# frozen_string_literal: true

require 'spec_helper'

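# Specs for the read-only middleware: while Gitlab::Database.read_only? is
# stubbed to true, write-type HTTP methods (PATCH/PUT/POST/DELETE) must be
# refused (redirect for normal requests, a JSON response for JSON requests),
# while a small allowlist of paths (internal API, GraphQL, sidekiq admin,
# LFS and git smart-HTTP endpoints) must still be let through.
RSpec.describe Gitlab::Middleware::ReadOnly do
  include Rack::Test::Methods
  using RSpec::Parameterized::TableSyntax

  # Minimal Rack stack (session + flash) with the middleware under test at the end.
  let(:rack_stack) do
    rack = Rack::Builder.new do
      use ActionDispatch::Session::CacheStore
      use ActionDispatch::Flash
    end

    rack.run(subject)
    rack.to_app
  end

  # Mixed into the middleware instance so examples can inspect the Rack env
  # of the last request it handled; `super` falls through to the real #call.
  let(:observe_env) do
    Module.new do
      attr_reader :env

      def call(env)
        @env = env
        super
      end
    end
  end

  let(:request) { Rack::MockRequest.new(rack_stack) }

  subject do
    described_class.new(fake_app).tap do |app|
      app.extend(observe_env)
    end
  end

  context 'normal requests to a read-only GitLab instance' do
    let(:fake_app) { ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['OK']] } }

    before do
      allow(Gitlab::Database).to receive(:read_only?).and_return(true)
    end

    # Every write-type method is refused the same way: redirect + disallowed env.
    %i[patch put post delete].each do |method|
      it "expects #{method.to_s.upcase} requests to be disallowed" do
        response = request.public_send(method, '/test_request')

        expect(response).to be_redirect
        expect(subject).to disallow_request
      end
    end

    it 'expects an internal POST request to be allowed after a disallowed request' do
      response = request.post('/test_request')

      expect(response).to be_redirect
      expect(subject).to disallow_request

      # The allow/deny decision must be made per request: a refused request
      # must not leave state on the middleware that refuses the next one.
      response = request.post("/api/#{API::API.version}/internal")

      expect(response).not_to be_redirect
      expect(subject).not_to disallow_request
    end

    it 'expects POST of new file that looks like an LFS batch url to be disallowed' do
      # A "new file" path whose tail mimics an LFS batch endpoint: the route
      # lookup is expected to run and the request must still be refused.
      expect(Rails.application.routes).to receive(:recognize_path).and_call_original
      response = request.post('/root/gitlab-ce/new/master/app/info/lfs/objects/batch')

      expect(response).to be_redirect
      expect(subject).to disallow_request
    end

    it 'returns last_visited_url for disallowed request' do
      response = request.post('/test_request')

      expect(response.location).to eq 'http://localhost/'
    end

    context 'whitelisted requests' do
      it 'expects a POST internal request to be allowed' do
        # The internal API path is allowed without consulting the routes.
        expect(Rails.application.routes).not_to receive(:recognize_path)
        response = request.post("/api/#{API::API.version}/internal")

        expect(response).not_to be_redirect
        expect(subject).not_to disallow_request
      end

      it 'expects a graphql request to be allowed' do
        response = request.post("/api/graphql")

        expect(response).not_to be_redirect
        expect(subject).not_to disallow_request
      end

      context 'relative URL is configured' do
        before do
          stub_config_setting(relative_url_root: '/gitlab')
        end

        it 'expects a graphql request to be allowed' do
          response = request.post("/gitlab/api/graphql")

          expect(response).not_to be_redirect
          expect(subject).not_to disallow_request
        end
      end

      context 'sidekiq admin requests' do
        # Covers the empty root, a single-segment root and a nested root,
        # each with and without a trailing slash.
        where(:mounted_at) do
          [
            '',
            '/',
            '/gitlab',
            '/gitlab/',
            '/gitlab/gitlab',
            '/gitlab/gitlab/'
          ]
        end

        with_them do
          before do
            stub_config_setting(relative_url_root: mounted_at)
          end

          it 'allows requests' do
            path = File.join(mounted_at, 'admin/sidekiq')

            %i[post get].each do |method|
              response = request.public_send(method, path)

              expect(response).not_to be_redirect
              expect(subject).not_to disallow_request
            end
          end
        end
      end

      where(:description, :path) do
        'LFS request to batch'        | '/root/rouge.git/info/lfs/objects/batch'
        'LFS request to locks verify' | '/root/rouge.git/info/lfs/locks/verify'
        'LFS request to locks create' | '/root/rouge.git/info/lfs/locks'
        'LFS request to locks unlock' | '/root/rouge.git/info/lfs/locks/1/unlock'
        'request to git-upload-pack'  | '/root/rouge.git/git-upload-pack'
        'request to git-receive-pack' | '/root/rouge.git/git-receive-pack'
      end

      with_them do
        it "expects a POST #{description} URL to be allowed" do
          # Unlike the internal API, these paths are allowed only after a route lookup.
          expect(Rails.application.routes).to receive(:recognize_path).and_call_original
          response = request.post(path)

          expect(response).not_to be_redirect
          expect(subject).not_to disallow_request
        end
      end
    end
  end

  context 'json requests to a read-only GitLab instance' do
    let(:fake_app) { ->(_env) { [200, { 'Content-Type' => 'application/json' }, ['OK']] } }
    let(:content_json) { { 'CONTENT_TYPE' => 'application/json' } }

    before do
      allow(Gitlab::Database).to receive(:read_only?).and_return(true)
    end

    # JSON clients get a JSON refusal instead of a redirect.
    %i[patch put post delete].each do |method|
      it "expects #{method.to_s.upcase} requests to be disallowed" do
        response = request.public_send(method, '/test_request', content_json)

        expect(response).to disallow_request_in_json
      end
    end
  end
end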