1 files changed, 95 insertions, 0 deletions
diff --git a/spec/uploaders/object_storage/cdn/google_cdn_spec.rb b/spec/uploaders/object_storage/cdn/google_cdn_spec.rb
new file mode 100644
index 00000000000..b72f6d66d69
--- /dev/null
+++ b/spec/uploaders/object_storage/cdn/google_cdn_spec.rb
@@ -0,0 +1,95 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe ObjectStorage::CDN::GoogleCDN,
+  :use_clean_rails_memory_store_caching, :use_clean_rails_redis_caching, :sidekiq_inline do
+  include StubRequests
+
+  let(:key) { SecureRandom.hex }
+  let(:key_name) { 'test-key' }
+  let(:options) { { url: 'https://cdn.gitlab.example.com', key_name: key_name, key: Base64.urlsafe_encode64(key) } }
+  let(:google_cloud_ips) { File.read(Rails.root.join('spec/fixtures/cdn/google_cloud.json')) }
+  let(:headers) { { 'Content-Type' => 'application/json' } }
+  let(:public_ip) { '18.245.0.42' }
+
+  subject { described_class.new(options) }
+
+  before do
+    WebMock.stub_request(:get, GoogleCloud::FetchGoogleIpListService::GOOGLE_IP_RANGES_URL)
+      .to_return(status: 200, body: google_cloud_ips, headers: headers)
+  end
+
+  describe '#use_cdn?' do
+    using RSpec::Parameterized::TableSyntax
+
+    where(:ip_address, :expected) do
+      '34.80.0.1'                               | false
+      '18.245.0.42'                             | true
+      '2500:1900:4180:0000:0000:0000:0000:0000' | true
+      '2600:1900:4180:0000:0000:0000:0000:0000' | false
+      '10.10.1.5'                               | false
+      'fc00:0000:0000:0000:0000:0000:0000:0000' | false
+    end
+
+    with_them do
+      it { expect(subject.use_cdn?(ip_address)).to eq(expected) }
+    end
+
+    context 'when the key name is missing' do
+      let(:options) { { url: 'https://cdn.gitlab.example.com', key: Base64.urlsafe_encode64(SecureRandom.hex) } }
+
+      it 'returns false' do
+        expect(subject.use_cdn?(public_ip)).to be false
+      end
+    end
+
+    context 'when the key is missing' do
+      let(:options) { { url: 'https://invalid.example.com' } }
+
+      it 'returns false' do
+        expect(subject.use_cdn?(public_ip)).to be false
+      end
+    end
+
+    context 'when the key is invalid' do
+      let(:options) { { key_name: key_name, key: '\0x1' } }
+
+      it 'returns false' do
+        expect(Gitlab::ErrorTracking).to receive(:log_exception).and_call_original
+        expect(subject.use_cdn?(public_ip)).to be false
+      end
+    end
+
+    context 'when the URL is missing' do
+      let(:options) { { key: Base64.urlsafe_encode64(SecureRandom.hex) } }
+
+      it 'returns false' do
+        expect(subject.use_cdn?(public_ip)).to be false
+      end
+    end
+  end
+
+  describe '#signed_url' do
+    let(:path) { '/path/to/file.txt' }
+
+    it 'returns a valid signed URL' do
+      url = subject.signed_url(path)
+
+      expect(url).to start_with("#{options[:url]}#{path}")
+
+      uri = Addressable::URI.parse(url)
+      parsed_query = Rack::Utils.parse_nested_query(uri.query)
+      signature = parsed_query.delete('Signature')
+
+      signed_url = "#{options[:url]}#{path}?Expires=#{parsed_query['Expires']}&KeyName=#{key_name}"
+      computed_signature = OpenSSL::HMAC.digest('SHA1', key, signed_url)
+
+      aggregate_failures do
+        expect(parsed_query['Expires'].to_i).to be > 0
+        expect(parsed_query['KeyName']).to eq(key_name)
+        expect(signature).to eq(Base64.urlsafe_encode64(computed_signature))
+      end
+    end
+  end
+end