Refactor package storage support in multipart middleware

Package storage support should only happen with a EE instance

Refactor package storage support in multipart middleware
Package storage support should only happen with a EE instance
5cb7d9a0 · David Fernandez · 346c493e · 5cb7d9a0 · 5cb7d9a0 · 5cb7d9a0
Commit 5cb7d9a0 authored Mar 11, 2020 by David Fernandez
5 changed files
--- a/ee/lib/ee/gitlab/middleware/multipart/handler.rb
+++ b/ee/lib/ee/gitlab/middleware/multipart/handler.rb
+# frozen_string_literal: true
+
+module EE
+  module Gitlab
+    module Middleware
+      module Multipart
+        module Handler
+          extend ::Gitlab::Utils::Override
+
+          private
+
+          override :allowed_paths
+          def allowed_paths
+            paths = super
+            packages_config = ::Gitlab.config.packages
+            if allow_packages_storage_path?(packages_config)
+              paths << ::Packages::PackageFileUploader.workhorse_upload_path
+            end
+
+            paths
+          end
+
+          def allow_packages_storage_path?(packages_config)
+            return unless packages_config.enabled
+            return unless packages_config['storage_path']
+            return if packages_config.object_store.enabled && packages_config.object_store.direct_upload
+
+            true
+          end
+        end
+      end
+    end
+  end
+end
--- a/ee/spec/lib/gitlab/middleware/multipart_spec.rb
+++ b/ee/spec/lib/gitlab/middleware/multipart_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+require 'tempfile'
+
+describe Gitlab::Middleware::Multipart do
+  include_context 'multipart middleware context'
+
+  describe '#call' do
+    context 'with packages storage' do
+      using RSpec::Parameterized::TableSyntax
+
+      let(:storage_path) { 'shared/packages' }
+
+      RSpec.shared_examples 'allowing the multipart upload' do
+        it 'allows files to be uploaded' do
+          with_tmp_dir('tmp/uploads', storage_path) do |dir, env|
+            allow(Packages::PackageFileUploader).to receive(:root).and_return(File.join(dir, storage_path))
+
+            expect(app).to receive(:call) do |env|
+              expect(get_params(env)['file']).to be_a(::UploadedFile)
+            end
+
+            middleware.call(env)
+          end
+        end
+      end
+
+      RSpec.shared_examples 'not allowing the multipart upload' do
+        it 'does not allow files to be uploaded' do
+          with_tmp_dir('tmp/uploads', storage_path) do |dir, env|
+            allow(Packages::PackageFileUploader).to receive(:root).and_return(File.join(dir, storage_path))
+
+            expect { middleware.call(env) }.to raise_error(UploadedFile::InvalidPathError)
+          end
+        end
+      end
+
+      RSpec.shared_examples 'adding package storage to multipart allowed paths' do
+        before do
+          expect(::Packages::PackageFileUploader).to receive(:workhorse_upload_path).and_call_original
+        end
+
+        it_behaves_like 'allowing the multipart upload'
+      end
+
+      RSpec.shared_examples 'not adding package storage to multipart allowed paths' do
+        before do
+          expect(::Packages::PackageFileUploader).not_to receive(:workhorse_upload_path)
+        end
+
+        it_behaves_like 'not allowing the multipart upload'
+      end
+
+      where(:object_storage_enabled, :direct_upload_enabled, :example_name) do
+        false | true  | 'adding package storage to multipart allowed paths'
+        false | false | 'adding package storage to multipart allowed paths'
+        true  | true  | 'not adding package storage to multipart allowed paths'
+        true  | false | 'adding package storage to multipart allowed paths'
+      end
+
+      with_them do
+        before do
+          stub_config(packages: {
+            enabled: true,
+            object_store: {
+              enabled: object_storage_enabled,
+              direct_upload: direct_upload_enabled
+            },
+            storage_path: storage_path
+          })
+        end
+
+        it_behaves_like params[:example_name]
+      end
+    end
+  end
+end
--- a/ee/spec/support/shared_contexts/lib/gitlab/middleware/multipart_shared_contexts.rb
+++ b/ee/spec/support/shared_contexts/lib/gitlab/middleware/multipart_shared_contexts.rb
+# frozen_string_literal: true
+
+RSpec.shared_context 'multipart middleware context' do
+  let(:app) { double(:app) }
+  let(:middleware) { described_class.new(app) }
+  let(:original_filename) { 'filename' }
+
+  # Rails 5 doesn't combine the GET/POST parameters in
+  # ActionDispatch::HTTP::Parameters if action_dispatch.request.parameters is set:
+  # https://github.com/rails/rails/blob/aea6423f013ca48f7704c70deadf2cd6ac7d70a1/actionpack/lib/action_dispatch/http/parameters.rb#L41
+  def get_params(env)
+    req = ActionDispatch::Request.new(env)
+    req.GET.merge(req.POST)
+  end
+
+  def post_env(rewritten_fields, params, secret, issuer)
+    token = JWT.encode({ 'iss' => issuer, 'rewritten_fields' => rewritten_fields }, secret, 'HS256')
+    Rack::MockRequest.env_for(
+      '/',
+      method: 'post',
+      params: params,
+      described_class::RACK_ENV_KEY => token
+    )
+  end
+
+  def with_tmp_dir(uploads_sub_dir, storage_path = '')
+    Dir.mktmpdir do |dir|
+      upload_dir = File.join(dir, storage_path, uploads_sub_dir)
+      FileUtils.mkdir_p(upload_dir)
+
+      allow(Rails).to receive(:root).and_return(dir)
+      allow(Dir).to receive(:tmpdir).and_return(File.join(Dir.tmpdir, 'tmpsubdir'))
+      allow(GitlabUploader).to receive(:root).and_return(File.join(dir, storage_path))
+
+      Tempfile.open('top-level', upload_dir) do |tempfile|
+        env = post_env({ 'file' => tempfile.path }, { 'file.name' => original_filename, 'file.path' => tempfile.path }, Gitlab::Workhorse.secret, 'gitlab-workhorse')
+
+        yield dir, env
+      end
+    end
+  end
+end
--- a/lib/gitlab/middleware/multipart.rb
+++ b/lib/gitlab/middleware/multipart.rb
@@ -84,17 +84,6 @@ module Gitlab
        end

        def open_file(params, key)
-          allowed_paths = [
-            ::FileUploader.root,
-            Gitlab.config.uploads.storage_path,
-            File.join(Rails.root, 'public/uploads/tmp')
-          ]
-
-          packages_config = Gitlab.config.packages
-          if allow_packages_storage_path?(packages_config)
-            allowed_paths << File.join(packages_config.storage_path, 'tmp/uploads')
-          end
-
          ::UploadedFile.from_params(params, key, allowed_paths)
        end

@@ -114,12 +103,12 @@ module Gitlab

        private

-        def allow_packages_storage_path?(packages_config)
-          return unless packages_config.enabled
-          return unless packages_config['storage_path']
-          return if packages_config.object_store.enabled && packages_config.object_store.direct_upload
-
-          true
+        def allowed_paths
+          [
+            ::FileUploader.root,
+            Gitlab.config.uploads.storage_path,
+            File.join(Rails.root, 'public/uploads/tmp')
+          ]
        end
      end

@@ -140,3 +129,5 @@ module Gitlab
    end
  end
 end
+
+::Gitlab::Middleware::Multipart::Handler.prepend_if_ee('EE::Gitlab::Middleware::Multipart::Handler')
--- a/spec/lib/gitlab/middleware/multipart_spec.rb
+++ b/spec/lib/gitlab/middleware/multipart_spec.rb
@@ -5,9 +5,7 @@ require 'spec_helper'
 require 'tempfile'

 describe Gitlab::Middleware::Multipart do
-  let(:app) { double(:app) }
-  let(:middleware) { described_class.new(app) }
-  let(:original_filename) { 'filename' }
+  include_context 'multipart middleware context'

  shared_examples_for 'multipart upload files' do
    it 'opens top-level files' do
@@ -82,102 +80,12 @@ describe Gitlab::Middleware::Multipart do
  end

  it 'allows files in uploads/tmp directory' do
-    Dir.mktmpdir do |dir|
-      uploads_dir = File.join(dir, 'public/uploads/tmp')
-      FileUtils.mkdir_p(uploads_dir)
-
-      allow(Rails).to receive(:root).and_return(dir)
-      allow(Dir).to receive(:tmpdir).and_return(File.join(Dir.tmpdir, 'tmpsubdir'))
-
-      Tempfile.open('top-level', uploads_dir) do |tempfile|
-        env = post_env({ 'file' => tempfile.path }, { 'file.name' => original_filename, 'file.path' => tempfile.path }, Gitlab::Workhorse.secret, 'gitlab-workhorse')
-
-        expect(app).to receive(:call) do |env|
-          expect(get_params(env)['file']).to be_a(::UploadedFile)
-        end
-
-        middleware.call(env)
-      end
-    end
-  end
-
-  context 'with packages storage' do
-    let(:storage_path) { 'shared/packages' }
-
-    RSpec.shared_examples 'allowing the upload' do
-      it 'allows files to be uploaded' do
-        Dir.mktmpdir do |dir|
-          packages_upload_dir = File.join(dir, storage_path, 'tmp/uploads')
-          FileUtils.mkdir_p(packages_upload_dir)
-
-          Tempfile.open('top-level', packages_upload_dir) do |tempfile|
-            env = post_env({ 'file' => tempfile.path }, { 'file.name' => original_filename, 'file.path' => tempfile.path }, Gitlab::Workhorse.secret, 'gitlab-workhorse')
-
-            expect(app).to receive(:call) do |env|
-              expect(get_params(env)['file']).to be_a(::UploadedFile)
-            end
-
-            middleware.call(env)
-          end
-        end
-      end
-    end
-
-    context 'with object storage disabled' do
-      before do
-        stub_config(packages: {
-          enabled: true,
-          object_store: {
-            enabled: false
-          },
-          storage_path: storage_path
-        })
-      end
-
-      it_behaves_like 'allowing the upload' do
-        before do
-          expect(Gitlab.config.packages).to receive(:storage_path).and_return(storage_path)
-        end
-      end
-    end
-
-    context 'with object storage enabled' do
-      context 'with direct upload enabled' do
-        before do
-          stub_config(packages: {
-            enabled: true,
-            object_store: {
-              enabled: true,
-              direct_upload: true
-            }
-          })
-        end
-
-        it_behaves_like 'allowing the upload' do
-          before do
-            expect(Gitlab.config.packages).not_to receive(:storage_path)
-          end
-        end
+    with_tmp_dir('public/uploads/tmp') do |dir, env|
+      expect(app).to receive(:call) do |env|
+        expect(get_params(env)['file']).to be_a(::UploadedFile)
      end

-      context 'with direct upload disabled' do
-        before do
-          stub_config(packages: {
-            enabled: true,
-            object_store: {
-              enabled: true,
-              direct_upload: false
-            },
-            storage_path: storage_path
-          })
-        end
-
-        it_behaves_like 'allowing the upload' do
-          before do
-            expect(Gitlab.config.packages).to receive(:storage_path).and_return(storage_path)
-          end
-        end
-      end
+      middleware.call(env)
    end
  end

@@ -207,22 +115,4 @@ describe Gitlab::Middleware::Multipart do
      middleware.call(env)
    end
  end
-
-  # Rails 5 doesn't combine the GET/POST parameters in
-  # ActionDispatch::HTTP::Parameters if action_dispatch.request.parameters is set:
-  # https://github.com/rails/rails/blob/aea6423f013ca48f7704c70deadf2cd6ac7d70a1/actionpack/lib/action_dispatch/http/parameters.rb#L41
-  def get_params(env)
-    req = ActionDispatch::Request.new(env)
-    req.GET.merge(req.POST)
-  end
-
-  def post_env(rewritten_fields, params, secret, issuer)
-    token = JWT.encode({ 'iss' => issuer, 'rewritten_fields' => rewritten_fields }, secret, 'HS256')
-    Rack::MockRequest.env_for(
-      '/',
-      method: 'post',
-      params: params,
-      described_class::RACK_ENV_KEY => token
-    )
-  end
 end