199 lines
7.9 KiB
Ruby
199 lines
7.9 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
require 'spec_helper'
|
|
|
|
RSpec.describe API::NpmGroupPackages, feature_category: :package_registry do
|
|
using RSpec::Parameterized::TableSyntax
|
|
|
|
include_context 'npm api setup'
|
|
|
|
describe 'GET /api/v4/groups/:id/-/packages/npm/*package_name' do
|
|
let(:url) { api("/groups/#{group.id}/-/packages/npm/#{package_name}") }
|
|
|
|
it_behaves_like 'handling get metadata requests', scope: :group
|
|
|
|
context 'with a duplicate package name in another project' do
|
|
subject { get(url) }
|
|
|
|
before do
|
|
group.add_developer(user)
|
|
end
|
|
|
|
let_it_be(:project2) { create(:project, :public, namespace: namespace) }
|
|
let_it_be(:package2) do
|
|
create(:npm_package,
|
|
project: project2,
|
|
name: "@#{group.path}/scoped_package",
|
|
version: '1.2.0')
|
|
end
|
|
|
|
it 'includes all matching package versions in the response' do
|
|
subject
|
|
|
|
expect(json_response['versions'].keys).to match_array([package.version, package2.version])
|
|
end
|
|
|
|
context 'with the feature flag disabled' do
|
|
before do
|
|
stub_feature_flags(npm_allow_packages_in_multiple_projects: false)
|
|
end
|
|
|
|
it 'returns matching package versions from only one project' do
|
|
subject
|
|
|
|
expect(json_response['versions'].keys).to match_array([package2.version])
|
|
end
|
|
end
|
|
end
|
|
|
|
context 'with mixed group and project visibilities' do
|
|
subject { get(url, headers: headers) }
|
|
|
|
where(:auth, :group_visibility, :project_visibility, :user_role, :expected_status) do
|
|
nil | :public | :public | nil | :ok
|
|
nil | :public | :internal | nil | :not_found
|
|
nil | :public | :private | nil | :not_found
|
|
nil | :internal | :internal | nil | :not_found
|
|
nil | :internal | :private | nil | :not_found
|
|
nil | :private | :private | nil | :not_found
|
|
|
|
:oauth | :public | :public | :guest | :ok
|
|
:oauth | :public | :internal | :guest | :ok
|
|
:oauth | :public | :private | :guest | :forbidden
|
|
:oauth | :internal | :internal | :guest | :ok
|
|
:oauth | :internal | :private | :guest | :forbidden
|
|
:oauth | :private | :private | :guest | :forbidden
|
|
:oauth | :public | :public | :reporter | :ok
|
|
:oauth | :public | :internal | :reporter | :ok
|
|
:oauth | :public | :private | :reporter | :ok
|
|
:oauth | :internal | :internal | :reporter | :ok
|
|
:oauth | :internal | :private | :reporter | :ok
|
|
:oauth | :private | :private | :reporter | :ok
|
|
|
|
:personal_access_token | :public | :public | :guest | :ok
|
|
:personal_access_token | :public | :internal | :guest | :ok
|
|
:personal_access_token | :public | :private | :guest | :forbidden
|
|
:personal_access_token | :internal | :internal | :guest | :ok
|
|
:personal_access_token | :internal | :private | :guest | :forbidden
|
|
:personal_access_token | :private | :private | :guest | :forbidden
|
|
:personal_access_token | :public | :public | :reporter | :ok
|
|
:personal_access_token | :public | :internal | :reporter | :ok
|
|
:personal_access_token | :public | :private | :reporter | :ok
|
|
:personal_access_token | :internal | :internal | :reporter | :ok
|
|
:personal_access_token | :internal | :private | :reporter | :ok
|
|
:personal_access_token | :private | :private | :reporter | :ok
|
|
|
|
:job_token | :public | :public | :developer | :ok
|
|
:job_token | :public | :internal | :developer | :ok
|
|
:job_token | :public | :private | :developer | :ok
|
|
:job_token | :internal | :internal | :developer | :ok
|
|
:job_token | :internal | :private | :developer | :ok
|
|
:job_token | :private | :private | :developer | :ok
|
|
|
|
:deploy_token | :public | :public | nil | :ok
|
|
:deploy_token | :public | :internal | nil | :ok
|
|
:deploy_token | :public | :private | nil | :ok
|
|
:deploy_token | :internal | :internal | nil | :ok
|
|
:deploy_token | :internal | :private | nil | :ok
|
|
:deploy_token | :private | :private | nil | :ok
|
|
end
|
|
|
|
with_them do
|
|
let(:headers) do
|
|
case auth
|
|
when :oauth
|
|
build_token_auth_header(token.plaintext_token)
|
|
when :personal_access_token
|
|
build_token_auth_header(personal_access_token.token)
|
|
when :job_token
|
|
build_token_auth_header(job.token)
|
|
when :deploy_token
|
|
build_token_auth_header(deploy_token.token)
|
|
else
|
|
{}
|
|
end
|
|
end
|
|
|
|
before do
|
|
project.update!(visibility: project_visibility.to_s)
|
|
project.send("add_#{user_role}", user) if user_role
|
|
group.update!(visibility: group_visibility.to_s)
|
|
group.send("add_#{user_role}", user) if user_role
|
|
end
|
|
|
|
it_behaves_like 'returning response status', params[:expected_status]
|
|
end
|
|
end
|
|
|
|
context 'when user is a reporter of project but is not a direct member of group' do
|
|
subject { get(url, headers: headers) }
|
|
|
|
where(:group_visibility, :project_visibility, :expected_status) do
|
|
:public | :public | :ok
|
|
:public | :internal | :ok
|
|
:public | :private | :ok
|
|
:internal | :internal | :ok
|
|
:internal | :private | :ok
|
|
:private | :private | :ok
|
|
end
|
|
|
|
with_them do
|
|
let(:headers) { build_token_auth_header(personal_access_token.token) }
|
|
|
|
before do
|
|
project.update!(visibility: project_visibility.to_s)
|
|
project.add_reporter(user)
|
|
|
|
group.update!(visibility: group_visibility.to_s)
|
|
end
|
|
|
|
it_behaves_like 'returning response status', params[:expected_status]
|
|
end
|
|
end
|
|
end
|
|
|
|
describe 'GET /api/v4/packages/npm/-/package/*package_name/dist-tags' do
|
|
let(:url) { api("/groups/#{group.id}/-/packages/npm/-/package/#{package_name}/dist-tags") }
|
|
|
|
subject { get(url) }
|
|
|
|
it_behaves_like 'returning response status', :not_found
|
|
end
|
|
|
|
describe 'PUT /api/v4/packages/npm/-/package/*package_name/dist-tags/:tag' do
|
|
let(:tag_name) { 'test' }
|
|
let(:headers) { build_token_auth_header(personal_access_token.token) }
|
|
let(:url) { api("/groups/#{group.id}/-/packages/npm/-/package/#{package_name}/dist-tags/#{tag_name}") }
|
|
|
|
subject { put(url, headers: headers) }
|
|
|
|
it_behaves_like 'returning response status', :not_found
|
|
end
|
|
|
|
describe 'DELETE /api/v4/packages/npm/-/package/*package_name/dist-tags/:tag' do
|
|
let(:tag_name) { 'test' }
|
|
let(:headers) { build_token_auth_header(personal_access_token.token) }
|
|
let(:url) { api("/groups/#{group.id}/-/packages/npm/-/package/#{package_name}/dist-tags/#{tag_name}") }
|
|
|
|
subject { delete(url, headers: headers) }
|
|
|
|
it_behaves_like 'returning response status', :not_found
|
|
end
|
|
|
|
describe 'POST /api/v4/groups/:id/-/packages/npm/-/npm/v1/security/advisories/bulk' do
|
|
let(:url) { api("/groups/#{group.id}/-/packages/npm/-/npm/v1/security/advisories/bulk") }
|
|
|
|
subject { post(url) }
|
|
|
|
it_behaves_like 'returning response status', :not_found
|
|
end
|
|
|
|
describe 'POST /api/v4/groups/:id/-/packages/npm/-/npm/v1/security/audits/quick' do
|
|
let(:url) { api("/groups/#{group.id}/-/packages/npm/-/npm/v1/security/audits/quick") }
|
|
|
|
subject { post(url) }
|
|
|
|
it_behaves_like 'returning response status', :not_found
|
|
end
|
|
end
|