Merge branch '322150-more-test-conditions-for-maven' into 'master'

Add subgroups and user namespaces spec examples for maven

See merge request gitlab-org/gitlab!61477

spec/requests/api/maven_packages_spec.rb

@@ -7,7 +7,7 @@ RSpec.describe API::MavenPackages do
   include_context 'workhorse headers'
 
   let_it_be_with_refind(:package_settings) { create(:namespace_package_setting, :group) }
-  let_it_be(:group) { package_settings.namespace }
+  let_it_be_with_refind(:group) { package_settings.namespace }
   let_it_be(:user) { create(:user) }
   let_it_be(:project, reload: true) { create(:project, :public, namespace: group) }
   let_it_be(:package, reload: true) { create(:maven_package, project: project, name: project.full_path) }
@@ -39,6 +39,59 @@ RSpec.describe API::MavenPackages do
     project.add_developer(user)
   end
 
+  shared_examples 'handling groups and subgroups for' do |shared_example_name, visibilities: %i[public]|
+    context 'within a group' do
+      visibilities.each do |visibility|
+        context "that is #{visibility}" do
+          before do
+            group.update!(visibility_level: Gitlab::VisibilityLevel.level_value(visibility.to_s))
+          end
+
+          it_behaves_like shared_example_name
+        end
+      end
+    end
+
+    context 'within a subgroup' do
+      let_it_be_with_reload(:subgroup) { create(:group, parent: group) }
+
+      before do
+        move_project_to_namespace(subgroup)
+      end
+
+      visibilities.each do |visibility|
+        context "that is #{visibility}" do
+          before do
+            subgroup.update!(visibility_level: Gitlab::VisibilityLevel.level_value(visibility.to_s))
+            group.update!(visibility_level: Gitlab::VisibilityLevel.level_value(visibility.to_s))
+          end
+
+          it_behaves_like shared_example_name
+        end
+      end
+    end
+  end
+
+  shared_examples 'handling groups, subgroups and user namespaces for' do |shared_example_name, visibilities: %i[public]|
+    it_behaves_like 'handling groups and subgroups for', shared_example_name, visibilities: visibilities
+
+    context 'within a user namespace' do
+      before do
+        move_project_to_namespace(user.namespace)
+      end
+
+      visibilities.each do |visibility|
+        context "that is #{visibility}" do
+          before do
+            user.namespace.update!(visibility_level: Gitlab::VisibilityLevel.level_value(visibility.to_s))
+          end
+
+          it_behaves_like shared_example_name
+        end
+      end
+    end
+  end
+
   shared_examples 'tracking the file download event' do
     context 'with jar file' do
       let_it_be(:package_file) { jar_file }
@@ -165,6 +218,7 @@ RSpec.describe API::MavenPackages do
     context 'a public project' do
       subject { download_file(file_name: package_file.file_name) }
 
+      shared_examples 'getting a file' do
         it_behaves_like 'tracking the file download event'
 
         it 'returns the file' do
@@ -189,6 +243,9 @@ RSpec.describe API::MavenPackages do
         end
       end
 
+      it_behaves_like 'handling groups, subgroups and user namespaces for', 'getting a file'
+    end
+
     context 'internal project' do
       before do
         project.team.truncate
@@ -197,6 +254,7 @@ RSpec.describe API::MavenPackages do
 
       subject { download_file_with_token(file_name: package_file.file_name) }
 
+      shared_examples 'getting a file' do
         it_behaves_like 'tracking the file download event'
 
         it 'returns the file' do
@@ -223,6 +281,9 @@ RSpec.describe API::MavenPackages do
         end
       end
 
+      it_behaves_like 'handling groups, subgroups and user namespaces for', 'getting a file', visibilities: %i[public internal]
+    end
+
     context 'private project' do
       subject { download_file_with_token(file_name: package_file.file_name) }
 
@@ -230,6 +291,7 @@ RSpec.describe API::MavenPackages do
         project.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE)
       end
 
+      shared_examples 'getting a file' do
         it_behaves_like 'tracking the file download event'
 
         it 'returns the file' do
@@ -240,12 +302,14 @@ RSpec.describe API::MavenPackages do
         end
 
         it 'denies download when not enough permissions' do
+          unless project.root_namespace == user.namespace
             project.add_guest(user)
 
             subject
 
             expect(response).to have_gitlab_http_status(:forbidden)
           end
+        end
 
         it 'denies download when no private token' do
           download_file(file_name: package_file.file_name)
@@ -281,6 +345,9 @@ RSpec.describe API::MavenPackages do
         end
       end
 
+      it_behaves_like 'handling groups, subgroups and user namespaces for', 'getting a file', visibilities: %i[public internal private]
+    end
+
     context 'project name is different from a package name' do
       before do
         maven_metadatum.update!(path: "wrong_name/#{package.version}")
@@ -306,9 +373,27 @@ RSpec.describe API::MavenPackages do
     let(:path) { package.maven_metadatum.path }
     let(:url) { "/packages/maven/#{path}/#{package_file.file_name}" }
 
+    shared_examples 'heading a file' do
       it_behaves_like 'processing HEAD requests', instance_level: true
     end
 
+    context 'with check_maven_path_first enabled' do
+      before do
+        stub_feature_flags(check_maven_path_first: true)
+      end
+
+      it_behaves_like 'handling groups, subgroups and user namespaces for', 'heading a file'
+    end
+
+    context 'with check_maven_path_first disabled' do
+      before do
+        stub_feature_flags(check_maven_path_first: false)
+      end
+
+      it_behaves_like 'handling groups, subgroups and user namespaces for', 'heading a file'
+    end
+  end
+
   describe 'GET /api/v4/groups/:id/-/packages/maven/*path/:file_name' do
     before do
       project.team.truncate
@@ -318,6 +403,7 @@ RSpec.describe API::MavenPackages do
     context 'a public project' do
       subject { download_file(file_name: package_file.file_name) }
 
+      shared_examples 'getting a file for a group' do
         it_behaves_like 'tracking the file download event'
 
         it 'returns the file' do
@@ -342,6 +428,9 @@ RSpec.describe API::MavenPackages do
         end
       end
 
+      it_behaves_like 'handling groups and subgroups for', 'getting a file for a group'
+    end
+
     context 'internal project' do
       before do
         group.group_member(user).destroy!
@@ -350,6 +439,7 @@ RSpec.describe API::MavenPackages do
 
       subject { download_file_with_token(file_name: package_file.file_name) }
 
+      shared_examples 'getting a file for a group' do
         it_behaves_like 'tracking the file download event'
 
         it 'returns the file' do
@@ -376,6 +466,9 @@ RSpec.describe API::MavenPackages do
         end
       end
 
+      it_behaves_like 'handling groups and subgroups for', 'getting a file for a group', visibilities: %i[internal public]
+    end
+
     context 'private project' do
       before do
         project.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE)
@@ -383,6 +476,7 @@ RSpec.describe API::MavenPackages do
 
       subject { download_file_with_token(file_name: package_file.file_name) }
 
+      shared_examples 'getting a file for a group' do
         it_behaves_like 'tracking the file download event'
 
         it 'returns the file' do
@@ -441,6 +535,9 @@ RSpec.describe API::MavenPackages do
             it_behaves_like 'rejecting the request for non existing maven path'
           end
         end
+      end
+
+      it_behaves_like 'handling groups and subgroups for', 'getting a file for a group', visibilities: %i[private internal public]
 
       context 'with a reporter from a subgroup accessing the root group' do
         let_it_be(:root_group) { create(:group, :private) }
@@ -534,7 +631,21 @@ RSpec.describe API::MavenPackages do
     let(:path) { package.maven_metadatum.path }
     let(:url) { "/groups/#{group.id}/-/packages/maven/#{path}/#{package_file.file_name}" }
 
-    it_behaves_like 'processing HEAD requests'
+    context 'with check_maven_path_first enabled' do
+      before do
+        stub_feature_flags(check_maven_path_first: true)
+      end
+
+      it_behaves_like 'handling groups and subgroups for', 'processing HEAD requests'
+    end
+
+    context 'with check_maven_path_first disabled' do
+      before do
+        stub_feature_flags(check_maven_path_first: false)
+      end
+
+      it_behaves_like 'handling groups and subgroups for', 'processing HEAD requests'
+    end
   end
 
   describe 'GET /api/v4/projects/:id/packages/maven/*path/:file_name' do
@@ -620,9 +731,23 @@ RSpec.describe API::MavenPackages do
     let(:path) { package.maven_metadatum.path }
     let(:url) { "/projects/#{project.id}/packages/maven/#{path}/#{package_file.file_name}" }
 
+    context 'with check_maven_path_first enabled' do
+      before do
+        stub_feature_flags(check_maven_path_first: true)
+      end
+
       it_behaves_like 'processing HEAD requests'
     end
 
+    context 'with check_maven_path_first disabled' do
+      before do
+        stub_feature_flags(check_maven_path_first: false)
+      end
+
+      it_behaves_like 'processing HEAD requests'
+    end
+  end
+
   describe 'PUT /api/v4/projects/:id/packages/maven/*path/:file_name/authorize' do
     it 'rejects a malicious request' do
       put api("/projects/#{project.id}/packages/maven/com/example/my-app/#{version}/%2e%2e%2F.ssh%2Fauthorized_keys/authorize"), headers: headers_with_token
@@ -918,4 +1043,10 @@ RSpec.describe API::MavenPackages do
       upload_file(params: params, request_headers: request_headers, file_extension: file_extension)
     end
   end
+
+  def move_project_to_namespace(namespace)
+    project.update!(namespace: namespace)
+    package.update!(name: project.full_path)
+    maven_metadatum.update!(path: "#{package.name}/#{package.version}")
+  end
 end