diff options
Diffstat (limited to 'spec/support/shared_examples/requests/api/npm_packages_shared_examples.rb')
-rw-r--r-- | spec/support/shared_examples/requests/api/npm_packages_shared_examples.rb | 270 |
1 files changed, 270 insertions, 0 deletions
diff --git a/spec/support/shared_examples/requests/api/npm_packages_shared_examples.rb b/spec/support/shared_examples/requests/api/npm_packages_shared_examples.rb new file mode 100644 index 00000000000..d3ad7aa0595 --- /dev/null +++ b/spec/support/shared_examples/requests/api/npm_packages_shared_examples.rb @@ -0,0 +1,270 @@ +# frozen_string_literal: true + +RSpec.shared_examples 'handling get metadata requests' do + let_it_be(:package_dependency_link1) { create(:packages_dependency_link, package: package, dependency_type: :dependencies) } + let_it_be(:package_dependency_link2) { create(:packages_dependency_link, package: package, dependency_type: :devDependencies) } + let_it_be(:package_dependency_link3) { create(:packages_dependency_link, package: package, dependency_type: :bundleDependencies) } + let_it_be(:package_dependency_link4) { create(:packages_dependency_link, package: package, dependency_type: :peerDependencies) } + + let(:params) { {} } + let(:headers) { {} } + + subject { get(url, params: params, headers: headers) } + + shared_examples 'returning the npm package info' do + it 'returns the package info' do + subject + + expect_a_valid_package_response + end + end + + shared_examples 'a package that requires auth' do + it 'denies request without oauth token' do + subject + + expect(response).to have_gitlab_http_status(:not_found) + end + + context 'with oauth token' do + let(:params) { { access_token: token.token } } + + it 'returns the package info with oauth token' do + subject + + expect_a_valid_package_response + end + end + + context 'with job token' do + let(:params) { { job_token: job.token } } + + it 'returns the package info with running job token' do + subject + + expect_a_valid_package_response + end + + it 'denies request without running job token' do + job.update!(status: :success) + + subject + + expect(response).to have_gitlab_http_status(:unauthorized) + end + end + + context 'with deploy token' do + let(:headers) { build_token_auth_header(deploy_token.token) } + + it 'returns the package info with deploy token' do + subject + + expect_a_valid_package_response + end + end + end + + context 'a public project' do + it_behaves_like 'returning the npm package info' + + context 'project path with a dot' do + before do + project.update!(path: 'foo.bar') + end + + it_behaves_like 'returning the npm package info' + end + + context 'with request forward disabled' do + before do + stub_application_setting(npm_package_requests_forwarding: false) + end + + it_behaves_like 'returning the npm package info' + + context 'with unknown package' do + let(:package_name) { 'unknown' } + + it 'returns the proper response' do + subject + + expect(response).to have_gitlab_http_status(:not_found) + end + end + end + + context 'with request forward enabled' do + before do + stub_application_setting(npm_package_requests_forwarding: true) + end + + it_behaves_like 'returning the npm package info' + + context 'with unknown package' do + let(:package_name) { 'unknown' } + + it 'returns a redirect' do + subject + + expect(response).to have_gitlab_http_status(:found) + expect(response.headers['Location']).to eq('https://registry.npmjs.org/unknown') + end + + it_behaves_like 'a gitlab tracking event', described_class.name, 'npm_request_forward' + end + end + end + + context 'internal project' do + before do + project.update!(visibility_level: Gitlab::VisibilityLevel::INTERNAL) + end + + it_behaves_like 'a package that requires auth' + end + + context 'private project' do + before do + project.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE) + end + + it_behaves_like 'a package that requires auth' + + context 'with guest' do + let(:params) { { access_token: token.token } } + + it 'denies request when not enough permissions' do + project.add_guest(user) + + subject + + expect(response).to have_gitlab_http_status(:forbidden) + end + end + end + + def expect_a_valid_package_response + expect(response).to have_gitlab_http_status(:ok) + expect(response.media_type).to eq('application/json') + expect(response).to match_response_schema('public_api/v4/packages/npm_package') + expect(json_response['name']).to eq(package.name) + expect(json_response['versions'][package.version]).to match_schema('public_api/v4/packages/npm_package_version') + ::Packages::Npm::PackagePresenter::NPM_VALID_DEPENDENCY_TYPES.each do |dependency_type| + expect(json_response.dig('versions', package.version, dependency_type.to_s)).to be_any + end + expect(json_response['dist-tags']).to match_schema('public_api/v4/packages/npm_package_tags') + end +end + +RSpec.shared_examples 'handling get dist tags requests' do + let_it_be(:package_tag1) { create(:packages_tag, package: package) } + let_it_be(:package_tag2) { create(:packages_tag, package: package) } + + let(:params) { {} } + + subject { get(url, params: params) } + + context 'with public project' do + context 'with authenticated user' do + let(:params) { { private_token: personal_access_token.token } } + + it_behaves_like 'returns package tags', :maintainer + it_behaves_like 'returns package tags', :developer + it_behaves_like 'returns package tags', :reporter + it_behaves_like 'returns package tags', :guest + end + + context 'with unauthenticated user' do + it_behaves_like 'returns package tags', :no_type + end + end + + context 'with private project' do + before do + project.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE) + end + + context 'with authenticated user' do + let(:params) { { private_token: personal_access_token.token } } + + it_behaves_like 'returns package tags', :maintainer + it_behaves_like 'returns package tags', :developer + it_behaves_like 'returns package tags', :reporter + it_behaves_like 'rejects package tags access', :guest, :forbidden + end + + context 'with unauthenticated user' do + it_behaves_like 'rejects package tags access', :no_type, :not_found + end + end +end + +RSpec.shared_examples 'handling create dist tag requests' do + let_it_be(:tag_name) { 'test' } + + let(:params) { {} } + let(:env) { {} } + let(:version) { package.version } + + subject { put(url, env: env, params: params) } + + context 'with public project' do + context 'with authenticated user' do + let(:params) { { private_token: personal_access_token.token } } + let(:env) { { 'api.request.body': version } } + + it_behaves_like 'create package tag', :maintainer + it_behaves_like 'create package tag', :developer + it_behaves_like 'rejects package tags access', :reporter, :forbidden + it_behaves_like 'rejects package tags access', :guest, :forbidden + end + + context 'with unauthenticated user' do + it_behaves_like 'rejects package tags access', :no_type, :unauthorized + end + end +end + +RSpec.shared_examples 'handling delete dist tag requests' do + let_it_be(:package_tag) { create(:packages_tag, package: package) } + + let(:params) { {} } + let(:tag_name) { package_tag.name } + + subject { delete(url, params: params) } + + context 'with public project' do + context 'with authenticated user' do + let(:params) { { private_token: personal_access_token.token } } + + it_behaves_like 'delete package tag', :maintainer + it_behaves_like 'rejects package tags access', :developer, :forbidden + it_behaves_like 'rejects package tags access', :reporter, :forbidden + it_behaves_like 'rejects package tags access', :guest, :forbidden + end + + context 'with unauthenticated user' do + it_behaves_like 'rejects package tags access', :no_type, :unauthorized + end + end + + context 'with private project' do + before do + project.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE) + end + + context 'with authenticated user' do + let(:params) { { private_token: personal_access_token.token } } + + it_behaves_like 'delete package tag', :maintainer + it_behaves_like 'rejects package tags access', :developer, :forbidden + it_behaves_like 'rejects package tags access', :reporter, :forbidden + it_behaves_like 'rejects package tags access', :guest, :forbidden + end + + context 'with unauthenticated user' do + it_behaves_like 'rejects package tags access', :no_type, :unauthorized + end + end +end |