Add CI Job token support to Maven packages API

a3a3c2ff · Dmitriy Zaporozhets · Kamil Trzciński · 586fc584 · a3a3c2ff · a3a3c2ff
Commit a3a3c2ff authored Sep 06, 2018 by Dmitriy Zaporozhets Committed by Kamil Trzciński Sep 06, 2018
3 changed files
--- a/ee/changelogs/unreleased/dz-maven-packages-api-ci-job-token.yml
+++ b/ee/changelogs/unreleased/dz-maven-packages-api-ci-job-token.yml
+---
+title: Add CI Job token support to Maven packages API
+merge_request: 7249
+author:
+type: changed
--- a/ee/lib/api/maven_packages.rb
+++ b/ee/lib/api/maven_packages.rb
@@ -65,6 +65,7 @@ module API
        requires :path, type: String, desc: 'Package path'
        requires :file_name, type: String, desc: 'Package file name'
      end
+      route_setting :authentication, job_token_allowed: true
      get ':id/packages/maven/*path/:file_name', requirements: MAVEN_ENDPOINT_REQUIREMENTS do
        authorize_download_package!
@@ -93,6 +94,7 @@ module API
        requires :path, type: String, desc: 'Package path'
        requires :file_name, type: String, desc: 'Package file name'
      end
+      route_setting :authentication, job_token_allowed: true
      put ':id/packages/maven/*path/:file_name/authorize', requirements: MAVEN_ENDPOINT_REQUIREMENTS do
        authorize_create_package!
@@ -118,6 +120,7 @@ module API
        optional 'file.sha1', type: String, desc: %q(sha1 checksum of the file (generated by Workhorse))
        optional 'file.sha256', type: String, desc: %q(sha256 checksum of the file (generated by Workhorse))
      end
+      route_setting :authentication, job_token_allowed: true
      put ':id/packages/maven/*path/:file_name', requirements: MAVEN_ENDPOINT_REQUIREMENTS do
        authorize_create_package!
        require_gitlab_workhorse!

--- a/ee/spec/requests/api/maven_packages_spec.rb
+++ b/ee/spec/requests/api/maven_packages_spec.rb
@@ -8,6 +8,7 @@ describe API::MavenPackages do
  let(:jwt_token) { JWT.encode({ 'iss' => 'gitlab-workhorse' }, Gitlab::Workhorse.secret, 'HS256') }
  let(:headers) { { 'GitLab-Workhorse' => '1.0', Gitlab::Workhorse::INTERNAL_API_REQUEST_HEADER => jwt_token } }
  let(:headers_with_token) { headers.merge('Private-Token' => personal_access_token.token) }
+  let(:job) { create(:ci_build, user: user) }
  before do
    project.add_developer(user)
@@ -61,6 +62,13 @@ describe API::MavenPackages do
        expect(response).to have_gitlab_http_status(404)
      end
+      it 'allows download with job token' do
+        download_file(package_file_xml.file_name, job_token: job.token)
+        expect(response).to have_gitlab_http_status(200)
+        expect(response.content_type.to_s).to eq('application/octet-stream')
+      end
    end
    it 'rejects request if feature is not in the license' do
@@ -114,6 +122,12 @@ describe API::MavenPackages do
      expect(response).to have_gitlab_http_status(500)
    end
+    it 'authorizes upload with job token' do
+      authorize_upload(job_token: job.token)
+      expect(response).to have_gitlab_http_status(200)
+    end
    def authorize_upload(params = {}, request_headers = headers)
      put api("/projects/#{project.id}/packages/maven/com/example/my-app/1.0-SNAPSHOT/maven-metadata.xml/authorize"), params, request_headers
    end
@@ -169,6 +183,12 @@ describe API::MavenPackages do
        expect(response).to have_gitlab_http_status(200)
        expect(package_file.file_name).to eq(file_upload.original_filename)
      end
+      it 'allows upload with job token' do
+        upload_file(params.merge(job_token: job.token))
+        expect(response).to have_gitlab_http_status(200)
+      end
    end
    def upload_file(params = {}, request_headers = headers)