Branch UnprotectAccessLevels can be set via API

app/services/protected_branches/api_service.rb

@@ -5,13 +5,15 @@ module ProtectedBranches
     def create
       @push_params = AccessLevelParams.new(:push, params)
       @merge_params = AccessLevelParams.new(:merge, params)
+      @unprotect_params = AccessLevelParams.new(:unprotect, params)
 
       verify_params!
 
       protected_branch_params = {
         name: params[:name],
         push_access_levels_attributes: @push_params.access_levels,
-        merge_access_levels_attributes: @merge_params.access_levels
+        merge_access_levels_attributes: @merge_params.access_levels,
+        unprotect_access_levels_attributes: @unprotect_params.access_levels
       }
 
       ::ProtectedBranches::CreateService.new(@project, @current_user, protected_branch_params).execute

ee/app/services/ee/protected_branches/api_service.rb

@@ -26,14 +26,14 @@ module EE
       end
 
       def groups_accessible?
-        group_ids = @merge_params.group_ids + @push_params.group_ids # rubocop:disable Gitlab/ModuleWithInstanceVariables
+        group_ids = @merge_params.group_ids + @push_params.group_ids + @unprotect_params.group_ids # rubocop:disable Gitlab/ModuleWithInstanceVariables
         allowed_groups = @project.invited_groups.where(id: group_ids) # rubocop:disable Gitlab/ModuleWithInstanceVariables
 
         group_ids.count == allowed_groups.count
       end
 
       def users_accessible?
-        user_ids = @merge_params.user_ids + @push_params.user_ids # rubocop:disable Gitlab/ModuleWithInstanceVariables
+        user_ids = @merge_params.user_ids + @push_params.user_ids + @unprotect_params.user_ids # rubocop:disable Gitlab/ModuleWithInstanceVariables
         allowed_users = @project.team.users.where(id: user_ids) # rubocop:disable Gitlab/ModuleWithInstanceVariables
 
         user_ids.count == allowed_users.count

lib/api/entities.rb

@@ -394,6 +394,7 @@ module API
       expose :name
       expose :push_access_levels, using: Entities::ProtectedRefAccess
       expose :merge_access_levels, using: Entities::ProtectedRefAccess
+      expose :unprotect_access_levels, using: Entities::ProtectedRefAccess
     end
 
     class Milestone < Grape::Entity

lib/api/protected_branches.rb

@@ -45,6 +45,9 @@ module API
         optional :merge_access_level, type: Integer,
                                       values: ProtectedRefAccess::ALLOWED_ACCESS_LEVELS,
                                       desc: 'Access levels allowed to merge (defaults: `40`, master access level)'
+        optional :unprotect_access_level, type: Integer,
+                                          values: ProtectedRefAccess::ALLOWED_ACCESS_LEVELS,
+                                          desc: 'Access levels allowed to unprotect (defaults: `40`, master access level)'
         optional :allowed_to_push, type: Array, desc: 'An array of users/groups allowed to push' do
           optional :access_level, type: Integer, values: ProtectedRefAccess::ALLOWED_ACCESS_LEVELS
           optional :user_id, type: Integer
@@ -55,6 +58,11 @@ module API
           optional :user_id, type: Integer
           optional :group_id, type: Integer
         end
+        optional :allowed_to_unprotect, type: Array, desc: 'An array of users/groups allowed to unprotect' do
+          optional :access_level, type: Integer, values: ProtectedRefAccess::ALLOWED_ACCESS_LEVELS
+          optional :user_id, type: Integer
+          optional :group_id, type: Integer
+        end
       end
       post ':id/protected_branches' do
         protected_branch = user_project.protected_branches.find_by(name: params[:name])

spec/requests/api/protected_branches_spec.rb

@@ -56,6 +56,7 @@ describe API::ProtectedBranches do
         expect(json_response['name']).to eq(branch_name)
         expect(json_response['push_access_levels'][0]['access_level']).to eq(::Gitlab::Access::MASTER)
         expect(json_response['merge_access_levels'][0]['access_level']).to eq(::Gitlab::Access::MASTER)
+        expect(json_response['unprotect_access_levels']).to eq([])
       end
 
       context 'when protected branch does not exist' do
@@ -70,10 +71,12 @@ describe API::ProtectedBranches do
       context 'with per user/group access levels' do
         let(:push_user) { create(:user) }
         let(:merge_group) { create(:group) }
+        let(:unprotect_group) { create(:group) }
 
         before do
           protected_branch.push_access_levels.create!(user: push_user)
           protected_branch.merge_access_levels.create!(group: merge_group)
+          protected_branch.unprotect_access_levels.create!(group: unprotect_group)
         end
 
         it 'returns access level details' do
@@ -81,10 +84,12 @@ describe API::ProtectedBranches do
 
           push_user_ids = json_response['push_access_levels'].map {|level| level['user_id']}
           merge_group_ids = json_response['merge_access_levels'].map {|level| level['group_id']}
+          unprotect_group_ids = json_response['unprotect_access_levels'].map {|level| level['group_id']}
 
           expect(response).to have_gitlab_http_status(200)
           expect(push_user_ids).to include(push_user.id)
           expect(merge_group_ids).to include(merge_group.id)
+          expect(unprotect_group_ids).to include(unprotect_group.id)
         end
       end
     end
@@ -141,6 +146,7 @@ describe API::ProtectedBranches do
         expect(json_response['name']).to eq(branch_name)
         expect(json_response['push_access_levels'][0]['access_level']).to eq(Gitlab::Access::MASTER)
         expect(json_response['merge_access_levels'][0]['access_level']).to eq(Gitlab::Access::MASTER)
+        expect(json_response['unprotect_access_levels'][0]['access_level']).to eq(Gitlab::Access::MASTER)
       end
 
       it 'protects a single branch and developers can push' do
@@ -188,6 +194,16 @@ describe API::ProtectedBranches do
         expect(json_response['merge_access_levels'][0]['access_level']).to eq(Gitlab::Access::NO_ACCESS)
       end
 
+      it 'protects a single branch and only admins can unprotect' do
+        post post_endpoint, name: branch_name, unprotect_access_level: Gitlab::Access::ADMIN
+
+        expect(response).to have_gitlab_http_status(201)
+        expect(json_response['name']).to eq(branch_name)
+        expect(json_response['push_access_levels'][0]['access_level']).to eq(Gitlab::Access::MASTER)
+        expect(json_response['merge_access_levels'][0]['access_level']).to eq(Gitlab::Access::MASTER)
+        expect(json_response['unprotect_access_levels'][0]['access_level']).to eq(Gitlab::Access::ADMIN)
+      end
+
       it 'protects a single branch and no one can push or merge' do
         post post_endpoint, name: branch_name, push_access_level: 0, merge_access_level: 0
 
@@ -224,6 +240,15 @@ describe API::ProtectedBranches do
           expect(json_response['merge_access_levels'][0]['user_id']).to eq(merge_user.id)
         end
 
+        it 'can protect a branch while allowing an individual user to unprotect' do
+          unprotect_user = project_member
+
+          post post_endpoint, name: branch_name, allowed_to_unprotect: [{ user_id: unprotect_user.id }]
+
+          expect_protection_to_be_successful
+          expect(json_response['unprotect_access_levels'][0]['user_id']).to eq(unprotect_user.id)
+        end
+
         it 'can protect a branch while allowing a group to push' do
           push_group = invited_group
 
@@ -242,6 +267,15 @@ describe API::ProtectedBranches do
           expect(json_response['merge_access_levels'][0]['group_id']).to eq(merge_group.id)
         end
 
+        it 'can protect a branch while allowing a group to unprotect' do
+          unprotect_group = invited_group
+
+          post post_endpoint, name: branch_name, allowed_to_unprotect: [{ group_id: unprotect_group.id }]
+
+          expect_protection_to_be_successful
+          expect(json_response['unprotect_access_levels'][0]['group_id']).to eq(unprotect_group.id)
+        end
+
         it "fails if users don't all have access to the project" do
           push_user = create(:user)