diff options
Diffstat (limited to 'spec')
| -rw-r--r-- | spec/controllers/admin/hooks_controller_spec.rb | 3 | ||||
| -rw-r--r-- | spec/controllers/projects/clusters_controller_spec.rb | 23 | ||||
| -rw-r--r-- | spec/controllers/projects/environments/prometheus_api_controller_spec.rb | 23 | ||||
| -rw-r--r-- | spec/factories/project_hooks.rb | 2 | ||||
| -rw-r--r-- | spec/helpers/hooks_helper_spec.rb | 2 | ||||
| -rw-r--r-- | spec/lib/rouge/formatters/html_gitlab_spec.rb | 21 | ||||
| -rw-r--r-- | spec/models/hooks/web_hook_spec.rb | 28 | ||||
| -rw-r--r-- | spec/policies/project_policy_spec.rb | 46 | ||||
| -rw-r--r-- | spec/requests/api/repositories_spec.rb | 16 | ||||
| -rw-r--r-- | spec/services/web_hook_service_spec.rb | 4 |
10 files changed, 157 insertions, 11 deletions
diff --git a/spec/controllers/admin/hooks_controller_spec.rb b/spec/controllers/admin/hooks_controller_spec.rb index 4101bd7f658..4e68ffdda2a 100644 --- a/spec/controllers/admin/hooks_controller_spec.rb +++ b/spec/controllers/admin/hooks_controller_spec.rb @@ -59,6 +59,7 @@ RSpec.describe Admin::HooksController do enable_ssl_verification: false, url_variables: [ { key: 'token', value: 'some secret value' }, + { key: 'baz', value: 'qux' }, { key: 'foo', value: nil } ] } @@ -71,7 +72,7 @@ RSpec.describe Admin::HooksController do expect(flash[:notice]).to include('was updated') expect(hook).to have_attributes(hook_params.except(:url_variables)) expect(hook).to have_attributes( - url_variables: { 'token' => 'some secret value', 'baz' => 'woo' } + url_variables: { 'token' => 'some secret value', 'baz' => 'qux' } ) end end diff --git a/spec/controllers/projects/clusters_controller_spec.rb b/spec/controllers/projects/clusters_controller_spec.rb index a4f7c92f5cd..c7d2b1fa3af 100644 --- a/spec/controllers/projects/clusters_controller_spec.rb +++ b/spec/controllers/projects/clusters_controller_spec.rb @@ -7,7 +7,7 @@ RSpec.describe Projects::ClustersController, feature_category: :kubernetes_manag include GoogleApi::CloudPlatformHelpers include KubernetesHelpers - let_it_be(:project) { create(:project) } + let_it_be_with_reload(:project) { create(:project) } let(:user) { create(:user) } @@ -140,6 +140,27 @@ RSpec.describe Projects::ClustersController, feature_category: :kubernetes_manag expect(response).to redirect_to(new_user_session_path) end end + + context 'with a public project' do + before do + project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC) + project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::ENABLED) + end + + context 'with guest user' do + let(:prometheus_body) { nil } + + before do + project.add_guest(user) + end + + it 'returns 404' do + get :prometheus_proxy, params: prometheus_proxy_params + + expect(response).to have_gitlab_http_status(:not_found) + end + end + end end end diff --git a/spec/controllers/projects/environments/prometheus_api_controller_spec.rb b/spec/controllers/projects/environments/prometheus_api_controller_spec.rb index 68d50cf19f0..6b0c164e432 100644 --- a/spec/controllers/projects/environments/prometheus_api_controller_spec.rb +++ b/spec/controllers/projects/environments/prometheus_api_controller_spec.rb @@ -4,7 +4,7 @@ require 'spec_helper' RSpec.describe Projects::Environments::PrometheusApiController do let_it_be(:user) { create(:user) } - let_it_be(:project) { create(:project) } + let_it_be_with_reload(:project) { create(:project) } let_it_be(:proxyable) { create(:environment, project: project) } before do @@ -70,6 +70,27 @@ RSpec.describe Projects::Environments::PrometheusApiController do expect(response).to redirect_to(new_user_session_path) end end + + context 'with a public project' do + before do + project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC) + project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::ENABLED) + end + + context 'with guest user' do + let(:prometheus_body) { nil } + + before do + project.add_guest(user) + end + + it 'returns 404' do + get :prometheus_proxy, params: prometheus_proxy_params + + expect(response).to have_gitlab_http_status(:not_found) + end + end + end end end end diff --git a/spec/factories/project_hooks.rb b/spec/factories/project_hooks.rb index 946b3925ee9..d84e287d765 100644 --- a/spec/factories/project_hooks.rb +++ b/spec/factories/project_hooks.rb @@ -7,7 +7,7 @@ FactoryBot.define do project trait :url_variables do - url_variables { { 'abc' => 'supers3cret' } } + url_variables { { 'abc' => 'supers3cret', 'def' => 'foobar' } } end trait :token do diff --git a/spec/helpers/hooks_helper_spec.rb b/spec/helpers/hooks_helper_spec.rb index a6cfbfe86ca..d8fa64e099a 100644 --- a/spec/helpers/hooks_helper_spec.rb +++ b/spec/helpers/hooks_helper_spec.rb @@ -26,7 +26,7 @@ RSpec.describe HooksHelper do it 'returns proper data' do expect(subject).to match( url: project_hook.url, - url_variables: Gitlab::Json.dump([{ key: 'abc' }]) + url_variables: Gitlab::Json.dump([{ key: 'abc' }, { key: 'def' }]) ) end end diff --git a/spec/lib/rouge/formatters/html_gitlab_spec.rb b/spec/lib/rouge/formatters/html_gitlab_spec.rb index 79bfdb262c0..6fc1b395fc8 100644 --- a/spec/lib/rouge/formatters/html_gitlab_spec.rb +++ b/spec/lib/rouge/formatters/html_gitlab_spec.rb @@ -2,7 +2,7 @@ require 'spec_helper' -RSpec.describe Rouge::Formatters::HTMLGitlab do +RSpec.describe Rouge::Formatters::HTMLGitlab, feature_category: :source_code_management do describe '#format' do subject { described_class.format(tokens, **options) } @@ -67,5 +67,24 @@ RSpec.describe Rouge::Formatters::HTMLGitlab do is_expected.to include(%{<span class="unicode-bidi has-tooltip" data-toggle="tooltip" title="#{message}">}).exactly(4).times end end + + context 'when space characters and zero-width spaces are used' do + let(:lang) { 'ruby' } + let(:tokens) { lexer.lex(code, continue: false) } + + let(:code) do + <<~JS + def\u00a0\u1680\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008\u2009\u200a\u202f\u205f\u3000hello + JS + end + + it 'replaces the space characters with spaces' do + is_expected.to eq( + "<span id=\"LC1\" class=\"line\" lang=\"ruby\">" \ + "<span class=\"k\">def</span><span class=\"err\"> </span><span class=\"n\">hello</span>" \ + "</span>" + ) + end + end end end diff --git a/spec/models/hooks/web_hook_spec.rb b/spec/models/hooks/web_hook_spec.rb index 72958a54e10..ad5f01fe056 100644 --- a/spec/models/hooks/web_hook_spec.rb +++ b/spec/models/hooks/web_hook_spec.rb @@ -242,6 +242,22 @@ RSpec.describe WebHook, feature_category: :integrations do expect(hook.url_variables).to eq({}) end + it 'resets url variables if url is changed and url variables are appended' do + hook.url = 'http://suspicious.example.com/{abc}/{foo}' + hook.url_variables = hook.url_variables.merge('foo' => 'bar') + + expect(hook).not_to be_valid + expect(hook.url_variables).to eq({}) + end + + it 'resets url variables if url is changed and url variables are removed' do + hook.url = 'http://suspicious.example.com/{abc}' + hook.url_variables = hook.url_variables.except("def") + + expect(hook).not_to be_valid + expect(hook.url_variables).to eq({}) + end + it 'does not reset url variables if both url and url variables are changed' do hook.url = 'http://example.com/{one}/{two}' hook.url_variables = { 'one' => 'foo', 'two' => 'bar' } @@ -249,6 +265,18 @@ RSpec.describe WebHook, feature_category: :integrations do expect(hook).to be_valid expect(hook.url_variables).to eq({ 'one' => 'foo', 'two' => 'bar' }) end + + context 'without url variables' do + subject(:hook) { build_stubbed(:project_hook, project: project, url: 'http://example.com') } + + it 'does not reset url variables' do + hook.url = 'http://example.com/{one}/{two}' + hook.url_variables = { 'one' => 'foo', 'two' => 'bar' } + + expect(hook).to be_valid + expect(hook.url_variables).to eq({ 'one' => 'foo', 'two' => 'bar' }) + end + end end it "only consider these branch filter strategies are valid" do diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index c29446c1f38..0c359b80fb5 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -697,6 +697,39 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio end end + describe 'read_prometheus', feature_category: :metrics do + using RSpec::Parameterized::TableSyntax + + before do + project.project_feature.update!(metrics_dashboard_access_level: ProjectFeature::ENABLED) + end + + let(:policy) { :read_prometheus } + + where(:project_visibility, :role, :allowed) do + :public | :anonymous | false + :public | :guest | false + :public | :reporter | true + :internal | :anonymous | false + :internal | :guest | false + :internal | :reporter | true + :private | :anonymous | false + :private | :guest | false + :private | :reporter | true + end + + with_them do + let(:current_user) { public_send(role) } + let(:project) { public_send("#{project_visibility}_project") } + + if params[:allowed] + it { is_expected.to be_allowed(policy) } + else + it { is_expected.not_to be_allowed(policy) } + end + end + end + describe 'update_max_artifacts_size' do context 'when no user' do let(:current_user) { anonymous } @@ -972,7 +1005,7 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio let(:current_user) { guest } it { is_expected.to be_allowed(:metrics_dashboard) } - it { is_expected.to be_allowed(:read_prometheus) } + it { is_expected.to be_disallowed(:read_prometheus) } it { is_expected.to be_allowed(:read_deployment) } it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) } it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) } @@ -982,7 +1015,7 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio let(:current_user) { anonymous } it { is_expected.to be_allowed(:metrics_dashboard) } - it { is_expected.to be_allowed(:read_prometheus) } + it { is_expected.to be_disallowed(:read_prometheus) } it { is_expected.to be_allowed(:read_deployment) } it { is_expected.to be_disallowed(:read_metrics_user_starred_dashboard) } it { is_expected.to be_disallowed(:create_metrics_user_starred_dashboard) } @@ -1008,12 +1041,14 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio let(:current_user) { guest } it { is_expected.to be_disallowed(:metrics_dashboard) } + it { is_expected.to be_disallowed(:read_prometheus) } end context 'with anonymous' do let(:current_user) { anonymous } it { is_expected.to be_disallowed(:metrics_dashboard) } + it { is_expected.to be_disallowed(:read_prometheus) } end end @@ -1036,7 +1071,7 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio let(:current_user) { guest } it { is_expected.to be_allowed(:metrics_dashboard) } - it { is_expected.to be_allowed(:read_prometheus) } + it { is_expected.to be_disallowed(:read_prometheus) } it { is_expected.to be_allowed(:read_deployment) } it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) } it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) } @@ -1046,6 +1081,7 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio let(:current_user) { anonymous } it { is_expected.to be_disallowed(:metrics_dashboard) } + it { is_expected.to be_disallowed(:read_prometheus) } end end end @@ -1068,12 +1104,14 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio let(:current_user) { guest } it { is_expected.to be_disallowed(:metrics_dashboard) } + it { is_expected.to be_disallowed(:read_prometheus) } end context 'with anonymous' do let(:current_user) { anonymous } it { is_expected.to be_disallowed(:metrics_dashboard) } + it { is_expected.to be_disallowed(:read_prometheus) } end end @@ -1092,12 +1130,14 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio let(:current_user) { guest } it { is_expected.to be_disallowed(:metrics_dashboard) } + it { is_expected.to be_disallowed(:read_prometheus) } end context 'with anonymous' do let(:current_user) { anonymous } it { is_expected.to be_disallowed(:metrics_dashboard) } + it { is_expected.to be_disallowed(:read_prometheus) } end end end diff --git a/spec/requests/api/repositories_spec.rb b/spec/requests/api/repositories_spec.rb index 555ba2bc978..be26fe24061 100644 --- a/spec/requests/api/repositories_spec.rb +++ b/spec/requests/api/repositories_spec.rb @@ -573,6 +573,22 @@ RSpec.describe API::Repositories, feature_category: :source_code_management do context 'when authenticated', 'as a developer' do it_behaves_like 'repository compare' do let(:current_user) { user } + + context 'when user does not have read access to the parent project' do + let_it_be(:group) { create(:group) } + let(:forked_project) { fork_project(project, current_user, repository: true, namespace: group) } + + before do + forked_project.add_guest(current_user) + end + + it 'returns 403 error' do + get api(route, current_user), params: { from: 'improve/awesome', to: 'feature', from_project_id: forked_project.id } + + expect(response).to have_gitlab_http_status(:forbidden) + expect(json_response['message']).to eq("403 Forbidden - You don't have access to this fork's parent project") + end + end end end diff --git a/spec/services/web_hook_service_spec.rb b/spec/services/web_hook_service_spec.rb index 5736bf885be..b4250fcf04d 100644 --- a/spec/services/web_hook_service_spec.rb +++ b/spec/services/web_hook_service_spec.rb @@ -130,8 +130,8 @@ RSpec.describe WebHookService, :request_store, :clean_gitlab_redis_shared_state, context 'there is userinfo' do before do project_hook.update!( - url: 'http://{one}:{two}@example.com', - url_variables: { 'one' => 'a', 'two' => 'b' } + url: 'http://{foo}:{bar}@example.com', + url_variables: { 'foo' => 'a', 'bar' => 'b' } ) stub_full_request('http://example.com', method: :post) end |