Add GitlabImportsController for user to provide credentials

- In order to add Group Import V2 using API first step is to add an ability for user to provide auth credentials for GitLab to use in order to authenticate with source GitLab later on

Add GitlabImportsController for user to provide credentials
- In order to add Group Import V2 using API first step is to add an ability for user to provide auth credentials for GitLab to use in order to authenticate with source GitLab later on
f1a6b883 · George Koltsov · 1f21a463 · f1a6b883 · f1a6b883 · f1a6b883
Commit f1a6b883 authored Sep 18, 2020 by George Koltsov
5 changed files
--- a/app/controllers/import/bulk_imports_controller.rb
+++ b/app/controllers/import/bulk_imports_controller.rb
+# frozen_string_literal: true
+
+class Import::BulkImportsController < ApplicationController
+  before_action :ensure_group_import_enabled
+  before_action :verify_blocked_uri, only: :status
+
+  def configure
+    session[access_token_key] = params[access_token_key]&.strip
+    session[url_key] = params[url_key]
+
+    redirect_to status_import_bulk_import_url
+  end
+
+  private
+
+  def import_params
+    params.permit(access_token_key, url_key)
+  end
+
+  def ensure_group_import_enabled
+    render_404 unless Feature.enabled?(:bulk_import)
+  end
+
+  def access_token_key
+    :bulk_import_gitlab_access_token
+  end
+
+  def url_key
+    :bulk_import_gitlab_url
+  end
+
+  def verify_blocked_uri
+    Gitlab::UrlBlocker.validate!(
+      session[url_key],
+      **{
+        allow_localhost: allow_local_requests?,
+        allow_local_network: allow_local_requests?,
+        schemes: %w(http https)
+      }
+    )
+  rescue Gitlab::UrlBlocker::BlockedUrlError => e
+    session[access_token_key] = nil
+    session[url_key] = nil
+
+    redirect_to new_group_path, alert: _('Specified URL cannot be used: "%{reason}"') % { reason: e.message }
+  end
+
+  def allow_local_requests?
+    Gitlab::CurrentSettings.allow_local_requests_from_web_hooks_and_services?
+  end
+end
--- a/app/views/import/bulk_imports/status.html.haml
+++ b/app/views/import/bulk_imports/status.html.haml
+- page_title 'Bulk Import'
--- a/config/feature_flags/development/bulk_import.yml
+++ b/config/feature_flags/development/bulk_import.yml
+---
+name: bulk_import
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/42704
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/255310
+group: group::import
+type: development
+default_enabled: false
--- a/config/routes/import.rb
+++ b/config/routes/import.rb
@@ -69,6 +69,11 @@ namespace :import do
    post :authorize
  end

+  resource :bulk_import, only: [:create] do
+    post :configure
+    get :status
+  end
+
  resource :manifest, only: [:create, :new], controller: :manifest do
    get :status
    get :realtime_changes

--- a/spec/controllers/import/bulk_imports_controller_spec.rb
+++ b/spec/controllers/import/bulk_imports_controller_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Import::BulkImportsController do
+  let_it_be(:user) { create(:user) }
+
+  before do
+    sign_in(user)
+  end
+
+  context 'when user is signed in' do
+    context 'when bulk_import feature flag is enabled' do
+      before do
+        stub_feature_flags(bulk_import: true)
+      end
+
+      describe 'POST configure' do
+        context 'when no params are passed in' do
+          it 'clears out existing session' do
+            post :configure
+
+            expect(session[:bulk_import_gitlab_access_token]).to be_nil
+            expect(session[:bulk_import_gitlab_url]).to be_nil
+
+            expect(response).to have_gitlab_http_status(:found)
+            expect(response).to redirect_to(status_import_bulk_import_url)
+          end
+        end
+
+        it 'sets the session variables' do
+          token = 'token'
+          url = 'https://gitlab.example'
+
+          post :configure, params: { bulk_import_gitlab_access_token: token, bulk_import_gitlab_url: url }
+
+          expect(session[:bulk_import_gitlab_access_token]).to eq(token)
+          expect(session[:bulk_import_gitlab_url]).to eq(url)
+          expect(response).to have_gitlab_http_status(:found)
+          expect(response).to redirect_to(status_import_bulk_import_url)
+        end
+
+        it 'strips access token with spaces' do
+          token = 'token'
+
+          post :configure, params: { bulk_import_gitlab_access_token: "  #{token} " }
+
+          expect(session[:bulk_import_gitlab_access_token]).to eq(token)
+          expect(controller).to redirect_to(status_import_bulk_import_url)
+        end
+      end
+
+      describe 'GET status' do
+        context 'when host url is local or not http' do
+          %w[https://localhost:3000 http://192.168.0.1 ftp://testing].each do |url|
+            before do
+              stub_application_setting(allow_local_requests_from_web_hooks_and_services: false)
+
+              session[:bulk_import_gitlab_access_token] = 'test'
+              session[:bulk_import_gitlab_url] = url
+            end
+
+            it 'denies network request' do
+              get :status
+
+              expect(controller).to redirect_to(new_group_path)
+              expect(flash[:alert]).to eq('Specified URL cannot be used: "Only allowed schemes are http, https"')
+            end
+          end
+
+          context 'when local requests are allowed' do
+            %w[https://localhost:3000 http://192.168.0.1].each do |url|
+              before do
+                stub_application_setting(allow_local_requests_from_web_hooks_and_services: true)
+
+                session[:bulk_import_gitlab_access_token] = 'test'
+                session[:bulk_import_gitlab_url] = url
+              end
+
+              it 'allows network request' do
+                get :status
+
+                expect(response).to have_gitlab_http_status(:ok)
+              end
+            end
+          end
+        end
+      end
+    end
+
+    context 'when gitlab_api_imports feature flag is disabled' do
+      before do
+        stub_feature_flags(bulk_import: false)
+      end
+
+      context 'POST configure' do
+        it 'returns 404' do
+          post :configure
+
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+      end
+
+      context 'GET status' do
+        it 'returns 404' do
+          get :status
+
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+      end
+    end
+  end
+
+  context 'when user is signed out' do
+    before do
+      sign_out(user)
+    end
+
+    context 'POST configure' do
+      it 'redirects to sign in page' do
+        post :configure
+
+        expect(response).to have_gitlab_http_status(:found)
+        expect(response).to redirect_to(new_user_session_path)
+      end
+    end
+
+    context 'GET status' do
+      it 'redirects to sign in page' do
+        get :status
+
+        expect(response).to have_gitlab_http_status(:found)
+        expect(response).to redirect_to(new_user_session_path)
+      end
+    end
+  end
+end