path: root/spec/requests/import/gitlab_projects_controller_spec.rb
# frozen_string_literal: true

require 'spec_helper'

RSpec.describe Import::GitlabProjectsController do
  include WorkhorseHelpers

  # HS256 JWT carrying the 'gitlab-workhorse' issuer claim, signed with the
  # shared Gitlab::Workhorse.secret. The endpoints under test are expected to
  # accept only requests that present a token like this one.
  let(:workhorse_token) { JWT.encode({ 'iss' => 'gitlab-workhorse' }, Gitlab::Workhorse.secret, 'HS256') }
  # Header set that makes a spec request look as if Workhorse forwarded it:
  # the Workhorse version header plus the signed internal-API token.
  let(:workhorse_headers) { { 'GitLab-Workhorse' => '1.0', Gitlab::Workhorse::INTERNAL_API_REQUEST_HEADER => workhorse_token } }

  # The acting user is the owner of the namespace the import targets.
  let_it_be(:namespace) { create(:namespace) }
  let_it_be(:user) { namespace.owner }

  # Every example runs with that owner signed in.
  before do
    login_as(user)
  end

  # Import of an uploaded project export archive. The upload is sent through
  # the workhorse_finalize helper together with the signed Workhorse headers.
  describe 'POST create' do
    subject { upload_archive(file_upload, workhorse_headers, params) }

    # Fixture export archive that ships with the spec suite.
    let(:file) { File.join('spec', 'features', 'projects', 'import_export', 'test_project_export.tar.gz') }
    let(:file_upload) { fixture_file_upload(file) }
    let(:params) { { namespace_id: namespace.id, path: 'test' } }

    before do
      # Test-only: the upload path is stubbed to '/'.
      # NOTE(review): presumably this lets the fixture, which lives outside the
      # real upload directory, pass the check on where an uploaded file may
      # reside - confirm against the uploader. It must never be mirrored in
      # application code.
      allow(ImportExportUploader).to receive(:workhorse_upload_path).and_return('/')
    end

    context 'with a valid path' do
      it 'schedules an import and redirects to the new project path' do
        stub_import(namespace)

        subject

        expect(flash[:notice]).to include('is being imported')
        expect(response).to have_gitlab_http_status(:found)
      end
    end

    # A project path that is absolute or climbs out of the namespace with '..'
    # has to be refused: the request still redirects (302), but with an alert
    # instead of the "is being imported" notice.
    context 'with an invalid path' do
      ['/test', '../test'].each do |invalid_path|
        it "redirects with an error when path is `#{invalid_path}`" do
          params[:path] = invalid_path

          subject

          expect(flash[:alert]).to start_with('Project could not be imported')
          expect(response).to have_gitlab_http_status(:found)
        end
      end
    end

    context 'when request exceeds the rate limit' do
      before do
        # Force the limiter to report "throttled" for every key, so the example
        # does not depend on the configured threshold.
        allow(::Gitlab::ApplicationRateLimiter).to receive(:throttled?).and_return(true)
      end

      it 'prevents users from importing projects' do
        subject

        expect(flash[:alert]).to eq('This endpoint has been requested too many times. Try again later.')
        expect(response).to have_gitlab_http_status(:found)
      end
    end

    # POSTs the archive to the import endpoint via workhorse_finalize.
    #
    # file    - the uploaded file, sent under the :file key
    # headers - request headers (the Workhorse headers in these examples)
    # params  - additional form parameters, merged with the file
    def upload_archive(file, headers = {}, params = {})
      workhorse_finalize(
        import_gitlab_project_path,
        method: :post,
        file_key: :file,
        params: params.merge(file: file),
        headers: headers,
        send_rewritten_field: true
      )
    end

    # Sets the expectations for a successful import: some ProjectImportState
    # receives #schedule, and Projects::CreateService is built for the signed-in
    # user with an ActionController::Parameters object (not a plain Hash).
    # The namespace argument is not used by the body.
    def stub_import(namespace)
      expect_any_instance_of(ProjectImportState).to receive(:schedule)
      expect(::Projects::CreateService)
        .to receive(:new)
        .with(user, instance_of(ActionController::Parameters))
        .and_call_original
    end
  end

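  # Pre-upload authorization. The JSON response tells the caller where the
  # archive should be written: a local 'TempPath', or a 'RemoteObject'
  # description when direct upload to object storage is enabled. The endpoint
  # is only meant to answer requests that carry a valid Workhorse token.
  describe 'POST authorize' do
    subject { post authorize_import_gitlab_project_path, headers: workhorse_headers }

    it 'authorizes importing project with workhorse header' do
      subject

      expect(response).to have_gitlab_http_status(:ok)
      expect(response.content_type.to_s).to eq(Gitlab::Workhorse::INTERNAL_API_CONTENT_TYPE)
      expect(json_response['TempPath']).to eq(ImportExportUploader.workhorse_local_upload_path)
    end

    # Missing token: the request did not come through Workhorse at all.
    it 'rejects requests that bypassed gitlab-workhorse' do
      workhorse_headers.delete(Gitlab::Workhorse::INTERNAL_API_REQUEST_HEADER)

      expect { subject }.to raise_error(JWT::DecodeError)
    end

    # Token present and carrying the right issuer claim, but signed with a key
    # other than Gitlab::Workhorse.secret. This pins signature verification,
    # which the missing-header example above does not exercise.
    context 'when the workhorse token is signed with a different secret' do
      # Constructed key for this example only; it is not a real secret.
      let(:workhorse_token) do
        JWT.encode({ 'iss' => 'gitlab-workhorse' }, 'constructed-test-key-not-the-workhorse-secret', 'HS256')
      end

      it 'rejects the request' do
        expect { subject }.to raise_error(JWT::VerificationError)
      end
    end

    context 'when using remote storage' do
      context 'when direct upload is enabled' do
        before do
          stub_uploads_object_storage(ImportExportUploader, enabled: true, direct_upload: true)
        end

        # With direct upload the response must describe the remote object and
        # must not hand out a local temporary path.
        it 'responds with status 200, location of file remote store and object details' do
          subject

          expect(response).to have_gitlab_http_status(:ok)
          expect(response.content_type.to_s).to eq(Gitlab::Workhorse::INTERNAL_API_CONTENT_TYPE)
          expect(json_response).not_to have_key('TempPath')
          expect(json_response['RemoteObject']).to have_key('ID')
          expect(json_response['RemoteObject']).to have_key('GetURL')
          expect(json_response['RemoteObject']).to have_key('StoreURL')
          expect(json_response['RemoteObject']).to have_key('DeleteURL')
          expect(json_response['RemoteObject']).to have_key('MultipartUpload')
        end
      end

      context 'when direct upload is disabled' do
        before do
          stub_uploads_object_storage(ImportExportUploader, enabled: true, direct_upload: false)
        end

        # Object storage without direct upload falls back to the local path and
        # exposes no remote object details.
        it 'handles as a local file' do
          subject

          expect(response).to have_gitlab_http_status(:ok)
          expect(response.content_type.to_s).to eq(Gitlab::Workhorse::INTERNAL_API_CONTENT_TYPE)
          expect(json_response['TempPath']).to eq(ImportExportUploader.workhorse_local_upload_path)
          expect(json_response['RemoteObject']).to be_nil
        end
      end
    end
  end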
end