Merge branch '30769-fix-call-to-push-check' into 'master'

Added can_push_for_ref? method RUN AS-IF-FOSS See merge request gitlab-org/gitlab!49723

Merge branch '30769-fix-call-to-push-check' into 'master'
Added can_push_for_ref? method RUN AS-IF-FOSS See merge request gitlab-org/gitlab!49723
6f360232 · Thong Kuah · 48a39cc6 · e5863fb8 · 6f360232 · 6f360232
Commit 6f360232 authored Dec 15, 2020 by Thong Kuah
6 changed files
--- a/lib/gitlab/checks/push_check.rb
+++ b/lib/gitlab/checks/push_check.rb
@@ -14,17 +14,9 @@ module Gitlab
      private

      def can_push?
-        user_access_can_push? ||
+        user_access.can_push_for_ref?(ref) ||
          project.branch_allows_collaboration?(user_access.user, branch_name)
      end
-
-      def user_access_can_push?
-        if Feature.enabled?(:deploy_keys_on_protected_branches, project)
-          user_access.can_push_to_branch?(ref)
-        else
-          user_access.can_do_action?(:push_code)
-        end
-      end
    end
  end
 end
--- a/lib/gitlab/deploy_key_access.rb
+++ b/lib/gitlab/deploy_key_access.rb
@@ -8,6 +8,10 @@ module Gitlab
      @container = container
    end

+    def can_push_for_ref?(ref)
+      can_push_to_branch?(ref)
+    end
+
    private

    attr_reader :deploy_key

--- a/lib/gitlab/user_access.rb
+++ b/lib/gitlab/user_access.rb
@@ -81,6 +81,10 @@ module Gitlab
      end
    end

+    def can_push_for_ref?(_)
+      can_do_action?(:push_code)
+    end
+
    private

    def can_push?

--- a/spec/lib/gitlab/checks/push_check_spec.rb
+++ b/spec/lib/gitlab/checks/push_check_spec.rb
@@ -12,11 +12,32 @@ RSpec.describe Gitlab::Checks::PushCheck do

    context 'when the user is not allowed to push to the repo' do
      it 'raises an error' do
-        expect(user_access).to receive(:can_push_to_branch?).and_return(false)
+        expect(user_access).to receive(:can_do_action?).with(:push_code).and_return(false)
        expect(project).to receive(:branch_allows_collaboration?).with(user_access.user, 'master').and_return(false)

        expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, 'You are not allowed to push code to this project.')
      end
    end
+
+    context 'when using a DeployKeyAccess instance' do
+      let(:deploy_key) { create(:deploy_key) }
+      let(:user_access) { Gitlab::DeployKeyAccess.new(deploy_key, container: project) }
+
+      context 'when the deploy key cannot push to the targetted branch' do
+        it 'raises an error' do
+          allow(user_access).to receive(:can_push_to_branch?).and_return(false)
+
+          expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, 'You are not allowed to push code to this project.')
+        end
+      end
+
+      context 'when the deploy key can push to the targetted branch' do
+        it 'is valid' do
+          allow(user_access).to receive(:can_push_to_branch?).and_return(true)
+
+          expect { subject.validate! }.not_to raise_error
+        end
+      end
+    end
  end
 end
--- a/spec/lib/gitlab/deploy_key_access_spec.rb
+++ b/spec/lib/gitlab/deploy_key_access_spec.rb
@@ -25,7 +25,7 @@ RSpec.describe Gitlab::DeployKeyAccess do
    end
  end

-  describe '#can_push_to_branch?' do
+  describe '#can_push_for_ref?' do
    context 'push to a protected branch of this project via a deploy key' do
      before do
        create(:protected_branch_push_access_level, protected_branch: protected_branch, deploy_key: deploy_key)
@@ -33,7 +33,7 @@ RSpec.describe Gitlab::DeployKeyAccess do

      context 'when the project has active deploy key owned by this user' do
        it 'returns true' do
-          expect(access.can_push_to_branch?(protected_branch.name)).to be_truthy
+          expect(access.can_push_for_ref?(protected_branch.name)).to be_truthy
        end
      end

@@ -41,7 +41,7 @@ RSpec.describe Gitlab::DeployKeyAccess do
        let(:deploy_key) { create(:deploy_key, user: create(:user)) }

        it 'returns false' do
-          expect(access.can_push_to_branch?(protected_branch.name)).to be_falsey
+          expect(access.can_push_for_ref?(protected_branch.name)).to be_falsey
        end
      end

@@ -49,15 +49,15 @@ RSpec.describe Gitlab::DeployKeyAccess do
        let(:another_branch) { create(:protected_branch, :no_one_can_push, name: 'another_branch', project: project) }

        it 'returns false when trying to push to that other branch' do
-          expect(access.can_push_to_branch?(another_branch.name)).to be_falsey
+          expect(access.can_push_for_ref?(another_branch.name)).to be_falsey
        end

        context 'and the deploy key added for the first protected branch is also added for this other branch' do
          it 'returns true for both protected branches' do
            create(:protected_branch_push_access_level, protected_branch: another_branch, deploy_key: deploy_key)

-            expect(access.can_push_to_branch?(protected_branch.name)).to be_truthy
-            expect(access.can_push_to_branch?(another_branch.name)).to be_truthy
+            expect(access.can_push_for_ref?(protected_branch.name)).to be_truthy
+            expect(access.can_push_for_ref?(another_branch.name)).to be_truthy
          end
        end
      end

--- a/spec/lib/gitlab/user_access_spec.rb
+++ b/spec/lib/gitlab/user_access_spec.rb
@@ -310,4 +310,24 @@ RSpec.describe Gitlab::UserAccess do
      end
    end
  end
+
+  describe '#can_push_for_ref?' do
+    let(:ref) { 'test_ref' }
+
+    context 'when user cannot push_code to a project repository (eg. as a guest)' do
+      it 'is false' do
+        project.add_user(user, :guest)
+
+        expect(access.can_push_for_ref?(ref)).to be_falsey
+      end
+    end
+
+    context 'when user can push_code to a project repository (eg. as a developer)' do
+      it 'is true' do
+        project.add_user(user, :developer)
+
+        expect(access.can_push_for_ref?(ref)).to be_truthy
+      end
+    end
+  end
 end