Extract EE specific files/lines for Create spec/requests/api
We have the following files containing EE specific code. We should move them to ee/
spec/requests/api/branches_spec.rb
diff --git a/spec/requests/api/branches_spec.rb b/home/yorickpeterse/Projects/gitlab/gdk-ee/gitlab/spec/requests/api/branches_spec.rb
index b38cd66986f..1a5c5905591 100644
--- a/spec/requests/api/branches_spec.rb
+++ b/home/yorickpeterse/Projects/gitlab/gdk-ee/gitlab/spec/requests/api/branches_spec.rb
@@ -413,6 +413,19 @@ describe API::Branches do
expect(json_response['developers_can_merge']).to eq(true)
end
end
+
+ context "when no one can push" do
+ let(:protected_branch) { create(:protected_branch, :no_one_can_push, project: project, name: 'protected_branch') }
+
+ it "updates 'developers_can_push' without removing the 'no_one' access level" do
+ put api("/projects/#{project.id}/repository/branches/#{protected_branch.name}/protect", user),
+ params: { developers_can_push: true, developers_can_merge: true }
+
+ expect(response).to have_gitlab_http_status(200)
+ expect(json_response['name']).to eq(protected_branch.name)
+ expect(protected_branch.reload.push_access_levels.pluck(:access_level)).to include(Gitlab::Access::NO_ACCESS)
+ end
+ end
end
end
endspec/requests/api/helpers_spec.rb
diff --git a/spec/requests/api/helpers_spec.rb b/home/yorickpeterse/Projects/gitlab/gdk-ee/gitlab/spec/requests/api/helpers_spec.rb
index a0c64d295c0..f40c44162c2 100644
--- a/spec/requests/api/helpers_spec.rb
+++ b/home/yorickpeterse/Projects/gitlab/gdk-ee/gitlab/spec/requests/api/helpers_spec.rb
@@ -23,11 +23,14 @@ describe API::Helpers do
}
end
let(:header) { }
+ let(:route_authentication_setting) { {} }
let(:request) { Grape::Request.new(env)}
let(:params) { request.params }
before do
allow_any_instance_of(self.class).to receive(:options).and_return({})
+ allow_any_instance_of(self.class).to receive(:route_authentication_setting)
+ .and_return(route_authentication_setting)
end
def warden_authenticate_returns(value)
@@ -219,6 +222,51 @@ describe API::Helpers do
end
end
end
+
+ describe "when authenticating using a job token" do
+ let(:job) { create(:ci_build, user: user) }
+
+ context 'when route is allowed to be authenticated' do
+ let(:route_authentication_setting) { { job_token_allowed: true } }
+
+ it "returns a 401 response for an invalid token" do
+ env[Gitlab::Auth::UserAuthFinders::JOB_TOKEN_HEADER] = 'invalid token'
+
+ expect { current_user }.to raise_error /401/
+ end
+
+ it "returns a 403 response for a user without access" do
+ env[Gitlab::Auth::UserAuthFinders::JOB_TOKEN_HEADER] = job.token
+ allow_any_instance_of(Gitlab::UserAccess).to receive(:allowed?).and_return(false)
+
+ expect { current_user }.to raise_error /403/
+ end
+
+ it 'returns a 403 response for a user who is blocked' do
+ user.block!
+ env[Gitlab::Auth::UserAuthFinders::JOB_TOKEN_HEADER] = job.token
+
+ expect { current_user }.to raise_error /403/
+ end
+
+ it "sets current_user" do
+ env[Gitlab::Auth::UserAuthFinders::JOB_TOKEN_HEADER] = job.token
+
+ expect(current_user).to eq(user)
+ end
+ end
+
+ context 'when route is not allowed to be authenticated' do
+ let(:route_authentication_setting) { { job_token_allowed: false } }
+
+ it "sets current_user to nil" do
+ env[Gitlab::Auth::UserAuthFinders::JOB_TOKEN_HEADER] = job.token
+ allow_any_instance_of(Gitlab::UserAccess).to receive(:allowed?).and_return(true)
+
+ expect(current_user).to be_nil
+ end
+ end
+ end
end
describe '.handle_api_exception' dospec/requests/api/protected_branches_spec.rb
diff --git a/spec/requests/api/protected_branches_spec.rb b/home/yorickpeterse/Projects/gitlab/gdk-ee/gitlab/spec/requests/api/protected_branches_spec.rb
index f90558d77a9..5ec433b3704 100644
--- a/spec/requests/api/protected_branches_spec.rb
+++ b/home/yorickpeterse/Projects/gitlab/gdk-ee/gitlab/spec/requests/api/protected_branches_spec.rb
@@ -56,6 +56,7 @@ describe API::ProtectedBranches do
expect(json_response['name']).to eq(branch_name)
expect(json_response['push_access_levels'][0]['access_level']).to eq(::Gitlab::Access::MAINTAINER)
expect(json_response['merge_access_levels'][0]['access_level']).to eq(::Gitlab::Access::MAINTAINER)
+ expect(json_response['unprotect_access_levels']).to eq([])
end
context 'when protected branch does not exist' do
@@ -66,6 +67,34 @@ describe API::ProtectedBranches do
let(:message) { '404 Not found' }
end
end
+
+ context 'with per user/group access levels' do
+ let(:push_user) { create(:user) }
+ let(:merge_group) { create(:group) }
+ let(:unprotect_group) { create(:group) }
+
+ before do
+ project.add_developer(push_user)
+ project.project_group_links.create(group: merge_group)
+ project.project_group_links.create(group: unprotect_group)
+ protected_branch.push_access_levels.create!(user: push_user)
+ protected_branch.merge_access_levels.create!(group: merge_group)
+ protected_branch.unprotect_access_levels.create!(group: unprotect_group)
+ end
+
+ it 'returns access level details' do
+ get api(route, user)
+
+ push_user_ids = json_response['push_access_levels'].map {|level| level['user_id']}
+ merge_group_ids = json_response['merge_access_levels'].map {|level| level['group_id']}
+ unprotect_group_ids = json_response['unprotect_access_levels'].map {|level| level['group_id']}
+
+ expect(response).to have_gitlab_http_status(200)
+ expect(push_user_ids).to include(push_user.id)
+ expect(merge_group_ids).to include(merge_group.id)
+ expect(unprotect_group_ids).to include(unprotect_group.id)
+ end
+ end
end
context 'when authenticated as a maintainer' do
@@ -120,6 +149,7 @@ describe API::ProtectedBranches do
expect(json_response['name']).to eq(branch_name)
expect(json_response['push_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
expect(json_response['merge_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
+ expect(json_response['unprotect_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
end
it 'protects a single branch and developers can push' do
@@ -167,6 +197,16 @@ describe API::ProtectedBranches do
expect(json_response['merge_access_levels'][0]['access_level']).to eq(Gitlab::Access::NO_ACCESS)
end
+ it 'protects a single branch and only admins can unprotect' do
+ post post_endpoint, params: { name: branch_name, unprotect_access_level: Gitlab::Access::ADMIN }
+
+ expect(response).to have_gitlab_http_status(201)
+ expect(json_response['name']).to eq(branch_name)
+ expect(json_response['push_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
+ expect(json_response['merge_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
+ expect(json_response['unprotect_access_levels'][0]['access_level']).to eq(Gitlab::Access::ADMIN)
+ end
+
it 'protects a single branch and no one can push or merge' do
post post_endpoint, params: { name: branch_name, push_access_level: 0, merge_access_level: 0 }
@@ -176,6 +216,100 @@ describe API::ProtectedBranches do
expect(json_response['merge_access_levels'][0]['access_level']).to eq(Gitlab::Access::NO_ACCESS)
end
+ context 'with granular access' do
+ let(:invited_group) do
+ create(:project_group_link, project: project).group
+ end
+
+ let(:project_member) do
+ create(:project_member, project: project).user
+ end
+
+ it 'can protect a branch while allowing an individual user to push' do
+ push_user = project_member
+
+ post post_endpoint, params: { name: branch_name, allowed_to_push: [{ user_id: push_user.id }] }
+
+ expect_protection_to_be_successful
+ expect(json_response['push_access_levels'][0]['user_id']).to eq(push_user.id)
+ end
+
+ it 'can protect a branch while allowing an individual user to merge' do
+ merge_user = project_member
+
+ post post_endpoint, params: { name: branch_name, allowed_to_merge: [{ user_id: merge_user.id }] }
+
+ expect_protection_to_be_successful
+ expect(json_response['merge_access_levels'][0]['user_id']).to eq(merge_user.id)
+ end
+
+ it 'can protect a branch while allowing an individual user to unprotect' do
+ unprotect_user = project_member
+
+ post post_endpoint, params: { name: branch_name, allowed_to_unprotect: [{ user_id: unprotect_user.id }] }
+
+ expect_protection_to_be_successful
+ expect(json_response['unprotect_access_levels'][0]['user_id']).to eq(unprotect_user.id)
+ end
+
+ it 'can protect a branch while allowing a group to push' do
+ push_group = invited_group
+
+ post post_endpoint, params: { name: branch_name, allowed_to_push: [{ group_id: push_group.id }] }
+
+ expect_protection_to_be_successful
+ expect(json_response['push_access_levels'][0]['group_id']).to eq(push_group.id)
+ end
+
+ it 'can protect a branch while allowing a group to merge' do
+ merge_group = invited_group
+
+ post post_endpoint, params: { name: branch_name, allowed_to_merge: [{ group_id: merge_group.id }] }
+
+ expect_protection_to_be_successful
+ expect(json_response['merge_access_levels'][0]['group_id']).to eq(merge_group.id)
+ end
+
+ it 'can protect a branch while allowing a group to unprotect' do
+ unprotect_group = invited_group
+
+ post post_endpoint, params: { name: branch_name, allowed_to_unprotect: [{ group_id: unprotect_group.id }] }
+
+ expect_protection_to_be_successful
+ expect(json_response['unprotect_access_levels'][0]['group_id']).to eq(unprotect_group.id)
+ end
+
+ it "fails if users don't all have access to the project" do
+ push_user = create(:user)
+
+ post post_endpoint, params: { name: branch_name, allowed_to_merge: [{ user_id: push_user.id }] }
+
+ expect(response).to have_gitlab_http_status(422)
+ expect(json_response['message'][0]).to match(/is not a member of the project/)
+ end
+
+ it "fails if groups aren't all invited to the project" do
+ merge_group = create(:group)
+
+ post post_endpoint, params: { name: branch_name, allowed_to_merge: [{ group_id: merge_group.id }] }
+
+ expect(response).to have_gitlab_http_status(422)
+ expect(json_response['message'][0]).to match(/does not have access to the project/)
+ end
+
+ it 'avoids creating default access levels unless necessary' do
+ push_user = project_member
+
+ post post_endpoint, params: { name: branch_name, allowed_to_push: [{ user_id: push_user.id }] }
+
+ expect(response).to have_gitlab_http_status(201)
+ expect(json_response['push_access_levels'].count).to eq(1)
+ expect(json_response['merge_access_levels'].count).to eq(1)
+ expect(json_response['push_access_levels'][0]['user_id']).to eq(push_user.id)
+ expect(json_response['push_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
+ end
+ end
+
it 'returns a 409 error if the same branch is protected twice' do
post post_endpoint, params: { name: protected_name }Edited by Douwe Maan