Commit 9d78f835 authored by Michael Kozono's avatar Michael Kozono

Specify new Git-LFS-over-HTTP behavior

Changes to `GitHttpClientController`’s authentication logic caused this behavior change.

The old 401 Unauthorized statuses didn’t cause any harm, but they weren’t quite as accurate as the new behavior.
parent bad08fbe
...@@ -759,8 +759,8 @@ describe 'Git LFS API and storage' do ...@@ -759,8 +759,8 @@ describe 'Git LFS API and storage' do
context 'tries to push to own project' do context 'tries to push to own project' do
let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) } let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
it 'responds with 401' do it 'responds with 403 (not 404 because project is public)' do
expect(response).to have_http_status(401) expect(response).to have_http_status(403)
end end
end end
...@@ -769,8 +769,9 @@ describe 'Git LFS API and storage' do ...@@ -769,8 +769,9 @@ describe 'Git LFS API and storage' do
let(:pipeline) { create(:ci_empty_pipeline, project: other_project) } let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) } let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
it 'responds with 401' do # I'm not sure what this tests that is different from the previous test
expect(response).to have_http_status(401) it 'responds with 403 (not 404 because project is public)' do
expect(response).to have_http_status(403)
end end
end end
end end
...@@ -778,8 +779,8 @@ describe 'Git LFS API and storage' do ...@@ -778,8 +779,8 @@ describe 'Git LFS API and storage' do
context 'does not have user' do context 'does not have user' do
let(:build) { create(:ci_build, :running, pipeline: pipeline) } let(:build) { create(:ci_build, :running, pipeline: pipeline) }
it 'responds with 401' do it 'responds with 403 (not 404 because project is public)' do
expect(response).to have_http_status(401) expect(response).to have_http_status(403)
end end
end end
end end
...@@ -979,8 +980,8 @@ describe 'Git LFS API and storage' do ...@@ -979,8 +980,8 @@ describe 'Git LFS API and storage' do
put_authorize put_authorize
end end
it 'responds with 401' do it 'responds with 403 (not 404 because the build user can read the project)' do
expect(response).to have_http_status(401) expect(response).to have_http_status(403)
end end
end end
...@@ -993,8 +994,8 @@ describe 'Git LFS API and storage' do ...@@ -993,8 +994,8 @@ describe 'Git LFS API and storage' do
put_authorize put_authorize
end end
it 'responds with 401' do it 'responds with 404 (do not leak non-public project existence)' do
expect(response).to have_http_status(401) expect(response).to have_http_status(404)
end end
end end
end end
...@@ -1006,8 +1007,8 @@ describe 'Git LFS API and storage' do ...@@ -1006,8 +1007,8 @@ describe 'Git LFS API and storage' do
put_authorize put_authorize
end end
it 'responds with 401' do it 'responds with 404 (do not leak non-public project existence)' do
expect(response).to have_http_status(401) expect(response).to have_http_status(404)
end end
end end
end end
...@@ -1079,8 +1080,8 @@ describe 'Git LFS API and storage' do ...@@ -1079,8 +1080,8 @@ describe 'Git LFS API and storage' do
context 'tries to push to own project' do context 'tries to push to own project' do
let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) } let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
it 'responds with 401' do it 'responds with 403 (not 404 because project is public)' do
expect(response).to have_http_status(401) expect(response).to have_http_status(403)
end end
end end
...@@ -1089,8 +1090,9 @@ describe 'Git LFS API and storage' do ...@@ -1089,8 +1090,9 @@ describe 'Git LFS API and storage' do
let(:pipeline) { create(:ci_empty_pipeline, project: other_project) } let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) } let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
it 'responds with 401' do # I'm not sure what this tests that is different from the previous test
expect(response).to have_http_status(401) it 'responds with 403 (not 404 because project is public)' do
expect(response).to have_http_status(403)
end end
end end
end end
...@@ -1098,8 +1100,8 @@ describe 'Git LFS API and storage' do ...@@ -1098,8 +1100,8 @@ describe 'Git LFS API and storage' do
context 'does not have user' do context 'does not have user' do
let(:build) { create(:ci_build, :running, pipeline: pipeline) } let(:build) { create(:ci_build, :running, pipeline: pipeline) }
it 'responds with 401' do it 'responds with 403 (not 404 because project is public)' do
expect(response).to have_http_status(401) expect(response).to have_http_status(403)
end end
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment