BigW Consortium Gitlab

multipart_spec.rb 2.44 KB
Newer Older
1 2 3 4 5 6 7 8 9
require 'spec_helper'

require 'tempfile'

describe Gitlab::Middleware::Multipart do
  let(:app) { double(:app) }
  let(:middleware) { described_class.new(app) }

  it 'opens top-level files' do
Sean McGivern committed
10
    Tempfile.open('top-level') do |tempfile|
11 12 13 14
      env = post_env({ 'file' => tempfile.path }, { 'file.name' => 'filename' }, Gitlab::Workhorse.secret, 'gitlab-workhorse')

      expect(app).to receive(:call) do |env|
        file = Rack::Request.new(env).params['file']
15
        expect(file).to be_a(::UploadedFile)
16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35
        expect(file.path).to eq(tempfile.path)
      end

      middleware.call(env)
    end
  end

  it 'rejects headers signed with the wrong secret' do
    env = post_env({ 'file' => '/var/empty/nonesuch' }, {}, 'x' * 32, 'gitlab-workhorse')

    expect { middleware.call(env) }.to raise_error(JWT::VerificationError)
  end

  it 'rejects headers signed with the wrong issuer' do
    env = post_env({ 'file' => '/var/empty/nonesuch' }, {}, Gitlab::Workhorse.secret, 'acme-inc')

    expect { middleware.call(env) }.to raise_error(JWT::InvalidIssuerError)
  end

  it 'opens files one level deep' do
Sean McGivern committed
36
    Tempfile.open('one-level') do |tempfile|
37 38 39 40 41
      in_params = { 'user' => { 'avatar' => { '.name' => 'filename' } } }
      env = post_env({ 'user[avatar]' => tempfile.path }, in_params, Gitlab::Workhorse.secret, 'gitlab-workhorse')

      expect(app).to receive(:call) do |env|
        file = Rack::Request.new(env).params['user']['avatar']
42
        expect(file).to be_a(::UploadedFile)
43 44 45 46 47 48 49 50
        expect(file.path).to eq(tempfile.path)
      end

      middleware.call(env)
    end
  end

  it 'opens files two levels deep' do
Sean McGivern committed
51
    Tempfile.open('two-levels') do |tempfile|
52 53 54 55 56
      in_params = { 'project' => { 'milestone' => { 'themesong' => { '.name' => 'filename' } } } }
      env = post_env({ 'project[milestone][themesong]' => tempfile.path }, in_params, Gitlab::Workhorse.secret, 'gitlab-workhorse')

      expect(app).to receive(:call) do |env|
        file = Rack::Request.new(env).params['project']['milestone']['themesong']
57
        expect(file).to be_a(::UploadedFile)
58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74
        expect(file.path).to eq(tempfile.path)
      end

      middleware.call(env)
    end
  end

  def post_env(rewritten_fields, params, secret, issuer)
    token = JWT.encode({ 'iss' => issuer, 'rewritten_fields' => rewritten_fields }, secret, 'HS256')
    Rack::MockRequest.env_for(
      '/',
      method: 'post',
      params: params,
      described_class::RACK_ENV_KEY => token
    )
  end
end