Merge branch 'qa/tn/new_test/push_rules' into 'master'

Push Rules test implementation

Closes gitlab-org/quality/testcases#89, gitlab-org/quality/testcases#90, gitlab-org/quality/testcases#91, gitlab-org/quality/testcases#92, gitlab-org/quality/testcases#93, gitlab-org/quality/testcases#94, gitlab-org/quality/testcases#95, gitlab-org/quality/testcases#96, gitlab-org/quality/testcases#97, and gitlab-org/quality/testcases#98

See merge request gitlab-org/gitlab!16454

ee/app/views/projects/push_rules/_index.html.haml

 - return unless @project.feature_available?(:push_rules)
 
 - expanded = expanded_by_default?
-%section.settings.no-animate#js-push-rules{ class: ('expanded' if expanded) }
+%section.settings.no-animate#js-push-rules{ class: ('expanded' if expanded), data: { qa_selector: 'push_rules_content' } }
   .settings-header
     %h4
       Push Rules

ee/app/views/shared/push_rules/_commit_committer_check_setting.html.haml

@@ -4,7 +4,7 @@
 - push_rule = local_assigns.fetch(:push_rule)
 
 .form-check
-  = form.check_box :commit_committer_check, class: "form-check-input", disabled: !can_change_push_rule?(form.object, :commit_committer_check)
+  = form.check_box :commit_committer_check, class: "form-check-input", disabled: !can_change_push_rule?(form.object, :commit_committer_check), data: { qa_selector: 'committer_restriction_checkbox' }
   = form.label :commit_committer_check, class: "label-bold form-check-label" do
     = s_("PushRule|Committer restriction")
   %p.text-muted

ee/app/views/shared/push_rules/_form.html.haml

@@ -3,7 +3,7 @@
 = render 'shared/push_rules/reject_unsigned_commits_setting', form: f, push_rule: f.object
 
 .form-check
-  = f.check_box :deny_delete_tag, class: "form-check-input"
+  = f.check_box :deny_delete_tag, class: "form-check-input", data: { qa_selector: 'deny_delete_tag_checkbox' }
   = f.label :deny_delete_tag, class: "label-bold form-check-label" do
     Do not allow users to remove git tags with
     %code git push
@@ -11,14 +11,14 @@
     Tags can still be deleted through the web UI.
 
 .form-check
-  = f.check_box :member_check, class: "form-check-input"
+  = f.check_box :member_check, class: "form-check-input", data: { qa_selector: 'restrict_author_checkbox' }
   = f.label :member_check, "Check whether author is a GitLab user", class: "label-bold form-check-label"
   %p.text-muted
     Restrict commits by author (email) to existing GitLab users
 
 
 .form-check
-  = f.check_box :prevent_secrets, class: "form-check-input"
+  = f.check_box :prevent_secrets, class: "form-check-input", data: { qa_selector: 'prevent_secrets_checkbox' }
   = f.label :prevent_secrets, "Prevent committing secrets to Git", class: "label-bold form-check-label"
   %p.text-muted
     GitLab will reject any files that are likely to contain secrets.
@@ -26,7 +26,7 @@
 
 .form-group
   = f.label :commit_message_regex, "Commit message", class: "label-bold"
-  = f.text_field :commit_message_regex, class: "form-control", placeholder: 'Example: Fixes \d+\..*'
+  = f.text_field :commit_message_regex, class: "form-control", placeholder: 'Example: Fixes \d+\..*', data: { qa_selector: 'commit_message_field' }
   .form-text.text-muted
     All commit messages must match this
     = link_to 'regular expression', 'https://github.com/google/re2/wiki/Syntax'
@@ -36,7 +36,7 @@
 
 .form-group
   = f.label :commit_message_negative_regex, "Commit message negative match", class: 'label-bold'
-  = f.text_field :commit_message_negative_regex, class: "form-control", placeholder: 'Example: ssh\:\/\/'
+  = f.text_field :commit_message_negative_regex, class: "form-control", placeholder: 'Example: ssh\:\/\/', data: { qa_selector: 'deny_commit_message_field' }
   .form-text.text-muted
     No commit message is allowed to match this
     = link_to 'regular expression', 'https://github.com/google/re2/wiki/Syntax'
@@ -46,7 +46,7 @@
 
 .form-group
   = f.label :branch_name_regex, "Branch name", class: "label-bold"
-  = f.text_field :branch_name_regex, class: "form-control", placeholder: 'Example: (feature|hotfix)\/*'
+  = f.text_field :branch_name_regex, class: "form-control", placeholder: 'Example: (feature|hotfix)\/*', data: { qa_selector: 'branch_name_field' }
   .form-text.text-muted
     All branch names must match this
     = link_to 'regular expression', 'https://github.com/google/re2/wiki/Syntax'
@@ -55,7 +55,7 @@
 
 .form-group
   = f.label :author_email_regex, "Commit author's email", class: "label-bold"
-  = f.text_field :author_email_regex, class: "form-control", placeholder: 'Example: @my-company.com$'
+  = f.text_field :author_email_regex, class: "form-control", placeholder: 'Example: @my-company.com$', data: { qa_selector: 'author_email_field' }
   .form-text.text-muted
     All commit author's email must match this
     = link_to 'regular expression', 'https://github.com/google/re2/wiki/Syntax'
@@ -64,7 +64,7 @@
 
 .form-group
   = f.label :file_name_regex, "Prohibited file names", class: "label-bold"
-  = f.text_field :file_name_regex, class: "form-control", placeholder: 'Example: (jar|exe)$'
+  = f.text_field :file_name_regex, class: "form-control", placeholder: 'Example: (jar|exe)$', data: { qa_selector: 'file_name_field' }
   .form-text.text-muted
     All commited filenames must not match this
     = link_to 'regular expression', 'https://github.com/google/re2/wiki/Syntax'
@@ -73,9 +73,9 @@
 
 .form-group
   = f.label :max_file_size, "Maximum file size (MB)", class: "label-bold"
-  = f.number_field :max_file_size, class: "form-control", min: 0
+  = f.number_field :max_file_size, class: "form-control", min: 0, data: { qa_selector: 'file_size_field' }
   .form-text.text-muted
     Pushes that contain added or updated files that exceed this file size are rejected.
     Set to 0 to allow files of any size.
 
-= f.submit "Save Push Rules", class: "btn btn-success"
+= f.submit "Save Push Rules", class: "btn btn-success", data: { qa_selector: 'submit_settings_button' }

ee/app/views/shared/push_rules/_reject_unsigned_commits_setting.html.haml

@@ -4,7 +4,7 @@
 - push_rule = local_assigns.fetch(:push_rule)
 
 .form-check
-  = form.check_box :reject_unsigned_commits, class: "form-check-input", disabled: !can_change_push_rule?(form.object, :reject_unsigned_commits)
+  = form.check_box :reject_unsigned_commits, class: "form-check-input", disabled: !can_change_push_rule?(form.object, :reject_unsigned_commits), data: { qa_selector: 'reject_unsigned_commits_checkbox' }
   = form.label :reject_unsigned_commits, class: "label-bold form-check-label" do
     Reject unsigned commits
   %p.text-muted

qa/qa.rb

@@ -23,6 +23,7 @@ module QA
     autoload :Feature, 'qa/runtime/feature'
     autoload :Fixtures, 'qa/runtime/fixtures'
     autoload :Logger, 'qa/runtime/logger'
+    autoload :GPG, 'qa/runtime/gpg'
 
     module API
       autoload :Client, 'qa/runtime/api/client'
@@ -67,7 +68,9 @@ module QA
     autoload :Fork, 'qa/resource/fork'
     autoload :SSHKey, 'qa/resource/ssh_key'
     autoload :Snippet, 'qa/resource/snippet'
+    autoload :Tag, 'qa/resource/tag'
     autoload :ProjectMember, 'qa/resource/project_member'
+    autoload :UserGPG, 'qa/resource/user_gpg'
 
     module Events
       autoload :Base, 'qa/resource/events/base'

qa/qa/ee.rb

@@ -109,6 +109,8 @@ module QA
           autoload :MirroringRepositories, 'qa/ee/page/project/settings/mirroring_repositories'
           autoload :Main, 'qa/ee/page/project/settings/main'
           autoload :MergeRequestApproval, 'qa/ee/page/project/settings/merge_request_approval'
+          autoload :Repository, 'qa/ee/page/project/settings/repository'
+          autoload :PushRules, 'qa/ee/page/project/settings/push_rules'
         end
 
         module Operations

qa/qa/ee/page/project/settings/push_rules.rb

+# frozen_string_literal: true
+
+module QA
+  module EE
+    module Page
+      module Project
+        module Settings
+          class PushRules < QA::Page::Base
+            view 'ee/app/views/shared/push_rules/_form.html.haml' do
+              element :deny_delete_tag_checkbox
+              element :restrict_author_checkbox
+              element :prevent_secrets_checkbox
+              element :commit_message_field
+              element :deny_commit_message_field
+              element :branch_name_field
+              element :author_email_field
+              element :file_name_field
+              element :file_size_field
+              element :submit_settings_button
+            end
+
+            view 'ee/app/views/shared/push_rules/_reject_unsigned_commits_setting.html.haml' do
+              element :reject_unsigned_commits_checkbox
+            end
+
+            view 'ee/app/views/shared/push_rules/_commit_committer_check_setting.html.haml' do
+              element :committer_restriction_checkbox
+            end
+
+            def check_reject_unsigned_commits
+              check_element :reject_unsigned_commits_checkbox
+            end
+
+            def check_committer_restriction
+              check_element :committer_restriction_checkbox
+            end
+
+            def check_deny_delete_tag
+              check_element :deny_delete_tag_checkbox
+            end
+
+            def check_restrict_author
+              check_element :restrict_author_checkbox
+            end
+
+            def check_prevent_secrets
+              check_element :prevent_secrets_checkbox
+            end
+
+            def fill_commit_message_rule(message)
+              fill_element :commit_message_field, message
+            end
+
+            def fill_deny_commit_message_rule(message)
+              fill_element :deny_commit_message_field, message
+            end
+
+            def fill_branch_name(name)
+              fill_element :branch_name_field, name
+            end
+
+            def fill_author_email(email)
+              fill_element :author_email_field, email
+            end
+
+            def fill_file_name(file_name)
+              fill_element :file_name_field, file_name
+            end
+
+            def fill_file_size(file_size)
+              fill_element :file_size_field, file_size
+            end
+
+            def click_submit
+              click_element :submit_settings_button
+            end
+          end
+        end
+      end
+    end
+  end
+end

qa/qa/ee/page/project/settings/repository.rb

+# frozen_string_literal: true
+
+module QA
+  module EE
+    module Page
+      module Project
+        module Settings
+          module Repository
+            def self.prepended(page)
+              page.module_eval do
+                view 'ee/app/views/projects/push_rules/_index.html.haml' do
+                  element :push_rules_content
+                end
+              end
+            end
+
+            def expand_push_rules(&block)
+              expand_section(:push_rules_content) do
+                PushRules.perform(&block)
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

qa/qa/git/repository.rb

@@ -14,7 +14,7 @@ module QA
       include Scenario::Actable
       RepositoryCommandError = Class.new(StandardError)
 
-      attr_writer :use_lfs
+      attr_writer :use_lfs, :gpg_key_id
       attr_accessor :env_vars
 
       InvalidCredentialsError = Class.new(RuntimeError)
@@ -25,6 +25,7 @@ module QA
         # .netrc can be utilised
         self.env_vars = [%Q{HOME="#{tmp_home_dir}"}]
         @use_lfs = false
+        @gpg_key_id = nil
       end
 
       def self.perform(*args)
@@ -99,10 +100,18 @@ module QA
         git_lfs_track_result.to_s + git_add_result.to_s
       end
 
+      def delete_tag(tag_name)
+        run(%Q{git push origin --delete #{tag_name}}).to_s
+      end
+
       def commit(message)
         run(%Q{git commit -m "#{message}"}).to_s
       end
 
+      def commit_with_gpg(message)
+        run(%Q{git config user.signingkey #{@gpg_key_id} && git config gpg.program $(which gpg) && git commit -S -m "#{message}"}).to_s
+      end
+
       def push_changes(branch = 'master')
         run("git push #{uri} #{branch}").to_s
       end

qa/qa/page/project/settings/repository.rb

@@ -47,3 +47,5 @@ module QA
     end
   end
 end
+
+QA::Page::Project::Settings::Repository.prepend_if_ee('QA::EE::Page::Project::Settings::Repository')

qa/qa/resource/repository/push.rb

@@ -8,9 +8,9 @@ module QA
       class Push < Base
         attr_accessor :file_name, :file_content, :commit_message,
                       :branch_name, :new_branch, :output, :repository_http_uri,
-                      :repository_ssh_uri, :ssh_key, :user, :use_lfs
+                      :repository_ssh_uri, :ssh_key, :user, :use_lfs, :tag_name
 
-        attr_writer :remote_branch
+        attr_writer :remote_branch, :gpg_key_id
 
         def initialize
           @file_name = 'file.txt'
@@ -21,6 +21,8 @@ module QA
           @repository_http_uri = ""
           @ssh_key = nil
           @use_lfs = false
+          @tag_name = nil
+          @gpg_key_id = nil
         end
 
         def remote_branch
@@ -67,29 +69,43 @@ module QA
               email = user.email
             end
 
+            unless @gpg_key_id.nil?
+              repository.gpg_key_id = @gpg_key_id
+            end
+
             @output += repository.clone
             repository.configure_identity(username, email)
 
             @output += repository.checkout(branch_name, new_branch: new_branch)
 
-            if @directory
-              @directory.each_child do |f|
-                @output += repository.add_file(f.basename, f.read) if f.file?
-              end
-            elsif @files
-              @files.each do |f|
-                repository.add_file(f[:name], f[:content])
-              end
+            if @tag_name
+              @output += repository.delete_tag(@tag_name)
             else
-              @output += repository.add_file(file_name, file_content)
-            end
+              if @directory
+                @directory.each_child do |f|
+                  @output += repository.add_file(f.basename, f.read) if f.file?
+                end
+              elsif @files
+                @files.each do |f|
+                  repository.add_file(f[:name], f[:content])
+                end
+              else
+                @output += repository.add_file(file_name, file_content)
+              end
 
-            @output += repository.commit(commit_message)
-            @output += repository.push_changes("#{branch_name}:#{remote_branch}")
+              @output += commit_to repository
+              @output += repository.push_changes("#{branch_name}:#{remote_branch}")
+            end
 
             repository.delete_ssh_key
           end
         end
+
+        private
+
+        def commit_to(repository)
+          @gpg_key_id.nil? ? repository.commit(@commit_message) : repository.commit_with_gpg(@commit_message)
+        end
       end
     end
   end

qa/qa/resource/tag.rb

+# frozen_string_literal: true
+
+module QA
+  module Resource
+    class Tag < Base
+      attr_accessor :project, :name, :ref
+
+      def resource_web_url(resource)
+        super
+      rescue ResourceURLMissingError
+        # this particular resource does not expose a web_url property
+      end
+
+      def api_get_path
+        "/projects/#{project.id}/repository/tags/#{name}"
+      end
+
+      def api_post_path
+        "/projects/#{project.id}/repository/tags"
+      end
+
+      def api_post_body
+        {
+          tag_name: name,
+          ref: ref
+        }
+      end
+    end
+  end
+end

qa/qa/resource/user_gpg.rb

+# frozen_string_literal: true
+
+module QA
+  module Resource
+    class UserGPG < Base
+      attr_accessor :id, :gpg
+      attr_reader :key_id
+
+      def initialize
+        @gpg = Runtime::GPG.new
+        @key_id = @gpg.key_id
+      end
+
+      def fabricate_via_api!
+        super
+        @id = self.api_response[:id]
+      rescue ResourceFabricationFailedError => error
+        if error.message.include? 'has already been taken'
+          self
+        else
+          raise ResourceFabricationFailedError error
+        end
+      end
+
+      def resource_web_url(resource)
+        super
+      rescue ResourceURLMissingError
+        # this particular resource does not expose a web_url property
+      end
+
+      def api_get_path
+        "/user/gpg_keys/#{@id}"
+      end
+
+      def api_post_path
+        '/user/gpg_keys'
+      end
+
+      def api_post_body
+        {
+          key: @gpg.key
+        }
+      end
+    end
+  end
+end

qa/qa/runtime/gpg.rb

+# frozen_string_literal: true
+
+module QA
+  module Runtime
+    class GPG
+      attr_reader :key, :key_id
+
+      def initialize
+        @key_id = 'B8358D73048DACC4'
+        import_key(File.expand_path('qa/ee/fixtures/gpg/admin.asc'))
+        @key = collect_key.first
+      end
+
+      private
+
+      def import_key(path)
+        import_key = "gpg --import #{path}"
+        execute(import_key)
+      end
+
+      def collect_key
+        get_ascii_format = "gpg --armor --export #{@key_id}"
+        execute(get_ascii_format)
+      end
+
+      def execute(command)
+        Open3.capture2e(*command) do |stdin, out, wait|
+          out.each_char { |char| print char }
+
+          if wait.value.exited? && wait.value.exitstatus.nonzero?
+            raise CommandError, "Command `#{command}` failed!"
+          end
+        end
+      end
+    end
+  end
+end

qa/qa/runtime/user.rb

@@ -25,6 +25,10 @@ module QA
         Runtime::Env.user_password || default_password
       end
 
+      def email
+        default_email
+      end
+
       def ldap_user?
         Runtime::Env.ldap_username && Runtime::Env.ldap_password
       end

qa/qa/specs/features/ee/browser_ui/3_create/repository/push_rules_spec.rb

+# frozen_string_literal: true
+
+module QA
+  context 'Create' do
+    context 'Push Rules' do
+      describe 'using non signed commits' do
+        file_name_limitation = 'denied_file'
+        file_size_limitation = 1
+        authors_email_limitation = '(admin@example.com|root@gitlab.com)'
+        branch_name_limitation = 'master'
+        needed_phrase_limitation = 'allowed commit'
+        deny_message_phrase_limitation = 'denied commit'
+
+        before :context do
+          prepare
+
+          Page::Project::Settings::Repository.perform do |repository|
+            repository.expand_push_rules do |push_rules|
+              push_rules.fill_file_name file_name_limitation
+              push_rules.fill_file_size file_size_limitation
+              push_rules.fill_author_email authors_email_limitation
+              push_rules.fill_branch_name branch_name_limitation
+              push_rules.fill_commit_message_rule needed_phrase_limitation
+              push_rules.fill_deny_commit_message_rule deny_message_phrase_limitation
+              push_rules.check_prevent_secrets
+              push_rules.check_restrict_author
+              push_rules.check_deny_delete_tag
+              push_rules.click_submit
+            end
+          end
+        end
+
+        it 'restricts files by name and size' do
+          large_file = [{
+            name: 'file',
+            content: SecureRandom.hex(1000000)
+          }]
+          wrongly_named_file = [{
+            name: file_name_limitation,
+            content: SecureRandom.hex(100)
+          }]
+
+          expect_no_error_on_push file: standard_file
+          expect_error_on_push file: large_file
+          expect_error_on_push file: wrongly_named_file
+        end
+
+        it 'restricts users by email format' do
+          gitlab_user = Resource::User.fabricate_or_use(Runtime::Env.gitlab_qa_username_1, Runtime::Env.gitlab_qa_password_1)
+
+          expect_no_error_on_push file: standard_file
+          expect_error_on_push file: standard_file, user: gitlab_user
+        end
+
+        it 'restricts branches by branch name' do
+          expect_no_error_on_push file: standard_file
+          expect_error_on_push file: standard_file, branch: 'forbidden_branch'
+        end
+
+        it 'restricts commit by message format' do
+          expect_no_error_on_push file: standard_file, commit_message: needed_phrase_limitation
+          expect_error_on_push file: standard_file, commit_message: 'forbidden message'
+          expect_error_on_push file: standard_file, commit_message: "#{needed_phrase_limitation} - #{deny_message_phrase_limitation}"
+        end
+
+        it 'restricts committing files with secrets' do
+          secret_file = [{
+            name: 'id_rsa',
+            content: SecureRandom.hex(100)
+          }]
+
+          expect_no_error_on_push file: standard_file
+          expect_error_on_push file: secret_file
+        end
+
+        it 'restricts commits by user' do
+          expect_no_error_on_push file: standard_file
+          expect_error_on_push file: standard_file, user: root_user
+        end
+
+        it 'restricts removal of tag' do
+          tag = Resource::Tag.fabricate_via_api! do |tag|
+            tag.project = @project
+            tag.ref = 'master'
+            tag.name = 'test_tag'
+          end
+
+          expect_no_error_on_push file: standard_file
+          expect_error_on_push file: standard_file, tag: tag.name
+        end
+      end
+
+      describe 'using signed commits' do
+        before :context do
+          prepare
+
+          Page::Project::Settings::Repository.perform do |repository|
+            repository.expand_push_rules do |push_rules|
+              push_rules.check_reject_unsigned_commits
+              push_rules.check_committer_restriction
+              push_rules.click_submit
+            end
+          end
+
+          @gpg = Resource::UserGPG.fabricate_via_api!
+        end
+
+        it 'restricts to signed commits' do
+          expect_no_error_on_push file: standard_file, gpg: @gpg
+          expect_error_on_push file: standard_file
+        end
+
+        it 'restricts commits to current authenticated user' do
+          gitlab_user = Resource::User.fabricate_or_use(Runtime::Env.gitlab_qa_username_1, Runtime::Env.gitlab_qa_password_1)
+
+          expect_no_error_on_push file: standard_file, gpg: @gpg
+          expect_error_on_push file: standard_file, gpg: @gpg, user: gitlab_user
+        end
+      end
+
+      def standard_file
+        [{
+           name: 'file',
+           content: SecureRandom.hex(100)
+         }]
+      end
+
+      def root_user
+        Resource::User.new.tap do |user|
+          user.username = 'root'
+          user.name = 'GitLab QA'
+          user.email = 'root@gitlab.com'
+          user.password = nil
+        end
+      end
+
+      def push(commit_message:, branch:, file:, user:, tag:, gpg:)
+        Resource::Repository::ProjectPush.fabricate! do |push|
+          push.project = @project
+          push.commit_message = commit_message
+          push.new_branch = branch != 'master'
+          push.branch_name = branch
+          push.user = user
+          push.files = file if tag.nil?
+          push.tag_name = tag unless tag.nil?
+          push.gpg_key_id = gpg.key_id unless gpg.nil?
+        end
+      end
+
+      def expect_no_error_on_push(commit_message: 'allowed commit', branch: 'master', file:, user: Runtime::User, tag: nil, gpg: nil)
+        expect do
+          push commit_message: commit_message, branch: branch, file: file, user: user, tag: tag, gpg: gpg
+        end.not_to raise_error
+      end
+
+      def expect_error_on_push(commit_message: 'allowed commit', branch: 'master', file:, user: Runtime::User, tag: nil, gpg: nil)
+        expect do
+          push commit_message: commit_message, branch: branch, file: file, user: user, tag: tag, gpg: gpg
+        end.to raise_error(QA::Git::Repository::RepositoryCommandError)
+      end
+
+      def prepare
+        Runtime::Browser.visit(:gitlab, Page::Main::Login)
+        Page::Main::Login.perform(&:sign_in_using_credentials)
+
+        @project = Resource::Project.fabricate_via_api! do |project|
+          project.name = 'push_rules'
+        end
+
+        Resource::Repository::ProjectPush.fabricate! do |push|
+          push.project = @project
+          push.files = standard_file
+        end
+
+        @project.visit!
+
+        Page::Project::Menu.perform(&:go_to_repository_settings)
+      end
+    end
+  end
+end