# frozen_string_literal: true
require 'spec_helper'
RSpec.describe API::ProtectedBranches, feature_category: :source_code_management do
  # Fixtures shared by every endpoint below. The project is created once and
  # reloaded for each example (`let_it_be_with_reload`), the users once per file.
  let_it_be_with_reload(:project) { create(:project, :repository) }

  # One user per role the API authorizes differently: maintainers may manage
  # rules, developers may only read them, guests are refused.
  let_it_be(:maintainer) { create(:user) }
  let_it_be(:developer) { create(:user) }
  let_it_be(:guest) { create(:user) }

  # `protected_name` is the rule seeded before each example; `branch_name` is what
  # the routes interpolate and defaults to it so the happy paths hit that rule.
  let(:protected_name) { 'feature' }
  let(:branch_name) { protected_name }

  # `let!` so the rule exists before each example runs, not lazily on first use.
  let!(:protected_branch) { create(:protected_branch, project: project, name: protected_name) }

  before_all do
    project.add_maintainer(maintainer)
    project.add_developer(developer)
    project.add_guest(guest)
  end
describe "GET /projects/:id/protected_branches" do
  # Query string for the list request; the search example overrides it.
  let(:params) { {} }
  let(:route) { "/projects/#{project.id}/protected_branches" }
  # By default every rule on the project is expected in the response.
  let(:expected_branch_names) { project.protected_branches.map { |x| x['name'] } }

  # Lists the rules as `user` and checks status, pagination headers, schema and
  # that exactly `expected_branch_names` came back (order-insensitive).
  shared_examples_for 'protected branches' do
    it 'returns the protected branches' do
      # per_page: 100 keeps all rules on one page so the match_array below is exhaustive.
      get api(route, user), params: params.merge(per_page: 100)

      expect(response).to have_gitlab_http_status(:ok)
      expect(response).to include_pagination_headers
      expect(response).to match_response_schema('protected_branches')
      protected_branch_names = json_response.map { |x| x['name'] }
      expect(protected_branch_names).to match_array(expected_branch_names)
    end
  end

  context 'when authenticated as a maintainer' do
    let(:user) { maintainer }

    context 'when search param is not present' do
      it_behaves_like 'protected branches'
    end

    # A second rule is seeded and only it may be returned for `search=stable`;
    # the seeded 'feature' rule must be filtered out.
    context 'when search param is present' do
      it_behaves_like 'protected branches' do
        let(:another_protected_branch) { create(:protected_branch, project: project, name: 'stable') }
        let(:params) { { search: another_protected_branch.name } }
        let(:expected_branch_names) { [another_protected_branch.name] }
      end
    end
  end

  # Read access is granted to developers as well as maintainers.
  context 'when authenticated as a developer' do
    let(:user) { developer }
    it_behaves_like 'protected branches'
  end

  # Guests are refused outright. NOTE(review): no example covers an anonymous
  # (unauthenticated) request to this endpoint.
  context 'when authenticated as a guest' do
    let(:user) { guest }

    it_behaves_like '403 response' do
      let(:request) { get api(route, user) }
    end
  end
end
describe "GET /projects/:id/protected_branches/:branch" do
  # `branch_name` is interpolated straight into the path segment.
  let(:route) { "/projects/#{project.id}/protected_branches/#{branch_name}" }

  # Fetches one rule as `user` and checks the default rule shape: force push off,
  # push and merge both restricted to MAINTAINER.
  shared_examples_for 'protected branch' do
    it 'returns the protected branch' do
      get api(route, user)

      expect(response).to have_gitlab_http_status(:ok)
      expect(response).to match_response_schema('protected_branch')
      expect(json_response['name']).to eq(branch_name)
      expect(json_response['allow_force_push']).to eq(false)
      expect(json_response['push_access_levels'][0]['access_level']).to eq(::Gitlab::Access::MAINTAINER)
      expect(json_response['merge_access_levels'][0]['access_level']).to eq(::Gitlab::Access::MAINTAINER)
    end

    context 'when protected branch does not exist' do
      let(:branch_name) { 'unknown' }

      it_behaves_like '404 response' do
        let(:request) { get api(route, user) }
        let(:message) { '404 Not found' }
      end
    end
  end

  context 'when authenticated as a maintainer' do
    let(:user) { maintainer }

    it_behaves_like 'protected branch'

    # `*` and `.` in the rule name travel through the URL path segment; these two
    # contexts make sure such names still resolve to the right rule.
    context 'when protected branch contains a wildcard' do
      let(:protected_name) { 'feature*' }
      it_behaves_like 'protected branch'
    end

    context 'when protected branch contains a period' do
      let(:protected_name) { 'my.feature' }
      it_behaves_like 'protected branch'
    end

    context 'when a deploy key is present' do
      # A deploy key attached to the project with the :write_access trait
      # (presumably giving it push rights; see the factory).
      let(:deploy_key) do
        create(:deploy_key, deploy_keys_projects: [create(:deploy_keys_project, :write_access, project: project)])
      end

      # A push access level bound to the key must be reported with the key's id.
      # NOTE(review): this example asserts on the body only; no status check precedes it.
      it 'returns deploy key information' do
        create(:protected_branch_push_access_level, protected_branch: protected_branch, deploy_key: deploy_key)
        get api(route, user)
        expect(json_response['push_access_levels']).to include(
          a_hash_including('access_level_description' => 'Deploy key', 'deploy_key_id' => deploy_key.id)
        )
      end
    end
  end

  # Developers may read a single rule; guests are refused.
  context 'when authenticated as a developer' do
    let(:user) { developer }
    it_behaves_like 'protected branch'
  end

  context 'when authenticated as a guest' do
    let(:user) { guest }

    it_behaves_like '403 response' do
      let(:request) { get api(route, user) }
    end
  end
end
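describe 'POST /projects/:id/protected_branches' do
  # The branch to protect here has no rule yet (unlike the seeded `protected_name`).
  let(:branch_name) { 'new_branch' }
  let(:post_endpoint) { api("/projects/#{project.id}/protected_branches", user) }

  # Shared happy-path assertion: the rule was created and echoes the requested name.
  def expect_protection_to_be_successful
    expect(response).to have_gitlab_http_status(:created)
    expect(json_response['name']).to eq(branch_name)
  end

  context 'when authenticated as a maintainer' do
    let(:user) { maintainer }

    # With no access-level params both push and merge default to MAINTAINER and
    # force pushes stay disabled; the following examples vary one knob at a time.
    # Access levels are sent as the named Gitlab::Access constants the responses
    # are asserted against, rather than as bare integers.
    it 'protects a single branch' do
      post post_endpoint, params: { name: branch_name }

      expect(response).to have_gitlab_http_status(:created)
      expect(response).to match_response_schema('protected_branch')
      expect(json_response['name']).to eq(branch_name)
      expect(json_response['allow_force_push']).to eq(false)
      expect(json_response['push_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
      expect(json_response['merge_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
    end

    it 'protects a single branch and developers can push' do
      post post_endpoint, params: { name: branch_name, push_access_level: Gitlab::Access::DEVELOPER }

      expect(response).to have_gitlab_http_status(:created)
      expect(response).to match_response_schema('protected_branch')
      expect(json_response['name']).to eq(branch_name)
      expect(json_response['allow_force_push']).to eq(false)
      expect(json_response['push_access_levels'][0]['access_level']).to eq(Gitlab::Access::DEVELOPER)
      expect(json_response['merge_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
    end

    it 'protects a single branch and developers can merge' do
      post post_endpoint, params: { name: branch_name, merge_access_level: Gitlab::Access::DEVELOPER }

      expect(response).to have_gitlab_http_status(:created)
      expect(response).to match_response_schema('protected_branch')
      expect(json_response['name']).to eq(branch_name)
      expect(json_response['allow_force_push']).to eq(false)
      expect(json_response['push_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
      expect(json_response['merge_access_levels'][0]['access_level']).to eq(Gitlab::Access::DEVELOPER)
    end

    it 'protects a single branch and developers can push and merge' do
      post post_endpoint, params: {
        name: branch_name,
        push_access_level: Gitlab::Access::DEVELOPER,
        merge_access_level: Gitlab::Access::DEVELOPER
      }

      expect(response).to have_gitlab_http_status(:created)
      expect(response).to match_response_schema('protected_branch')
      expect(json_response['name']).to eq(branch_name)
      expect(json_response['allow_force_push']).to eq(false)
      expect(json_response['push_access_levels'][0]['access_level']).to eq(Gitlab::Access::DEVELOPER)
      expect(json_response['merge_access_levels'][0]['access_level']).to eq(Gitlab::Access::DEVELOPER)
    end

    # NO_ACCESS locks the action down for everyone, including maintainers.
    it 'protects a single branch and no one can push' do
      post post_endpoint, params: { name: branch_name, push_access_level: Gitlab::Access::NO_ACCESS }

      expect(response).to have_gitlab_http_status(:created)
      expect(response).to match_response_schema('protected_branch')
      expect(json_response['name']).to eq(branch_name)
      expect(json_response['allow_force_push']).to eq(false)
      expect(json_response['push_access_levels'][0]['access_level']).to eq(Gitlab::Access::NO_ACCESS)
      expect(json_response['merge_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
    end

    it 'protects a single branch and no one can merge' do
      post post_endpoint, params: { name: branch_name, merge_access_level: Gitlab::Access::NO_ACCESS }

      expect(response).to have_gitlab_http_status(:created)
      expect(response).to match_response_schema('protected_branch')
      expect(json_response['name']).to eq(branch_name)
      expect(json_response['allow_force_push']).to eq(false)
      expect(json_response['push_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
      expect(json_response['merge_access_levels'][0]['access_level']).to eq(Gitlab::Access::NO_ACCESS)
    end

    it 'protects a single branch and no one can push or merge' do
      post post_endpoint, params: {
        name: branch_name,
        push_access_level: Gitlab::Access::NO_ACCESS,
        merge_access_level: Gitlab::Access::NO_ACCESS
      }

      expect(response).to have_gitlab_http_status(:created)
      expect(response).to match_response_schema('protected_branch')
      expect(json_response['name']).to eq(branch_name)
      expect(json_response['allow_force_push']).to eq(false)
      expect(json_response['push_access_levels'][0]['access_level']).to eq(Gitlab::Access::NO_ACCESS)
      expect(json_response['merge_access_levels'][0]['access_level']).to eq(Gitlab::Access::NO_ACCESS)
    end

    # allow_force_push is independent of the access levels, which keep their defaults.
    it 'protects a single branch and allows force pushes' do
      post post_endpoint, params: { name: branch_name, allow_force_push: true }

      expect(response).to have_gitlab_http_status(:created)
      expect(response).to match_response_schema('protected_branch')
      expect(json_response['name']).to eq(branch_name)
      expect(json_response['allow_force_push']).to eq(true)
      expect(json_response['push_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
      expect(json_response['merge_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
    end

    # `protected_name` already has a rule (seeded by the outer `let!`).
    it 'returns a 409 error if the same branch is protected twice' do
      post post_endpoint, params: { name: protected_name }

      expect(response).to have_gitlab_http_status(:conflict)
    end

    context 'when branch has a wildcard in its name' do
      let(:branch_name) { 'feature/*' }

      it "protects multiple branches with a wildcard in the name" do
        post post_endpoint, params: { name: branch_name }

        expect_protection_to_be_successful
        expect(json_response['push_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
        expect(json_response['merge_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
      end
    end

    # Even a maintainer is refused when the policy layer denies the ability;
    # `disallow` (defined at the bottom of the file) stubs Ability.allowed? for
    # this user/ability/target only. A refusal must leave no rule behind.
    context 'when a policy restricts rule creation' do
      it "prevents creations of the protected branch rule" do
        disallow(:create_protected_branch, an_instance_of(ProtectedBranch))

        expect do
          post post_endpoint, params: { name: branch_name }
        end.not_to change { project.protected_branches.count }

        expect(response).to have_gitlab_http_status(:forbidden)
      end
    end
  end

  # Developers may read rules but not create them. Authorization failures are
  # also checked to be side-effect free via the rule count.
  context 'when authenticated as a developer' do
    let(:user) { developer }

    it "returns a 403 error" do
      expect do
        post post_endpoint, params: { name: branch_name }
      end.not_to change { project.protected_branches.count }

      expect(response).to have_gitlab_http_status(:forbidden)
    end
  end

  context 'when authenticated as a guest' do
    let(:user) { guest }

    it "returns a 403 error" do
      expect do
        post post_endpoint, params: { name: branch_name }
      end.not_to change { project.protected_branches.count }

      expect(response).to have_gitlab_http_status(:forbidden)
    end
  end
end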
2023-01-13 00:05:48 +05:30
describe 'PATCH /projects/:id/protected_branches/:name' do
  let(:route) { "/projects/#{project.id}/protected_branches/#{branch_name}" }

  context 'when authenticated as a maintainer' do
    let(:user) { maintainer }

    # The only attribute this spec updates is allow_force_push; the change is
    # verified against the reloaded record, not just the response.
    it "updates a single branch" do
      expect do
        patch api(route, user), params: { allow_force_push: true }
      end.to change { protected_branch.reload.allow_force_push }.from(false).to(true)
      expect(response).to have_gitlab_http_status(:ok)
    end

    # A nil value is rejected by parameter validation before any update happens.
    context 'when allow_force_push is not set' do
      it 'responds with a bad request error' do
        patch api(route, user), params: { allow_force_push: nil }
        expect(response).to have_gitlab_http_status(:bad_request)
        expect(json_response['error']).to eq 'allow_force_push is empty'
      end
    end
  end

  # Forces the model's validation to fail on the instance the API loads, so the
  # update is rejected with 422 and the stored value is untouched.
  context 'when returned protected branch is invalid' do
    let(:user) { maintainer }

    before do
      allow_next_found_instance_of(ProtectedBranch) do |instance|
        allow(instance).to receive(:valid?).and_return(false)
      end
    end

    it "returns a 422" do
      expect do
        patch api(route, user), params: { allow_force_push: true }
      end.not_to change { protected_branch.reload.allow_force_push }
      expect(response).to have_gitlab_http_status(:unprocessable_entity)
    end
  end

  # Only maintainers may change a rule. NOTE(review): these two examples check the
  # status only; wrapping the request in
  # `expect { ... }.not_to change { protected_branch.reload.allow_force_push }`
  # as the 422 example does would also prove the refusal had no side effect.
  context 'when authenticated as a developer' do
    let(:user) { developer }
    it "returns a 403 error" do
      patch api(route, user), params: { allow_force_push: true }
      expect(response).to have_gitlab_http_status(:forbidden)
    end
  end

  context 'when authenticated as a guest' do
    let(:user) { guest }
    it "returns a 403 error" do
      patch api(route, user), params: { allow_force_push: true }
      expect(response).to have_gitlab_http_status(:forbidden)
    end
  end
end
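describe "DELETE /projects/:id/protected_branches/:branch" do
  # The description now names the route actually requested below
  # (`/protected_branches/:branch`). `branch_name` defaults to the seeded rule.
  let(:delete_endpoint) { api("/projects/#{project.id}/protected_branches/#{branch_name}", user) }

  context "when authenticated as a maintainer" do
    let(:user) { maintainer }

    # Success is checked on the data as well as the status: exactly one rule disappears.
    it "unprotects a single branch" do
      expect do
        delete delete_endpoint
      end.to change { project.protected_branches.count }.by(-1)

      expect(response).to have_gitlab_http_status(:no_content)
    end

    # Shared example for the If-Unmodified-Since precondition; it is handed the
    # endpoint itself rather than a request block (presumably it issues the
    # DELETE with the header set — see the shared example for details).
    it_behaves_like '412 response' do
      let(:request) { delete_endpoint }
    end

    it "returns 404 if branch does not exist" do
      delete api("/projects/#{project.id}/protected_branches/barfoo", user)

      expect(response).to have_gitlab_http_status(:not_found)
    end

    # A policy denial must leave the rule in place even for a maintainer;
    # `disallow` (bottom of the file) stubs Ability.allowed? for this triple only.
    context 'when a policy restricts rule deletion' do
      it "prevents deletion of the protected branch rule" do
        disallow(:destroy_protected_branch, protected_branch)

        expect do
          delete delete_endpoint
        end.not_to change { project.protected_branches.count }

        expect(response).to have_gitlab_http_status(:forbidden)
      end
    end

    # The `*` in the name travels through the path segment and must still resolve.
    context 'when branch has a wildcard in its name' do
      let(:protected_name) { 'feature*' }

      it "unprotects a wildcard branch" do
        delete delete_endpoint

        expect(response).to have_gitlab_http_status(:no_content)
      end
    end
  end

  # Developers and guests may not delete rules; the refusal must be side-effect free.
  context 'when authenticated as a developer' do
    let(:user) { developer }

    it "returns a 403 error" do
      expect do
        delete delete_endpoint
      end.not_to change { project.protected_branches.count }

      expect(response).to have_gitlab_http_status(:forbidden)
    end
  end

  context 'when authenticated as a guest' do
    let(:user) { guest }

    it "returns a 403 error" do
      expect do
        delete delete_endpoint
      end.not_to change { project.protected_branches.count }

      expect(response).to have_gitlab_http_status(:forbidden)
    end
  end
end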
# Makes the policy layer say "no" for exactly one (user, ability, target) triple,
# so an example can observe how the API reacts to a denied ability. Every other
# Ability.allowed? call keeps its real answer through and_call_original.
# `user` is read from the enclosing example group's `let`.
def disallow(ability, protected_branch)
  allow(Ability).to receive(:allowed?).and_call_original
  allow(Ability)
    .to receive(:allowed?)
    .with(user, ability, protected_branch)
    .and_return(false)
end
end