Commit bf2a91f6 authored by Stan Hu's avatar Stan Hu

Merge branch '10io-return-empty-string-for-md5-maven-upload-requests' into 'master'

Fix maven packages md5 uploads

See merge request gitlab-org/gitlab!45271
parents ae6bce57 92e4fd7b
---
title: Fix the maven md5 upload endpoint
merge_request: 45271
author:
type: fixed
...@@ -32,10 +32,10 @@ module API ...@@ -32,10 +32,10 @@ module API
end end
def verify_package_file(package_file, uploaded_file) def verify_package_file(package_file, uploaded_file)
stored_sha1 = Digest::SHA256.hexdigest(package_file.file_sha1) stored_sha256 = Digest::SHA256.hexdigest(package_file.file_sha1)
expected_sha1 = uploaded_file.sha256 expected_sha256 = uploaded_file.sha256
if stored_sha1 == expected_sha1 if stored_sha256 == expected_sha256
no_content! no_content!
else else
conflict! conflict!
...@@ -231,7 +231,7 @@ module API ...@@ -231,7 +231,7 @@ module API
verify_package_file(package_file, params[:file]) verify_package_file(package_file, params[:file])
when 'md5' when 'md5'
nil ''
else else
track_package_event('push_package', :maven) if jar_file?(format) track_package_event('push_package', :maven) if jar_file?(format)
......
...@@ -25,5 +25,31 @@ RSpec.describe 'Upload a maven package', :api, :js do ...@@ -25,5 +25,31 @@ RSpec.describe 'Upload a maven package', :api, :js do
it { expect(subject.code).to eq(200) } it { expect(subject.code).to eq(200) }
end end
RSpec.shared_examples 'for a maven sha1' do
let(:dummy_package) { double(Packages::Package) }
let(:api_path) { "/projects/#{project.id}/packages/maven/com/example/my-app/1.0/my-app-1.0-20180724.124855-1.jar.sha1" }
before do
# The sha verification done by the maven api is between:
# - the sha256 set by workhorse
# - the sha256 of the sha1 of the uploaded package file
# We're going to send `file` for the sha1 and stub the sha1 of the package file so that
# both sha256 being the same
expect(::Packages::PackageFileFinder).to receive(:new).and_return(double(execute!: dummy_package))
expect(dummy_package).to receive(:file_sha1).and_return(File.read(file.path))
end
it { expect(subject.code).to eq(204) }
end
RSpec.shared_examples 'for a maven md5' do
let(:api_path) { "/projects/#{project.id}/packages/maven/com/example/my-app/1.0/my-app-1.0-20180724.124855-1.jar.md5" }
let(:file) { StringIO.new('dummy_package') }
it { expect(subject.code).to eq(200) }
end
it_behaves_like 'handling file uploads', 'for a maven package' it_behaves_like 'handling file uploads', 'for a maven package'
it_behaves_like 'handling file uploads', 'for a maven sha1'
it_behaves_like 'handling file uploads', 'for a maven md5'
end end
...@@ -562,7 +562,7 @@ RSpec.describe API::MavenPackages do ...@@ -562,7 +562,7 @@ RSpec.describe API::MavenPackages do
allow(uploaded_file).to receive(:size).and_return(project.actual_limits.maven_max_file_size + 1) allow(uploaded_file).to receive(:size).and_return(project.actual_limits.maven_max_file_size + 1)
end end
upload_file_with_token(params) upload_file_with_token(params: params)
expect(response).to have_gitlab_http_status(:bad_request) expect(response).to have_gitlab_http_status(:bad_request)
end end
...@@ -577,19 +577,19 @@ RSpec.describe API::MavenPackages do ...@@ -577,19 +577,19 @@ RSpec.describe API::MavenPackages do
context 'without workhorse header' do context 'without workhorse header' do
let(:workhorse_header) { {} } let(:workhorse_header) { {} }
subject { upload_file_with_token(params) } subject { upload_file_with_token(params: params) }
it_behaves_like 'package workhorse uploads' it_behaves_like 'package workhorse uploads'
end end
context 'event tracking' do context 'event tracking' do
subject { upload_file_with_token(params) } subject { upload_file_with_token(params: params) }
it_behaves_like 'a package tracking event', described_class.name, 'push_package' it_behaves_like 'a package tracking event', described_class.name, 'push_package'
end end
it 'creates package and stores package file' do it 'creates package and stores package file' do
expect { upload_file_with_token(params) }.to change { project.packages.count }.by(1) expect { upload_file_with_token(params: params) }.to change { project.packages.count }.by(1)
.and change { Packages::Maven::Metadatum.count }.by(1) .and change { Packages::Maven::Metadatum.count }.by(1)
.and change { Packages::PackageFile.count }.by(1) .and change { Packages::PackageFile.count }.by(1)
...@@ -598,7 +598,7 @@ RSpec.describe API::MavenPackages do ...@@ -598,7 +598,7 @@ RSpec.describe API::MavenPackages do
end end
it 'allows upload with running job token' do it 'allows upload with running job token' do
upload_file(params.merge(job_token: job.token)) upload_file(params: params.merge(job_token: job.token))
expect(response).to have_gitlab_http_status(:ok) expect(response).to have_gitlab_http_status(:ok)
expect(project.reload.packages.last.build_info.pipeline).to eq job.pipeline expect(project.reload.packages.last.build_info.pipeline).to eq job.pipeline
...@@ -606,13 +606,13 @@ RSpec.describe API::MavenPackages do ...@@ -606,13 +606,13 @@ RSpec.describe API::MavenPackages do
it 'rejects upload without running job token' do it 'rejects upload without running job token' do
job.update!(status: :failed) job.update!(status: :failed)
upload_file(params.merge(job_token: job.token)) upload_file(params: params.merge(job_token: job.token))
expect(response).to have_gitlab_http_status(:unauthorized) expect(response).to have_gitlab_http_status(:unauthorized)
end end
it 'allows upload with deploy token' do it 'allows upload with deploy token' do
upload_file(params, headers_with_deploy_token) upload_file(params: params, request_headers: headers_with_deploy_token)
expect(response).to have_gitlab_http_status(:ok) expect(response).to have_gitlab_http_status(:ok)
end end
...@@ -626,7 +626,10 @@ RSpec.describe API::MavenPackages do ...@@ -626,7 +626,10 @@ RSpec.describe API::MavenPackages do
# We force the id of the deploy token and the user to be the same # We force the id of the deploy token and the user to be the same
unauthorized_deploy_token.update!(id: another_user.id) unauthorized_deploy_token.update!(id: another_user.id)
upload_file(params, headers.merge(Gitlab::Auth::AuthFinders::DEPLOY_TOKEN_HEADER => unauthorized_deploy_token.token)) upload_file(
params: params,
request_headers: headers.merge(Gitlab::Auth::AuthFinders::DEPLOY_TOKEN_HEADER => unauthorized_deploy_token.token)
)
expect(response).to have_gitlab_http_status(:forbidden) expect(response).to have_gitlab_http_status(:forbidden)
end end
...@@ -635,16 +638,43 @@ RSpec.describe API::MavenPackages do ...@@ -635,16 +638,43 @@ RSpec.describe API::MavenPackages do
let(:version) { '$%123' } let(:version) { '$%123' }
it 'rejects request' do it 'rejects request' do
expect { upload_file_with_token(params) }.not_to change { project.packages.count } expect { upload_file_with_token(params: params) }.not_to change { project.packages.count }
expect(response).to have_gitlab_http_status(:bad_request) expect(response).to have_gitlab_http_status(:bad_request)
expect(json_response['message']).to include('Validation failed') expect(json_response['message']).to include('Validation failed')
end end
end end
context 'for sha1 file' do
let(:dummy_package) { double(Packages::Package) }
it 'checks the sha1' do
# The sha verification done by the maven api is between:
# - the sha256 set by workhorse helpers
# - the sha256 of the sha1 of the uploaded package file
# We're going to send `file_upload` for the sha1 and stub the sha1 of the package file so that
# both sha256 being the same
expect(::Packages::PackageFileFinder).to receive(:new).and_return(double(execute!: dummy_package))
expect(dummy_package).to receive(:file_sha1).and_return(File.read(file_upload.path))
upload_file_with_token(params: params, file_extension: 'jar.sha1')
expect(response).to have_gitlab_http_status(:no_content)
end
end
context 'for md5 file' do
it 'returns an empty body' do
upload_file_with_token(params: params, file_extension: 'jar.md5')
expect(response.body).to eq('')
expect(response).to have_gitlab_http_status(:ok)
end
end
end end
def upload_file(params = {}, request_headers = headers) def upload_file(params: {}, request_headers: headers, file_extension: 'jar')
url = "/projects/#{project.id}/packages/maven/com/example/my-app/#{version}/my-app-1.0-20180724.124855-1.jar" url = "/projects/#{project.id}/packages/maven/com/example/my-app/#{version}/my-app-1.0-20180724.124855-1.#{file_extension}"
workhorse_finalize( workhorse_finalize(
api(url), api(url),
method: :put, method: :put,
...@@ -655,8 +685,8 @@ RSpec.describe API::MavenPackages do ...@@ -655,8 +685,8 @@ RSpec.describe API::MavenPackages do
) )
end end
def upload_file_with_token(params = {}, request_headers = headers_with_token) def upload_file_with_token(params: {}, request_headers: headers_with_token, file_extension: 'jar')
upload_file(params, request_headers) upload_file(params: params, request_headers: request_headers, file_extension: file_extension)
end end
end end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment