Commit 87355319 authored by Lin Jen-Shin's avatar Lin Jen-Shin

Merge branch 'id-spec-requests-api' into 'master'

Extract EE specific specs from spec/requests/api

Closes #6671

See merge request gitlab-org/gitlab-ee!10851
parents b621b721 f5dba097
# frozen_string_literal: true
require 'spec_helper'
describe API::Branches do
describe 'PUT /projects/:id/repository/branches/:branch/protect' do
context 'when authenticated', 'as a maintainer' do
let(:user) { create(:user) }
let(:project) { create(:project, :repository, creator: user, path: 'my.project') }
before do
project.add_maintainer(user)
end
context 'when protected branch already exists' do
before do
project.repository.add_branch(user, protected_branch.name, 'master')
end
context "when no one can push" do
let(:protected_branch) { create(:protected_branch, :no_one_can_push, project: project, name: 'protected_branch') }
it "updates 'developers_can_push' without removing the 'no_one' access level" do
put api("/projects/#{project.id}/repository/branches/#{protected_branch.name}/protect", user),
params: { developers_can_push: true, developers_can_merge: true }
expect(response).to have_gitlab_http_status(200)
expect(json_response['name']).to eq(protected_branch.name)
expect(protected_branch.reload.push_access_levels.pluck(:access_level)).to include(Gitlab::Access::NO_ACCESS)
end
end
end
end
end
end
# frozen_string_literal: true
require 'spec_helper'
describe API::Helpers do
include API::APIGuard::HelperMethods
include described_class
let(:user) { create(:user) }
let(:route_authentication_setting) { {} }
let(:csrf_token) { SecureRandom.base64(ActionController::RequestForgeryProtection::AUTHENTICITY_TOKEN_LENGTH) }
let(:env) do
{
'rack.input' => '',
'rack.session' => {
_csrf_token: csrf_token
},
'REQUEST_METHOD' => 'GET',
'CONTENT_TYPE' => 'text/plain;charset=utf-8'
}
end
let(:header) { }
let(:request) { Grape::Request.new(env)}
let(:params) { request.params }
def error!(message, status, header)
raise Exception.new("#{status} - #{message}")
end
before do
allow_any_instance_of(self.class).to receive(:options).and_return({})
allow_any_instance_of(self.class).to receive(:route_authentication_setting)
.and_return(route_authentication_setting)
end
describe ".current_user" do
describe "when authenticating using a job token" do
let(:job) { create(:ci_build, user: user) }
context 'when route is allowed to be authenticated' do
let(:route_authentication_setting) { { job_token_allowed: true } }
it "returns a 401 response for an invalid token" do
env[Gitlab::Auth::UserAuthFinders::JOB_TOKEN_HEADER] = 'invalid token'
expect { current_user }.to raise_error /401/
end
it "returns a 403 response for a user without access" do
env[Gitlab::Auth::UserAuthFinders::JOB_TOKEN_HEADER] = job.token
allow_any_instance_of(Gitlab::UserAccess).to receive(:allowed?).and_return(false)
expect { current_user }.to raise_error /403/
end
it 'returns a 403 response for a user who is blocked' do
user.block!
env[Gitlab::Auth::UserAuthFinders::JOB_TOKEN_HEADER] = job.token
expect { current_user }.to raise_error /403/
end
it "sets current_user" do
env[Gitlab::Auth::UserAuthFinders::JOB_TOKEN_HEADER] = job.token
expect(current_user).to eq(user)
end
end
context 'when route is not allowed to be authenticated' do
let(:route_authentication_setting) { { job_token_allowed: false } }
it "sets current_user to nil" do
env[Gitlab::Auth::UserAuthFinders::JOB_TOKEN_HEADER] = job.token
allow_any_instance_of(Gitlab::UserAccess).to receive(:allowed?).and_return(true)
expect(current_user).to be_nil
end
end
end
end
end
# frozen_string_literal: true
require 'spec_helper'
describe API::ProtectedBranches do
let(:user) { create(:user) }
let!(:project) { create(:project, :repository) }
let(:protected_name) { 'feature' }
let(:branch_name) { protected_name }
let!(:protected_branch) do
create(:protected_branch, project: project, name: protected_name)
end
describe "GET /projects/:id/protected_branches/:branch" do
let(:route) { "/projects/#{project.id}/protected_branches/#{branch_name}" }
shared_examples_for 'protected branch' do
it 'returns the protected branch' do
get api(route, user)
expect(response).to have_gitlab_http_status(200)
expect(json_response['unprotect_access_levels']).to eq([])
end
context 'with per user/group access levels' do
let(:push_user) { create(:user) }
let(:merge_group) { create(:group) }
let(:unprotect_group) { create(:group) }
before do
project.add_developer(push_user)
project.project_group_links.create(group: merge_group)
project.project_group_links.create(group: unprotect_group)
protected_branch.push_access_levels.create!(user: push_user)
protected_branch.merge_access_levels.create!(group: merge_group)
protected_branch.unprotect_access_levels.create!(group: unprotect_group)
end
it 'returns access level details' do
get api(route, user)
push_user_ids = json_response['push_access_levels'].map {|level| level['user_id']}
merge_group_ids = json_response['merge_access_levels'].map {|level| level['group_id']}
unprotect_group_ids = json_response['unprotect_access_levels'].map {|level| level['group_id']}
expect(response).to have_gitlab_http_status(200)
expect(push_user_ids).to include(push_user.id)
expect(merge_group_ids).to include(merge_group.id)
expect(unprotect_group_ids).to include(unprotect_group.id)
end
end
end
context 'when authenticated as a maintainer' do
before do
project.add_maintainer(user)
end
it_behaves_like 'protected branch'
context 'when protected branch contains a wildcard' do
let(:protected_name) { 'feature*' }
it_behaves_like 'protected branch'
end
context 'when protected branch contains a period' do
let(:protected_name) { 'my.feature' }
it_behaves_like 'protected branch'
end
end
context 'when authenticated as a guest' do
before do
project.add_guest(user)
end
it_behaves_like '403 response' do
let(:request) { get api(route, user) }
end
end
end
describe 'POST /projects/:id/protected_branches' do
let(:branch_name) { 'new_branch' }
let(:post_endpoint) { api("/projects/#{project.id}/protected_branches", user) }
def expect_protection_to_be_successful
expect(response).to have_gitlab_http_status(201)
expect(json_response['name']).to eq(branch_name)
end
context 'when authenticated as a maintainer' do
before do
project.add_maintainer(user)
end
it 'protects a single branch' do
post post_endpoint, params: { name: branch_name }
expect(response).to have_gitlab_http_status(201)
expect(json_response['unprotect_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
end
it 'protects a single branch and only admins can unprotect' do
post post_endpoint, params: { name: branch_name, unprotect_access_level: Gitlab::Access::ADMIN }
expect(response).to have_gitlab_http_status(201)
expect(json_response['name']).to eq(branch_name)
expect(json_response['push_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
expect(json_response['merge_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
expect(json_response['unprotect_access_levels'][0]['access_level']).to eq(Gitlab::Access::ADMIN)
end
context 'with granular access' do
let(:invited_group) do
create(:project_group_link, project: project).group
end
let(:project_member) do
create(:project_member, project: project).user
end
it 'can protect a branch while allowing an individual user to push' do
push_user = project_member
post post_endpoint, params: { name: branch_name, allowed_to_push: [{ user_id: push_user.id }] }
expect_protection_to_be_successful
expect(json_response['push_access_levels'][0]['user_id']).to eq(push_user.id)
end
it 'can protect a branch while allowing an individual user to merge' do
merge_user = project_member
post post_endpoint, params: { name: branch_name, allowed_to_merge: [{ user_id: merge_user.id }] }
expect_protection_to_be_successful
expect(json_response['merge_access_levels'][0]['user_id']).to eq(merge_user.id)
end
it 'can protect a branch while allowing an individual user to unprotect' do
unprotect_user = project_member
post post_endpoint, params: { name: branch_name, allowed_to_unprotect: [{ user_id: unprotect_user.id }] }
expect_protection_to_be_successful
expect(json_response['unprotect_access_levels'][0]['user_id']).to eq(unprotect_user.id)
end
it 'can protect a branch while allowing a group to push' do
push_group = invited_group
post post_endpoint, params: { name: branch_name, allowed_to_push: [{ group_id: push_group.id }] }
expect_protection_to_be_successful
expect(json_response['push_access_levels'][0]['group_id']).to eq(push_group.id)
end
it 'can protect a branch while allowing a group to merge' do
merge_group = invited_group
post post_endpoint, params: { name: branch_name, allowed_to_merge: [{ group_id: merge_group.id }] }
expect_protection_to_be_successful
expect(json_response['merge_access_levels'][0]['group_id']).to eq(merge_group.id)
end
it 'can protect a branch while allowing a group to unprotect' do
unprotect_group = invited_group
post post_endpoint, params: { name: branch_name, allowed_to_unprotect: [{ group_id: unprotect_group.id }] }
expect_protection_to_be_successful
expect(json_response['unprotect_access_levels'][0]['group_id']).to eq(unprotect_group.id)
end
it "fails if users don't all have access to the project" do
push_user = create(:user)
post post_endpoint, params: { name: branch_name, allowed_to_merge: [{ user_id: push_user.id }] }
expect(response).to have_gitlab_http_status(422)
expect(json_response['message'][0]).to match(/is not a member of the project/)
end
it "fails if groups aren't all invited to the project" do
merge_group = create(:group)
post post_endpoint, params: { name: branch_name, allowed_to_merge: [{ group_id: merge_group.id }] }
expect(response).to have_gitlab_http_status(422)
expect(json_response['message'][0]).to match(/does not have access to the project/)
end
it 'avoids creating default access levels unless necessary' do
push_user = project_member
post post_endpoint, params: { name: branch_name, allowed_to_push: [{ user_id: push_user.id }] }
expect(response).to have_gitlab_http_status(201)
expect(json_response['push_access_levels'].count).to eq(1)
expect(json_response['merge_access_levels'].count).to eq(1)
expect(json_response['push_access_levels'][0]['user_id']).to eq(push_user.id)
expect(json_response['push_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
end
end
end
end
end
...@@ -433,19 +433,6 @@ describe API::Branches do ...@@ -433,19 +433,6 @@ describe API::Branches do
expect(json_response['developers_can_merge']).to eq(true) expect(json_response['developers_can_merge']).to eq(true)
end end
end end
context "when no one can push" do
let(:protected_branch) { create(:protected_branch, :no_one_can_push, project: project, name: 'protected_branch') }
it "updates 'developers_can_push' without removing the 'no_one' access level" do
put api("/projects/#{project.id}/repository/branches/#{protected_branch.name}/protect", user),
params: { developers_can_push: true, developers_can_merge: true }
expect(response).to have_gitlab_http_status(200)
expect(json_response['name']).to eq(protected_branch.name)
expect(protected_branch.reload.push_access_levels.pluck(:access_level)).to include(Gitlab::Access::NO_ACCESS)
end
end
end end
end end
end end
......
...@@ -23,14 +23,11 @@ describe API::Helpers do ...@@ -23,14 +23,11 @@ describe API::Helpers do
} }
end end
let(:header) { } let(:header) { }
let(:route_authentication_setting) { {} }
let(:request) { Grape::Request.new(env)} let(:request) { Grape::Request.new(env)}
let(:params) { request.params } let(:params) { request.params }
before do before do
allow_any_instance_of(self.class).to receive(:options).and_return({}) allow_any_instance_of(self.class).to receive(:options).and_return({})
allow_any_instance_of(self.class).to receive(:route_authentication_setting)
.and_return(route_authentication_setting)
end end
def warden_authenticate_returns(value) def warden_authenticate_returns(value)
...@@ -222,51 +219,6 @@ describe API::Helpers do ...@@ -222,51 +219,6 @@ describe API::Helpers do
end end
end end
end end
describe "when authenticating using a job token" do
let(:job) { create(:ci_build, user: user) }
context 'when route is allowed to be authenticated' do
let(:route_authentication_setting) { { job_token_allowed: true } }
it "returns a 401 response for an invalid token" do
env[Gitlab::Auth::UserAuthFinders::JOB_TOKEN_HEADER] = 'invalid token'
expect { current_user }.to raise_error /401/
end
it "returns a 403 response for a user without access" do
env[Gitlab::Auth::UserAuthFinders::JOB_TOKEN_HEADER] = job.token
allow_any_instance_of(Gitlab::UserAccess).to receive(:allowed?).and_return(false)
expect { current_user }.to raise_error /403/
end
it 'returns a 403 response for a user who is blocked' do
user.block!
env[Gitlab::Auth::UserAuthFinders::JOB_TOKEN_HEADER] = job.token
expect { current_user }.to raise_error /403/
end
it "sets current_user" do
env[Gitlab::Auth::UserAuthFinders::JOB_TOKEN_HEADER] = job.token
expect(current_user).to eq(user)
end
end
context 'when route is not allowed to be authenticated' do
let(:route_authentication_setting) { { job_token_allowed: false } }
it "sets current_user to nil" do
env[Gitlab::Auth::UserAuthFinders::JOB_TOKEN_HEADER] = job.token
allow_any_instance_of(Gitlab::UserAccess).to receive(:allowed?).and_return(true)
expect(current_user).to be_nil
end
end
end
end end
describe '.handle_api_exception' do describe '.handle_api_exception' do
......
...@@ -56,7 +56,6 @@ describe API::ProtectedBranches do ...@@ -56,7 +56,6 @@ describe API::ProtectedBranches do
expect(json_response['name']).to eq(branch_name) expect(json_response['name']).to eq(branch_name)
expect(json_response['push_access_levels'][0]['access_level']).to eq(::Gitlab::Access::MAINTAINER) expect(json_response['push_access_levels'][0]['access_level']).to eq(::Gitlab::Access::MAINTAINER)
expect(json_response['merge_access_levels'][0]['access_level']).to eq(::Gitlab::Access::MAINTAINER) expect(json_response['merge_access_levels'][0]['access_level']).to eq(::Gitlab::Access::MAINTAINER)
expect(json_response['unprotect_access_levels']).to eq([])
end end
context 'when protected branch does not exist' do context 'when protected branch does not exist' do
...@@ -67,34 +66,6 @@ describe API::ProtectedBranches do ...@@ -67,34 +66,6 @@ describe API::ProtectedBranches do
let(:message) { '404 Not found' } let(:message) { '404 Not found' }
end end
end end
context 'with per user/group access levels' do
let(:push_user) { create(:user) }
let(:merge_group) { create(:group) }
let(:unprotect_group) { create(:group) }
before do
project.add_developer(push_user)
project.project_group_links.create(group: merge_group)
project.project_group_links.create(group: unprotect_group)
protected_branch.push_access_levels.create!(user: push_user)
protected_branch.merge_access_levels.create!(group: merge_group)
protected_branch.unprotect_access_levels.create!(group: unprotect_group)
end
it 'returns access level details' do
get api(route, user)
push_user_ids = json_response['push_access_levels'].map {|level| level['user_id']}
merge_group_ids = json_response['merge_access_levels'].map {|level| level['group_id']}
unprotect_group_ids = json_response['unprotect_access_levels'].map {|level| level['group_id']}
expect(response).to have_gitlab_http_status(200)
expect(push_user_ids).to include(push_user.id)
expect(merge_group_ids).to include(merge_group.id)
expect(unprotect_group_ids).to include(unprotect_group.id)
end
end
end end
context 'when authenticated as a maintainer' do context 'when authenticated as a maintainer' do
...@@ -149,7 +120,6 @@ describe API::ProtectedBranches do ...@@ -149,7 +120,6 @@ describe API::ProtectedBranches do
expect(json_response['name']).to eq(branch_name) expect(json_response['name']).to eq(branch_name)
expect(json_response['push_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER) expect(json_response['push_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
expect(json_response['merge_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER) expect(json_response['merge_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
expect(json_response['unprotect_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
end end
it 'protects a single branch and developers can push' do it 'protects a single branch and developers can push' do
...@@ -197,16 +167,6 @@ describe API::ProtectedBranches do ...@@ -197,16 +167,6 @@ describe API::ProtectedBranches do
expect(json_response['merge_access_levels'][0]['access_level']).to eq(Gitlab::Access::NO_ACCESS) expect(json_response['merge_access_levels'][0]['access_level']).to eq(Gitlab::Access::NO_ACCESS)
end end
it 'protects a single branch and only admins can unprotect' do
post post_endpoint, params: { name: branch_name, unprotect_access_level: Gitlab::Access::ADMIN }
expect(response).to have_gitlab_http_status(201)
expect(json_response['name']).to eq(branch_name)
expect(json_response['push_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
expect(json_response['merge_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
expect(json_response['unprotect_access_levels'][0]['access_level']).to eq(Gitlab::Access::ADMIN)
end
it 'protects a single branch and no one can push or merge' do it 'protects a single branch and no one can push or merge' do
post post_endpoint, params: { name: branch_name, push_access_level: 0, merge_access_level: 0 } post post_endpoint, params: { name: branch_name, push_access_level: 0, merge_access_level: 0 }
...@@ -216,100 +176,6 @@ describe API::ProtectedBranches do ...@@ -216,100 +176,6 @@ describe API::ProtectedBranches do
expect(json_response['merge_access_levels'][0]['access_level']).to eq(Gitlab::Access::NO_ACCESS) expect(json_response['merge_access_levels'][0]['access_level']).to eq(Gitlab::Access::NO_ACCESS)
end end
context 'with granular access' do
let(:invited_group) do
create(:project_group_link, project: project).group
end
let(:project_member) do
create(:project_member, project: project).user
end
it 'can protect a branch while allowing an individual user to push' do
push_user = project_member
post post_endpoint, params: { name: branch_name, allowed_to_push: [{ user_id: push_user.id }] }
expect_protection_to_be_successful
expect(json_response['push_access_levels'][0]['user_id']).to eq(push_user.id)
end
it 'can protect a branch while allowing an individual user to merge' do
merge_user = project_member
post post_endpoint, params: { name: branch_name, allowed_to_merge: [{ user_id: merge_user.id }] }
expect_protection_to_be_successful
expect(json_response['merge_access_levels'][0]['user_id']).to eq(merge_user.id)
end
it 'can protect a branch while allowing an individual user to unprotect' do
unprotect_user = project_member
post post_endpoint, params: { name: branch_name, allowed_to_unprotect: [{ user_id: unprotect_user.id }] }
expect_protection_to_be_successful
expect(json_response['unprotect_access_levels'][0]['user_id']).to eq(unprotect_user.id)
end
it 'can protect a branch while allowing a group to push' do
push_group = invited_group
post post_endpoint, params: { name: branch_name, allowed_to_push: [{ group_id: push_group.id }] }
expect_protection_to_be_successful
expect(json_response['push_access_levels'][0]['group_id']).to eq(push_group.id)
end
it 'can protect a branch while allowing a group to merge' do
merge_group = invited_group
post post_endpoint, params: { name: branch_name, allowed_to_merge: [{ group_id: merge_group.id }] }
expect_protection_to_be_successful
expect(json_response['merge_access_levels'][0]['group_id']).to eq(merge_group.id)
end
it 'can protect a branch while allowing a group to unprotect' do
unprotect_group = invited_group
post post_endpoint, params: { name: branch_name, allowed_to_unprotect: [{ group_id: unprotect_group.id }] }
expect_protection_to_be_successful
expect(json_response['unprotect_access_levels'][0]['group_id']).to eq(unprotect_group.id)
end
it "fails if users don't all have access to the project" do
push_user = create(:user)
post post_endpoint, params: { name: branch_name, allowed_to_merge: [{ user_id: push_user.id }] }
expect(response).to have_gitlab_http_status(422)
expect(json_response['message'][0]).to match(/is not a member of the project/)
end
it "fails if groups aren't all invited to the project" do
merge_group = create(:group)
post post_endpoint, params: { name: branch_name, allowed_to_merge: [{ group_id: merge_group.id }] }
expect(response).to have_gitlab_http_status(422)
expect(json_response['message'][0]).to match(/does not have access to the project/)
end
it 'avoids creating default access levels unless necessary' do
push_user = project_member
post post_endpoint, params: { name: branch_name, allowed_to_push: [{ user_id: push_user.id }] }
expect(response).to have_gitlab_http_status(201)
expect(json_response['push_access_levels'].count).to eq(1)
expect(json_response['merge_access_levels'].count).to eq(1)
expect(json_response['push_access_levels'][0]['user_id']).to eq(push_user.id)
expect(json_response['push_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
end
end
it 'returns a 409 error if the same branch is protected twice' do it 'returns a 409 error if the same branch is protected twice' do
post post_endpoint, params: { name: protected_name } post post_endpoint, params: { name: protected_name }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment