root
/
gitlab-ce
mirror of https://gitlab.com/free-releases/gitlab-ce.git
1
0
Fork 0
Code Issues Actions Packages Projects Releases Wiki Activity

Add latest changes from gitlab-org/gitlab@master

This commit is contained in:
GitLab Bot 2021-07-07 21:08:10 +00:00
parent 59776dd803
commit c608e2662b
17 changed files with 493 additions and 115 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
GITALY_SERVER_VERSION
View File

@ -1 +1 @@
747d61c17a51f361cc883c9d4700e174219088a5
8cc6bb1ffb6830fa416c8d0e32f9edebf6573730

2
app/assets/javascripts/pages/shared/wikis/components/wiki_form.vue
View File

@ -461,7 +461,7 @@ export default {
</markdown-field>
<div v-if="isContentEditorActive">
<gl-alert class="gl-mb-6" variant="tip" :dismissable="false">
<gl-alert class="gl-mb-6" variant="tip" :dismissible="false">
<gl-sprintf :message="$options.i18n.contentEditor.feedbackTip">
<template
#link="// eslint-disable-next-line vue/no-template-shadow

2
app/models/packages/helm.rb
View File

@ -2,6 +2,8 @@
module Packages
module Helm
TEMPORARY_PACKAGE_NAME = 'Helm.Temporary.Package'
def self.table_name_prefix
'packages_helm_'
end

21
config/metrics/counts_all/20210625095025_package_events_i_package_helm_push_package.yml Normal file
View File

@ -0,0 +1,21 @@
---
key_path: counts.package_events_i_package_helm_push_package
description: The total count of Helm packages that have been published.
product_section: ops
product_stage: package
product_group: group::package
product_category: package_registry
value_type: number
status: implemented
milestone: "14.1"
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/64814
time_frame: all
data_source: redis
data_category: Optional
distribution:
- ce
- ee
tier:
- free
- premium
- ultimate

2
config/metrics/license/20210201124932_recorded_at.yml
View File

@ -1,5 +1,5 @@
---
data_category: Optional
data_category: Standard
key_path: recorded_at
description: When the Usage Ping computation was started
product_section: growth

2
config/metrics/license/20210204124938_recording_ce_finished_at.yml
View File

@ -1,5 +1,5 @@
---
data_category: Optional
data_category: Standard
key_path: recording_ce_finished_at
description: When the core features were computed
product_section: growth

37
doc/development/documentation/site_architecture/global_nav.md
View File

@ -12,21 +12,40 @@ description: "Learn how GitLab docs' global navigation works and how to add new
> - [Per-project](https://gitlab.com/gitlab-org/gitlab-docs/-/merge_requests/498) navigation added in GitLab 12.2.
> - [Unified global navigation](https://gitlab.com/gitlab-org/gitlab-docs/-/merge_requests/1482) added in GitLab 13.11.
Global navigation (the left-most pane in our three pane documentation) provides:
Global navigation is the left-most pane in the documentation. You can use the
"global nav" to browse the content.
- A high-level grouped view of product features.
- The ability to discover new features by browsing the menu structure.
- A way to allow the reader to focus on product areas.
- The ability to refine landing pages, so they don't have to do all the work of surfacing
every page contained within the documentation.
Research shows that people use Google to search for GitLab product documentation. When they land on a result,
we want them to find topics nearby that are related to the content they're reading. The global nav provides this information.
## Adding new items
At the highest level, our global nav is workflow-based. Navigation needs to help users build a mental model of how to use GitLab.
The levels under each of the higher workflow-based topics are the names of features.
For example:
**Use GitLab** (_workflow_) **> Build your application** (_workflow_) **> CI/CD** (_feature_) **> Pipelines** (_feature)
## Choose the right words for your navigation entry
Before you add an item to the left nav, choose the parts of speech you want to use.
The nav entry should match the page title. However, if the title is too long,
when you shorten the phrase, use either:
- A noun, like **Merge requests**.
- An active verb, like **Install GitLab** or **Get started with runners**.
Use a phrase that clearly indicates what the page is for. For example, **Get started** is not
as helpful as **Get started with runners**.
## Add a navigation entry
All topics should be included in the left nav.
To add a topic to the global nav, edit
[`navigation.yaml`](https://gitlab.com/gitlab-org/gitlab-docs/blob/main/content/_data/navigation.yaml)
and add your item.
All new pages need a new navigation item. Without a navigation, the page becomes "orphaned". That
All new pages need a navigation item. Without a navigation, the page becomes "orphaned." That
is:
- The navigation shuts when the page is opened, and the reader loses their place.
@ -93,7 +112,7 @@ for clarity.
To see the improvements planned, check the
[global nav epic](https://gitlab.com/groups/gitlab-org/-/epics/1599).
**Do not** [add items](#adding-new-items) to the global nav without
**Do not** [add items](#add-a-navigation-entry) to the global nav without
the consent of one of the technical writers.
## Composition

18
doc/development/usage_ping/dictionary.md
View File

@ -4346,6 +4346,18 @@ Status: `implemented`
Tiers: `free`, `premium`, `ultimate`
### `counts.package_events_i_package_helm_push_package`
The total count of Helm packages that have been published.
[YAML definition](https://gitlab.com/gitlab-org/gitlab/-/blob/master/config/metrics/counts_all/20210625095025_package_events_i_package_helm_push_package.yml)
Group: `group::package`
Status: `implemented`
Tiers: `free`, `premium`, `ultimate`
### `counts.package_events_i_package_maven_delete_package`
A count of Maven packages that have been deleted
@ -8974,7 +8986,7 @@ When the Usage Ping computation was started
Group: `group::product intelligence`
Data Category: `Optional`
Data Category: `Standard`
Status: `data_available`
@ -8988,7 +9000,7 @@ When the core features were computed
Group: `group::product intelligence`
Data Category: `Optional`
Data Category: `Standard`
Status: `data_available`
@ -9002,7 +9014,7 @@ When the EE-specific features were computed
Group: `group::product intelligence`
Data Category: `Subscription`
Data Category: `Standard`
Status: `data_available`

50
lib/api/helm_packages.rb
View File

@ -10,6 +10,7 @@ module API
feature_category :package_registry
PACKAGE_FILENAME = 'package.tgz'
FILE_NAME_REQUIREMENTS = {
file_name: API::NO_SLASH_URL_PART_REGEX
}.freeze
@ -75,6 +76,55 @@ module API
present_carrierwave_file!(package_file.file)
end
desc 'Authorize a chart upload from workhorse' do
detail 'This feature was introduced in GitLab 14.0'
end
params do
requires :channel, type: String, desc: 'Helm channel', regexp: Gitlab::Regex.helm_channel_regex
end
post "api/:channel/charts/authorize" do
authorize_workhorse!(
subject: authorized_user_project,
has_length: false,
maximum_size: authorized_user_project.actual_limits.helm_max_file_size
)
end
desc 'Upload a chart' do
detail 'This feature was introduced in GitLab 14.0'
end
params do
requires :channel, type: String, desc: 'Helm channel', regexp: Gitlab::Regex.helm_channel_regex
requires :chart, type: ::API::Validations::Types::WorkhorseFile, desc: 'The chart file to be published (generated by Multipart middleware)'
end
post "api/:channel/charts" do
authorize_upload!(authorized_user_project)
bad_request!('File is too large') if authorized_user_project.actual_limits.exceeded?(:helm_max_file_size, params[:chart].size)
package = ::Packages::CreateTemporaryPackageService.new(
authorized_user_project, current_user, declared_params.merge(build: current_authenticated_job)
).execute(:helm, name: ::Packages::Helm::TEMPORARY_PACKAGE_NAME)
chart_params = {
file: params[:chart],
file_name: PACKAGE_FILENAME
}
chart_package_file = ::Packages::CreatePackageFileService.new(
package, chart_params.merge(build: current_authenticated_job)
).execute
track_package_event('push_package', :helm, project: authorized_user_project, namespace: authorized_user_project.namespace)
::Packages::Helm::ExtractionWorker.perform_async(params[:channel], chart_package_file.id) # rubocop:disable CodeReuse/Worker
created!
rescue ObjectStorage::RemoteStoreError => e
Gitlab::ErrorTracking.track_exception(e, extra: { channel: params[:channel], project_id: authorized_user_project.id })
forbidden!
end
end
end
end

8
lib/gitlab/database/migration_helpers.rb
View File

@ -217,11 +217,12 @@ module Gitlab
# source - The source table containing the foreign key.
# target - The target table the key points to.
# column - The name of the column to create the foreign key on.
# target_column - The name of the referenced column, defaults to "id".
# on_delete - The action to perform when associated data is removed,
# defaults to "CASCADE".
# name - The name of the foreign key.
#
def add_concurrent_foreign_key(source, target, column:, on_delete: :cascade, name: nil, validate: true)
def add_concurrent_foreign_key(source, target, column:, on_delete: :cascade, target_column: :id, name: nil, validate: true)
# Transactions would result in ALTER TABLE locks being held for the
# duration of the transaction, defeating the purpose of this method.
if transaction_open?
@ -231,7 +232,8 @@ module Gitlab
options = {
column: column,
on_delete: on_delete,
name: name.presence || concurrent_foreign_key_name(source, column)
name: name.presence || concurrent_foreign_key_name(source, column),
primary_key: target_column
}
if foreign_key_exists?(source, target, **options)
@ -252,7 +254,7 @@ module Gitlab
ALTER TABLE #{source}
ADD CONSTRAINT #{options[:name]}
FOREIGN KEY (#{options[:column]})
REFERENCES #{target} (id)
REFERENCES #{target} (#{target_column})
#{on_delete_statement(options[:on_delete])}
NOT VALID;
EOF

1
lib/gitlab/usage_data_counters/counter_events/package_events.yml
View File

@ -22,6 +22,7 @@
- i_package_golang_pull_package
- i_package_golang_push_package
- i_package_helm_pull_package
- i_package_helm_push_package
- i_package_maven_delete_package
- i_package_maven_pull_package
- i_package_maven_push_package

22
spec/features/projects/pipelines/pipeline_spec.rb
View File

@ -7,7 +7,8 @@ RSpec.describe 'Pipeline', :js do
include ProjectForksHelper
include ::ExclusiveLeaseHelpers
let(:project) { create(:project) }
let_it_be(:project) { create(:project) }
let(:user) { create(:user) }
let(:role) { :developer }
@ -59,8 +60,9 @@ RSpec.describe 'Pipeline', :js do
describe 'GET /:project/-/pipelines/:id' do
include_context 'pipeline builds'
let(:group) { create(:group) }
let(:project) { create(:project, :repository, group: group) }
let_it_be(:group) { create(:group) }
let_it_be(:project, reload: true) { create(:project, :repository, group: group) }
let(:pipeline) { create(:ci_pipeline, project: project, ref: 'master', sha: project.commit.id, user: user) }
subject(:visit_pipeline) { visit project_pipeline_path(project, pipeline) }
@ -246,6 +248,8 @@ RSpec.describe 'Pipeline', :js do
end
context 'when pipeline has a delayed job' do
let(:project) { create(:project, :repository, group: group) }
it 'shows the scheduled icon and an unschedule action for the delayed job' do
page.within('#ci-badge-delayed-job') do
expect(page).to have_selector('.js-ci-status-icon-scheduled')
@ -550,6 +554,7 @@ RSpec.describe 'Pipeline', :js do
end
context 'when pipeline is merge request pipeline' do
let(:project) { create(:project, :repository, group: group) }
let(:source_project) { project }
let(:target_project) { project }
@ -634,7 +639,8 @@ RSpec.describe 'Pipeline', :js do
describe 'GET /:project/-/pipelines/:id' do
include_context 'pipeline builds'
let(:project) { create(:project, :repository) }
let_it_be(:project) { create(:project, :repository) }
let(:pipeline) { create(:ci_pipeline, project: project, ref: 'master', sha: project.commit.id, user: user) }
before do
@ -997,7 +1003,8 @@ RSpec.describe 'Pipeline', :js do
describe 'GET /:project/-/pipelines/:id/builds' do
include_context 'pipeline builds'
let(:project) { create(:project, :repository) }
let_it_be(:project) { create(:project, :repository) }
let(:pipeline) { create(:ci_pipeline, project: project, ref: 'master', sha: project.commit.id) }
before do
@ -1234,7 +1241,8 @@ RSpec.describe 'Pipeline', :js do
describe 'GET /:project/-/pipelines/:id/dag' do
include_context 'pipeline builds'
let(:project) { create(:project, :repository) }
let_it_be(:project) { create(:project, :repository) }
let(:pipeline) { create(:ci_pipeline, project: project, ref: 'master', sha: project.commit.id) }
before do
@ -1263,7 +1271,7 @@ RSpec.describe 'Pipeline', :js do
end
context 'when user sees pipeline flags in a pipeline detail page' do
let(:project) { create(:project, :repository) }
let_it_be(:project) { create(:project, :repository) }
context 'when pipeline is latest' do
include_context 'pipeline builds'

50
spec/lib/gitlab/database/migration_helpers_spec.rb
View File

@ -379,6 +379,37 @@ RSpec.describe Gitlab::Database::MigrationHelpers do
allow(model).to receive(:transaction_open?).and_return(false)
end
context 'target column' do
it 'defaults to (id) when no custom target column is provided' do
expect(model).to receive(:with_lock_retries).and_call_original
expect(model).to receive(:disable_statement_timeout).and_call_original
expect(model).to receive(:statement_timeout_disabled?).and_return(false)
expect(model).to receive(:execute).with(/statement_timeout/)
expect(model).to receive(:execute).ordered.with(/VALIDATE CONSTRAINT/)
expect(model).to receive(:execute).ordered.with(/RESET ALL/)
expect(model).to receive(:execute).with(/REFERENCES users \(id\)/)
model.add_concurrent_foreign_key(:projects, :users,
column: :user_id)
end
it 'references the custom taget column when provided' do
expect(model).to receive(:with_lock_retries).and_call_original
expect(model).to receive(:disable_statement_timeout).and_call_original
expect(model).to receive(:statement_timeout_disabled?).and_return(false)
expect(model).to receive(:execute).with(/statement_timeout/)
expect(model).to receive(:execute).ordered.with(/VALIDATE CONSTRAINT/)
expect(model).to receive(:execute).ordered.with(/RESET ALL/)
expect(model).to receive(:execute).with(/REFERENCES users \(id_convert_to_bigint\)/)
model.add_concurrent_foreign_key(:projects, :users,
column: :user_id,
target_column: :id_convert_to_bigint)
end
end
context 'ON DELETE statements' do
context 'on_delete: :nullify' do
it 'appends ON DELETE SET NULL statement' do
@ -450,7 +481,8 @@ RSpec.describe Gitlab::Database::MigrationHelpers do
expect(model).to receive(:foreign_key_exists?).with(:projects, :users,
column: :user_id,
on_delete: :cascade,
name: name).and_return(true)
name: name,
primary_key: :id).and_return(true)
expect(model).not_to receive(:execute).with(/ADD CONSTRAINT/)
expect(model).to receive(:execute).with(/VALIDATE CONSTRAINT/)
@ -479,6 +511,7 @@ RSpec.describe Gitlab::Database::MigrationHelpers do
it 'does not create a new foreign key' do
expect(model).to receive(:foreign_key_exists?).with(:projects, :users,
name: :foo,
primary_key: :id,
on_delete: :cascade,
column: :user_id).and_return(true)
@ -583,7 +616,15 @@ RSpec.describe Gitlab::Database::MigrationHelpers do
describe '#foreign_key_exists?' do
before do
key = ActiveRecord::ConnectionAdapters::ForeignKeyDefinition.new(:projects, :users, { column: :non_standard_id, name: :fk_projects_users_non_standard_id, on_delete: :cascade })
key = ActiveRecord::ConnectionAdapters::ForeignKeyDefinition.new(
:projects, :users,
{
column: :non_standard_id,
name: :fk_projects_users_non_standard_id,
on_delete: :cascade,
primary_key: :id
}
)
allow(model).to receive(:foreign_keys).with(:projects).and_return([key])
end
@ -612,6 +653,11 @@ RSpec.describe Gitlab::Database::MigrationHelpers do
expect(model.foreign_key_exists?(:projects, target_table, column: :user_id)).to be_falsey
end
it 'compares by target column name if given' do
expect(model.foreign_key_exists?(:projects, target_table, primary_key: :user_id)).to be_falsey
expect(model.foreign_key_exists?(:projects, target_table, primary_key: :id)).to be_truthy
end
it 'compares by foreign key name if given' do
expect(model.foreign_key_exists?(:projects, target_table, name: :non_existent_foreign_key_name)).to be_falsey
end

2
spec/lib/gitlab/usage_data_counters/package_event_counter_spec.rb
View File

@ -14,7 +14,7 @@ RSpec.describe Gitlab::UsageDataCounters::PackageEventCounter, :clean_gitlab_red
end
it 'includes the right events' do
expect(described_class::KNOWN_EVENTS.size).to eq 52
expect(described_class::KNOWN_EVENTS.size).to eq 53
end
described_class::KNOWN_EVENTS.each do |event|

163
spec/requests/api/helm_packages_spec.rb
View File

@ -20,47 +20,160 @@ RSpec.describe API::HelmPackages do
describe 'GET /api/v4/projects/:id/packages/helm/:channel/charts/:file_name.tgz' do
let(:url) { "/projects/#{project.id}/packages/helm/#{package.package_files.first.helm_channel}/charts/#{package.name}-#{package.version}.tgz" }
subject { get api(url) }
subject { get api(url), headers: headers }
context 'with valid project' do
where(:visibility, :user_role, :member, :user_token, :shared_examples_name, :expected_status) do
:public | :developer | true | true | 'process helm download content request' | :success
:public | :guest | true | true | 'process helm download content request' | :success
:public | :developer | true | false | 'rejects helm packages access' | :unauthorized
:public | :guest | true | false | 'rejects helm packages access' | :unauthorized
:public | :developer | false | true | 'process helm download content request' | :success
:public | :guest | false | true | 'process helm download content request' | :success
:public | :developer | false | false | 'rejects helm packages access' | :unauthorized
:public | :guest | false | false | 'rejects helm packages access' | :unauthorized
:public | :anonymous | false | true | 'process helm download content request' | :success
:private | :developer | true | true | 'process helm download content request' | :success
:private | :guest | true | true | 'rejects helm packages access' | :forbidden
:private | :developer | true | false | 'rejects helm packages access' | :unauthorized
:private | :guest | true | false | 'rejects helm packages access' | :unauthorized
:private | :developer | false | true | 'rejects helm packages access' | :not_found
:private | :guest | false | true | 'rejects helm packages access' | :not_found
:private | :developer | false | false | 'rejects helm packages access' | :unauthorized
:private | :guest | false | false | 'rejects helm packages access' | :unauthorized
:private | :anonymous | false | true | 'rejects helm packages access' | :unauthorized
where(:visibility, :user_role, :shared_examples_name, :expected_status) do
:public | :guest | 'process helm download content request' | :success
:public | :not_a_member | 'process helm download content request' | :success
:public | :anonymous | 'process helm download content request' | :success
:private | :reporter | 'process helm download content request' | :success
:private | :guest | 'rejects helm packages access' | :forbidden
:private | :not_a_member | 'rejects helm packages access' | :not_found
:private | :anonymous | 'rejects helm packages access' | :unauthorized
end
with_them do
let(:token) { user_token ? personal_access_token.token : 'wrong' }
let(:headers) { user_role == :anonymous ? {} : basic_auth_header(user.username, token) }
let(:headers) { user_role == :anonymous ? {} : basic_auth_header(user.username, personal_access_token.token) }
let(:snowplow_gitlab_standard_context) { { project: project, namespace: project.namespace } }
subject { get api(url), headers: headers }
before do
project.update!(visibility: visibility.to_s)
end
it_behaves_like params[:shared_examples_name], params[:user_role], params[:expected_status], params[:member]
it_behaves_like params[:shared_examples_name], params[:user_role], params[:expected_status]
end
end
context 'when an invalid token is passed' do
let(:headers) { basic_auth_header(user.username, 'wrong') }
it_behaves_like 'returning response status', :unauthorized
end
it_behaves_like 'deploy token for package GET requests'
end
describe 'POST /api/v4/projects/:id/packages/helm/api/:channel/charts/authorize' do
include_context 'workhorse headers'
let(:channel) { 'stable' }
let(:url) { "/projects/#{project.id}/packages/helm/api/#{channel}/charts/authorize" }
let(:headers) { {} }
subject { post api(url), headers: headers }
context 'with valid project' do
where(:visibility_level, :user_role, :shared_examples_name, :expected_status) do
:public | :developer | 'process helm workhorse authorization' | :success
:public | :reporter | 'rejects helm packages access' | :forbidden
:public | :not_a_member | 'rejects helm packages access' | :forbidden
:public | :anonymous | 'rejects helm packages access' | :unauthorized
:private | :developer | 'process helm workhorse authorization' | :success
:private | :reporter | 'rejects helm packages access' | :forbidden
:private | :not_a_member | 'rejects helm packages access' | :not_found
:private | :anonymous | 'rejects helm packages access' | :unauthorized
end
with_them do
let(:user_headers) { user_role == :anonymous ? {} : basic_auth_header(user.username, personal_access_token.token) }
let(:headers) { user_headers.merge(workhorse_headers) }
before do
project.update_column(:visibility_level, Gitlab::VisibilityLevel.level_value(visibility_level.to_s))
end
it_behaves_like params[:shared_examples_name], params[:user_role], params[:expected_status]
end
end
context 'when an invalid token is passed' do
let(:headers) { basic_auth_header(user.username, 'wrong') }
it_behaves_like 'returning response status', :unauthorized
end
it_behaves_like 'deploy token for package uploads'
it_behaves_like 'job token for package uploads', authorize_endpoint: true, accept_invalid_username: true do
let_it_be(:job) { create(:ci_build, :running, user: user, project: project) }
end
it_behaves_like 'rejects helm access with unknown project id'
end
describe 'POST /api/v4/projects/:id/packages/helm/api/:channel/charts' do
include_context 'workhorse headers'
let_it_be(:file_name) { 'package.tgz' }
let(:channel) { 'stable' }
let(:url) { "/projects/#{project.id}/packages/helm/api/#{channel}/charts" }
let(:headers) { {} }
let(:params) { { chart: temp_file(file_name) } }
let(:file_key) { :chart }
let(:send_rewritten_field) { true }
let(:snowplow_gitlab_standard_context) { { project: project, namespace: project.namespace } }
subject do
workhorse_finalize(
api(url),
method: :post,
file_key: file_key,
params: params,
headers: headers,
send_rewritten_field: send_rewritten_field
)
end
context 'with valid project' do
where(:visibility_level, :user_role, :shared_examples_name, :expected_status) do
:public | :developer | 'process helm upload' | :created
:public | :reporter | 'rejects helm packages access' | :forbidden
:public | :not_a_member | 'rejects helm packages access' | :forbidden
:public | :anonymous | 'rejects helm packages access' | :unauthorized
:private | :developer | 'process helm upload' | :created
:private | :guest | 'rejects helm packages access' | :forbidden
:private | :not_a_member | 'rejects helm packages access' | :not_found
:private | :anonymous | 'rejects helm packages access' | :unauthorized
end
with_them do
let(:user_headers) { user_role == :anonymous ? {} : basic_auth_header(user.username, personal_access_token.token) }
let(:headers) { user_headers.merge(workhorse_headers) }
before do
project.update_column(:visibility_level, Gitlab::VisibilityLevel.level_value(visibility_level.to_s))
end
it_behaves_like params[:shared_examples_name], params[:user_role], params[:expected_status]
end
end
context 'when an invalid token is passed' do
let(:headers) { basic_auth_header(user.username, 'wrong') }
it_behaves_like 'returning response status', :unauthorized
end
it_behaves_like 'deploy token for package uploads'
it_behaves_like 'job token for package uploads', accept_invalid_username: true do
let_it_be(:job) { create(:ci_build, :running, user: user, project: project) }
end
it_behaves_like 'rejects helm access with unknown project id'
context 'file size above maximum limit' do
let(:headers) { basic_auth_header(deploy_token.username, deploy_token.token).merge(workhorse_headers) }
before do
allow_next_instance_of(UploadedFile) do |uploaded_file|
allow(uploaded_file).to receive(:size).and_return(project.actual_limits.helm_max_file_size + 1)
end
end
it_behaves_like 'returning response status', :bad_request
end
end
end

218
spec/support/shared_examples/requests/api/helm_packages_shared_examples.rb
View File

@ -1,9 +1,9 @@
# frozen_string_literal: true
RSpec.shared_examples 'rejects helm packages access' do |user_type, status, add_member = true|
RSpec.shared_examples 'rejects helm packages access' do |user_type, status|
context "for user type #{user_type}" do
before do
project.send("add_#{user_type}", user) if add_member && user_type != :anonymous
project.send("add_#{user_type}", user) if user_type != :anonymous && user_type != :not_a_member
end
it_behaves_like 'returning response status', status
@ -18,17 +18,17 @@ RSpec.shared_examples 'rejects helm packages access' do |user_type, status, add_
end
end
RSpec.shared_examples 'process helm service index request' do |user_type, status, add_member = true|
RSpec.shared_examples 'process helm service index request' do |user_type, status|
context "for user type #{user_type}" do
before do
project.send("add_#{user_type}", user) if add_member && user_type != :anonymous
project.send("add_#{user_type}", user) if user_type != :anonymous && user_type != :not_a_member
end
it_behaves_like 'returning response status', status
it 'returns a valid YAML response', :aggregate_failures do
subject
expect(response).to have_gitlab_http_status(status)
expect(response.media_type).to eq('text/yaml')
expect(response.body).to start_with("---\napiVersion: v1\nentries:\n")
@ -49,19 +49,139 @@ RSpec.shared_examples 'process helm service index request' do |user_type, status
end
end
RSpec.shared_examples 'process helm download content request' do |user_type, status, add_member = true|
RSpec.shared_examples 'process helm workhorse authorization' do |user_type, status, test_bypass: false|
context "for user type #{user_type}" do
before do
project.send("add_#{user_type}", user) if add_member && user_type != :anonymous
project.send("add_#{user_type}", user) if user_type != :anonymous && user_type != :not_a_member
end
it_behaves_like 'returning response status', status
it 'has the proper status and content type' do
subject
expect(response).to have_gitlab_http_status(status)
expect(response.media_type).to eq(Gitlab::Workhorse::INTERNAL_API_CONTENT_TYPE)
end
context 'with a request that bypassed gitlab-workhorse' do
let(:headers) do
basic_auth_header(user.username, personal_access_token.token)
.merge(workhorse_headers)
.tap { |h| h.delete(Gitlab::Workhorse::INTERNAL_API_REQUEST_HEADER) }
end
before do
project.add_maintainer(user)
end
it_behaves_like 'returning response status', :forbidden
end
end
end
RSpec.shared_examples 'process helm upload' do |user_type, status|
shared_examples 'creates helm package files' do
it 'creates package files' do
expect(::Packages::Helm::ExtractionWorker).to receive(:perform_async).once
expect { subject }
.to change { project.packages.count }.by(1)
.and change { Packages::PackageFile.count }.by(1)
expect(response).to have_gitlab_http_status(status)
package_file = project.packages.last.package_files.reload.last
expect(package_file.file_name).to eq('package.tgz')
end
end
context "for user type #{user_type}" do
before do
project.send("add_#{user_type}", user) if user_type != :anonymous && user_type != :not_a_member
end
context 'with object storage disabled' do
before do
stub_package_file_object_storage(enabled: false)
end
context 'without a file from workhorse' do
let(:send_rewritten_field) { false }
it_behaves_like 'returning response status', :bad_request
end
context 'with correct params' do
it_behaves_like 'package workhorse uploads'
it_behaves_like 'creates helm package files'
it_behaves_like 'a package tracking event', 'API::HelmPackages', 'push_package'
end
end
context 'with object storage enabled' do
let(:tmp_object) do
fog_connection.directories.new(key: 'packages').files.create( # rubocop:disable Rails/SaveBang
key: "tmp/uploads/#{file_name}",
body: 'content'
)
end
let(:fog_file) { fog_to_uploaded_file(tmp_object) }
let(:params) { { chart: fog_file, 'chart.remote_id' => file_name } }
context 'and direct upload enabled' do
let(:fog_connection) do
stub_package_file_object_storage(direct_upload: true)
end
it_behaves_like 'creates helm package files'
['123123', '../../123123'].each do |remote_id|
context "with invalid remote_id: #{remote_id}" do
let(:params) do
{
chart: fog_file,
'chart.remote_id' => remote_id
}
end
it_behaves_like 'returning response status', :forbidden
end
end
end
context 'and direct upload disabled' do
context 'and background upload disabled' do
let(:fog_connection) do
stub_package_file_object_storage(direct_upload: false, background_upload: false)
end
it_behaves_like 'creates helm package files'
end
context 'and background upload enabled' do
let(:fog_connection) do
stub_package_file_object_storage(direct_upload: false, background_upload: true)
end
it_behaves_like 'creates helm package files'
end
end
end
it_behaves_like 'background upload schedules a file migration'
end
end
RSpec.shared_examples 'process helm download content request' do |user_type, status|
context "for user type #{user_type}" do
before do
project.send("add_#{user_type}", user) if user_type != :anonymous && user_type != :not_a_member
end
it_behaves_like 'a package tracking event', 'API::HelmPackages', 'pull_package'
it 'returns a valid package archive' do
it 'returns expected status and a valid package archive' do
subject
expect(response).to have_gitlab_http_status(status)
expect(response.media_type).to eq('application/octet-stream')
end
end
@ -83,81 +203,61 @@ RSpec.shared_examples 'rejects helm access with unknown project id' do
end
end
RSpec.shared_examples 'handling helm chart index requests' do |anonymous_requests_example_name: 'process helm service index request', anonymous_requests_status: :success|
RSpec.shared_examples 'handling helm chart index requests' do
context 'with valid project' do
subject { get api(url), headers: headers }
using RSpec::Parameterized::TableSyntax
context 'personal token' do
where(:visibility, :user_role, :member, :user_token, :shared_examples_name, :expected_status) do
:public | :developer | true | true | 'process helm service index request' | :success
:public | :guest | true | true | 'process helm service index request' | :success
:public | :developer | true | false | 'rejects helm packages access' | :unauthorized
:public | :guest | true | false | 'rejects helm packages access' | :unauthorized
:public | :developer | false | true | 'process helm service index request' | :success
:public | :guest | false | true | 'process helm service index request' | :success
:public | :developer | false | false | 'rejects helm packages access' | :unauthorized
:public | :guest | false | false | 'rejects helm packages access' | :unauthorized
:public | :anonymous | false | true | anonymous_requests_example_name | anonymous_requests_status
:private | :developer | true | true | 'process helm service index request' | :success
:private | :guest | true | true | 'rejects helm packages access' | :forbidden
:private | :developer | true | false | 'rejects helm packages access' | :unauthorized
:private | :guest | true | false | 'rejects helm packages access' | :unauthorized
:private | :developer | false | true | 'rejects helm packages access' | :not_found
:private | :guest | false | true | 'rejects helm packages access' | :not_found
:private | :developer | false | false | 'rejects helm packages access' | :unauthorized
:private | :guest | false | false | 'rejects helm packages access' | :unauthorized
:private | :anonymous | false | true | 'rejects helm packages access' | :unauthorized
where(:visibility, :user_role, :shared_examples_name, :expected_status) do
:public | :guest | 'process helm service index request' | :success
:public | :not_a_member | 'process helm service index request' | :success
:public | :anonymous | 'process helm service index request' | :success
:private | :reporter | 'process helm service index request' | :success
:private | :guest | 'rejects helm packages access' | :forbidden
:private | :not_a_member | 'rejects helm packages access' | :not_found
:private | :anonymous | 'rejects helm packages access' | :unauthorized
end
with_them do
let(:token) { user_token ? personal_access_token.token : 'wrong' }
let(:headers) { user_role == :anonymous ? {} : basic_auth_header(user.username, token) }
subject { get api(url), headers: headers }
let(:headers) { user_role == :anonymous ? {} : basic_auth_header(user.username, personal_access_token.token) }
before do
project.update!(visibility: visibility.to_s)
end
it_behaves_like params[:shared_examples_name], params[:user_role], params[:expected_status], params[:member]
it_behaves_like params[:shared_examples_name], params[:user_role], params[:expected_status]
end
end
context 'when an invalid token is passed' do
let(:headers) { basic_auth_header(user.username, 'wrong') }
it_behaves_like 'returning response status', :unauthorized
end
context 'with job token' do
where(:visibility, :user_role, :member, :user_token, :shared_examples_name, :expected_status) do
:public | :developer | true | true | 'process helm service index request' | :success
:public | :guest | true | true | 'process helm service index request' | :success
:public | :developer | true | false | 'rejects helm packages access' | :unauthorized
:public | :guest | true | false | 'rejects helm packages access' | :unauthorized
:public | :developer | false | true | 'process helm service index request' | :success
:public | :guest | false | true | 'process helm service index request' | :success
:public | :developer | false | false | 'rejects helm packages access' | :unauthorized
:public | :guest | false | false | 'rejects helm packages access' | :unauthorized
:public | :anonymous | false | true | anonymous_requests_example_name | anonymous_requests_status
:private | :developer | true | true | 'process helm service index request' | :success
:private | :guest | true | true | 'rejects helm packages access' | :forbidden
:private | :developer | true | false | 'rejects helm packages access' | :unauthorized
:private | :guest | true | false | 'rejects helm packages access' | :unauthorized
:private | :developer | false | true | 'rejects helm packages access' | :not_found
:private | :guest | false | true | 'rejects helm packages access' | :not_found
:private | :developer | false | false | 'rejects helm packages access' | :unauthorized
:private | :guest | false | false | 'rejects helm packages access' | :unauthorized
:private | :anonymous | false | true | 'rejects helm packages access' | :unauthorized
where(:visibility, :user_role, :shared_examples_name, :expected_status) do
:public | :guest | 'process helm service index request' | :success
:public | :not_a_member | 'process helm service index request' | :success
:public | :anonymous | 'process helm service index request' | :success
:private | :reporter | 'process helm service index request' | :success
:private | :guest | 'rejects helm packages access' | :forbidden
:private | :not_a_member | 'rejects helm packages access' | :not_found
:private | :anonymous | 'rejects helm packages access' | :unauthorized
end
with_them do
let_it_be(:ci_build) { create(:ci_build, project: project, user: user, status: :running) }
let(:job) { user_token ? ci_build : double(token: 'wrong') }
let(:headers) { user_role == :anonymous ? {} : job_basic_auth_header(job) }
subject { get api(url), headers: headers }
let(:headers) { user_role == :anonymous ? {} : job_basic_auth_header(ci_build) }
before do
project.update!(visibility: visibility.to_s)
end
it_behaves_like params[:shared_examples_name], params[:user_role], params[:expected_status], params[:member]
it_behaves_like params[:shared_examples_name], params[:user_role], params[:expected_status]
end
end
end

8
spec/support/shared_examples/requests/api/packages_shared_examples.rb
View File

@ -100,7 +100,7 @@ RSpec.shared_examples 'job token for package GET requests' do
end
end
RSpec.shared_examples 'job token for package uploads' do |authorize_endpoint: false|
RSpec.shared_examples 'job token for package uploads' do |authorize_endpoint: false, accept_invalid_username: false|
context 'with job token headers' do
let(:headers) { basic_auth_header(::Gitlab::Auth::CI_JOB_USER, job.token).merge(workhorse_headers) }
@ -133,7 +133,11 @@ RSpec.shared_examples 'job token for package uploads' do |authorize_endpoint: fa
context 'invalid user' do
let(:headers) { basic_auth_header('foo', job.token).merge(workhorse_headers) }
it_behaves_like 'returning response status', :unauthorized
if accept_invalid_username
it_behaves_like 'returning response status', :success
else
it_behaves_like 'returning response status', :unauthorized
end
end
end
end