Merge branch 'id-spec-requests-api' into 'master'

Extract EE specific specs from spec/requests/api

Closes #6671

See merge request gitlab-org/gitlab-ee!10851

ee/spec/requests/api/branches_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe API::Branches do
+  describe 'PUT /projects/:id/repository/branches/:branch/protect' do
+    context 'when authenticated', 'as a maintainer' do
+      let(:user) { create(:user) }
+      let(:project) { create(:project, :repository, creator: user, path: 'my.project') }
+
+      before do
+        project.add_maintainer(user)
+      end
+
+      context 'when protected branch already exists' do
+        before do
+          project.repository.add_branch(user, protected_branch.name, 'master')
+        end
+
+        context "when no one can push" do
+          let(:protected_branch) { create(:protected_branch, :no_one_can_push, project: project, name: 'protected_branch') }
+
+          it "updates 'developers_can_push' without removing the 'no_one' access level" do
+            put api("/projects/#{project.id}/repository/branches/#{protected_branch.name}/protect", user),
+                params: { developers_can_push: true, developers_can_merge: true }
+
+            expect(response).to have_gitlab_http_status(200)
+            expect(json_response['name']).to eq(protected_branch.name)
+            expect(protected_branch.reload.push_access_levels.pluck(:access_level)).to include(Gitlab::Access::NO_ACCESS)
+          end
+        end
+      end
+    end
+  end
+end

ee/spec/requests/api/helpers_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe API::Helpers do
+  include API::APIGuard::HelperMethods
+  include described_class
+
+  let(:user) { create(:user) }
+  let(:route_authentication_setting) { {} }
+  let(:csrf_token) { SecureRandom.base64(ActionController::RequestForgeryProtection::AUTHENTICITY_TOKEN_LENGTH) }
+  let(:env) do
+    {
+      'rack.input' => '',
+      'rack.session' => {
+        _csrf_token: csrf_token
+      },
+      'REQUEST_METHOD' => 'GET',
+      'CONTENT_TYPE' => 'text/plain;charset=utf-8'
+    }
+  end
+  let(:header) { }
+  let(:request) { Grape::Request.new(env)}
+  let(:params) { request.params }
+
+  def error!(message, status, header)
+    raise Exception.new("#{status} - #{message}")
+  end
+
+  before do
+    allow_any_instance_of(self.class).to receive(:options).and_return({})
+    allow_any_instance_of(self.class).to receive(:route_authentication_setting)
+      .and_return(route_authentication_setting)
+  end
+
+  describe ".current_user" do
+    describe "when authenticating using a job token" do
+      let(:job) { create(:ci_build, user: user) }
+
+      context 'when route is allowed to be authenticated' do
+        let(:route_authentication_setting) { { job_token_allowed: true } }
+
+        it "returns a 401 response for an invalid token" do
+          env[Gitlab::Auth::UserAuthFinders::JOB_TOKEN_HEADER] = 'invalid token'
+
+          expect { current_user }.to raise_error /401/
+        end
+
+        it "returns a 403 response for a user without access" do
+          env[Gitlab::Auth::UserAuthFinders::JOB_TOKEN_HEADER] = job.token
+          allow_any_instance_of(Gitlab::UserAccess).to receive(:allowed?).and_return(false)
+
+          expect { current_user }.to raise_error /403/
+        end
+
+        it 'returns a 403 response for a user who is blocked' do
+          user.block!
+          env[Gitlab::Auth::UserAuthFinders::JOB_TOKEN_HEADER] = job.token
+
+          expect { current_user }.to raise_error /403/
+        end
+
+        it "sets current_user" do
+          env[Gitlab::Auth::UserAuthFinders::JOB_TOKEN_HEADER] = job.token
+
+          expect(current_user).to eq(user)
+        end
+      end
+
+      context 'when route is not allowed to be authenticated' do
+        let(:route_authentication_setting) { { job_token_allowed: false } }
+
+        it "sets current_user to nil" do
+          env[Gitlab::Auth::UserAuthFinders::JOB_TOKEN_HEADER] = job.token
+          allow_any_instance_of(Gitlab::UserAccess).to receive(:allowed?).and_return(true)
+
+          expect(current_user).to be_nil
+        end
+      end
+    end
+  end
+end

ee/spec/requests/api/protected_branches_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe API::ProtectedBranches do
+  let(:user) { create(:user) }
+  let!(:project) { create(:project, :repository) }
+  let(:protected_name) { 'feature' }
+  let(:branch_name) { protected_name }
+  let!(:protected_branch) do
+    create(:protected_branch, project: project, name: protected_name)
+  end
+
+  describe "GET /projects/:id/protected_branches/:branch" do
+    let(:route) { "/projects/#{project.id}/protected_branches/#{branch_name}" }
+
+    shared_examples_for 'protected branch' do
+      it 'returns the protected branch' do
+        get api(route, user)
+
+        expect(response).to have_gitlab_http_status(200)
+        expect(json_response['unprotect_access_levels']).to eq([])
+      end
+
+      context 'with per user/group access levels' do
+        let(:push_user) { create(:user) }
+        let(:merge_group) { create(:group) }
+        let(:unprotect_group) { create(:group) }
+
+        before do
+          project.add_developer(push_user)
+          project.project_group_links.create(group: merge_group)
+          project.project_group_links.create(group: unprotect_group)
+          protected_branch.push_access_levels.create!(user: push_user)
+          protected_branch.merge_access_levels.create!(group: merge_group)
+          protected_branch.unprotect_access_levels.create!(group: unprotect_group)
+        end
+
+        it 'returns access level details' do
+          get api(route, user)
+
+          push_user_ids = json_response['push_access_levels'].map {|level| level['user_id']}
+          merge_group_ids = json_response['merge_access_levels'].map {|level| level['group_id']}
+          unprotect_group_ids = json_response['unprotect_access_levels'].map {|level| level['group_id']}
+
+          expect(response).to have_gitlab_http_status(200)
+          expect(push_user_ids).to include(push_user.id)
+          expect(merge_group_ids).to include(merge_group.id)
+          expect(unprotect_group_ids).to include(unprotect_group.id)
+        end
+      end
+    end
+
+    context 'when authenticated as a maintainer' do
+      before do
+        project.add_maintainer(user)
+      end
+
+      it_behaves_like 'protected branch'
+
+      context 'when protected branch contains a wildcard' do
+        let(:protected_name) { 'feature*' }
+
+        it_behaves_like 'protected branch'
+      end
+
+      context 'when protected branch contains a period' do
+        let(:protected_name) { 'my.feature' }
+
+        it_behaves_like 'protected branch'
+      end
+    end
+
+    context 'when authenticated as a guest' do
+      before do
+        project.add_guest(user)
+      end
+
+      it_behaves_like '403 response' do
+        let(:request) { get api(route, user) }
+      end
+    end
+  end
+
+  describe 'POST /projects/:id/protected_branches' do
+    let(:branch_name) { 'new_branch' }
+    let(:post_endpoint) { api("/projects/#{project.id}/protected_branches", user) }
+
+    def expect_protection_to_be_successful
+      expect(response).to have_gitlab_http_status(201)
+      expect(json_response['name']).to eq(branch_name)
+    end
+
+    context 'when authenticated as a maintainer' do
+      before do
+        project.add_maintainer(user)
+      end
+
+      it 'protects a single branch' do
+        post post_endpoint, params: { name: branch_name }
+
+        expect(response).to have_gitlab_http_status(201)
+        expect(json_response['unprotect_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
+      end
+
+      it 'protects a single branch and only admins can unprotect' do
+        post post_endpoint, params: { name: branch_name, unprotect_access_level: Gitlab::Access::ADMIN }
+
+        expect(response).to have_gitlab_http_status(201)
+        expect(json_response['name']).to eq(branch_name)
+        expect(json_response['push_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
+        expect(json_response['merge_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
+        expect(json_response['unprotect_access_levels'][0]['access_level']).to eq(Gitlab::Access::ADMIN)
+      end
+
+      context 'with granular access' do
+        let(:invited_group) do
+          create(:project_group_link, project: project).group
+        end
+
+        let(:project_member) do
+          create(:project_member, project: project).user
+        end
+
+        it 'can protect a branch while allowing an individual user to push' do
+          push_user = project_member
+
+          post post_endpoint, params: { name: branch_name, allowed_to_push: [{ user_id: push_user.id }] }
+
+          expect_protection_to_be_successful
+          expect(json_response['push_access_levels'][0]['user_id']).to eq(push_user.id)
+        end
+
+        it 'can protect a branch while allowing an individual user to merge' do
+          merge_user = project_member
+
+          post post_endpoint, params: { name: branch_name, allowed_to_merge: [{ user_id: merge_user.id }] }
+
+          expect_protection_to_be_successful
+          expect(json_response['merge_access_levels'][0]['user_id']).to eq(merge_user.id)
+        end
+
+        it 'can protect a branch while allowing an individual user to unprotect' do
+          unprotect_user = project_member
+
+          post post_endpoint, params: { name: branch_name, allowed_to_unprotect: [{ user_id: unprotect_user.id }] }
+
+          expect_protection_to_be_successful
+          expect(json_response['unprotect_access_levels'][0]['user_id']).to eq(unprotect_user.id)
+        end
+
+        it 'can protect a branch while allowing a group to push' do
+          push_group = invited_group
+
+          post post_endpoint, params: { name: branch_name, allowed_to_push: [{ group_id: push_group.id }] }
+
+          expect_protection_to_be_successful
+          expect(json_response['push_access_levels'][0]['group_id']).to eq(push_group.id)
+        end
+
+        it 'can protect a branch while allowing a group to merge' do
+          merge_group = invited_group
+
+          post post_endpoint, params: { name: branch_name, allowed_to_merge: [{ group_id: merge_group.id }] }
+
+          expect_protection_to_be_successful
+          expect(json_response['merge_access_levels'][0]['group_id']).to eq(merge_group.id)
+        end
+
+        it 'can protect a branch while allowing a group to unprotect' do
+          unprotect_group = invited_group
+
+          post post_endpoint, params: { name: branch_name, allowed_to_unprotect: [{ group_id: unprotect_group.id }] }
+
+          expect_protection_to_be_successful
+          expect(json_response['unprotect_access_levels'][0]['group_id']).to eq(unprotect_group.id)
+        end
+
+        it "fails if users don't all have access to the project" do
+          push_user = create(:user)
+
+          post post_endpoint, params: { name: branch_name, allowed_to_merge: [{ user_id: push_user.id }] }
+
+          expect(response).to have_gitlab_http_status(422)
+          expect(json_response['message'][0]).to match(/is not a member of the project/)
+        end
+
+        it "fails if groups aren't all invited to the project" do
+          merge_group = create(:group)
+
+          post post_endpoint, params: { name: branch_name, allowed_to_merge: [{ group_id: merge_group.id }] }
+
+          expect(response).to have_gitlab_http_status(422)
+          expect(json_response['message'][0]).to match(/does not have access to the project/)
+        end
+
+        it 'avoids creating default access levels unless necessary' do
+          push_user = project_member
+
+          post post_endpoint, params: { name: branch_name, allowed_to_push: [{ user_id: push_user.id }] }
+
+          expect(response).to have_gitlab_http_status(201)
+          expect(json_response['push_access_levels'].count).to eq(1)
+          expect(json_response['merge_access_levels'].count).to eq(1)
+          expect(json_response['push_access_levels'][0]['user_id']).to eq(push_user.id)
+          expect(json_response['push_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
+        end
+      end
+    end
+  end
+end

spec/requests/api/branches_spec.rb

@@ -433,19 +433,6 @@ describe API::Branches do
             expect(json_response['developers_can_merge']).to eq(true)
           end
         end
-
-        context "when no one can push" do
-          let(:protected_branch) { create(:protected_branch, :no_one_can_push, project: project, name: 'protected_branch') }
-
-          it "updates 'developers_can_push' without removing the 'no_one' access level" do
-            put api("/projects/#{project.id}/repository/branches/#{protected_branch.name}/protect", user),
-                params: { developers_can_push: true, developers_can_merge: true }
-
-            expect(response).to have_gitlab_http_status(200)
-            expect(json_response['name']).to eq(protected_branch.name)
-            expect(protected_branch.reload.push_access_levels.pluck(:access_level)).to include(Gitlab::Access::NO_ACCESS)
-          end
-        end
       end
     end
   end

spec/requests/api/helpers_spec.rb

@@ -23,14 +23,11 @@ describe API::Helpers do
     }
   end
   let(:header) { }
-  let(:route_authentication_setting) { {} }
   let(:request) { Grape::Request.new(env)}
   let(:params) { request.params }
 
   before do
     allow_any_instance_of(self.class).to receive(:options).and_return({})
-    allow_any_instance_of(self.class).to receive(:route_authentication_setting)
-      .and_return(route_authentication_setting)
   end
 
   def warden_authenticate_returns(value)
@@ -222,51 +219,6 @@ describe API::Helpers do
         end
       end
     end
-
-    describe "when authenticating using a job token" do
-      let(:job) { create(:ci_build, user: user) }
-
-      context 'when route is allowed to be authenticated' do
-        let(:route_authentication_setting) { { job_token_allowed: true } }
-
-        it "returns a 401 response for an invalid token" do
-          env[Gitlab::Auth::UserAuthFinders::JOB_TOKEN_HEADER] = 'invalid token'
-
-          expect { current_user }.to raise_error /401/
-        end
-
-        it "returns a 403 response for a user without access" do
-          env[Gitlab::Auth::UserAuthFinders::JOB_TOKEN_HEADER] = job.token
-          allow_any_instance_of(Gitlab::UserAccess).to receive(:allowed?).and_return(false)
-
-          expect { current_user }.to raise_error /403/
-        end
-
-        it 'returns a 403 response for a user who is blocked' do
-          user.block!
-          env[Gitlab::Auth::UserAuthFinders::JOB_TOKEN_HEADER] = job.token
-
-          expect { current_user }.to raise_error /403/
-        end
-
-        it "sets current_user" do
-          env[Gitlab::Auth::UserAuthFinders::JOB_TOKEN_HEADER] = job.token
-
-          expect(current_user).to eq(user)
-        end
-      end
-
-      context 'when route is not allowed to be authenticated' do
-        let(:route_authentication_setting) { { job_token_allowed: false } }
-
-        it "sets current_user to nil" do
-          env[Gitlab::Auth::UserAuthFinders::JOB_TOKEN_HEADER] = job.token
-          allow_any_instance_of(Gitlab::UserAccess).to receive(:allowed?).and_return(true)
-
-          expect(current_user).to be_nil
-        end
-      end
-    end
   end
 
   describe '.handle_api_exception' do

spec/requests/api/protected_branches_spec.rb

@@ -56,7 +56,6 @@ describe API::ProtectedBranches do
         expect(json_response['name']).to eq(branch_name)
         expect(json_response['push_access_levels'][0]['access_level']).to eq(::Gitlab::Access::MAINTAINER)
         expect(json_response['merge_access_levels'][0]['access_level']).to eq(::Gitlab::Access::MAINTAINER)
-        expect(json_response['unprotect_access_levels']).to eq([])
       end
 
       context 'when protected branch does not exist' do
@@ -67,34 +66,6 @@ describe API::ProtectedBranches do
           let(:message) { '404 Not found' }
         end
       end
-
-      context 'with per user/group access levels' do
-        let(:push_user) { create(:user) }
-        let(:merge_group) { create(:group) }
-        let(:unprotect_group) { create(:group) }
-
-        before do
-          project.add_developer(push_user)
-          project.project_group_links.create(group: merge_group)
-          project.project_group_links.create(group: unprotect_group)
-          protected_branch.push_access_levels.create!(user: push_user)
-          protected_branch.merge_access_levels.create!(group: merge_group)
-          protected_branch.unprotect_access_levels.create!(group: unprotect_group)
-        end
-
-        it 'returns access level details' do
-          get api(route, user)
-
-          push_user_ids = json_response['push_access_levels'].map {|level| level['user_id']}
-          merge_group_ids = json_response['merge_access_levels'].map {|level| level['group_id']}
-          unprotect_group_ids = json_response['unprotect_access_levels'].map {|level| level['group_id']}
-
-          expect(response).to have_gitlab_http_status(200)
-          expect(push_user_ids).to include(push_user.id)
-          expect(merge_group_ids).to include(merge_group.id)
-          expect(unprotect_group_ids).to include(unprotect_group.id)
-        end
-      end
     end
 
     context 'when authenticated as a maintainer' do
@@ -149,7 +120,6 @@ describe API::ProtectedBranches do
         expect(json_response['name']).to eq(branch_name)
         expect(json_response['push_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
         expect(json_response['merge_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
-        expect(json_response['unprotect_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
       end
 
       it 'protects a single branch and developers can push' do
@@ -197,16 +167,6 @@ describe API::ProtectedBranches do
         expect(json_response['merge_access_levels'][0]['access_level']).to eq(Gitlab::Access::NO_ACCESS)
       end
 
-      it 'protects a single branch and only admins can unprotect' do
-        post post_endpoint, params: { name: branch_name, unprotect_access_level: Gitlab::Access::ADMIN }
-
-        expect(response).to have_gitlab_http_status(201)
-        expect(json_response['name']).to eq(branch_name)
-        expect(json_response['push_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
-        expect(json_response['merge_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
-        expect(json_response['unprotect_access_levels'][0]['access_level']).to eq(Gitlab::Access::ADMIN)
-      end
-
       it 'protects a single branch and no one can push or merge' do
         post post_endpoint, params: { name: branch_name, push_access_level: 0, merge_access_level: 0 }
 
@@ -216,100 +176,6 @@ describe API::ProtectedBranches do
         expect(json_response['merge_access_levels'][0]['access_level']).to eq(Gitlab::Access::NO_ACCESS)
       end
 
-      context 'with granular access' do
-        let(:invited_group) do
-          create(:project_group_link, project: project).group
-        end
-
-        let(:project_member) do
-          create(:project_member, project: project).user
-        end
-
-        it 'can protect a branch while allowing an individual user to push' do
-          push_user = project_member
-
-          post post_endpoint, params: { name: branch_name, allowed_to_push: [{ user_id: push_user.id }] }
-
-          expect_protection_to_be_successful
-          expect(json_response['push_access_levels'][0]['user_id']).to eq(push_user.id)
-        end
-
-        it 'can protect a branch while allowing an individual user to merge' do
-          merge_user = project_member
-
-          post post_endpoint, params: { name: branch_name, allowed_to_merge: [{ user_id: merge_user.id }] }
-
-          expect_protection_to_be_successful
-          expect(json_response['merge_access_levels'][0]['user_id']).to eq(merge_user.id)
-        end
-
-        it 'can protect a branch while allowing an individual user to unprotect' do
-          unprotect_user = project_member
-
-          post post_endpoint, params: { name: branch_name, allowed_to_unprotect: [{ user_id: unprotect_user.id }] }
-
-          expect_protection_to_be_successful
-          expect(json_response['unprotect_access_levels'][0]['user_id']).to eq(unprotect_user.id)
-        end
-
-        it 'can protect a branch while allowing a group to push' do
-          push_group = invited_group
-
-          post post_endpoint, params: { name: branch_name, allowed_to_push: [{ group_id: push_group.id }] }
-
-          expect_protection_to_be_successful
-          expect(json_response['push_access_levels'][0]['group_id']).to eq(push_group.id)
-        end
-
-        it 'can protect a branch while allowing a group to merge' do
-          merge_group = invited_group
-
-          post post_endpoint, params: { name: branch_name, allowed_to_merge: [{ group_id: merge_group.id }] }
-
-          expect_protection_to_be_successful
-          expect(json_response['merge_access_levels'][0]['group_id']).to eq(merge_group.id)
-        end
-
-        it 'can protect a branch while allowing a group to unprotect' do
-          unprotect_group = invited_group
-
-          post post_endpoint, params: { name: branch_name, allowed_to_unprotect: [{ group_id: unprotect_group.id }] }
-
-          expect_protection_to_be_successful
-          expect(json_response['unprotect_access_levels'][0]['group_id']).to eq(unprotect_group.id)
-        end
-
-        it "fails if users don't all have access to the project" do
-          push_user = create(:user)
-
-          post post_endpoint, params: { name: branch_name, allowed_to_merge: [{ user_id: push_user.id }] }
-
-          expect(response).to have_gitlab_http_status(422)
-          expect(json_response['message'][0]).to match(/is not a member of the project/)
-        end
-
-        it "fails if groups aren't all invited to the project" do
-          merge_group = create(:group)
-
-          post post_endpoint, params: { name: branch_name, allowed_to_merge: [{ group_id: merge_group.id }] }
-
-          expect(response).to have_gitlab_http_status(422)
-          expect(json_response['message'][0]).to match(/does not have access to the project/)
-        end
-
-        it 'avoids creating default access levels unless necessary' do
-          push_user = project_member
-
-          post post_endpoint, params: { name: branch_name, allowed_to_push: [{ user_id: push_user.id }] }
-
-          expect(response).to have_gitlab_http_status(201)
-          expect(json_response['push_access_levels'].count).to eq(1)
-          expect(json_response['merge_access_levels'].count).to eq(1)
-          expect(json_response['push_access_levels'][0]['user_id']).to eq(push_user.id)
-          expect(json_response['push_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER)
-        end
-      end
-
       it 'returns a 409 error if the same branch is protected twice' do
         post post_endpoint, params: { name: protected_name }