2019-12-26 22:10:19 +05:30
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
2018-03-17 18:26:18 +05:30
|
|
|
require 'spec_helper'
|
|
|
|
|
|
2023-09-09 17:08:58 +05:30
|
|
|
RSpec.describe Ci::PipelineSchedulePolicy, :models, :clean_gitlab_redis_cache, feature_category: :continuous_integration do
|
|
|
|
|
using RSpec::Parameterized::TableSyntax
|
|
|
|
|
|
2020-04-08 14:13:33 +05:30
|
|
|
let_it_be(:user) { create(:user) }
|
2023-09-09 17:08:58 +05:30
|
|
|
let_it_be_with_reload(:project) { create(:project, :repository, create_tag: tag_ref_name) }
|
|
|
|
|
let_it_be_with_reload(:pipeline_schedule) { create(:ci_pipeline_schedule, :nightly, project: project) }
|
|
|
|
|
let_it_be(:tag_ref_name) { "v1.0.0" }
|
2018-03-17 18:26:18 +05:30
|
|
|
|
|
|
|
|
let(:policy) do
|
|
|
|
|
described_class.new(user, pipeline_schedule)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
describe 'rules' do
|
|
|
|
|
describe 'rules for protected ref' do
|
2023-09-09 17:08:58 +05:30
|
|
|
context 'for branch' do
|
|
|
|
|
%w[refs/heads/master master].each do |branch_ref|
|
|
|
|
|
context "with #{branch_ref}" do
|
|
|
|
|
let_it_be(:branch_ref_name) { "master" }
|
|
|
|
|
let_it_be(:branch_pipeline_schedule) do
|
|
|
|
|
create(:ci_pipeline_schedule, :nightly, project: project, ref: branch_ref)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
where(:push_access_level, :merge_access_level, :project_role, :accessible) do
|
|
|
|
|
:no_one_can_push | :no_one_can_merge | :owner | :be_disallowed
|
|
|
|
|
:no_one_can_push | :no_one_can_merge | :maintainer | :be_disallowed
|
|
|
|
|
:no_one_can_push | :no_one_can_merge | :developer | :be_disallowed
|
|
|
|
|
:no_one_can_push | :no_one_can_merge | :reporter | :be_disallowed
|
|
|
|
|
:no_one_can_push | :no_one_can_merge | :guest | :be_disallowed
|
|
|
|
|
|
|
|
|
|
:maintainers_can_push | :no_one_can_merge | :owner | :be_allowed
|
|
|
|
|
:maintainers_can_push | :no_one_can_merge | :maintainer | :be_allowed
|
|
|
|
|
:maintainers_can_push | :no_one_can_merge | :developer | :be_disallowed
|
|
|
|
|
:maintainers_can_push | :no_one_can_merge | :reporter | :be_disallowed
|
|
|
|
|
:maintainers_can_push | :no_one_can_merge | :guest | :be_disallowed
|
|
|
|
|
|
|
|
|
|
:developers_can_push | :no_one_can_merge | :owner | :be_allowed
|
|
|
|
|
:developers_can_push | :no_one_can_merge | :maintainer | :be_allowed
|
|
|
|
|
:developers_can_push | :no_one_can_merge | :developer | :be_allowed
|
|
|
|
|
:developers_can_push | :no_one_can_merge | :reporter | :be_disallowed
|
|
|
|
|
:developers_can_push | :no_one_can_merge | :guest | :be_disallowed
|
|
|
|
|
|
|
|
|
|
:no_one_can_push | :maintainers_can_merge | :owner | :be_allowed
|
|
|
|
|
:no_one_can_push | :maintainers_can_merge | :maintainer | :be_allowed
|
|
|
|
|
:no_one_can_push | :maintainers_can_merge | :developer | :be_disallowed
|
|
|
|
|
:no_one_can_push | :maintainers_can_merge | :reporter | :be_disallowed
|
|
|
|
|
:no_one_can_push | :maintainers_can_merge | :guest | :be_disallowed
|
|
|
|
|
|
|
|
|
|
:maintainers_can_push | :maintainers_can_merge | :owner | :be_allowed
|
|
|
|
|
:maintainers_can_push | :maintainers_can_merge | :maintainer | :be_allowed
|
|
|
|
|
:maintainers_can_push | :maintainers_can_merge | :developer | :be_disallowed
|
|
|
|
|
:maintainers_can_push | :maintainers_can_merge | :reporter | :be_disallowed
|
|
|
|
|
:maintainers_can_push | :maintainers_can_merge | :guest | :be_disallowed
|
|
|
|
|
|
|
|
|
|
:developers_can_push | :maintainers_can_merge | :owner | :be_allowed
|
|
|
|
|
:developers_can_push | :maintainers_can_merge | :maintainer | :be_allowed
|
|
|
|
|
:developers_can_push | :maintainers_can_merge | :developer | :be_allowed
|
|
|
|
|
:developers_can_push | :maintainers_can_merge | :reporter | :be_disallowed
|
|
|
|
|
:developers_can_push | :maintainers_can_merge | :guest | :be_disallowed
|
|
|
|
|
|
|
|
|
|
:no_one_can_push | :developers_can_merge | :owner | :be_allowed
|
|
|
|
|
:no_one_can_push | :developers_can_merge | :maintainer | :be_allowed
|
|
|
|
|
:no_one_can_push | :developers_can_merge | :developer | :be_allowed
|
|
|
|
|
:no_one_can_push | :developers_can_merge | :reporter | :be_disallowed
|
|
|
|
|
:no_one_can_push | :developers_can_merge | :guest | :be_disallowed
|
|
|
|
|
|
|
|
|
|
:maintainers_can_push | :developers_can_merge | :owner | :be_allowed
|
|
|
|
|
:maintainers_can_push | :developers_can_merge | :maintainer | :be_allowed
|
|
|
|
|
:maintainers_can_push | :developers_can_merge | :developer | :be_allowed
|
|
|
|
|
:maintainers_can_push | :developers_can_merge | :reporter | :be_disallowed
|
|
|
|
|
:maintainers_can_push | :developers_can_merge | :guest | :be_disallowed
|
|
|
|
|
|
|
|
|
|
:developers_can_push | :developers_can_merge | :owner | :be_allowed
|
|
|
|
|
:developers_can_push | :developers_can_merge | :maintainer | :be_allowed
|
|
|
|
|
:developers_can_push | :developers_can_merge | :developer | :be_allowed
|
|
|
|
|
:developers_can_push | :developers_can_merge | :reporter | :be_disallowed
|
|
|
|
|
:developers_can_push | :developers_can_merge | :guest | :be_disallowed
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
with_them do
|
|
|
|
|
before do
|
|
|
|
|
create(:protected_branch, push_access_level, merge_access_level, name: branch_ref_name,
|
|
|
|
|
project: project)
|
|
|
|
|
project.add_role(user, project_role)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
context 'for create_pipeline_schedule' do
|
|
|
|
|
subject(:policy) { described_class.new(user, new_branch_pipeline_schedule) }
|
|
|
|
|
|
|
|
|
|
let(:new_branch_pipeline_schedule) { project.pipeline_schedules.new(ref: branch_ref) }
|
|
|
|
|
|
|
|
|
|
it { expect(policy).to try(accessible, :create_pipeline_schedule) }
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
context 'for play_pipeline_schedule' do
|
|
|
|
|
subject(:policy) { described_class.new(user, branch_pipeline_schedule) }
|
|
|
|
|
|
|
|
|
|
it { expect(policy).to try(accessible, :play_pipeline_schedule) }
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
2018-03-17 18:26:18 +05:30
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2023-09-09 17:08:58 +05:30
|
|
|
context 'for tag' do
|
|
|
|
|
%w[refs/tags/v1.0.0 v1.0.0].each do |tag_ref|
|
|
|
|
|
context "with #{tag_ref}" do
|
|
|
|
|
let_it_be(:tag_pipeline_schedule) do
|
|
|
|
|
create(:ci_pipeline_schedule, :nightly, project: project, ref: tag_ref)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
where(:access_level, :project_role, :accessible) do
|
|
|
|
|
:no_one_can_create | :owner | :be_disallowed
|
|
|
|
|
:no_one_can_create | :maintainer | :be_disallowed
|
|
|
|
|
:no_one_can_create | :developer | :be_disallowed
|
|
|
|
|
:no_one_can_create | :reporter | :be_disallowed
|
|
|
|
|
:no_one_can_create | :guest | :be_disallowed
|
|
|
|
|
|
|
|
|
|
:maintainers_can_create | :owner | :be_allowed
|
|
|
|
|
:maintainers_can_create | :maintainer | :be_allowed
|
|
|
|
|
:maintainers_can_create | :developer | :be_disallowed
|
|
|
|
|
:maintainers_can_create | :reporter | :be_disallowed
|
|
|
|
|
:maintainers_can_create | :guest | :be_disallowed
|
|
|
|
|
|
|
|
|
|
:developers_can_create | :owner | :be_allowed
|
|
|
|
|
:developers_can_create | :maintainer | :be_allowed
|
|
|
|
|
:developers_can_create | :developer | :be_allowed
|
|
|
|
|
:developers_can_create | :reporter | :be_disallowed
|
|
|
|
|
:developers_can_create | :guest | :be_disallowed
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
with_them do
|
|
|
|
|
before do
|
|
|
|
|
create(:protected_tag, access_level, name: tag_ref_name, project: project)
|
|
|
|
|
project.add_role(user, project_role)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
context 'for create_pipeline_schedule' do
|
|
|
|
|
subject(:policy) { described_class.new(user, new_tag_pipeline_schedule) }
|
|
|
|
|
|
|
|
|
|
let(:new_tag_pipeline_schedule) { project.pipeline_schedules.new(ref: tag_ref) }
|
|
|
|
|
|
|
|
|
|
it { expect(policy).to try(accessible, :create_pipeline_schedule) }
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
context 'for play_pipeline_schedule' do
|
|
|
|
|
subject(:policy) { described_class.new(user, tag_pipeline_schedule) }
|
|
|
|
|
|
|
|
|
|
it { expect(policy).to try(accessible, :play_pipeline_schedule) }
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
2018-03-17 18:26:18 +05:30
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
describe 'rules for owner of schedule' do
|
|
|
|
|
before do
|
|
|
|
|
project.add_developer(user)
|
2020-10-24 23:57:45 +05:30
|
|
|
pipeline_schedule.update!(owner: user)
|
2018-03-17 18:26:18 +05:30
|
|
|
end
|
|
|
|
|
|
2019-02-15 15:39:39 +05:30
|
|
|
it 'includes abilities to do all operations on pipeline schedule' do
|
2018-03-17 18:26:18 +05:30
|
|
|
expect(policy).to be_allowed :play_pipeline_schedule
|
|
|
|
|
expect(policy).to be_allowed :update_pipeline_schedule
|
|
|
|
|
expect(policy).to be_allowed :admin_pipeline_schedule
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2018-11-18 11:00:15 +05:30
|
|
|
describe 'rules for a maintainer' do
|
2018-03-17 18:26:18 +05:30
|
|
|
before do
|
2018-11-18 11:00:15 +05:30
|
|
|
project.add_maintainer(user)
|
2018-03-17 18:26:18 +05:30
|
|
|
end
|
|
|
|
|
|
2022-05-03 16:02:30 +05:30
|
|
|
it 'allows for playing and destroying a pipeline schedule' do
|
2018-03-17 18:26:18 +05:30
|
|
|
expect(policy).to be_allowed :play_pipeline_schedule
|
|
|
|
|
expect(policy).to be_allowed :admin_pipeline_schedule
|
|
|
|
|
end
|
2022-05-03 16:02:30 +05:30
|
|
|
|
|
|
|
|
it 'does not allow for updating of an existing schedule' do
|
|
|
|
|
expect(policy).not_to be_allowed :update_pipeline_schedule
|
|
|
|
|
end
|
2018-03-17 18:26:18 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
|
|
describe 'rules for non-owner of schedule' do
|
|
|
|
|
let(:owner) { create(:user) }
|
|
|
|
|
|
|
|
|
|
before do
|
2018-11-18 11:00:15 +05:30
|
|
|
project.add_maintainer(owner)
|
|
|
|
|
project.add_maintainer(user)
|
2020-10-24 23:57:45 +05:30
|
|
|
pipeline_schedule.update!(owner: owner)
|
2018-03-17 18:26:18 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
|
|
it 'includes abilities to take ownership' do
|
2023-05-27 22:25:52 +05:30
|
|
|
expect(policy).to be_allowed :admin_pipeline_schedule
|
2018-03-17 18:26:18 +05:30
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
