1 files changed, 59 insertions, 15 deletions

diff --git a/spec/requests/api/maven_packages_spec.rb b/spec/requests/api/maven_packages_spec.rb
index 0a23aed109b..37748fe5ea7 100644
--- a/spec/requests/api/maven_packages_spec.rb
+++ b/spec/requests/api/maven_packages_spec.rb
@@ -15,10 +15,13 @@ RSpec.describe API::MavenPackages do
   let_it_be(:job, reload: true) { create(:ci_build, user: user, status: :running) }
   let_it_be(:deploy_token) { create(:deploy_token, read_package_registry: true, write_package_registry: true) }
   let_it_be(:project_deploy_token) { create(:project_deploy_token, deploy_token: deploy_token, project: project) }
+  let_it_be(:deploy_token_for_group) { create(:deploy_token, :group, read_package_registry: true, write_package_registry: true) }
+  let_it_be(:group_deploy_token) { create(:group_deploy_token, deploy_token: deploy_token_for_group, group: group) }
 
   let(:workhorse_token) { JWT.encode({ 'iss' => 'gitlab-workhorse' }, Gitlab::Workhorse.secret, 'HS256') }
   let(:headers) { { 'GitLab-Workhorse' => '1.0', Gitlab::Workhorse::INTERNAL_API_REQUEST_HEADER => workhorse_token } }
   let(:headers_with_token) { headers.merge('Private-Token' => personal_access_token.token) }
+  let(:group_deploy_token_headers) { { Gitlab::Auth::AuthFinders::DEPLOY_TOKEN_HEADER => deploy_token_for_group.token } }
 
   let(:headers_with_deploy_token) do
     headers.merge(
@@ -36,7 +39,7 @@ RSpec.describe API::MavenPackages do
     context 'with jar file' do
       let_it_be(:package_file) { jar_file }
 
-      it_behaves_like 'a gitlab tracking event', described_class.name, 'pull_package'
+      it_behaves_like 'a package tracking event', described_class.name, 'pull_package'
     end
   end
 
@@ -342,6 +345,17 @@ RSpec.describe API::MavenPackages do
       it_behaves_like 'downloads with a job token'
 
       it_behaves_like 'downloads with a deploy token'
+
+      context 'with group deploy token' do
+        subject { download_file_with_token(package_file.file_name, {}, group_deploy_token_headers) }
+
+        it 'returns the file' do
+          subject
+
+          expect(response).to have_gitlab_http_status(:ok)
+          expect(response.media_type).to eq('application/octet-stream')
+        end
+      end
     end
 
     def download_file(file_name, params = {}, request_headers = headers)
@@ -548,7 +562,7 @@ RSpec.describe API::MavenPackages do
             allow(uploaded_file).to receive(:size).and_return(project.actual_limits.maven_max_file_size + 1)
           end
 
-          upload_file_with_token(params)
+          upload_file_with_token(params: params)
 
           expect(response).to have_gitlab_http_status(:bad_request)
         end
@@ -563,19 +577,19 @@ RSpec.describe API::MavenPackages do
       context 'without workhorse header' do
         let(:workhorse_header) { {} }
 
-        subject { upload_file_with_token(params) }
+        subject { upload_file_with_token(params: params) }
 
         it_behaves_like 'package workhorse uploads'
       end
 
       context 'event tracking' do
-        subject { upload_file_with_token(params) }
+        subject { upload_file_with_token(params: params) }
 
-        it_behaves_like 'a gitlab tracking event', described_class.name, 'push_package'
+        it_behaves_like 'a package tracking event', described_class.name, 'push_package'
       end
 
       it 'creates package and stores package file' do
-        expect { upload_file_with_token(params) }.to change { project.packages.count }.by(1)
+        expect { upload_file_with_token(params: params) }.to change { project.packages.count }.by(1)
           .and change { Packages::Maven::Metadatum.count }.by(1)
           .and change { Packages::PackageFile.count }.by(1)
 
@@ -584,7 +598,7 @@ RSpec.describe API::MavenPackages do
       end
 
       it 'allows upload with running job token' do
-        upload_file(params.merge(job_token: job.token))
+        upload_file(params: params.merge(job_token: job.token))
 
         expect(response).to have_gitlab_http_status(:ok)
         expect(project.reload.packages.last.build_info.pipeline).to eq job.pipeline
@@ -592,13 +606,13 @@ RSpec.describe API::MavenPackages do
 
       it 'rejects upload without running job token' do
         job.update!(status: :failed)
-        upload_file(params.merge(job_token: job.token))
+        upload_file(params: params.merge(job_token: job.token))
 
         expect(response).to have_gitlab_http_status(:unauthorized)
       end
 
       it 'allows upload with deploy token' do
-        upload_file(params, headers_with_deploy_token)
+        upload_file(params: params, request_headers: headers_with_deploy_token)
 
         expect(response).to have_gitlab_http_status(:ok)
       end
@@ -612,7 +626,10 @@ RSpec.describe API::MavenPackages do
         # We force the id of the deploy token and the user to be the same
         unauthorized_deploy_token.update!(id: another_user.id)
 
-        upload_file(params, headers.merge(Gitlab::Auth::AuthFinders::DEPLOY_TOKEN_HEADER => unauthorized_deploy_token.token))
+        upload_file(
+          params: params,
+          request_headers: headers.merge(Gitlab::Auth::AuthFinders::DEPLOY_TOKEN_HEADER => unauthorized_deploy_token.token)
+        )
 
         expect(response).to have_gitlab_http_status(:forbidden)
       end
@@ -621,16 +638,43 @@ RSpec.describe API::MavenPackages do
         let(:version) { '$%123' }
 
         it 'rejects request' do
-          expect { upload_file_with_token(params) }.not_to change { project.packages.count }
+          expect { upload_file_with_token(params: params) }.not_to change { project.packages.count }
 
           expect(response).to have_gitlab_http_status(:bad_request)
           expect(json_response['message']).to include('Validation failed')
         end
       end
+
+      context 'for sha1 file' do
+        let(:dummy_package) { double(Packages::Package) }
+
+        it 'checks the sha1' do
+          # The sha verification done by the maven api is between:
+          # - the sha256 set by workhorse helpers
+          # - the sha256 of the sha1 of the uploaded package file
+          # We're going to send `file_upload` for the sha1 and stub the sha1 of the package file so that
+          # both sha256 being the same
+          expect(::Packages::PackageFileFinder).to receive(:new).and_return(double(execute!: dummy_package))
+          expect(dummy_package).to receive(:file_sha1).and_return(File.read(file_upload.path))
+
+          upload_file_with_token(params: params, file_extension: 'jar.sha1')
+
+          expect(response).to have_gitlab_http_status(:no_content)
+        end
+      end
+
+      context 'for md5 file' do
+        it 'returns an empty body' do
+          upload_file_with_token(params: params, file_extension: 'jar.md5')
+
+          expect(response.body).to eq('')
+          expect(response).to have_gitlab_http_status(:ok)
+        end
+      end
     end
 
-    def upload_file(params = {}, request_headers = headers)
-      url = "/projects/#{project.id}/packages/maven/com/example/my-app/#{version}/my-app-1.0-20180724.124855-1.jar"
+    def upload_file(params: {}, request_headers: headers, file_extension: 'jar')
+      url = "/projects/#{project.id}/packages/maven/com/example/my-app/#{version}/my-app-1.0-20180724.124855-1.#{file_extension}"
       workhorse_finalize(
         api(url),
         method: :put,
@@ -641,8 +685,8 @@ RSpec.describe API::MavenPackages do
       )
     end
 
-    def upload_file_with_token(params = {}, request_headers = headers_with_token)
-      upload_file(params, request_headers)
+    def upload_file_with_token(params: {}, request_headers: headers_with_token, file_extension: 'jar')
+      upload_file(params: params, request_headers: request_headers, file_extension: file_extension)
     end
   end
 end