Added missing LFS specs

1954cb80 · Kamil Trzcinski · a387ff7b · 1954cb80
Commit 1954cb80 authored Sep 16, 2016 by Kamil Trzcinski
Show whitespace changes
Inline Side-by-side

Showing with 213 additions and 22 deletions

spec/requests/lfs_http_spec.rb spec/requests/lfs_http_spec.rb +213 -22

No files found.
--- a/spec/requests/lfs_http_spec.rb
+++ b/spec/requests/lfs_http_spec.rb
@@ -15,7 +15,6 @@ describe 'Git LFS API and storage' do
  let(:authorization) { }
  let(:sendfile) { }
  let(:pipeline) { create(:ci_empty_pipeline, project: project) }
-  let(:build) { create(:ci_build, :running, pipeline: pipeline) }
  let(:sample_oid) { lfs_object.oid }
  let(:sample_size) { lfs_object.size }
@@ -258,15 +257,64 @@ describe 'Git LFS API and storage' do
          it_behaves_like 'responds with a file'
        end
-        context 'when build is authorized' do
+        context 'when build is authorized as' do
          let(:authorization) { authorize_ci_project }
+          shared_examples 'can download LFS only from own projects' do
+            context 'for own project' do
+              let(:pipeline) { create(:ci_empty_pipeline, project: project) }
              let(:update_permissions) do
+                project.team << [user, :reporter]
                project.lfs_objects << lfs_object
              end
              it_behaves_like 'responds with a file'
            end
+            context 'for other project' do
+              let(:other_project) { create(:empty_project) }
+              let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
+              let(:update_permissions) do
+                project.lfs_objects << lfs_object
+              end
+              it 'rejects downloading code' do
+                expect(response).to have_http_status(other_project_status)
+              end
+            end
+          end
+          context 'administrator' do
+            let(:user) { create(:admin) }
+            let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
+            it_behaves_like 'can download LFS only from own projects' do
+              # We render 403, because administrator does have normally access
+              let(:other_project_status) { 403 }
+            end
+          end
+          context 'regular user' do
+            let(:user) { create(:user) }
+            let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
+            it_behaves_like 'can download LFS only from own projects' do
+              # We render 404, to prevent data leakage about existence of the project
+              let(:other_project_status) { 404 }
+            end
+          end
+          context 'does not have user' do
+            let(:build) { create(:ci_build, :running, pipeline: pipeline) }
+            it_behaves_like 'can download LFS only from own projects' do
+              # We render 401, to prevent data leakage about existence of the project
+              let(:other_project_status) { 401 }
+            end
+          end
+        end
      end
      context 'without required headers' do
@@ -445,12 +493,64 @@ describe 'Git LFS API and storage' do
        end
      end
-      context 'when CI is authorized' do
+      context 'when build is authorized as' do
        let(:authorization) { authorize_ci_project }
+        let(:update_lfs_permissions) do
+          project.lfs_objects << lfs_object
+        end
+        shared_examples 'can download LFS only from own projects' do
+          context 'for own project' do
+            let(:pipeline) { create(:ci_empty_pipeline, project: project) }
+            let(:update_user_permissions) do
+              project.team << [user, :reporter]
+            end
            it_behaves_like 'an authorized requests'
          end
+          context 'for other project' do
+            let(:other_project) { create(:empty_project) }
+            let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
+            it 'rejects downloading code' do
+              expect(response).to have_http_status(other_project_status)
+            end
+          end
+        end
+        context 'administrator' do
+          let(:user) { create(:admin) }
+          let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
+          it_behaves_like 'can download LFS only from own projects' do
+            # We render 403, because administrator does have normally access
+            let(:other_project_status) { 403 }
+          end
+        end
+        context 'regular user' do
+          let(:user) { create(:user) }
+          let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
+          it_behaves_like 'can download LFS only from own projects' do
+            # We render 404, to prevent data leakage about existence of the project
+            let(:other_project_status) { 404 }
+          end
+        end
+        context 'does not have user' do
+          let(:build) { create(:ci_build, :running, pipeline: pipeline) }
+          it_behaves_like 'can download LFS only from own projects' do
+            # We render 401, to prevent data leakage about existence of the project
+            let(:other_project_status) { 401 }
+          end
+        end
+      end
      context 'when user is not authenticated' do
        describe 'is accessing public project' do
          let(:project) { create(:project, :public) }
@@ -597,14 +697,40 @@ describe 'Git LFS API and storage' do
          end
        end
-        context 'when CI is authorized' do
+        context 'when build is authorized' do
          let(:authorization) { authorize_ci_project }
+          context 'build has an user' do
+            let(:user) { create(:user) }
+            context 'tries to push to own project' do
+              let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
+              it 'responds with 403' do
+                expect(response).to have_http_status(403)
+              end
+            end
+            context 'tries to push to other project' do
+              let(:other_project) { create(:empty_project) }
+              let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
+              let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
+              it 'responds with 403' do
+                expect(response).to have_http_status(403)
+              end
+            end
+          end
+          context 'does not have user' do
+            let(:build) { create(:ci_build, :running, pipeline: pipeline) }
            it 'responds with 401' do
              expect(response).to have_http_status(401)
            end
          end
        end
+      end
      context 'when user is not authenticated' do
        context 'when user has push access' do
@@ -623,14 +749,6 @@ describe 'Git LFS API and storage' do
          end
        end
      end
-      context 'when CI is authorized' do
-        let(:authorization) { authorize_ci_project }
-        it 'responds with status 401' do
-          expect(response).to have_http_status(401)
-        end
-      end
    end
    describe 'unsupported' do
@@ -793,10 +911,51 @@ describe 'Git LFS API and storage' do
        end
      end
-      context 'when CI is authenticated' do
+      context 'when build is authorized' do
        let(:authorization) { authorize_ci_project }
-        it_behaves_like 'unauthorized'
+        context 'build has an user' do
+          let(:user) { create(:user) }
+          context 'tries to push to own project' do
+            let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
+            before do
+              project.team << [user, :developer]
+              put_authorize
+            end
+            it 'responds with 403' do
+              expect(response).to have_http_status(403)
+            end
+          end
+          context 'tries to push to other project' do
+            let(:other_project) { create(:empty_project) }
+            let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
+            let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
+            before do
+              put_authorize
+            end
+            it 'responds with 404' do
+              expect(response).to have_http_status(404)
+            end
+          end
+        end
+        context 'does not have user' do
+          let(:build) { create(:ci_build, :running, pipeline: pipeline) }
+          before do
+            put_authorize
+          end
+          it 'responds with 401' do
+            expect(response).to have_http_status(401)
+          end
+        end
      end
      context 'for unauthenticated' do
@@ -853,10 +1012,42 @@ describe 'Git LFS API and storage' do
        end
      end
-      context 'when CI is authenticated' do
+      context 'when build is authorized' do
        let(:authorization) { authorize_ci_project }
-        it_behaves_like 'unauthorized'
+        before do
+          put_authorize
+        end
+        context 'build has an user' do
+          let(:user) { create(:user) }
+          context 'tries to push to own project' do
+            let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
+            it 'responds with 403' do
+              expect(response).to have_http_status(403)
+            end
+          end
+          context 'tries to push to other project' do
+            let(:other_project) { create(:empty_project) }
+            let(:pipeline) { create(:ci_empty_pipeline, project: other_project) }
+            let(:build) { create(:ci_build, :running, pipeline: pipeline, user: user) }
+            it 'responds with 403' do
+              expect(response).to have_http_status(403)
+            end
+          end
+        end
+        context 'does not have user' do
+          let(:build) { create(:ci_build, :running, pipeline: pipeline) }
+          it 'responds with 401' do
+            expect(response).to have_http_status(401)
+          end
+        end
      end
      context 'for unauthenticated' do