afan
/
gitea
Следить 1
В избранное 0
Форкнуть 0
Код Задачи 0 Pull Request'ы 0 Релизы 0 Вики Активность
gitea源码
3 коммитов
2 веток
ветка: master
веток Теги
${ item.name }
Создать ветку ${ searchTerm }
из 'master'
${ noResults }
gitea/tests/integration/api_actions_artifact_v4_tes...

api_actions_artifact_v4_test.go 25KB
Постоянная ссылка История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629 
  1. // Copyright 2024 The Gitea Authors. All rights reserved.

  2. // SPDX-License-Identifier: MIT

  3. 

  4. package integration

  5. 

  6. import (

  7. 	"bytes"

  8. 	"crypto/sha256"

  9. 	"encoding/hex"

  10. 	"encoding/xml"

  11. 	"fmt"

  12. 	"io"

  13. 	"net/http"

  14. 	"strings"

  15. 	"testing"

  16. 	"time"

  17. 

  18. 	auth_model "code.gitea.io/gitea/models/auth"

  19. 	repo_model "code.gitea.io/gitea/models/repo"

  20. 	"code.gitea.io/gitea/models/unittest"

  21. 	user_model "code.gitea.io/gitea/models/user"

  22. 	"code.gitea.io/gitea/modules/json"

  23. 	"code.gitea.io/gitea/modules/storage"

  24. 	api "code.gitea.io/gitea/modules/structs"

  25. 	"code.gitea.io/gitea/routers/api/actions"

  26. 	actions_service "code.gitea.io/gitea/services/actions"

  27. 

  28. 	"github.com/stretchr/testify/assert"

  29. 	"google.golang.org/protobuf/encoding/protojson"

  30. 	"google.golang.org/protobuf/reflect/protoreflect"

  31. 	"google.golang.org/protobuf/types/known/timestamppb"

  32. 	"google.golang.org/protobuf/types/known/wrapperspb"

  33. )

  34. 

  35. func toProtoJSON(m protoreflect.ProtoMessage) io.Reader {

  36. 	resp, _ := protojson.Marshal(m)

  37. 	buf := bytes.Buffer{}

  38. 	buf.Write(resp)

  39. 	return &buf

  40. }

  41. 

  42. func TestActionsArtifactV4UploadSingleFile(t *testing.T) {

  43. 	defer prepareTestEnvActionsArtifacts(t)()

  44. 

  45. 	token, err := actions_service.CreateAuthorizationToken(48, 792, 193)

  46. 	assert.NoError(t, err)

  47. 

  48. 	// acquire artifact upload url

  49. 	req := NewRequestWithBody(t, "POST", "/twirp/github.actions.results.api.v1.ArtifactService/CreateArtifact", toProtoJSON(&actions.CreateArtifactRequest{

  50. 		Version:                 4,

  51. 		Name:                    "artifact",

  52. 		WorkflowRunBackendId:    "792",

  53. 		WorkflowJobRunBackendId: "193",

  54. 	})).AddTokenAuth(token)

  55. 	resp := MakeRequest(t, req, http.StatusOK)

  56. 	var uploadResp actions.CreateArtifactResponse

  57. 	protojson.Unmarshal(resp.Body.Bytes(), &uploadResp)

  58. 	assert.True(t, uploadResp.Ok)

  59. 	assert.Contains(t, uploadResp.SignedUploadUrl, "/twirp/github.actions.results.api.v1.ArtifactService/UploadArtifact")

  60. 

  61. 	// get upload url

  62. 	idx := strings.Index(uploadResp.SignedUploadUrl, "/twirp/")

  63. 	url := uploadResp.SignedUploadUrl[idx:] + "&comp=block"

  64. 

  65. 	// upload artifact chunk

  66. 	body := strings.Repeat("A", 1024)

  67. 	req = NewRequestWithBody(t, "PUT", url, strings.NewReader(body))

  68. 	MakeRequest(t, req, http.StatusCreated)

  69. 

  70. 	t.Logf("Create artifact confirm")

  71. 

  72. 	sha := sha256.Sum256([]byte(body))

  73. 

  74. 	// confirm artifact upload

  75. 	req = NewRequestWithBody(t, "POST", "/twirp/github.actions.results.api.v1.ArtifactService/FinalizeArtifact", toProtoJSON(&actions.FinalizeArtifactRequest{

  76. 		Name:                    "artifact",

  77. 		Size:                    1024,

  78. 		Hash:                    wrapperspb.String("sha256:" + hex.EncodeToString(sha[:])),

  79. 		WorkflowRunBackendId:    "792",

  80. 		WorkflowJobRunBackendId: "193",

  81. 	})).

  82. 		AddTokenAuth(token)

  83. 	resp = MakeRequest(t, req, http.StatusOK)

  84. 	var finalizeResp actions.FinalizeArtifactResponse

  85. 	protojson.Unmarshal(resp.Body.Bytes(), &finalizeResp)

  86. 	assert.True(t, finalizeResp.Ok)

  87. }

  88. 

  89. func TestActionsArtifactV4UploadSingleFileWrongChecksum(t *testing.T) {

  90. 	defer prepareTestEnvActionsArtifacts(t)()

  91. 

  92. 	token, err := actions_service.CreateAuthorizationToken(48, 792, 193)

  93. 	assert.NoError(t, err)

  94. 

  95. 	// acquire artifact upload url

  96. 	req := NewRequestWithBody(t, "POST", "/twirp/github.actions.results.api.v1.ArtifactService/CreateArtifact", toProtoJSON(&actions.CreateArtifactRequest{

  97. 		Version:                 4,

  98. 		Name:                    "artifact-invalid-checksum",

  99. 		WorkflowRunBackendId:    "792",

  100. 		WorkflowJobRunBackendId: "193",

  101. 	})).AddTokenAuth(token)

  102. 	resp := MakeRequest(t, req, http.StatusOK)

  103. 	var uploadResp actions.CreateArtifactResponse

  104. 	protojson.Unmarshal(resp.Body.Bytes(), &uploadResp)

  105. 	assert.True(t, uploadResp.Ok)

  106. 	assert.Contains(t, uploadResp.SignedUploadUrl, "/twirp/github.actions.results.api.v1.ArtifactService/UploadArtifact")

  107. 

  108. 	// get upload url

  109. 	idx := strings.Index(uploadResp.SignedUploadUrl, "/twirp/")

  110. 	url := uploadResp.SignedUploadUrl[idx:] + "&comp=block"

  111. 

  112. 	// upload artifact chunk

  113. 	body := strings.Repeat("B", 1024)

  114. 	req = NewRequestWithBody(t, "PUT", url, strings.NewReader(body))

  115. 	MakeRequest(t, req, http.StatusCreated)

  116. 

  117. 	t.Logf("Create artifact confirm")

  118. 

  119. 	sha := sha256.Sum256([]byte(strings.Repeat("A", 1024)))

  120. 

  121. 	// confirm artifact upload

  122. 	req = NewRequestWithBody(t, "POST", "/twirp/github.actions.results.api.v1.ArtifactService/FinalizeArtifact", toProtoJSON(&actions.FinalizeArtifactRequest{

  123. 		Name:                    "artifact-invalid-checksum",

  124. 		Size:                    1024,

  125. 		Hash:                    wrapperspb.String("sha256:" + hex.EncodeToString(sha[:])),

  126. 		WorkflowRunBackendId:    "792",

  127. 		WorkflowJobRunBackendId: "193",

  128. 	})).

  129. 		AddTokenAuth(token)

  130. 	MakeRequest(t, req, http.StatusInternalServerError)

  131. }

  132. 

  133. func TestActionsArtifactV4UploadSingleFileWithRetentionDays(t *testing.T) {

  134. 	defer prepareTestEnvActionsArtifacts(t)()

  135. 

  136. 	token, err := actions_service.CreateAuthorizationToken(48, 792, 193)

  137. 	assert.NoError(t, err)

  138. 

  139. 	// acquire artifact upload url

  140. 	req := NewRequestWithBody(t, "POST", "/twirp/github.actions.results.api.v1.ArtifactService/CreateArtifact", toProtoJSON(&actions.CreateArtifactRequest{

  141. 		Version:                 4,

  142. 		ExpiresAt:               timestamppb.New(time.Now().Add(5 * 24 * time.Hour)),

  143. 		Name:                    "artifactWithRetentionDays",

  144. 		WorkflowRunBackendId:    "792",

  145. 		WorkflowJobRunBackendId: "193",

  146. 	})).AddTokenAuth(token)

  147. 	resp := MakeRequest(t, req, http.StatusOK)

  148. 	var uploadResp actions.CreateArtifactResponse

  149. 	protojson.Unmarshal(resp.Body.Bytes(), &uploadResp)

  150. 	assert.True(t, uploadResp.Ok)

  151. 	assert.Contains(t, uploadResp.SignedUploadUrl, "/twirp/github.actions.results.api.v1.ArtifactService/UploadArtifact")

  152. 

  153. 	// get upload url

  154. 	idx := strings.Index(uploadResp.SignedUploadUrl, "/twirp/")

  155. 	url := uploadResp.SignedUploadUrl[idx:] + "&comp=block"

  156. 

  157. 	// upload artifact chunk

  158. 	body := strings.Repeat("A", 1024)

  159. 	req = NewRequestWithBody(t, "PUT", url, strings.NewReader(body))

  160. 	MakeRequest(t, req, http.StatusCreated)

  161. 

  162. 	t.Logf("Create artifact confirm")

  163. 

  164. 	sha := sha256.Sum256([]byte(body))

  165. 

  166. 	// confirm artifact upload

  167. 	req = NewRequestWithBody(t, "POST", "/twirp/github.actions.results.api.v1.ArtifactService/FinalizeArtifact", toProtoJSON(&actions.FinalizeArtifactRequest{

  168. 		Name:                    "artifactWithRetentionDays",

  169. 		Size:                    1024,

  170. 		Hash:                    wrapperspb.String("sha256:" + hex.EncodeToString(sha[:])),

  171. 		WorkflowRunBackendId:    "792",

  172. 		WorkflowJobRunBackendId: "193",

  173. 	})).

  174. 		AddTokenAuth(token)

  175. 	resp = MakeRequest(t, req, http.StatusOK)

  176. 	var finalizeResp actions.FinalizeArtifactResponse

  177. 	protojson.Unmarshal(resp.Body.Bytes(), &finalizeResp)

  178. 	assert.True(t, finalizeResp.Ok)

  179. }

  180. 

  181. func TestActionsArtifactV4UploadSingleFileWithPotentialHarmfulBlockID(t *testing.T) {

  182. 	defer prepareTestEnvActionsArtifacts(t)()

  183. 

  184. 	token, err := actions_service.CreateAuthorizationToken(48, 792, 193)

  185. 	assert.NoError(t, err)

  186. 

  187. 	// acquire artifact upload url

  188. 	req := NewRequestWithBody(t, "POST", "/twirp/github.actions.results.api.v1.ArtifactService/CreateArtifact", toProtoJSON(&actions.CreateArtifactRequest{

  189. 		Version:                 4,

  190. 		Name:                    "artifactWithPotentialHarmfulBlockID",

  191. 		WorkflowRunBackendId:    "792",

  192. 		WorkflowJobRunBackendId: "193",

  193. 	})).AddTokenAuth(token)

  194. 	resp := MakeRequest(t, req, http.StatusOK)

  195. 	var uploadResp actions.CreateArtifactResponse

  196. 	protojson.Unmarshal(resp.Body.Bytes(), &uploadResp)

  197. 	assert.True(t, uploadResp.Ok)

  198. 	assert.Contains(t, uploadResp.SignedUploadUrl, "/twirp/github.actions.results.api.v1.ArtifactService/UploadArtifact")

  199. 

  200. 	// get upload urls

  201. 	idx := strings.Index(uploadResp.SignedUploadUrl, "/twirp/")

  202. 	url := uploadResp.SignedUploadUrl[idx:] + "&comp=block&blockid=%2f..%2fmyfile"

  203. 	blockListURL := uploadResp.SignedUploadUrl[idx:] + "&comp=blocklist"

  204. 

  205. 	// upload artifact chunk

  206. 	body := strings.Repeat("A", 1024)

  207. 	req = NewRequestWithBody(t, "PUT", url, strings.NewReader(body))

  208. 	MakeRequest(t, req, http.StatusCreated)

  209. 

  210. 	// verify that the exploit didn't work

  211. 	_, err = storage.Actions.Stat("myfile")

  212. 	assert.Error(t, err)

  213. 

  214. 	// upload artifact blockList

  215. 	blockList := &actions.BlockList{

  216. 		Latest: []string{

  217. 			"/../myfile",

  218. 		},

  219. 	}

  220. 	rawBlockList, err := xml.Marshal(blockList)

  221. 	assert.NoError(t, err)

  222. 	req = NewRequestWithBody(t, "PUT", blockListURL, bytes.NewReader(rawBlockList))

  223. 	MakeRequest(t, req, http.StatusCreated)

  224. 

  225. 	t.Logf("Create artifact confirm")

  226. 

  227. 	sha := sha256.Sum256([]byte(body))

  228. 

  229. 	// confirm artifact upload

  230. 	req = NewRequestWithBody(t, "POST", "/twirp/github.actions.results.api.v1.ArtifactService/FinalizeArtifact", toProtoJSON(&actions.FinalizeArtifactRequest{

  231. 		Name:                    "artifactWithPotentialHarmfulBlockID",

  232. 		Size:                    1024,

  233. 		Hash:                    wrapperspb.String("sha256:" + hex.EncodeToString(sha[:])),

  234. 		WorkflowRunBackendId:    "792",

  235. 		WorkflowJobRunBackendId: "193",

  236. 	})).

  237. 		AddTokenAuth(token)

  238. 	resp = MakeRequest(t, req, http.StatusOK)

  239. 	var finalizeResp actions.FinalizeArtifactResponse

  240. 	protojson.Unmarshal(resp.Body.Bytes(), &finalizeResp)

  241. 	assert.True(t, finalizeResp.Ok)

  242. }

  243. 

  244. func TestActionsArtifactV4UploadSingleFileWithChunksOutOfOrder(t *testing.T) {

  245. 	defer prepareTestEnvActionsArtifacts(t)()

  246. 

  247. 	token, err := actions_service.CreateAuthorizationToken(48, 792, 193)

  248. 	assert.NoError(t, err)

  249. 

  250. 	// acquire artifact upload url

  251. 	req := NewRequestWithBody(t, "POST", "/twirp/github.actions.results.api.v1.ArtifactService/CreateArtifact", toProtoJSON(&actions.CreateArtifactRequest{

  252. 		Version:                 4,

  253. 		Name:                    "artifactWithChunksOutOfOrder",

  254. 		WorkflowRunBackendId:    "792",

  255. 		WorkflowJobRunBackendId: "193",

  256. 	})).AddTokenAuth(token)

  257. 	resp := MakeRequest(t, req, http.StatusOK)

  258. 	var uploadResp actions.CreateArtifactResponse

  259. 	protojson.Unmarshal(resp.Body.Bytes(), &uploadResp)

  260. 	assert.True(t, uploadResp.Ok)

  261. 	assert.Contains(t, uploadResp.SignedUploadUrl, "/twirp/github.actions.results.api.v1.ArtifactService/UploadArtifact")

  262. 

  263. 	// get upload urls

  264. 	idx := strings.Index(uploadResp.SignedUploadUrl, "/twirp/")

  265. 	block1URL := uploadResp.SignedUploadUrl[idx:] + "&comp=block&blockid=block1"

  266. 	block2URL := uploadResp.SignedUploadUrl[idx:] + "&comp=block&blockid=block2"

  267. 	blockListURL := uploadResp.SignedUploadUrl[idx:] + "&comp=blocklist"

  268. 

  269. 	// upload artifact chunks

  270. 	bodyb := strings.Repeat("B", 1024)

  271. 	req = NewRequestWithBody(t, "PUT", block2URL, strings.NewReader(bodyb))

  272. 	MakeRequest(t, req, http.StatusCreated)

  273. 

  274. 	bodya := strings.Repeat("A", 1024)

  275. 	req = NewRequestWithBody(t, "PUT", block1URL, strings.NewReader(bodya))

  276. 	MakeRequest(t, req, http.StatusCreated)

  277. 

  278. 	// upload artifact blockList

  279. 	blockList := &actions.BlockList{

  280. 		Latest: []string{

  281. 			"block1",

  282. 			"block2",

  283. 		},

  284. 	}

  285. 	rawBlockList, err := xml.Marshal(blockList)

  286. 	assert.NoError(t, err)

  287. 	req = NewRequestWithBody(t, "PUT", blockListURL, bytes.NewReader(rawBlockList))

  288. 	MakeRequest(t, req, http.StatusCreated)

  289. 

  290. 	t.Logf("Create artifact confirm")

  291. 

  292. 	sha := sha256.Sum256([]byte(bodya + bodyb))

  293. 

  294. 	// confirm artifact upload

  295. 	req = NewRequestWithBody(t, "POST", "/twirp/github.actions.results.api.v1.ArtifactService/FinalizeArtifact", toProtoJSON(&actions.FinalizeArtifactRequest{

  296. 		Name:                    "artifactWithChunksOutOfOrder",

  297. 		Size:                    2048,

  298. 		Hash:                    wrapperspb.String("sha256:" + hex.EncodeToString(sha[:])),

  299. 		WorkflowRunBackendId:    "792",

  300. 		WorkflowJobRunBackendId: "193",

  301. 	})).

  302. 		AddTokenAuth(token)

  303. 	resp = MakeRequest(t, req, http.StatusOK)

  304. 	var finalizeResp actions.FinalizeArtifactResponse

  305. 	protojson.Unmarshal(resp.Body.Bytes(), &finalizeResp)

  306. 	assert.True(t, finalizeResp.Ok)

  307. }

  308. 

  309. func TestActionsArtifactV4DownloadSingle(t *testing.T) {

  310. 	defer prepareTestEnvActionsArtifacts(t)()

  311. 

  312. 	token, err := actions_service.CreateAuthorizationToken(48, 792, 193)

  313. 	assert.NoError(t, err)

  314. 

  315. 	// acquire artifact upload url

  316. 	req := NewRequestWithBody(t, "POST", "/twirp/github.actions.results.api.v1.ArtifactService/ListArtifacts", toProtoJSON(&actions.ListArtifactsRequest{

  317. 		NameFilter:              wrapperspb.String("artifact-v4-download"),

  318. 		WorkflowRunBackendId:    "792",

  319. 		WorkflowJobRunBackendId: "193",

  320. 	})).AddTokenAuth(token)

  321. 	resp := MakeRequest(t, req, http.StatusOK)

  322. 	var listResp actions.ListArtifactsResponse

  323. 	protojson.Unmarshal(resp.Body.Bytes(), &listResp)

  324. 	assert.Len(t, listResp.Artifacts, 1)

  325. 

  326. 	// confirm artifact upload

  327. 	req = NewRequestWithBody(t, "POST", "/twirp/github.actions.results.api.v1.ArtifactService/GetSignedArtifactURL", toProtoJSON(&actions.GetSignedArtifactURLRequest{

  328. 		Name:                    "artifact-v4-download",

  329. 		WorkflowRunBackendId:    "792",

  330. 		WorkflowJobRunBackendId: "193",

  331. 	})).

  332. 		AddTokenAuth(token)

  333. 	resp = MakeRequest(t, req, http.StatusOK)

  334. 	var finalizeResp actions.GetSignedArtifactURLResponse

  335. 	protojson.Unmarshal(resp.Body.Bytes(), &finalizeResp)

  336. 	assert.NotEmpty(t, finalizeResp.SignedUrl)

  337. 

  338. 	req = NewRequest(t, "GET", finalizeResp.SignedUrl)

  339. 	resp = MakeRequest(t, req, http.StatusOK)

  340. 	body := strings.Repeat("D", 1024)

  341. 	assert.Equal(t, body, resp.Body.String())

  342. }

  343. 

  344. func TestActionsArtifactV4RunDownloadSinglePublicApi(t *testing.T) {

  345. 	defer prepareTestEnvActionsArtifacts(t)()

  346. 

  347. 	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 4})

  348. 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})

  349. 	session := loginUser(t, user.Name)

  350. 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)

  351. 

  352. 	// confirm artifact can be listed and found by name

  353. 	req := NewRequestWithBody(t, "GET", fmt.Sprintf("/api/v1/repos/%s/actions/runs/792/artifacts?name=artifact-v4-download", repo.FullName()), nil).

  354. 		AddTokenAuth(token)

  355. 	resp := MakeRequest(t, req, http.StatusOK)

  356. 	var listResp api.ActionArtifactsResponse

  357. 	err := json.Unmarshal(resp.Body.Bytes(), &listResp)

  358. 	assert.NoError(t, err)

  359. 	assert.NotEmpty(t, listResp.Entries[0].ArchiveDownloadURL)

  360. 	assert.Equal(t, "artifact-v4-download", listResp.Entries[0].Name)

  361. 

  362. 	// confirm artifact blob storage url can be retrieved

  363. 	req = NewRequestWithBody(t, "GET", listResp.Entries[0].ArchiveDownloadURL, nil).

  364. 		AddTokenAuth(token)

  365. 

  366. 	resp = MakeRequest(t, req, http.StatusFound)

  367. 

  368. 	// confirm artifact can be downloaded and has expected content

  369. 	req = NewRequestWithBody(t, "GET", resp.Header().Get("Location"), nil).

  370. 		AddTokenAuth(token)

  371. 	resp = MakeRequest(t, req, http.StatusOK)

  372. 

  373. 	body := strings.Repeat("D", 1024)

  374. 	assert.Equal(t, body, resp.Body.String())

  375. }

  376. 

  377. func TestActionsArtifactV4DownloadSinglePublicApi(t *testing.T) {

  378. 	defer prepareTestEnvActionsArtifacts(t)()

  379. 

  380. 	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 4})

  381. 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})

  382. 	session := loginUser(t, user.Name)

  383. 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)

  384. 

  385. 	// confirm artifact can be listed and found by name

  386. 	req := NewRequestWithBody(t, "GET", fmt.Sprintf("/api/v1/repos/%s/actions/artifacts?name=artifact-v4-download", repo.FullName()), nil).

  387. 		AddTokenAuth(token)

  388. 	resp := MakeRequest(t, req, http.StatusOK)

  389. 	var listResp api.ActionArtifactsResponse

  390. 	err := json.Unmarshal(resp.Body.Bytes(), &listResp)

  391. 	assert.NoError(t, err)

  392. 	assert.NotEmpty(t, listResp.Entries[0].ArchiveDownloadURL)

  393. 	assert.Equal(t, "artifact-v4-download", listResp.Entries[0].Name)

  394. 

  395. 	// confirm artifact blob storage url can be retrieved

  396. 	req = NewRequestWithBody(t, "GET", listResp.Entries[0].ArchiveDownloadURL, nil).

  397. 		AddTokenAuth(token)

  398. 

  399. 	resp = MakeRequest(t, req, http.StatusFound)

  400. 

  401. 	blobLocation := resp.Header().Get("Location")

  402. 

  403. 	// confirm artifact can be downloaded without token and has expected content

  404. 	req = NewRequestWithBody(t, "GET", blobLocation, nil)

  405. 	resp = MakeRequest(t, req, http.StatusOK)

  406. 	body := strings.Repeat("D", 1024)

  407. 	assert.Equal(t, body, resp.Body.String())

  408. 

  409. 	// confirm artifact can not be downloaded without query

  410. 	req = NewRequestWithBody(t, "GET", blobLocation, nil)

  411. 	req.URL.RawQuery = ""

  412. 	_ = MakeRequest(t, req, http.StatusUnauthorized)

  413. }

  414. 

  415. func TestActionsArtifactV4DownloadSinglePublicApiPrivateRepo(t *testing.T) {

  416. 	defer prepareTestEnvActionsArtifacts(t)()

  417. 

  418. 	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 2})

  419. 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})

  420. 	session := loginUser(t, user.Name)

  421. 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)

  422. 

  423. 	// confirm artifact can be listed and found by name

  424. 	req := NewRequestWithBody(t, "GET", fmt.Sprintf("/api/v1/repos/%s/actions/artifacts?name=artifact-v4-download", repo.FullName()), nil).

  425. 		AddTokenAuth(token)

  426. 	resp := MakeRequest(t, req, http.StatusOK)

  427. 	var listResp api.ActionArtifactsResponse

  428. 	err := json.Unmarshal(resp.Body.Bytes(), &listResp)

  429. 	assert.NoError(t, err)

  430. 	assert.Equal(t, int64(23), listResp.Entries[0].ID)

  431. 	assert.NotEmpty(t, listResp.Entries[0].ArchiveDownloadURL)

  432. 	assert.Equal(t, "artifact-v4-download", listResp.Entries[0].Name)

  433. 

  434. 	// confirm artifact blob storage url can be retrieved

  435. 	req = NewRequestWithBody(t, "GET", listResp.Entries[0].ArchiveDownloadURL, nil).

  436. 		AddTokenAuth(token)

  437. 

  438. 	resp = MakeRequest(t, req, http.StatusFound)

  439. 

  440. 	blobLocation := resp.Header().Get("Location")

  441. 	// confirm artifact can be downloaded without token and has expected content

  442. 	req = NewRequestWithBody(t, "GET", blobLocation, nil)

  443. 	resp = MakeRequest(t, req, http.StatusOK)

  444. 	body := strings.Repeat("D", 1024)

  445. 	assert.Equal(t, body, resp.Body.String())

  446. 

  447. 	// confirm artifact can not be downloaded without query

  448. 	req = NewRequestWithBody(t, "GET", blobLocation, nil)

  449. 	req.URL.RawQuery = ""

  450. 	_ = MakeRequest(t, req, http.StatusUnauthorized)

  451. }

  452. 

  453. func TestActionsArtifactV4ListAndGetPublicApi(t *testing.T) {

  454. 	defer prepareTestEnvActionsArtifacts(t)()

  455. 

  456. 	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 4})

  457. 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})

  458. 	session := loginUser(t, user.Name)

  459. 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)

  460. 

  461. 	// confirm artifact can be listed

  462. 	req := NewRequestWithBody(t, "GET", fmt.Sprintf("/api/v1/repos/%s/actions/artifacts", repo.FullName()), nil).

  463. 		AddTokenAuth(token)

  464. 	resp := MakeRequest(t, req, http.StatusOK)

  465. 	var listResp api.ActionArtifactsResponse

  466. 	err := json.Unmarshal(resp.Body.Bytes(), &listResp)

  467. 	assert.NoError(t, err)

  468. 

  469. 	for _, artifact := range listResp.Entries {

  470. 		assert.Contains(t, artifact.URL, fmt.Sprintf("/api/v1/repos/%s/actions/artifacts/%d", repo.FullName(), artifact.ID))

  471. 		assert.Contains(t, artifact.ArchiveDownloadURL, fmt.Sprintf("/api/v1/repos/%s/actions/artifacts/%d/zip", repo.FullName(), artifact.ID))

  472. 		req = NewRequestWithBody(t, "GET", listResp.Entries[0].URL, nil).

  473. 			AddTokenAuth(token)

  474. 

  475. 		resp = MakeRequest(t, req, http.StatusOK)

  476. 		var artifactResp api.ActionArtifact

  477. 		err := json.Unmarshal(resp.Body.Bytes(), &artifactResp)

  478. 		assert.NoError(t, err)

  479. 

  480. 		assert.Equal(t, artifact.ID, artifactResp.ID)

  481. 		assert.Equal(t, artifact.Name, artifactResp.Name)

  482. 		assert.Equal(t, artifact.SizeInBytes, artifactResp.SizeInBytes)

  483. 		assert.Equal(t, artifact.URL, artifactResp.URL)

  484. 		assert.Equal(t, artifact.ArchiveDownloadURL, artifactResp.ArchiveDownloadURL)

  485. 	}

  486. }

  487. 

  488. func TestActionsArtifactV4GetArtifactMismatchedRepoNotFound(t *testing.T) {

  489. 	defer prepareTestEnvActionsArtifacts(t)()

  490. 

  491. 	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})

  492. 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})

  493. 	session := loginUser(t, user.Name)

  494. 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)

  495. 

  496. 	// confirm artifacts of wrong repo is not visible

  497. 	req := NewRequestWithBody(t, "GET", fmt.Sprintf("/api/v1/repos/%s/actions/artifacts/%d", repo.FullName(), 22), nil).

  498. 		AddTokenAuth(token)

  499. 	MakeRequest(t, req, http.StatusNotFound)

  500. }

  501. 

  502. func TestActionsArtifactV4DownloadArtifactMismatchedRepoNotFound(t *testing.T) {

  503. 	defer prepareTestEnvActionsArtifacts(t)()

  504. 

  505. 	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})

  506. 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})

  507. 	session := loginUser(t, user.Name)

  508. 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)

  509. 

  510. 	// confirm artifacts of wrong repo is not visible

  511. 	req := NewRequestWithBody(t, "GET", fmt.Sprintf("/api/v1/repos/%s/actions/artifacts/%d/zip", repo.FullName(), 22), nil).

  512. 		AddTokenAuth(token)

  513. 	MakeRequest(t, req, http.StatusNotFound)

  514. }

  515. 

  516. func TestActionsArtifactV4DownloadArtifactCorrectRepoFound(t *testing.T) {

  517. 	defer prepareTestEnvActionsArtifacts(t)()

  518. 

  519. 	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 4})

  520. 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})

  521. 	session := loginUser(t, user.Name)

  522. 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)

  523. 

  524. 	// confirm artifacts of correct repo is visible

  525. 	req := NewRequestWithBody(t, "GET", fmt.Sprintf("/api/v1/repos/%s/actions/artifacts/%d/zip", repo.FullName(), 22), nil).

  526. 		AddTokenAuth(token)

  527. 	MakeRequest(t, req, http.StatusFound)

  528. }

  529. 

  530. func TestActionsArtifactV4DownloadRawArtifactCorrectRepoMissingSignatureUnauthorized(t *testing.T) {

  531. 	defer prepareTestEnvActionsArtifacts(t)()

  532. 

  533. 	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 4})

  534. 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})

  535. 	session := loginUser(t, user.Name)

  536. 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)

  537. 

  538. 	// confirm cannot use the raw artifact endpoint even with a correct access token

  539. 	req := NewRequestWithBody(t, "GET", fmt.Sprintf("/api/v1/repos/%s/actions/artifacts/%d/zip/raw", repo.FullName(), 22), nil).

  540. 		AddTokenAuth(token)

  541. 	MakeRequest(t, req, http.StatusUnauthorized)

  542. }

  543. 

  544. func TestActionsArtifactV4Delete(t *testing.T) {

  545. 	defer prepareTestEnvActionsArtifacts(t)()

  546. 

  547. 	token, err := actions_service.CreateAuthorizationToken(48, 792, 193)

  548. 	assert.NoError(t, err)

  549. 

  550. 	// delete artifact by name

  551. 	req := NewRequestWithBody(t, "POST", "/twirp/github.actions.results.api.v1.ArtifactService/DeleteArtifact", toProtoJSON(&actions.DeleteArtifactRequest{

  552. 		Name:                    "artifact-v4-download",

  553. 		WorkflowRunBackendId:    "792",

  554. 		WorkflowJobRunBackendId: "193",

  555. 	})).AddTokenAuth(token)

  556. 	resp := MakeRequest(t, req, http.StatusOK)

  557. 	var deleteResp actions.DeleteArtifactResponse

  558. 	protojson.Unmarshal(resp.Body.Bytes(), &deleteResp)

  559. 	assert.True(t, deleteResp.Ok)

  560. 

  561. 	// confirm artifact is no longer accessible by GetSignedArtifactURL

  562. 	req = NewRequestWithBody(t, "POST", "/twirp/github.actions.results.api.v1.ArtifactService/GetSignedArtifactURL", toProtoJSON(&actions.GetSignedArtifactURLRequest{

  563. 		Name:                    "artifact-v4-download",

  564. 		WorkflowRunBackendId:    "792",

  565. 		WorkflowJobRunBackendId: "193",

  566. 	})).

  567. 		AddTokenAuth(token)

  568. 	_ = MakeRequest(t, req, http.StatusNotFound)

  569. 

  570. 	// confirm artifact is no longer enumerateable by ListArtifacts and returns length == 0 without error

  571. 	req = NewRequestWithBody(t, "POST", "/twirp/github.actions.results.api.v1.ArtifactService/ListArtifacts", toProtoJSON(&actions.ListArtifactsRequest{

  572. 		NameFilter:              wrapperspb.String("artifact-v4-download"),

  573. 		WorkflowRunBackendId:    "792",

  574. 		WorkflowJobRunBackendId: "193",

  575. 	})).AddTokenAuth(token)

  576. 	resp = MakeRequest(t, req, http.StatusOK)

  577. 	var listResp actions.ListArtifactsResponse

  578. 	protojson.Unmarshal(resp.Body.Bytes(), &listResp)

  579. 	assert.Empty(t, listResp.Artifacts)

  580. }

  581. 

  582. func TestActionsArtifactV4DeletePublicApi(t *testing.T) {

  583. 	defer prepareTestEnvActionsArtifacts(t)()

  584. 

  585. 	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 4})

  586. 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})

  587. 	session := loginUser(t, user.Name)

  588. 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)

  589. 

  590. 	// confirm artifacts exists

  591. 	req := NewRequestWithBody(t, "GET", fmt.Sprintf("/api/v1/repos/%s/actions/artifacts/%d", repo.FullName(), 22), nil).

  592. 		AddTokenAuth(token)

  593. 	MakeRequest(t, req, http.StatusOK)

  594. 

  595. 	// delete artifact by id

  596. 	req = NewRequestWithBody(t, "DELETE", fmt.Sprintf("/api/v1/repos/%s/actions/artifacts/%d", repo.FullName(), 22), nil).

  597. 		AddTokenAuth(token)

  598. 	MakeRequest(t, req, http.StatusNoContent)

  599. 

  600. 	// confirm artifacts has been deleted

  601. 	req = NewRequestWithBody(t, "GET", fmt.Sprintf("/api/v1/repos/%s/actions/artifacts/%d", repo.FullName(), 22), nil).

  602. 		AddTokenAuth(token)

  603. 	MakeRequest(t, req, http.StatusNotFound)

  604. }

  605. 

  606. func TestActionsArtifactV4DeletePublicApiNotAllowedReadScope(t *testing.T) {

  607. 	defer prepareTestEnvActionsArtifacts(t)()

  608. 

  609. 	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 4})

  610. 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})

  611. 	session := loginUser(t, user.Name)

  612. 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)

  613. 

  614. 	// confirm artifacts exists

  615. 	req := NewRequestWithBody(t, "GET", fmt.Sprintf("/api/v1/repos/%s/actions/artifacts/%d", repo.FullName(), 22), nil).

  616. 		AddTokenAuth(token)

  617. 	MakeRequest(t, req, http.StatusOK)

  618. 

  619. 	// try delete artifact by id

  620. 	req = NewRequestWithBody(t, "DELETE", fmt.Sprintf("/api/v1/repos/%s/actions/artifacts/%d", repo.FullName(), 22), nil).

  621. 		AddTokenAuth(token)

  622. 	MakeRequest(t, req, http.StatusForbidden)

  623. 

  624. 	// confirm artifacts has not been deleted

  625. 	req = NewRequestWithBody(t, "GET", fmt.Sprintf("/api/v1/repos/%s/actions/artifacts/%d", repo.FullName(), 22), nil).

  626. 		AddTokenAuth(token)

  627. 	MakeRequest(t, req, http.StatusOK)

  628. }