Ini

lib/api/api.rb

@@ -134,6 +134,7 @@ module API
     mount ::API::Triggers
     mount ::API::Users
     mount ::API::Variables
+    mount ::API::GroupVariables
     mount ::API::Version
 
     route :any, '*path' do

lib/api/group_variables.rb

+module API
+  class GroupVariables < Grape::API
+    include PaginationParams
+
+    before { authenticate! }
+    before { authorize! :admin_build, user_group }
+
+    params do
+      requires :id, type: String, desc: 'The ID of a group'
+    end
+
+    resource :groups, requirements: { id: %r{[^/]+} } do
+      desc 'Get group-level variables' do
+        success Entities::Variable
+      end
+      params do
+        use :pagination
+      end
+      get ':id/variables' do
+        variables = user_group.variables
+        present paginate(variables), with: Entities::Variable
+      end
+
+      desc 'Get a specific variable from a group' do
+        success Entities::Variable
+      end
+      params do
+        requires :key, type: String, desc: 'The key of the variable'
+      end
+      get ':id/variables/:key' do
+        key = params[:key]
+        variable = user_group.variables.find_by(key: key)
+
+        return not_found!('GroupVariable') unless variable
+
+        present variable, with: Entities::Variable
+      end
+
+      desc 'Create a new variable in a group' do
+        success Entities::Variable
+      end
+      params do
+        requires :key, type: String, desc: 'The key of the variable'
+        requires :value, type: String, desc: 'The value of the variable'
+        optional :protected, type: String, desc: 'Whether the variable is protected'
+      end
+      post ':id/variables' do
+        variable_params = declared_params(include_missing: false)
+
+        variable = user_group.variables.create(variable_params)
+
+        if variable.valid?
+          present variable, with: Entities::Variable
+        else
+          render_validation_error!(variable)
+        end
+      end
+
+      desc 'Update an existing variable from a group' do
+        success Entities::Variable
+      end
+      params do
+        optional :key, type: String, desc: 'The key of the variable'
+        optional :value, type: String, desc: 'The value of the variable'
+        optional :protected, type: String, desc: 'Whether the variable is protected'
+      end
+      put ':id/variables/:key' do
+        variable = user_group.variables.find_by(key: params[:key])
+
+        return not_found!('GroupVariable') unless variable
+
+        variable_params = declared_params(include_missing: false).except(:key)
+
+        if variable.update(variable_params)
+          present variable, with: Entities::Variable
+        else
+          render_validation_error!(variable)
+        end
+      end
+
+      desc 'Delete an existing variable from a group' do
+        success Entities::Variable
+      end
+      params do
+        requires :key, type: String, desc: 'The key of the variable'
+      end
+      delete ':id/variables/:key' do
+        variable = user_group.variables.find_by(key: params[:key])
+        not_found!('GroupVariable') unless variable
+
+        variable.destroy
+      end
+    end
+  end
+end

lib/api/helpers.rb

@@ -29,6 +29,10 @@ module API
       @project ||= find_project!(params[:id])
     end
 
+    def user_group
+      @group ||= find_group!(params[:id])
+    end
+
     def available_labels
       @available_labels ||= LabelsFinder.new(current_user, project_id: user_project.id).execute
     end

spec/requests/api/group_variables_spec.rb

+require 'spec_helper'
+
+describe API::GroupVariables do
+  let(:group) { create(:group) }
+  let(:user) { create(:user) }
+
+  describe 'GET /groups/:id/variables' do
+    let!(:variable) { create(:ci_group_variable, group: group) }
+
+    context 'authorized user with proper permissions' do
+      before do
+        group.add_master(user)
+      end
+
+      it 'returns group variables' do
+        get api("/groups/#{group.id}/variables", user)
+
+        expect(response).to have_http_status(200)
+        expect(json_response).to be_a(Array)
+      end
+    end
+
+    context 'authorized user with invalid permissions' do
+      it 'does not return group variables' do
+        get api("/groups/#{group.id}/variables", user)
+
+        expect(response).to have_http_status(403)
+      end
+    end
+
+    context 'unauthorized user' do
+      it 'does not return group variables' do
+        get api("/groups/#{group.id}/variables")
+
+        expect(response).to have_http_status(401)
+      end
+    end
+  end
+
+  describe 'GET /groups/:id/variables/:key' do
+    let!(:variable) { create(:ci_group_variable, group: group) }
+
+    context 'authorized user with proper permissions' do
+      before do
+        group.add_master(user)
+      end
+
+      it 'returns group variable details' do
+        get api("/groups/#{group.id}/variables/#{variable.key}", user)
+
+        expect(response).to have_http_status(200)
+        expect(json_response['value']).to eq(variable.value)
+        expect(json_response['protected']).to eq(variable.protected?)
+      end
+
+      it 'responds with 404 Not Found if requesting non-existing variable' do
+        get api("/groups/#{group.id}/variables/non_existing_variable", user)
+
+        expect(response).to have_http_status(404)
+      end
+    end
+
+    context 'authorized user with invalid permissions' do
+      it 'does not return group variable details' do
+        get api("/groups/#{group.id}/variables/#{variable.key}", user)
+
+        expect(response).to have_http_status(403)
+      end
+    end
+
+    context 'unauthorized user' do
+      it 'does not return group variable details' do
+        get api("/groups/#{group.id}/variables/#{variable.key}")
+
+        expect(response).to have_http_status(401)
+      end
+    end
+  end
+
+  describe 'POST /groups/:id/variables' do
+    context 'authorized user with proper permissions' do
+      let!(:variable) { create(:ci_group_variable, group: group) }
+
+      before do
+        group.add_master(user)
+      end
+
+      it 'creates variable' do
+        expect do
+          post api("/groups/#{group.id}/variables", user), key: 'TEST_VARIABLE_2', value: 'VALUE_2', protected: true
+        end.to change{group.variables.count}.by(1)
+
+        expect(response).to have_http_status(201)
+        expect(json_response['key']).to eq('TEST_VARIABLE_2')
+        expect(json_response['value']).to eq('VALUE_2')
+        expect(json_response['protected']).to be_truthy
+      end
+
+      it 'creates variable with optional attributes' do
+        expect do
+          post api("/groups/#{group.id}/variables", user), key: 'TEST_VARIABLE_2', value: 'VALUE_2'
+        end.to change{group.variables.count}.by(1)
+
+        expect(response).to have_http_status(201)
+        expect(json_response['key']).to eq('TEST_VARIABLE_2')
+        expect(json_response['value']).to eq('VALUE_2')
+        expect(json_response['protected']).to be_falsey
+      end
+
+      it 'does not allow to duplicate variable key' do
+        expect do
+          post api("/groups/#{group.id}/variables", user), key: variable.key, value: 'VALUE_2'
+        end.to change{group.variables.count}.by(0)
+
+        expect(response).to have_http_status(400)
+      end
+    end
+
+    context 'authorized user with invalid permissions' do
+      it 'does not create variable' do
+        post api("/groups/#{group.id}/variables", user)
+
+        expect(response).to have_http_status(403)
+      end
+    end
+
+    context 'unauthorized user' do
+      it 'does not create variable' do
+        post api("/groups/#{group.id}/variables")
+
+        expect(response).to have_http_status(401)
+      end
+    end
+  end
+
+  describe 'PUT /groups/:id/variables/:key' do
+    let!(:variable) { create(:ci_group_variable, group: group) }
+
+    context 'authorized user with proper permissions' do
+      before do
+        group.add_master(user)
+      end
+
+      it 'updates variable data' do
+        initial_variable = group.variables.first
+        value_before = initial_variable.value
+
+        put api("/groups/#{group.id}/variables/#{variable.key}", user), value: 'VALUE_1_UP', protected: true
+
+        updated_variable = group.variables.first
+
+        expect(response).to have_http_status(200)
+        expect(value_before).to eq(variable.value)
+        expect(updated_variable.value).to eq('VALUE_1_UP')
+        expect(updated_variable).to be_protected
+      end
+
+      it 'responds with 404 Not Found if requesting non-existing variable' do
+        put api("/groups/#{group.id}/variables/non_existing_variable", user)
+
+        expect(response).to have_http_status(404)
+      end
+    end
+
+    context 'authorized user with invalid permissions' do
+      it 'does not update variable' do
+        put api("/groups/#{group.id}/variables/#{variable.key}", user)
+
+        expect(response).to have_http_status(403)
+      end
+    end
+
+    context 'unauthorized user' do
+      it 'does not update variable' do
+        put api("/groups/#{group.id}/variables/#{variable.key}")
+
+        expect(response).to have_http_status(401)
+      end
+    end
+  end
+
+  describe 'DELETE /groups/:id/variables/:key' do
+    let!(:variable) { create(:ci_group_variable, group: group) }
+
+    context 'authorized user with proper permissions' do
+      before do
+        group.add_master(user)
+      end
+
+      it 'deletes variable' do
+        expect do
+          delete api("/groups/#{group.id}/variables/#{variable.key}", user)
+
+          expect(response).to have_http_status(204)
+        end.to change{group.variables.count}.by(-1)
+      end
+
+      it 'responds with 404 Not Found if requesting non-existing variable' do
+        delete api("/groups/#{group.id}/variables/non_existing_variable", user)
+
+        expect(response).to have_http_status(404)
+      end
+    end
+
+    context 'authorized user with invalid permissions' do
+      it 'does not delete variable' do
+        delete api("/groups/#{group.id}/variables/#{variable.key}", user)
+
+        expect(response).to have_http_status(403)
+      end
+    end
+
+    context 'unauthorized user' do
+      it 'does not delete variable' do
+        delete api("/groups/#{group.id}/variables/#{variable.key}")
+
+        expect(response).to have_http_status(401)
+      end
+    end
+  end
+end