Merge branch '62826-graphql-note-mutations-ee' into 'master'

GraphQL mutations for managing Notes (EE)

See merge request gitlab-org/gitlab-ee!14497

app/graphql/gitlab_schema.rb

@@ -66,6 +66,8 @@ class GitlabSchema < GraphQL::Schema
 
       if gid.model_class < ApplicationRecord
         Gitlab::Graphql::Loaders::BatchModelLoader.new(gid.model_class, gid.model_id).find
+      elsif gid.model_class.respond_to?(:lazy_find)
+        gid.model_class.lazy_find(gid.model_id)
       else
         gid.find
       end

app/graphql/mutations/notes/base.rb

+# frozen_string_literal: true
+
+module Mutations
+  module Notes
+    class Base < BaseMutation
+      include Gitlab::Graphql::Authorize::AuthorizeResource
+
+      field :note,
+            Types::Notes::NoteType,
+            null: true,
+            description: 'The note after mutation'
+
+      private
+
+      def find_object(id:)
+        GitlabSchema.object_from_id(id)
+      end
+
+      def check_object_is_noteable!(object)
+        unless object.is_a?(Noteable)
+          raise Gitlab::Graphql::Errors::ResourceNotAvailable,
+                'Cannot add notes to this resource'
+        end
+      end
+
+      def check_object_is_note!(object)
+        unless object.is_a?(Note)
+          raise Gitlab::Graphql::Errors::ResourceNotAvailable,
+                'Resource is not a note'
+        end
+      end
+    end
+  end
+end

app/graphql/mutations/notes/create/base.rb

+# frozen_string_literal: true
+
+module Mutations
+  module Notes
+    module Create
+      # This is a Base class for the Note creation Mutations and is not
+      # mounted as a GraphQL mutation itself.
+      class Base < Mutations::Notes::Base
+        authorize :create_note
+
+        argument :noteable_id,
+                  GraphQL::ID_TYPE,
+                  required: true,
+                  description: 'The global id of the resource to add a note to'
+
+        argument :body,
+                  GraphQL::STRING_TYPE,
+                  required: true,
+                  description: copy_field_description(Types::Notes::NoteType, :body)
+
+        private
+
+        def resolve(args)
+          noteable = authorized_find!(id: args[:noteable_id])
+
+          check_object_is_noteable!(noteable)
+
+          note = ::Notes::CreateService.new(
+            noteable.project,
+            current_user,
+            create_note_params(noteable, args)
+          ).execute
+
+          {
+            note: (note if note.persisted?),
+            errors: errors_on_object(note)
+          }
+        end
+
+        def create_note_params(noteable, args)
+          {
+            noteable: noteable,
+            note: args[:body]
+          }
+        end
+      end
+    end
+  end
+end

app/graphql/mutations/notes/create/diff_note.rb

+# frozen_string_literal: true
+
+module Mutations
+  module Notes
+    module Create
+      class DiffNote < Base
+        graphql_name 'CreateDiffNote'
+
+        argument :position,
+                  Types::Notes::DiffPositionInputType,
+                  required: true,
+                  description: copy_field_description(Types::Notes::NoteType, :position)
+
+        private
+
+        def create_note_params(noteable, args)
+          super(noteable, args).merge({
+            type: 'DiffNote',
+            position: position(noteable, args)
+          })
+        end
+
+        def position(noteable, args)
+          position = args[:position].to_h
+          position[:position_type] = 'text'
+          position.merge!(position[:paths].to_h)
+
+          Gitlab::Diff::Position.new(position)
+        end
+      end
+    end
+  end
+end

app/graphql/mutations/notes/create/image_diff_note.rb

+# frozen_string_literal: true
+
+module Mutations
+  module Notes
+    module Create
+      class ImageDiffNote < Base
+        graphql_name 'CreateImageDiffNote'
+
+        argument :position,
+                  Types::Notes::DiffImagePositionInputType,
+                  required: true,
+                  description: copy_field_description(Types::Notes::NoteType, :position)
+
+        private
+
+        def create_note_params(noteable, args)
+          super(noteable, args).merge({
+            type: 'DiffNote',
+            position: position(noteable, args)
+          })
+        end
+
+        def position(noteable, args)
+          position = args[:position].to_h
+          position[:position_type] = 'image'
+          position.merge!(position[:paths].to_h)
+
+          Gitlab::Diff::Position.new(position)
+        end
+      end
+    end
+  end
+end

app/graphql/mutations/notes/create/note.rb

+# frozen_string_literal: true
+
+module Mutations
+  module Notes
+    module Create
+      class Note < Base
+        graphql_name 'CreateNote'
+
+        argument :discussion_id,
+                  GraphQL::ID_TYPE,
+                  required: false,
+                  description: 'The global id of the discussion this note is in reply to'
+
+        private
+
+        def create_note_params(noteable, args)
+          discussion_id = nil
+
+          if args[:discussion_id]
+            discussion = GitlabSchema.object_from_id(args[:discussion_id])
+            authorize_discussion!(discussion)
+
+            discussion_id = discussion.id
+          end
+
+          super(noteable, args).merge({
+            in_reply_to_discussion_id: discussion_id
+          })
+        end
+
+        def authorize_discussion!(discussion)
+          unless Ability.allowed?(current_user, :read_note, discussion, scope: :user)
+            raise Gitlab::Graphql::Errors::ResourceNotAvailable,
+              "The discussion does not exist or you don't have permission to perform this action"
+          end
+        end
+      end
+    end
+  end
+end

app/graphql/mutations/notes/destroy.rb

+# frozen_string_literal: true
+
+module Mutations
+  module Notes
+    class Destroy < Base
+      graphql_name 'DestroyNote'
+
+      authorize :admin_note
+
+      argument :id,
+                GraphQL::ID_TYPE,
+                required: true,
+                description: 'The global id of the note to destroy'
+
+      def resolve(id:)
+        note = authorized_find!(id: id)
+
+        check_object_is_note!(note)
+
+        ::Notes::DestroyService.new(note.project, current_user).execute(note)
+
+        {
+          errors: []
+        }
+      end
+    end
+  end
+end

app/graphql/mutations/notes/update.rb

+# frozen_string_literal: true
+
+module Mutations
+  module Notes
+    class Update < Base
+      graphql_name 'UpdateNote'
+
+      authorize :admin_note
+
+      argument :id,
+                GraphQL::ID_TYPE,
+                required: true,
+                description: 'The global id of the note to update'
+
+      argument :body,
+                GraphQL::STRING_TYPE,
+                required: true,
+                description: copy_field_description(Types::Notes::NoteType, :body)
+
+      def resolve(args)
+        note = authorized_find!(id: args[:id])
+
+        check_object_is_note!(note)
+
+        note = ::Notes::UpdateService.new(
+          note.project,
+          current_user,
+          { note: args[:body] }
+        ).execute(note)
+
+        {
+          note: note.reset,
+          errors: errors_on_object(note)
+        }
+      end
+    end
+  end
+end

app/graphql/types/base_input_object.rb

@@ -2,5 +2,6 @@
 
 module Types
   class BaseInputObject < GraphQL::Schema::InputObject
+    prepend Gitlab::Graphql::CopyFieldDescription
   end
 end

app/graphql/types/diff_paths_input_type.rb

+# frozen_string_literal: true
+
+module Types
+  # rubocop: disable Graphql/AuthorizeTypes
+  class DiffPathsInputType < BaseInputObject
+    argument :old_path, GraphQL::STRING_TYPE, required: false,
+              description: 'The path of the file on the start sha'
+    argument :new_path, GraphQL::STRING_TYPE, required: false,
+              description: 'The path of the file on the head sha'
+  end
+  # rubocop: enable Graphql/AuthorizeTypes
+end

app/graphql/types/diff_refs_type.rb

+# frozen_string_literal: true
+
+module Types
+  # rubocop: disable Graphql/AuthorizeTypes
+  # Types that use DiffRefsType should have their own authorization
+  class DiffRefsType < BaseObject
+    graphql_name 'DiffRefs'
+
+    field :head_sha, GraphQL::STRING_TYPE, null: false, description: 'The sha of the head at the time the comment was made'
+    field :base_sha, GraphQL::STRING_TYPE, null: false, description: 'The merge base of the branch the comment was made on'
+    field :start_sha, GraphQL::STRING_TYPE, null: false, description: 'The sha of the branch being compared against'
+  end
+  # rubocop: enable Graphql/AuthorizeTypes
+end

app/graphql/types/merge_request_type.rb

@@ -23,6 +23,7 @@ module Types
     field :updated_at, Types::TimeType, null: false
     field :source_project, Types::ProjectType, null: true
     field :target_project, Types::ProjectType, null: false
+    field :diff_refs, Types::DiffRefsType, null: true
     # Alias for target_project
     field :project, Types::ProjectType, null: false
     field :project_id, GraphQL::INT_TYPE, null: false, method: :target_project_id

app/graphql/types/mutation_type.rb

@@ -10,6 +10,11 @@ module Types
     mount_mutation Mutations::AwardEmojis::Remove
     mount_mutation Mutations::AwardEmojis::Toggle
     mount_mutation Mutations::MergeRequests::SetWip, calls_gitaly: true
+    mount_mutation Mutations::Notes::Create::Note, calls_gitaly: true
+    mount_mutation Mutations::Notes::Create::DiffNote, calls_gitaly: true
+    mount_mutation Mutations::Notes::Create::ImageDiffNote, calls_gitaly: true
+    mount_mutation Mutations::Notes::Update
+    mount_mutation Mutations::Notes::Destroy
   end
 end
 

app/graphql/types/notes/diff_image_position_input_type.rb

+# frozen_string_literal: true
+
+module Types
+  module Notes
+    # rubocop: disable Graphql/AuthorizeTypes
+    class DiffImagePositionInputType < DiffPositionBaseInputType
+      graphql_name 'DiffImagePositionInput'
+
+      argument :x, GraphQL::INT_TYPE, required: true,
+               description: copy_field_description(Types::Notes::DiffPositionType, :x)
+      argument :y, GraphQL::INT_TYPE, required: true,
+               description: copy_field_description(Types::Notes::DiffPositionType, :y)
+      argument :width, GraphQL::INT_TYPE, required: true,
+               description: copy_field_description(Types::Notes::DiffPositionType, :width)
+      argument :height, GraphQL::INT_TYPE, required: true,
+               description: copy_field_description(Types::Notes::DiffPositionType, :height)
+    end
+    # rubocop: enable Graphql/AuthorizeTypes
+  end
+end

app/graphql/types/notes/diff_position_base_input_type.rb

+# frozen_string_literal: true
+
+module Types
+  module Notes
+    # rubocop: disable Graphql/AuthorizeTypes
+    class DiffPositionBaseInputType < BaseInputObject
+      argument :head_sha, GraphQL::STRING_TYPE, required: true,
+               description: copy_field_description(Types::DiffRefsType, :head_sha)
+      argument :base_sha,  GraphQL::STRING_TYPE, required: false,
+               description: copy_field_description(Types::DiffRefsType, :base_sha)
+      argument :start_sha, GraphQL::STRING_TYPE, required: true,
+               description: copy_field_description(Types::DiffRefsType, :start_sha)
+
+      argument :paths,
+               Types::DiffPathsInputType,
+               required: true,
+               description: 'The paths of the file that was changed. ' \
+                            'Both of the properties of this input are optional, but at least one of them is required'
+    end
+    # rubocop: enable Graphql/AuthorizeTypes
+  end
+end

app/graphql/types/notes/diff_position_input_type.rb

+# frozen_string_literal: true
+
+module Types
+  module Notes
+    # rubocop: disable Graphql/AuthorizeTypes
+    class DiffPositionInputType < DiffPositionBaseInputType
+      graphql_name 'DiffPositionInput'
+
+      argument :old_line, GraphQL::INT_TYPE, required: false,
+               description: copy_field_description(Types::Notes::DiffPositionType, :old_line)
+      argument :new_line, GraphQL::INT_TYPE, required: true,
+               description: copy_field_description(Types::Notes::DiffPositionType, :new_line)
+    end
+    # rubocop: enable Graphql/AuthorizeTypes
+  end
+end

app/graphql/types/notes/diff_position_type.rb

@@ -7,12 +7,7 @@ module Types
     class DiffPositionType < BaseObject
       graphql_name 'DiffPosition'
 
-      field :head_sha, GraphQL::STRING_TYPE, null: false,
-            description: "The sha of the head at the time the comment was made"
-      field :base_sha,  GraphQL::STRING_TYPE, null: true,
-            description: "The merge base of the branch the comment was made on"
-      field :start_sha, GraphQL::STRING_TYPE, null: false,
-            description: "The sha of the branch being compared against"
+      field :diff_refs, Types::DiffRefsType, null: false
 
       field :file_path, GraphQL::STRING_TYPE, null: false,
             description: "The path of the file that was changed"

app/graphql/types/notes/discussion_type.rb

@@ -8,8 +8,16 @@ module Types
       authorize :read_note
 
       field :id, GraphQL::ID_TYPE, null: false
+      field :reply_id, GraphQL::ID_TYPE, null: false, description: 'The ID used to reply to this discussion'
       field :created_at, Types::TimeType, null: false
       field :notes, Types::Notes::NoteType.connection_type, null: false, description: "All notes in the discussion"
+
+      # The gem we use to generate Global IDs is hard-coded to work with
+      # `id` properties. To generate a GID for the `reply_id` property,
+      # we must use the ::Gitlab::GlobalId module.
+      def reply_id
+        ::Gitlab::GlobalId.build(object, id: object.reply_id)
+      end
     end
   end
 end

app/models/discussion.rb

@@ -38,6 +38,17 @@ class Discussion
     grouped_notes.values.map { |notes| build(notes, context_noteable) }
   end
 
+  def self.lazy_find(discussion_id)
+    BatchLoader.for(discussion_id).batch do |discussion_ids, loader|
+      results = Note.where(discussion_id: discussion_ids).fresh.to_a.group_by(&:discussion_id)
+      results.each do |discussion_id, notes|
+        next if notes.empty?
+
+        loader.call(discussion_id, Discussion.build(notes))
+      end
+    end
+  end
+
   # Returns an alphanumeric discussion ID based on `build_discussion_id`
   def self.discussion_id(note)
     Digest::SHA1.hexdigest(build_discussion_id(note).join("-"))

app/models/note.rb

@@ -158,6 +158,8 @@ class Note < ApplicationRecord
       Discussion.build_collection(all.includes(:noteable).fresh, context_noteable)
     end
 
+    # Note: Where possible consider using Discussion#lazy_find to return
+    # Discussions in order to benefit from having records batch loaded.
     def find_discussion(discussion_id)
       notes = where(discussion_id: discussion_id).fresh.to_a
 

changelogs/unreleased/62826-graphql-note-mutations.yml

+---
+title: GraphQL mutations for managing Notes
+merge_request: 30210
+author:
+type: added

ee/app/graphql/types/design_management/design_type.rb

@@ -15,7 +15,9 @@ module Types
       field :project, Types::ProjectType, null: false
       field :issue, Types::IssueType, null: false
       field :filename, GraphQL::STRING_TYPE, null: false
+      field :full_path, GraphQL::STRING_TYPE, null: false
       field :image, GraphQL::STRING_TYPE, null: false, extras: [:parent]
+      field :diff_refs, Types::DiffRefsType, null: false, calls_gitaly: true
       field :versions,
             Types::DesignManagement::VersionType.connection_type,
             resolver: Resolvers::DesignManagement::VersionResolver,

ee/spec/graphql/types/design_management/design_type_spec.rb

@@ -8,7 +8,7 @@ describe GitlabSchema.types['Design'] do
   it { expect(described_class.interfaces).to include(Types::Notes::NoteableType.to_graphql) }
 
   it 'exposes the expected fields' do
-    expected_fields = [:id, :project, :issue, :filename, :image, :versions, :discussions, :notes]
+    expected_fields = [:id, :project, :issue, :filename, :image, :versions, :discussions, :notes, :diff_refs, :full_path]
 
     is_expected.to have_graphql_fields(*expected_fields)
   end

ee/spec/requests/api/graphql/mutations/notes/create/note_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'Adding a Note to an Epic' do
+  include GraphqlHelpers
+
+  set(:current_user) { create(:user) }
+  let(:epic) { create(:epic, group: group) }
+  let(:mutation) do
+    variables = {
+      noteable_id: GitlabSchema.id_from_object(epic).to_s,
+      body: 'Body text'
+    }
+
+    graphql_mutation(:create_note, variables)
+  end
+
+  def mutation_response
+    graphql_mutation_response(:create_note)
+  end
+
+  before do
+    stub_licensed_features(epics: true)
+  end
+
+  context 'when the user does not have permission' do
+    let(:group) { create(:group, :private) }
+
+    it_behaves_like 'a Note mutation when the user does not have permission'
+  end
+
+  context 'when the user has permission' do
+    let(:group) { create(:group, :public) }
+
+    it_behaves_like 'a Note mutation that creates a Note'
+  end
+end

lib/gitlab/global_id.rb

+# frozen_string_literal: true
+
+module Gitlab
+  module GlobalId
+    def self.build(object = nil, model_name: nil, id: nil, params: nil)
+      if object
+        model_name ||= object.class.name
+        id ||= object.id
+      end
+
+      ::URI::GID.build(app: GlobalID.app, model_name: model_name, model_id: id, params: params)
+    end
+  end
+end

spec/graphql/gitlab_schema_spec.rb

@@ -143,6 +143,26 @@ describe GitlabSchema do
       end
     end
 
+    context 'for classes that are not ActiveRecord subclasses and have implemented .lazy_find' do
+      it 'returns the correct record' do
+        note = create(:discussion_note_on_merge_request)
+
+        result = described_class.object_from_id(note.to_global_id)
+
+        expect(result.__sync).to eq(note)
+      end
+
+      it 'batchloads the queries' do
+        note1 = create(:discussion_note_on_merge_request)
+        note2 = create(:discussion_note_on_merge_request)
+
+        expect do
+          [described_class.object_from_id(note1.to_global_id),
+           described_class.object_from_id(note2.to_global_id)].map(&:__sync)
+        end.not_to exceed_query_limit(1)
+      end
+    end
+
     context 'for other classes' do
       # We cannot use an anonymous class here as `GlobalID` expects `.name` not
       # to return `nil`

spec/graphql/types/diff_refs_type_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe GitlabSchema.types['DiffRefs'] do
+  it { expect(described_class.graphql_name).to eq('DiffRefs') }
+
+  it { expect(described_class).to have_graphql_fields(:base_sha, :head_sha, :start_sha) }
+end

spec/graphql/types/merge_request_type_spec.rb

@@ -13,7 +13,7 @@ describe GitlabSchema.types['MergeRequest'] do
       description_html state created_at updated_at source_project target_project
       project project_id source_project_id target_project_id source_branch
       target_branch work_in_progress merge_when_pipeline_succeeds diff_head_sha
-      merge_commit_sha user_notes_count should_remove_source_branch
+      merge_commit_sha user_notes_count should_remove_source_branch diff_refs
       force_remove_source_branch merge_status in_progress_merge_commit_sha
       merge_error allow_collaboration should_be_rebased rebase_commit_sha
       rebase_in_progress merge_commit_message default_merge_commit_message

spec/graphql/types/notes/diff_position_type_spec.rb

@@ -3,7 +3,7 @@ require 'spec_helper'
 
 describe GitlabSchema.types['DiffPosition'] do
   it 'exposes the expected fields' do
-    expected_fields = [:head_sha, :base_sha, :start_sha, :file_path, :old_path,
+    expected_fields = [:diff_refs, :file_path, :old_path,
                        :new_path, :position_type, :old_line, :new_line, :x, :y,
                        :width, :height]
 

spec/graphql/types/notes/discussion_type_spec.rb

@@ -2,7 +2,7 @@
 require 'spec_helper'
 
 describe GitlabSchema.types['Discussion'] do
-  it { is_expected.to have_graphql_fields(:id, :created_at, :notes) }
+  it { is_expected.to have_graphql_fields(:id, :created_at, :notes, :reply_id) }
 
   it { is_expected.to require_graphql_authorizations(:read_note) }
 end

spec/lib/gitlab/global_id_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Gitlab::GlobalId do
+  describe '.build' do
+    set(:object) { create(:issue) }
+
+    it 'returns a standard GlobalId if only object is passed' do
+      expect(described_class.build(object).to_s).to eq(object.to_global_id.to_s)
+    end
+
+    it 'returns a GlobalId from params' do
+      expect(described_class.build(model_name: 'MyModel', id: 'myid').to_s).to eq(
+        'gid://gitlab/MyModel/myid'
+      )
+    end
+
+    it 'returns a GlobalId from object and `id` param' do
+      expect(described_class.build(object, id: 'myid').to_s).to eq(
+        'gid://gitlab/Issue/myid'
+      )
+    end
+
+    it 'returns a GlobalId from object and `model_name` param' do
+      expect(described_class.build(object, model_name: 'MyModel').to_s).to eq(
+        "gid://gitlab/MyModel/#{object.id}"
+      )
+    end
+
+    it 'returns an error if model_name and id are not able to be determined' do
+      expect { described_class.build(id: 'myid') }.to raise_error(URI::InvalidComponentError)
+      expect { described_class.build(model_name: 'MyModel') }.to raise_error(URI::InvalidComponentError)
+      expect { described_class.build }.to raise_error(URI::InvalidComponentError)
+    end
+  end
+end

spec/models/discussion_spec.rb

@@ -10,6 +10,20 @@ describe Discussion do
   let(:second_note) { create(:diff_note_on_merge_request, in_reply_to: first_note) }
   let(:third_note) { create(:diff_note_on_merge_request) }
 
+  describe '.lazy_find' do
+    let!(:note1) { create(:discussion_note_on_merge_request).to_discussion }
+    let!(:note2) { create(:discussion_note_on_merge_request, in_reply_to: note1).to_discussion }
+
+    subject { [note1, note2].map { |note| described_class.lazy_find(note.discussion_id) } }
+
+    it 'batches requests' do
+      expect do
+        [described_class.lazy_find(note1.id),
+         described_class.lazy_find(note2.id)].map(&:__sync)
+      end.not_to exceed_query_limit(1)
+    end
+  end
+
   describe '.build' do
     it 'returns a discussion of the right type' do
       discussion = described_class.build([first_note, second_note], merge_request)

spec/requests/api/graphql/mutations/notes/create/diff_note_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'Adding a DiffNote' do
+  include GraphqlHelpers
+
+  set(:current_user) { create(:user) }
+  let(:noteable) { create(:merge_request, source_project: project, target_project: project) }
+  let(:project) { create(:project, :repository) }
+  let(:diff_refs) { noteable.diff_refs }
+  let(:mutation) do
+    variables = {
+      noteable_id: GitlabSchema.id_from_object(noteable).to_s,
+      body: 'Body text',
+      position: {
+        paths: {
+          old_path: 'files/ruby/popen.rb',
+          new_path: 'files/ruby/popen2.rb'
+        },
+        new_line: 14,
+        base_sha: diff_refs.base_sha,
+        head_sha: diff_refs.head_sha,
+        start_sha: diff_refs.start_sha
+      }
+    }
+
+    graphql_mutation(:create_diff_note, variables)
+  end
+
+  def mutation_response
+    graphql_mutation_response(:create_diff_note)
+  end
+
+  it_behaves_like 'a Note mutation when the user does not have permission'
+
+  context 'when the user has permission' do
+    before do
+      project.add_developer(current_user)
+    end
+
+    it_behaves_like 'a Note mutation that creates a Note'
+
+    it_behaves_like 'a Note mutation when there are active record validation errors', model: DiffNote
+
+    context do
+      let(:diff_refs) { build(:merge_request).diff_refs } # Allow fake diff refs so arguments are valid
+
+      it_behaves_like 'a Note mutation when the given resource id is not for a Noteable'
+    end
+
+    it 'returns the note with the correct position' do
+      post_graphql_mutation(mutation, current_user: current_user)
+
+      expect(mutation_response['note']['body']).to eq('Body text')
+      mutation_position_response = mutation_response['note']['position']
+      expect(mutation_position_response['positionType']).to eq('text')
+      expect(mutation_position_response['filePath']).to eq('files/ruby/popen2.rb')
+      expect(mutation_position_response['oldPath']).to eq('files/ruby/popen.rb')
+      expect(mutation_position_response['newPath']).to eq('files/ruby/popen2.rb')
+      expect(mutation_position_response['newLine']).to eq(14)
+    end
+  end
+end

spec/requests/api/graphql/mutations/notes/create/image_diff_note_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'Adding an image DiffNote' do
+  include GraphqlHelpers
+
+  set(:current_user) { create(:user) }
+  let(:noteable) { create(:merge_request, source_project: project, target_project: project) }
+  let(:project) { create(:project, :repository) }
+  let(:diff_refs) { noteable.diff_refs }
+  let(:mutation) do
+    variables = {
+      noteable_id: GitlabSchema.id_from_object(noteable).to_s,
+      body: 'Body text',
+      position: {
+        paths: {
+          old_path: 'files/images/any_image.png',
+          new_path: 'files/images/any_image2.png'
+        },
+        width: 100,
+        height: 200,
+        x: 1,
+        y: 2,
+        base_sha: diff_refs.base_sha,
+        head_sha: diff_refs.head_sha,
+        start_sha: diff_refs.start_sha
+      }
+    }
+
+    graphql_mutation(:create_image_diff_note, variables)
+  end
+
+  def mutation_response
+    graphql_mutation_response(:create_image_diff_note)
+  end
+
+  it_behaves_like 'a Note mutation when the user does not have permission'
+
+  context 'when the user has permission' do
+    before do
+      project.add_developer(current_user)
+    end
+
+    it_behaves_like 'a Note mutation that creates a Note'
+
+    it_behaves_like 'a Note mutation when there are active record validation errors', model: DiffNote
+
+    context do
+      let(:diff_refs) { build(:merge_request).diff_refs } # Allow fake diff refs so arguments are valid
+
+      it_behaves_like 'a Note mutation when the given resource id is not for a Noteable'
+    end
+
+    it 'returns the note with the correct position' do
+      post_graphql_mutation(mutation, current_user: current_user)
+
+      expect(mutation_response['note']['body']).to eq('Body text')
+      mutation_position_response = mutation_response['note']['position']
+      expect(mutation_position_response['filePath']).to eq('files/images/any_image2.png')
+      expect(mutation_position_response['oldPath']).to eq('files/images/any_image.png')
+      expect(mutation_position_response['newPath']).to eq('files/images/any_image2.png')
+      expect(mutation_position_response['positionType']).to eq('image')
+      expect(mutation_position_response['width']).to eq(100)
+      expect(mutation_position_response['height']).to eq(200)
+      expect(mutation_position_response['x']).to eq(1)
+      expect(mutation_position_response['y']).to eq(2)
+    end
+  end
+end

spec/requests/api/graphql/mutations/notes/create/note_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'Adding a Note' do
+  include GraphqlHelpers
+
+  set(:current_user) { create(:user) }
+  let(:noteable) { create(:merge_request, source_project: project, target_project: project) }
+  let(:project) { create(:project) }
+  let(:discussion) { nil }
+  let(:mutation) do
+    variables = {
+      noteable_id: GitlabSchema.id_from_object(noteable).to_s,
+      discussion_id: (GitlabSchema.id_from_object(discussion).to_s if discussion),
+      body: 'Body text'
+    }
+
+    graphql_mutation(:create_note, variables)
+  end
+
+  def mutation_response
+    graphql_mutation_response(:create_note)
+  end
+
+  it_behaves_like 'a Note mutation when the user does not have permission'
+
+  context 'when the user has permission' do
+    before do
+      project.add_developer(current_user)
+    end
+
+    it_behaves_like 'a Note mutation that creates a Note'
+
+    it_behaves_like 'a Note mutation when there are active record validation errors'
+
+    it_behaves_like 'a Note mutation when the given resource id is not for a Noteable'
+
+    it 'returns the note' do
+      post_graphql_mutation(mutation, current_user: current_user)
+
+      expect(mutation_response['note']['body']).to eq('Body text')
+    end
+
+    describe 'creating Notes in reply to a discussion' do
+      context 'when the user does not have permission to create notes on the discussion' do
+        let(:discussion) { create(:discussion_note).to_discussion }
+
+        it_behaves_like 'a mutation that returns top-level errors',
+                  errors: ["The discussion does not exist or you don't have permission to perform this action"]
+      end
+
+      context 'when the user has permission to create notes on the discussion' do
+        let(:discussion) { create(:discussion_note, project: project).to_discussion }
+
+        it 'creates a Note in a discussion' do
+          post_graphql_mutation(mutation, current_user: current_user)
+
+          expect(mutation_response['note']['discussion']['id']).to eq(discussion.to_global_id.to_s)
+        end
+      end
+    end
+  end
+end

spec/requests/api/graphql/mutations/notes/destroy_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'Destroying a Note' do
+  include GraphqlHelpers
+
+  let!(:note) { create(:note) }
+  let(:mutation) do
+    variables = {
+      id: GitlabSchema.id_from_object(note).to_s
+    }
+
+    graphql_mutation(:destroy_note, variables)
+  end
+
+  def mutation_response
+    graphql_mutation_response(:destroy_note)
+  end
+
+  context 'when the user does not have permission' do
+    let(:current_user) { create(:user) }
+
+    it_behaves_like 'a mutation that returns top-level errors',
+                    errors: ['The resource that you are attempting to access does not exist or you don\'t have permission to perform this action']
+
+    it 'does not destroy the Note' do
+      expect do
+        post_graphql_mutation(mutation, current_user: current_user)
+      end.not_to change { Note.count }
+    end
+  end
+
+  context 'when the user has permission' do
+    let(:current_user) { note.author }
+
+    it_behaves_like 'a Note mutation when the given resource id is not for a Note'
+
+    it 'destroys the Note' do
+      expect do
+        post_graphql_mutation(mutation, current_user: current_user)
+      end.to change { Note.count }.by(-1)
+    end
+
+    it 'returns an empty Note' do
+      post_graphql_mutation(mutation, current_user: current_user)
+
+      expect(mutation_response).to have_key('note')
+      expect(mutation_response['note']).to be_nil
+    end
+  end
+end

spec/requests/api/graphql/mutations/notes/update_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'Updating a Note' do
+  include GraphqlHelpers
+
+  let!(:note) { create(:note, note: original_body) }
+  let(:original_body) { 'Initial body text' }
+  let(:updated_body) { 'Updated body text' }
+  let(:mutation) do
+    variables = {
+      id: GitlabSchema.id_from_object(note).to_s,
+      body: updated_body
+    }
+
+    graphql_mutation(:update_note, variables)
+  end
+
+  def mutation_response
+    graphql_mutation_response(:update_note)
+  end
+
+  context 'when the user does not have permission' do
+    let(:current_user) { create(:user) }
+
+    it_behaves_like 'a mutation that returns top-level errors',
+                    errors: ['The resource that you are attempting to access does not exist or you don\'t have permission to perform this action']
+
+    it 'does not update the Note' do
+      post_graphql_mutation(mutation, current_user: current_user)
+
+      expect(note.reload.note).to eq(original_body)
+    end
+  end
+
+  context 'when the user has permission' do
+    let(:current_user) { note.author }
+
+    it_behaves_like 'a Note mutation when the given resource id is not for a Note'
+
+    it 'updates the Note' do
+      post_graphql_mutation(mutation, current_user: current_user)
+
+      expect(note.reload.note).to eq(updated_body)
+    end
+
+    it 'returns the updated Note' do
+      post_graphql_mutation(mutation, current_user: current_user)
+
+      expect(mutation_response['note']['body']).to eq(updated_body)
+    end
+
+    context 'when there are ActiveRecord validation errors' do
+      let(:updated_body) { '' }
+
+      it_behaves_like 'a mutation that returns errors in the response', errors: ["Note can't be blank"]
+
+      it 'does not update the Note' do
+        post_graphql_mutation(mutation, current_user: current_user)
+
+        expect(note.reload.note).to eq(original_body)
+      end
+
+      it 'returns the Note with its original body' do
+        post_graphql_mutation(mutation, current_user: current_user)
+
+        expect(mutation_response['note']['body']).to eq(original_body)
+      end
+    end
+  end
+end

spec/support/helpers/graphql_helpers.rb

@@ -57,7 +57,8 @@ module GraphqlHelpers
   end
 
   def variables_for_mutation(name, input)
-    graphql_input = input.map { |name, value| [GraphqlHelpers.fieldnamerize(name), value] }.to_h
+    graphql_input = prepare_input_for_mutation(input)
+
     result = { input_variable_name_for_mutation(name) => graphql_input }
 
     # Avoid trying to serialize multipart data into JSON
@@ -68,6 +69,18 @@ module GraphqlHelpers
     end
   end
 
+  # Recursively convert a Hash with Ruby-style keys to GraphQL fieldname-style keys
+  #
+  # prepare_input_for_mutation({ 'my_key' => 1 })
+  #   => { 'myKey' => 1}
+  def prepare_input_for_mutation(input)
+    input.map do |name, value|
+      value = prepare_input_for_mutation(value) if value.is_a?(Hash)
+
+      [GraphqlHelpers.fieldnamerize(name), value]
+    end.to_h
+  end
+
   def input_variable_name_for_mutation(mutation_name)
     mutation_name = GraphqlHelpers.fieldnamerize(mutation_name)
     mutation_field = GitlabSchema.mutation.fields[mutation_name]

spec/support/shared_examples/graphql/notes_creation_shared_examples.rb

+# frozen_string_literal: true
+
+RSpec.shared_examples 'a Note mutation that does not create a Note' do
+  it do
+    expect do
+      post_graphql_mutation(mutation, current_user: current_user)
+    end.not_to change { Note.count }
+  end
+end
+
+RSpec.shared_examples 'a Note mutation that creates a Note' do
+  it do
+    expect do
+      post_graphql_mutation(mutation, current_user: current_user)
+    end.to change { Note.count }.by(1)
+  end
+end
+
+RSpec.shared_examples 'a Note mutation when the user does not have permission' do
+  it_behaves_like 'a Note mutation that does not create a Note'
+
+  it_behaves_like 'a mutation that returns top-level errors',
+                  errors: ['The resource that you are attempting to access does not exist or you don\'t have permission to perform this action']
+end
+
+RSpec.shared_examples 'a Note mutation when there are active record validation errors' do |model: Note|
+  before do
+    expect_next_instance_of(model) do |note|
+      expect(note).to receive(:valid?).at_least(:once).and_return(false)
+      expect(note).to receive_message_chain(
+        :errors,
+        :full_messages
+      ).and_return(['Error 1', 'Error 2'])
+    end
+  end
+
+  it_behaves_like 'a Note mutation that does not create a Note'
+
+  it_behaves_like 'a mutation that returns errors in the response', errors: ['Error 1', 'Error 2']
+
+  it 'returns an empty Note' do
+    post_graphql_mutation(mutation, current_user: current_user)
+
+    expect(mutation_response).to have_key('note')
+    expect(mutation_response['note']).to be_nil
+  end
+end
+
+RSpec.shared_examples 'a Note mutation when the given resource id is not for a Noteable' do
+  let(:noteable) { create(:label, project: project) }
+
+  it_behaves_like 'a Note mutation that does not create a Note'
+
+  it_behaves_like 'a mutation that returns top-level errors', errors: ['Cannot add notes to this resource']
+end
+
+RSpec.shared_examples 'a Note mutation when the given resource id is not for a Note' do
+  let(:note) { create(:issue) }
+
+  it_behaves_like 'a mutation that returns top-level errors', errors: ['Resource is not a note']
+end