kotovalexarian-likes-gitlab/gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity
gitlab-org--gitlab-foss/spec/lib/gitlab/checks/change_access_spec.rb

222 lines
8.3 KiB
Ruby
Raw Normal View History

Change the order of the access rules to check simpler first, and add specs
2016-08-12 18:27:42 -04:00
require 'spec_helper'
Remove superfluous lib: true, type: redis, service: true, models: true, services: true, no_db: true, api: true Signed-off-by: Rémy Coutable <remy@rymai.me>
2017-07-10 10:24:02 -04:00
describe Gitlab::Checks::ChangeAccess do
Change the order of the access rules to check simpler first, and add specs
2016-08-12 18:27:42 -04:00
describe '#exec' do
let(:user) { create(:user) }
Use `:empty_project` where possible throughout spec/lib
2017-01-24 18:42:12 -05:00
let(:project) { create(:project, :repository) }
Change the order of the access rules to check simpler first, and add specs
2016-08-12 18:27:42 -04:00
let(:user_access) { Gitlab::UserAccess.new(user, project: project) }
Protected Tags prevents all updates instead of just force pushes. This only changes behaviour for masters, as developers are already prevented from updating/deleting tags without the Protected Tags feature
2017-04-03 19:05:51 -04:00
let(:oldrev) { 'be93687618e4b132087f430a4d8fc3a609c9b77c' }
let(:newrev) { '54fcc214b94e78d7a41a9a8fe6d87a5e59500e51' }
let(:ref) { 'refs/heads/master' }
let(:changes) { { oldrev: oldrev, newrev: newrev, ref: ref } }
Backport changes from gitlab-org/gitlab-ee!1406
2017-03-13 07:31:27 -04:00
let(:protocol) { 'ssh' }
Change the order of the access rules to check simpler first, and add specs
2016-08-12 18:27:42 -04:00
Replaced subject with subject.exec in spec/lib/gitlab/checks/change_access_spec.rb
2017-10-17 07:45:59 -04:00
subject(:change_access) do
Backport changes from gitlab-org/gitlab-ee!1406
2017-03-13 07:31:27 -04:00
described_class.new(
changes,
project: project,
user_access: user_access,
protocol: protocol
Prevent git push when LFS objects are missing
2017-08-24 21:30:12 -04:00
)
end
Correct RSpec/SingleLineHook cop offenses
2017-06-14 14:18:56 -04:00
before do
project.add_developer(user)
end
Change the order of the access rules to check simpler first, and add specs
2016-08-12 18:27:42 -04:00
context 'without failed checks' do
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate.
2017-05-19 15:58:45 -04:00
it "doesn't raise an error" do
Replaced subject with subject.exec in spec/lib/gitlab/checks/change_access_spec.rb
2017-10-17 07:45:59 -04:00
expect { subject.exec }.not_to raise_error
Change the order of the access rules to check simpler first, and add specs
2016-08-12 18:27:42 -04:00
end
end
Allow abilities on forks while MR is open When an MR is created using `allow_maintainer_to_push`, we enable some abilities while the MR is open. This should allow every user with developer abilities on the target project, to push to the source project.
2018-02-26 07:32:42 -05:00
context 'when the user is not allowed to push to the repo' do
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate.
2017-05-19 15:58:45 -04:00
it 'raises an error' do
Limit queries to a user-branch combination The query becomes a lot simpler if we can check the branch name as well instead of having to load all branch names.
2018-03-06 17:30:47 -05:00
expect(user_access).to receive(:can_do_action?).with(:push_code).and_return(false)
expect(user_access).to receive(:can_push_to_branch?).with('master').and_return(false)
Change the order of the access rules to check simpler first, and add specs
2016-08-12 18:27:42 -04:00
Replaced subject with subject.exec in spec/lib/gitlab/checks/change_access_spec.rb
2017-10-17 07:45:59 -04:00
expect { subject.exec }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to push code to this project.')
Change the order of the access rules to check simpler first, and add specs
2016-08-12 18:27:42 -04:00
end
end
context 'tags check' do
Protected Tags prevents all updates instead of just force pushes. This only changes behaviour for masters, as developers are already prevented from updating/deleting tags without the Protected Tags feature
2017-04-03 19:05:51 -04:00
let(:ref) { 'refs/tags/v1.0.0' }
Change the order of the access rules to check simpler first, and add specs
2016-08-12 18:27:42 -04:00
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate.
2017-05-19 15:58:45 -04:00
it 'raises an error if the user is not allowed to update tags' do
Limit queries to a user-branch combination The query becomes a lot simpler if we can check the branch name as well instead of having to load all branch names.
2018-03-06 17:30:47 -05:00
allow(user_access).to receive(:can_do_action?).with(:push_code).and_return(true)
Change the order of the access rules to check simpler first, and add specs
2016-08-12 18:27:42 -04:00
expect(user_access).to receive(:can_do_action?).with(:admin_project).and_return(false)
Replaced subject with subject.exec in spec/lib/gitlab/checks/change_access_spec.rb
2017-10-17 07:45:59 -04:00
expect { subject.exec }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to change existing tags on this project.')
Change the order of the access rules to check simpler first, and add specs
2016-08-12 18:27:42 -04:00
end
Protected Tags enforced over git
2017-03-31 12:57:29 -04:00
context 'with protected tag' do
let!(:protected_tag) { create(:protected_tag, project: project, name: 'v*') }
Protected Tags prevents all updates instead of just force pushes. This only changes behaviour for masters, as developers are already prevented from updating/deleting tags without the Protected Tags feature
2017-04-03 19:05:51 -04:00
context 'as master' do
Correct RSpec/SingleLineHook cop offenses
2017-06-14 14:18:56 -04:00
before do
project.add_master(user)
end
Protected Tags enforced over git
2017-03-31 12:57:29 -04:00
Protected Tags prevents all updates instead of just force pushes. This only changes behaviour for masters, as developers are already prevented from updating/deleting tags without the Protected Tags feature
2017-04-03 19:05:51 -04:00
context 'deletion' do
let(:oldrev) { 'be93687618e4b132087f430a4d8fc3a609c9b77c' }
let(:newrev) { '0000000000000000000000000000000000000000' }
it 'is prevented' do
Replaced subject with subject.exec in spec/lib/gitlab/checks/change_access_spec.rb
2017-10-17 07:45:59 -04:00
expect { subject.exec }.to raise_error(Gitlab::GitAccess::UnauthorizedError, /cannot be deleted/)
Protected Tags prevents all updates instead of just force pushes. This only changes behaviour for masters, as developers are already prevented from updating/deleting tags without the Protected Tags feature
2017-04-03 19:05:51 -04:00
end
Protected Tags enforced over git
2017-03-31 12:57:29 -04:00
end
Protected Tags prevents all updates instead of just force pushes. This only changes behaviour for masters, as developers are already prevented from updating/deleting tags without the Protected Tags feature
2017-04-03 19:05:51 -04:00
context 'update' do
let(:oldrev) { 'be93687618e4b132087f430a4d8fc3a609c9b77c' }
let(:newrev) { '54fcc214b94e78d7a41a9a8fe6d87a5e59500e51' }
Protected Tags enforced over git
2017-03-31 12:57:29 -04:00
Protected Tags prevents all updates instead of just force pushes. This only changes behaviour for masters, as developers are already prevented from updating/deleting tags without the Protected Tags feature
2017-04-03 19:05:51 -04:00
it 'is prevented' do
Replaced subject with subject.exec in spec/lib/gitlab/checks/change_access_spec.rb
2017-10-17 07:45:59 -04:00
expect { subject.exec }.to raise_error(Gitlab::GitAccess::UnauthorizedError, /cannot be updated/)
Protected Tags prevents all updates instead of just force pushes. This only changes behaviour for masters, as developers are already prevented from updating/deleting tags without the Protected Tags feature
2017-04-03 19:05:51 -04:00
end
end
Protected Tags enforced over git
2017-03-31 12:57:29 -04:00
end
Protected Tags prevents all updates instead of just force pushes. This only changes behaviour for masters, as developers are already prevented from updating/deleting tags without the Protected Tags feature
2017-04-03 19:05:51 -04:00
context 'creation' do
let(:oldrev) { '0000000000000000000000000000000000000000' }
let(:newrev) { '54fcc214b94e78d7a41a9a8fe6d87a5e59500e51' }
let(:ref) { 'refs/tags/v9.1.0' }
Protected Tags enforced over git
2017-03-31 12:57:29 -04:00
Protected Tags prevents all updates instead of just force pushes. This only changes behaviour for masters, as developers are already prevented from updating/deleting tags without the Protected Tags feature
2017-04-03 19:05:51 -04:00
it 'prevents creation below access level' do
Replaced subject with subject.exec in spec/lib/gitlab/checks/change_access_spec.rb
2017-10-17 07:45:59 -04:00
expect { subject.exec }.to raise_error(Gitlab::GitAccess::UnauthorizedError, /allowed to create this tag as it is protected/)
Protected Tags prevents all updates instead of just force pushes. This only changes behaviour for masters, as developers are already prevented from updating/deleting tags without the Protected Tags feature
2017-04-03 19:05:51 -04:00
end
context 'when user has access' do
Renamed ProtectedTag push_access_levels to create_access_levels
2017-04-03 22:37:22 -04:00
let!(:protected_tag) { create(:protected_tag, :developers_can_create, project: project, name: 'v*') }
Protected Tags enforced over git
2017-03-31 12:57:29 -04:00
Protected Tags prevents all updates instead of just force pushes. This only changes behaviour for masters, as developers are already prevented from updating/deleting tags without the Protected Tags feature
2017-04-03 19:05:51 -04:00
it 'allows tag creation' do
Replaced subject with subject.exec in spec/lib/gitlab/checks/change_access_spec.rb
2017-10-17 07:45:59 -04:00
expect { subject.exec }.not_to raise_error
Protected Tags prevents all updates instead of just force pushes. This only changes behaviour for masters, as developers are already prevented from updating/deleting tags without the Protected Tags feature
2017-04-03 19:05:51 -04:00
end
Protected Tags enforced over git
2017-03-31 12:57:29 -04:00
end
end
end
Change the order of the access rules to check simpler first, and add specs
2016-08-12 18:27:42 -04:00
end
Add confirm delete protected branch modal
2017-05-08 03:41:58 -04:00
context 'branches check' do
context 'trying to delete the default branch' do
let(:newrev) { '0000000000000000000000000000000000000000' }
let(:ref) { 'refs/heads/master' }
Change the order of the access rules to check simpler first, and add specs
2016-08-12 18:27:42 -04:00
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate.
2017-05-19 15:58:45 -04:00
it 'raises an error' do
Replaced subject with subject.exec in spec/lib/gitlab/checks/change_access_spec.rb
2017-10-17 07:45:59 -04:00
expect { subject.exec }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'The default branch of a project cannot be deleted.')
Add confirm delete protected branch modal
2017-05-08 03:41:58 -04:00
end
Change the order of the access rules to check simpler first, and add specs
2016-08-12 18:27:42 -04:00
end
Add confirm delete protected branch modal
2017-05-08 03:41:58 -04:00
context 'protected branches check' do
before do
allow(ProtectedBranch).to receive(:protected?).with(project, 'master').and_return(true)
allow(ProtectedBranch).to receive(:protected?).with(project, 'feature').and_return(true)
end
Change the order of the access rules to check simpler first, and add specs
2016-08-12 18:27:42 -04:00
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate.
2017-05-19 15:58:45 -04:00
it 'raises an error if the user is not allowed to do forced pushes to protected branches' do
Add confirm delete protected branch modal
2017-05-08 03:41:58 -04:00
expect(Gitlab::Checks::ForcePush).to receive(:force_push?).and_return(true)
Change the order of the access rules to check simpler first, and add specs
2016-08-12 18:27:42 -04:00
Replaced subject with subject.exec in spec/lib/gitlab/checks/change_access_spec.rb
2017-10-17 07:45:59 -04:00
expect { subject.exec }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to force push code to a protected branch on this project.')
Add confirm delete protected branch modal
2017-05-08 03:41:58 -04:00
end
Change the order of the access rules to check simpler first, and add specs
2016-08-12 18:27:42 -04:00
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate.
2017-05-19 15:58:45 -04:00
it 'raises an error if the user is not allowed to merge to protected branches' do
Add confirm delete protected branch modal
2017-05-08 03:41:58 -04:00
expect_any_instance_of(Gitlab::Checks::MatchingMergeRequest).to receive(:match?).and_return(true)
expect(user_access).to receive(:can_merge_to_branch?).and_return(false)
expect(user_access).to receive(:can_push_to_branch?).and_return(false)
Change the order of the access rules to check simpler first, and add specs
2016-08-12 18:27:42 -04:00
Replaced subject with subject.exec in spec/lib/gitlab/checks/change_access_spec.rb
2017-10-17 07:45:59 -04:00
expect { subject.exec }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to merge code into protected branches on this project.')
Add confirm delete protected branch modal
2017-05-08 03:41:58 -04:00
end
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate.
2017-05-19 15:58:45 -04:00
it 'raises an error if the user is not allowed to push to protected branches' do
Add confirm delete protected branch modal
2017-05-08 03:41:58 -04:00
expect(user_access).to receive(:can_push_to_branch?).and_return(false)
Change the order of the access rules to check simpler first, and add specs
2016-08-12 18:27:42 -04:00
Replaced subject with subject.exec in spec/lib/gitlab/checks/change_access_spec.rb
2017-10-17 07:45:59 -04:00
expect { subject.exec }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to push code to protected branches on this project.')
Add confirm delete protected branch modal
2017-05-08 03:41:58 -04:00
end
context 'branch deletion' do
let(:newrev) { '0000000000000000000000000000000000000000' }
let(:ref) { 'refs/heads/feature' }
context 'if the user is not allowed to delete protected branches' do
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate.
2017-05-19 15:58:45 -04:00
it 'raises an error' do
Replaced subject with subject.exec in spec/lib/gitlab/checks/change_access_spec.rb
2017-10-17 07:45:59 -04:00
expect { subject.exec }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to delete protected branches from this project. Only a project master or owner can delete a protected branch.')
Add confirm delete protected branch modal
2017-05-08 03:41:58 -04:00
end
end
context 'if the user is allowed to delete protected branches' do
before do
project.add_master(user)
end
context 'through the web interface' do
let(:protocol) { 'web' }
it 'allows branch deletion' do
Replaced subject with subject.exec in spec/lib/gitlab/checks/change_access_spec.rb
2017-10-17 07:45:59 -04:00
expect { subject.exec }.not_to raise_error
Add confirm delete protected branch modal
2017-05-08 03:41:58 -04:00
end
end
context 'over SSH or HTTP' do
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate.
2017-05-19 15:58:45 -04:00
it 'raises an error' do
Replaced subject with subject.exec in spec/lib/gitlab/checks/change_access_spec.rb
2017-10-17 07:45:59 -04:00
expect { subject.exec }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You can only delete protected branches using the web interface.')
Add confirm delete protected branch modal
2017-05-08 03:41:58 -04:00
end
end
end
Change the order of the access rules to check simpler first, and add specs
2016-08-12 18:27:42 -04:00
end
end
end
Prevent git push when LFS objects are missing
2017-08-24 21:30:12 -04:00
context 'LFS integrity check' do
Moved LfsIntegrity specs to own file
2017-11-08 07:27:01 -05:00
it 'fails if any LFS blobs are missing' do
allow_any_instance_of(Gitlab::Checks::LfsIntegrity).to receive(:objects_missing?).and_return(true)
Prevent git push when LFS objects are missing
2017-08-24 21:30:12 -04:00
Moved LfsIntegrity specs to own file
2017-11-08 07:27:01 -05:00
expect { subject.exec }.to raise_error(Gitlab::GitAccess::UnauthorizedError, /LFS objects are missing/)
Prevent git push when LFS objects are missing
2017-08-24 21:30:12 -04:00
end
Moved LfsIntegrity specs to own file
2017-11-08 07:27:01 -05:00
it 'succeeds if LFS objects have already been uploaded' do
allow_any_instance_of(Gitlab::Checks::LfsIntegrity).to receive(:objects_missing?).and_return(false)
Prevent git push when LFS objects are missing
2017-08-24 21:30:12 -04:00
Moved LfsIntegrity specs to own file
2017-11-08 07:27:01 -05:00
expect { subject.exec }.not_to raise_error
Prevent git push when LFS objects are missing
2017-08-24 21:30:12 -04:00
end
end
Backport of LFS File Locking API
2018-02-07 08:00:53 -05:00
context 'LFS file lock check' do
let(:owner) { create(:user) }
let!(:lock) { create(:lfs_file_lock, user: owner, project: project, path: 'README') }
before do
allow(project.repository).to receive(:new_commits).and_return(
project.repository.commits_between('be93687618e4b132087f430a4d8fc3a609c9b77c', '54fcc214b94e78d7a41a9a8fe6d87a5e59500e51')
)
end
context 'with LFS not enabled' do
it 'skips the validation' do
Avoid slow File Lock checks when not used Also avoid double commit lookup during file lock check by reusing memoized commits.
2018-02-15 00:21:17 -05:00
expect_any_instance_of(Gitlab::Checks::CommitCheck).not_to receive(:validate)
Backport of LFS File Locking API
2018-02-07 08:00:53 -05:00
subject.exec
end
end
context 'with LFS enabled' do
before do
allow(project).to receive(:lfs_enabled?).and_return(true)
end
context 'when change is sent by a different user' do
it 'raises an error if the user is not allowed to update the file' do
expect { subject.exec }.to raise_error(Gitlab::GitAccess::UnauthorizedError, "The path 'README' is locked in Git LFS by #{lock.user.name}")
end
end
Avoid slow File Lock checks when not used Also avoid double commit lookup during file lock check by reusing memoized commits.
2018-02-15 00:21:17 -05:00
context 'when change is sent by the author of the lock' do
Backport of LFS File Locking API
2018-02-07 08:00:53 -05:00
let(:user) { owner }
it "doesn't raise any error" do
expect { subject.exec }.not_to raise_error
end
end
end
end
Change the order of the access rules to check simpler first, and add specs
2016-08-12 18:27:42 -04:00
end
end
Copy permalink