Merge branch 'security-apply-codeowners-checks-to-web_ui' into 'master'

Apply CODEOWNER validations to web requests

Closes #93

See merge request gitlab-org/security/gitlab!346

changelogs/unreleased/security-apply-codeowners-checks-to-web_ui.yml

+---
+title: Apply CODEOWNERS validations to web requests
+merge_request:
+author:
+type: security

ee/lib/ee/gitlab/checks/diff_check.rb

@@ -12,7 +12,7 @@ module EE
         def path_validations
           validations = [super].flatten
 
-          if !updated_from_web? && project.branch_requires_code_owner_approval?(branch_name)
+          if project.branch_requires_code_owner_approval?(branch_name)
             validations << validate_code_owners
           end
 
@@ -34,11 +34,13 @@ module EE
           matched_rules = loader.entries.collect { |e| "- #{e.pattern}" }
           code_owner_path = project.repository.code_owners_blob(ref: branch_name).path || "CODEOWNERS"
 
-          "Pushes to protected branches that contain changes to files that\n" \
+          msg = "Pushes to protected branches that contain changes to files that\n" \
             "match patterns defined in `#{code_owner_path}` are disabled for\n" \
             "this project. Please submit these changes via a merge request.\n\n" \
             "The following pattern(s) from `#{code_owner_path}` were matched:\n" \
             "#{matched_rules.join('\n')}\n"
+
+          updated_from_web? ? msg.tr("\n", " ") : msg
         end
 
         def validate_path_locks?

ee/spec/lib/gitlab/checks/diff_check_spec.rb

@@ -89,8 +89,22 @@ describe Gitlab::Checks::DiffCheck do
             stub_feature_flags(sectional_codeowners: false)
           end
 
-          it "returns an error message" do
-            expect(validation_result).to include("Pushes to protected branches")
+          context "for a non-web-based request" do
+            it "returns an error message" do
+              expect(validation_result).to include("Pushes to protected branches")
+              expect(validation_result).to include("\n")
+            end
+          end
+
+          context "for a web-based request" do
+            before do
+              expect(subject).to receive(:updated_from_web?).and_return(true)
+            end
+
+            it "returns an error message with newline chars removed" do
+              expect(validation_result).to include("Pushes to protected branches")
+              expect(validation_result).not_to include("\n")
+            end
           end
         end
 
@@ -128,30 +142,16 @@ describe Gitlab::Checks::DiffCheck do
       end
 
       context "when the feature is enabled on the project" do
-        context "updated_from_web? == false" do
-          before do
-            expect(subject).to receive(:updated_from_web?).and_return(false)
-            expect(project).to receive(:branch_requires_code_owner_approval?)
-              .once.and_return(true)
-          end
-
-          it "returns an array of Proc(s)" do
-            validations = subject.send(:path_validations)
-
-            expect(validations.any?).to be_truthy
-            expect(validations.any? { |v| !v.is_a? Proc }).to be_falsy
-          end
+        before do
+          expect(project).to receive(:branch_requires_code_owner_approval?)
+            .once.and_return(true)
         end
 
-        context "updated_from_web? == true" do
-          before do
-            expect(subject).to receive(:updated_from_web?).and_return(true)
-            expect(project).not_to receive(:branch_requires_code_owner_approval?)
-          end
+        it "returns an array of Proc(s)" do
+          validations = subject.send(:path_validations)
 
-          it "returns an empty array" do
-            expect(subject.send(:path_validations)).to eq([])
-          end
+          expect(validations.any?).to be_truthy
+          expect(validations.any? { |v| !v.is_a? Proc }).to be_falsy
         end
       end
     end