-/packages/maven/#{maven_metadatum.path}/#{file_name}"), params: params, headers: request_headers - end + it 'denies download when not enough permissions' do + project.add_guest(user) - def download_file_with_token(file_name, params = {}, request_headers = headers_with_token) - download_file(file_name, params, request_headers) - end - end - - describe 'HEAD /api/v4/groups/:id/-/packages/maven/*path/:file_name' do - let(:url) { "/groups/#{group.id}/-/packages/maven/#{package.maven_metadatum.path}/#{package_file.file_name}" } + subject - it_behaves_like 'processing HEAD requests' - end + expect(response).to have_gitlab_http_status(:forbidden) + end - describe 'GET /api/v4/projects/:id/packages/maven/*path/:file_name' do - context 'a public project' do - subject { download_file(package_file.file_name) } + it 'denies download when no private token' do + download_file(file_name: package_file.file_name) - it_behaves_like 'tracking the file download event' + expect(response).to have_gitlab_http_status(:not_found) + end - it 'returns the file' do - subject + it_behaves_like 'downloads with a job token' - expect(response).to have_gitlab_http_status(:ok) - expect(response.media_type).to eq('application/octet-stream') - end + it_behaves_like 'downloads with a deploy token' - it 'returns sha1 of the file' do - download_file(package_file.file_name + '.sha1') + context 'with a non existing maven path' do + subject { download_file_with_token(file_name: package_file.file_name, path: 'foo/bar/1.2.3') } - expect(response).to have_gitlab_http_status(:ok) - expect(response.media_type).to eq('text/plain') - expect(response.body).to eq(package_file.file_sha1) + it_behaves_like 'rejecting the request for non existing maven path' + end end end - context 'private project' do + context 'with maven_packages_group_level_improvements enabled' do before do - project.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE) + stub_feature_flags(maven_packages_group_level_improvements: true) end - subject { download_file_with_token(package_file.file_name) } - - it_behaves_like 'tracking the file download event' - - it 'returns the file' do - subject + it_behaves_like 'handling all conditions' + end - expect(response).to have_gitlab_http_status(:ok) - expect(response.media_type).to eq('application/octet-stream') + context 'with maven_packages_group_level_improvements disabled' do + before do + stub_feature_flags(maven_packages_group_level_improvements: false) end - it 'denies download when not enough permissions' do - project.add_guest(user) - - subject + it_behaves_like 'handling all conditions' + end - expect(response).to have_gitlab_http_status(:forbidden) + context 'with check_maven_path_first enabled' do + before do + stub_feature_flags(check_maven_path_first: true) end - it 'denies download when no private token' do - download_file(package_file.file_name) + it_behaves_like 'handling all conditions' + end - expect(response).to have_gitlab_http_status(:not_found) + context 'with check_maven_path_first disabled' do + before do + stub_feature_flags(check_maven_path_first: false) end - it_behaves_like 'downloads with a job token' - - it_behaves_like 'downloads with a deploy token' + it_behaves_like 'handling all conditions' end - def download_file(file_name, params = {}, request_headers = headers) + def download_file(file_name:, params: {}, request_headers: headers, path: maven_metadatum.path) get api("/projects/#{project.id}/packages/maven/" \ - "#{maven_metadatum.path}/#{file_name}"), params: params, headers: request_headers + "#{path}/#{file_name}"), params: params, headers: request_headers end - def download_file_with_token(file_name, params = {}, request_headers = headers_with_token) - download_file(file_name, params, request_headers) + def download_file_with_token(file_name:, params: {}, request_headers: headers_with_token, path: maven_metadatum.path) + download_file(file_name: file_name, params: params, request_headers: request_headers, path: path) end end describe 'HEAD /api/v4/projects/:id/packages/maven/*path/:file_name' do - let(:url) { "/projects/#{project.id}/packages/maven/#{package.maven_metadatum.path}/#{package_file.file_name}" } + let(:path) { package.maven_metadatum.path } + let(:url) { "/projects/#{project.id}/packages/maven/#{path}/#{package_file.file_name}" } + + context 'with maven_packages_group_level_improvements enabled' do + before do + stub_feature_flags(maven_packages_group_level_improvements: true) + end + + it_behaves_like 'processing HEAD requests' + end + + context 'with maven_packages_group_level_improvements disabled' do + before do + stub_feature_flags(maven_packages_group_level_improvements: false) + end + + it_behaves_like 'processing HEAD requests' + end + + context 'with check_maven_path_first enabled' do + before do + stub_feature_flags(check_maven_path_first: true) + end + + it_behaves_like 'processing HEAD requests' + end - it_behaves_like 'processing HEAD requests' + context 'with check_maven_path_first disabled' do + before do + stub_feature_flags(check_maven_path_first: false) + end + + it_behaves_like 'processing HEAD requests' + end end describe 'PUT /api/v4/projects/:id/packages/maven/*path/:file_name/authorize' do it 'rejects a malicious request' do - put api("/projects/#{project.id}/packages/maven/com/example/my-app/#{version}/%2e%2e%2F.ssh%2Fauthorized_keys/authorize"), params: {}, headers: headers_with_token + put api("/projects/#{project.id}/packages/maven/com/example/my-app/#{version}/%2e%2e%2F.ssh%2Fauthorized_keys/authorize"), headers: headers_with_token expect(response).to have_gitlab_http_status(:bad_request) end |