debian-mirror-gitlab/spec/lib/gitlab/checks/change_access_spec.rb

232 lines
8.8 KiB
Ruby
Raw Normal View History

2016-09-13 17:45:13 +05:30
require 'spec_helper'
2017-09-10 17:25:29 +05:30
describe Gitlab::Checks::ChangeAccess do
2016-09-13 17:45:13 +05:30
describe '#exec' do
let(:user) { create(:user) }
2017-08-17 22:00:37 +05:30
let(:project) { create(:project, :repository) }
2016-09-13 17:45:13 +05:30
let(:user_access) { Gitlab::UserAccess.new(user, project: project) }
2017-08-17 22:00:37 +05:30
let(:oldrev) { 'be93687618e4b132087f430a4d8fc3a609c9b77c' }
let(:newrev) { '54fcc214b94e78d7a41a9a8fe6d87a5e59500e51' }
let(:ref) { 'refs/heads/master' }
let(:changes) { { oldrev: oldrev, newrev: newrev, ref: ref } }
let(:protocol) { 'ssh' }
2018-03-17 18:26:18 +05:30
subject(:change_access) do
2017-08-17 22:00:37 +05:30
described_class.new(
changes,
project: project,
user_access: user_access,
protocol: protocol
2018-03-17 18:26:18 +05:30
)
2016-09-13 17:45:13 +05:30
end
2017-09-10 17:25:29 +05:30
before do
project.add_developer(user)
end
2016-09-13 17:45:13 +05:30
context 'without failed checks' do
2017-09-10 17:25:29 +05:30
it "doesn't raise an error" do
2018-03-17 18:26:18 +05:30
expect { subject.exec }.not_to raise_error
2016-09-13 17:45:13 +05:30
end
end
2018-03-27 19:54:05 +05:30
context 'when the user is not allowed to push to the repo' do
2017-09-10 17:25:29 +05:30
it 'raises an error' do
2016-09-13 17:45:13 +05:30
expect(user_access).to receive(:can_do_action?).with(:push_code).and_return(false)
2018-03-27 19:54:05 +05:30
expect(user_access).to receive(:can_push_to_branch?).with('master').and_return(false)
2016-09-13 17:45:13 +05:30
2018-03-17 18:26:18 +05:30
expect { subject.exec }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to push code to this project.')
2016-09-13 17:45:13 +05:30
end
end
context 'tags check' do
2017-08-17 22:00:37 +05:30
let(:ref) { 'refs/tags/v1.0.0' }
2016-09-13 17:45:13 +05:30
2017-09-10 17:25:29 +05:30
it 'raises an error if the user is not allowed to update tags' do
2017-08-17 22:00:37 +05:30
allow(user_access).to receive(:can_do_action?).with(:push_code).and_return(true)
2016-09-13 17:45:13 +05:30
expect(user_access).to receive(:can_do_action?).with(:admin_project).and_return(false)
2018-03-17 18:26:18 +05:30
expect { subject.exec }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to change existing tags on this project.')
2016-09-13 17:45:13 +05:30
end
2017-08-17 22:00:37 +05:30
context 'with protected tag' do
let!(:protected_tag) { create(:protected_tag, project: project, name: 'v*') }
2018-11-08 19:23:39 +05:30
context 'as maintainer' do
2017-09-10 17:25:29 +05:30
before do
2018-11-18 11:00:15 +05:30
project.add_maintainer(user)
2017-09-10 17:25:29 +05:30
end
2017-08-17 22:00:37 +05:30
context 'deletion' do
let(:oldrev) { 'be93687618e4b132087f430a4d8fc3a609c9b77c' }
let(:newrev) { '0000000000000000000000000000000000000000' }
it 'is prevented' do
2018-03-17 18:26:18 +05:30
expect { subject.exec }.to raise_error(Gitlab::GitAccess::UnauthorizedError, /cannot be deleted/)
2017-08-17 22:00:37 +05:30
end
end
context 'update' do
let(:oldrev) { 'be93687618e4b132087f430a4d8fc3a609c9b77c' }
let(:newrev) { '54fcc214b94e78d7a41a9a8fe6d87a5e59500e51' }
it 'is prevented' do
2018-03-17 18:26:18 +05:30
expect { subject.exec }.to raise_error(Gitlab::GitAccess::UnauthorizedError, /cannot be updated/)
2017-08-17 22:00:37 +05:30
end
end
end
context 'creation' do
let(:oldrev) { '0000000000000000000000000000000000000000' }
let(:newrev) { '54fcc214b94e78d7a41a9a8fe6d87a5e59500e51' }
let(:ref) { 'refs/tags/v9.1.0' }
it 'prevents creation below access level' do
2018-03-17 18:26:18 +05:30
expect { subject.exec }.to raise_error(Gitlab::GitAccess::UnauthorizedError, /allowed to create this tag as it is protected/)
2017-08-17 22:00:37 +05:30
end
context 'when user has access' do
let!(:protected_tag) { create(:protected_tag, :developers_can_create, project: project, name: 'v*') }
it 'allows tag creation' do
2018-03-17 18:26:18 +05:30
expect { subject.exec }.not_to raise_error
2017-08-17 22:00:37 +05:30
end
end
end
end
2016-09-13 17:45:13 +05:30
end
2017-09-10 17:25:29 +05:30
context 'branches check' do
context 'trying to delete the default branch' do
let(:newrev) { '0000000000000000000000000000000000000000' }
let(:ref) { 'refs/heads/master' }
it 'raises an error' do
2018-03-17 18:26:18 +05:30
expect { subject.exec }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'The default branch of a project cannot be deleted.')
2017-09-10 17:25:29 +05:30
end
2016-09-13 17:45:13 +05:30
end
2017-09-10 17:25:29 +05:30
context 'protected branches check' do
before do
allow(ProtectedBranch).to receive(:protected?).with(project, 'master').and_return(true)
allow(ProtectedBranch).to receive(:protected?).with(project, 'feature').and_return(true)
end
2016-09-13 17:45:13 +05:30
2017-09-10 17:25:29 +05:30
it 'raises an error if the user is not allowed to do forced pushes to protected branches' do
expect(Gitlab::Checks::ForcePush).to receive(:force_push?).and_return(true)
2016-09-13 17:45:13 +05:30
2018-03-17 18:26:18 +05:30
expect { subject.exec }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to force push code to a protected branch on this project.')
2017-09-10 17:25:29 +05:30
end
2016-09-13 17:45:13 +05:30
2017-09-10 17:25:29 +05:30
it 'raises an error if the user is not allowed to merge to protected branches' do
expect_any_instance_of(Gitlab::Checks::MatchingMergeRequest).to receive(:match?).and_return(true)
expect(user_access).to receive(:can_merge_to_branch?).and_return(false)
expect(user_access).to receive(:can_push_to_branch?).and_return(false)
2016-09-13 17:45:13 +05:30
2018-03-17 18:26:18 +05:30
expect { subject.exec }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to merge code into protected branches on this project.')
2017-09-10 17:25:29 +05:30
end
2016-09-13 17:45:13 +05:30
2017-09-10 17:25:29 +05:30
it 'raises an error if the user is not allowed to push to protected branches' do
expect(user_access).to receive(:can_push_to_branch?).and_return(false)
2016-09-13 17:45:13 +05:30
2018-03-17 18:26:18 +05:30
expect { subject.exec }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to push code to protected branches on this project.')
2017-09-10 17:25:29 +05:30
end
2018-11-18 11:00:15 +05:30
context 'when project repository is empty' do
let(:project) { create(:project) }
it 'raises an error if the user is not allowed to push to protected branches' do
expect(user_access).to receive(:can_push_to_branch?).and_return(false)
expect { subject.exec }.to raise_error(Gitlab::GitAccess::UnauthorizedError, /Ask a project Owner or Maintainer to create a default branch/)
end
end
2017-09-10 17:25:29 +05:30
context 'branch deletion' do
let(:newrev) { '0000000000000000000000000000000000000000' }
let(:ref) { 'refs/heads/feature' }
context 'if the user is not allowed to delete protected branches' do
it 'raises an error' do
2018-11-08 19:23:39 +05:30
expect { subject.exec }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to delete protected branches from this project. Only a project maintainer or owner can delete a protected branch.')
2017-09-10 17:25:29 +05:30
end
end
context 'if the user is allowed to delete protected branches' do
before do
2018-11-18 11:00:15 +05:30
project.add_maintainer(user)
2017-09-10 17:25:29 +05:30
end
context 'through the web interface' do
let(:protocol) { 'web' }
it 'allows branch deletion' do
2018-03-17 18:26:18 +05:30
expect { subject.exec }.not_to raise_error
2017-09-10 17:25:29 +05:30
end
end
2016-09-13 17:45:13 +05:30
2017-09-10 17:25:29 +05:30
context 'over SSH or HTTP' do
it 'raises an error' do
2018-03-17 18:26:18 +05:30
expect { subject.exec }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You can only delete protected branches using the web interface.')
2017-09-10 17:25:29 +05:30
end
end
end
2016-09-13 17:45:13 +05:30
end
end
end
2018-03-17 18:26:18 +05:30
context 'LFS integrity check' do
it 'fails if any LFS blobs are missing' do
allow_any_instance_of(Gitlab::Checks::LfsIntegrity).to receive(:objects_missing?).and_return(true)
expect { subject.exec }.to raise_error(Gitlab::GitAccess::UnauthorizedError, /LFS objects are missing/)
end
it 'succeeds if LFS objects have already been uploaded' do
allow_any_instance_of(Gitlab::Checks::LfsIntegrity).to receive(:objects_missing?).and_return(false)
expect { subject.exec }.not_to raise_error
end
end
context 'LFS file lock check' do
let(:owner) { create(:user) }
let!(:lock) { create(:lfs_file_lock, user: owner, project: project, path: 'README') }
before do
allow(project.repository).to receive(:new_commits).and_return(
project.repository.commits_between('be93687618e4b132087f430a4d8fc3a609c9b77c', '54fcc214b94e78d7a41a9a8fe6d87a5e59500e51')
)
end
context 'with LFS not enabled' do
it 'skips the validation' do
expect_any_instance_of(Gitlab::Checks::CommitCheck).not_to receive(:validate)
subject.exec
end
end
context 'with LFS enabled' do
before do
allow(project).to receive(:lfs_enabled?).and_return(true)
end
context 'when change is sent by a different user' do
it 'raises an error if the user is not allowed to update the file' do
expect { subject.exec }.to raise_error(Gitlab::GitAccess::UnauthorizedError, "The path 'README' is locked in Git LFS by #{lock.user.name}")
end
end
context 'when change is sent by the author of the lock' do
let(:user) { owner }
it "doesn't raise any error" do
expect { subject.exec }.not_to raise_error
end
end
end
end
2016-09-13 17:45:13 +05:30
end
end