2016-08-12 18:27:42 -04:00
require 'spec_helper'
2017-07-10 10:24:02 -04:00
describe Gitlab :: Checks :: ChangeAccess do
2016-08-12 18:27:42 -04:00
describe '#exec' do
let ( :user ) { create ( :user ) }
2017-01-24 18:42:12 -05:00
let ( :project ) { create ( :project , :repository ) }
2016-08-12 18:27:42 -04:00
let ( :user_access ) { Gitlab :: UserAccess . new ( user , project : project ) }
2017-04-03 19:05:51 -04:00
let ( :oldrev ) { 'be93687618e4b132087f430a4d8fc3a609c9b77c' }
let ( :newrev ) { '54fcc214b94e78d7a41a9a8fe6d87a5e59500e51' }
let ( :ref ) { 'refs/heads/master' }
let ( :changes ) { { oldrev : oldrev , newrev : newrev , ref : ref } }
2017-03-13 07:31:27 -04:00
let ( :protocol ) { 'ssh' }
2016-08-12 18:27:42 -04:00
2017-08-24 21:30:12 -04:00
let ( :change_access ) do
2017-03-13 07:31:27 -04:00
described_class . new (
changes ,
project : project ,
user_access : user_access ,
protocol : protocol
2017-08-24 21:30:12 -04:00
)
end
subject do
# TODO: Replace use of `subject` with `subject.exec`
# Then rename change_access back to subject
change_access . exec
2017-03-13 07:31:27 -04:00
end
2016-08-12 18:27:42 -04:00
2017-06-14 14:18:56 -04:00
before do
project . add_developer ( user )
end
2016-08-12 18:27:42 -04:00
context 'without failed checks' do
2017-05-19 15:58:45 -04:00
it " doesn't raise an error " do
expect { subject } . not_to raise_error
2016-08-12 18:27:42 -04:00
end
end
context 'when the user is not allowed to push code' do
2017-05-19 15:58:45 -04:00
it 'raises an error' do
2016-08-12 18:27:42 -04:00
expect ( user_access ) . to receive ( :can_do_action? ) . with ( :push_code ) . and_return ( false )
2017-05-19 15:58:45 -04:00
expect { subject } . to raise_error ( Gitlab :: GitAccess :: UnauthorizedError , 'You are not allowed to push code to this project.' )
2016-08-12 18:27:42 -04:00
end
end
context 'tags check' do
2017-04-03 19:05:51 -04:00
let ( :ref ) { 'refs/tags/v1.0.0' }
2016-08-12 18:27:42 -04:00
2017-05-19 15:58:45 -04:00
it 'raises an error if the user is not allowed to update tags' do
2017-03-31 12:57:29 -04:00
allow ( user_access ) . to receive ( :can_do_action? ) . with ( :push_code ) . and_return ( true )
2016-08-12 18:27:42 -04:00
expect ( user_access ) . to receive ( :can_do_action? ) . with ( :admin_project ) . and_return ( false )
2017-05-19 15:58:45 -04:00
expect { subject } . to raise_error ( Gitlab :: GitAccess :: UnauthorizedError , 'You are not allowed to change existing tags on this project.' )
2016-08-12 18:27:42 -04:00
end
2017-03-31 12:57:29 -04:00
context 'with protected tag' do
let! ( :protected_tag ) { create ( :protected_tag , project : project , name : 'v*' ) }
2017-04-03 19:05:51 -04:00
context 'as master' do
2017-06-14 14:18:56 -04:00
before do
project . add_master ( user )
end
2017-03-31 12:57:29 -04:00
2017-04-03 19:05:51 -04:00
context 'deletion' do
let ( :oldrev ) { 'be93687618e4b132087f430a4d8fc3a609c9b77c' }
let ( :newrev ) { '0000000000000000000000000000000000000000' }
it 'is prevented' do
2017-05-19 15:58:45 -04:00
expect { subject } . to raise_error ( Gitlab :: GitAccess :: UnauthorizedError , / cannot be deleted / )
2017-04-03 19:05:51 -04:00
end
2017-03-31 12:57:29 -04:00
end
2017-04-03 19:05:51 -04:00
context 'update' do
let ( :oldrev ) { 'be93687618e4b132087f430a4d8fc3a609c9b77c' }
let ( :newrev ) { '54fcc214b94e78d7a41a9a8fe6d87a5e59500e51' }
2017-03-31 12:57:29 -04:00
2017-04-03 19:05:51 -04:00
it 'is prevented' do
2017-05-19 15:58:45 -04:00
expect { subject } . to raise_error ( Gitlab :: GitAccess :: UnauthorizedError , / cannot be updated / )
2017-04-03 19:05:51 -04:00
end
end
2017-03-31 12:57:29 -04:00
end
2017-04-03 19:05:51 -04:00
context 'creation' do
let ( :oldrev ) { '0000000000000000000000000000000000000000' }
let ( :newrev ) { '54fcc214b94e78d7a41a9a8fe6d87a5e59500e51' }
let ( :ref ) { 'refs/tags/v9.1.0' }
2017-03-31 12:57:29 -04:00
2017-04-03 19:05:51 -04:00
it 'prevents creation below access level' do
2017-05-19 15:58:45 -04:00
expect { subject } . to raise_error ( Gitlab :: GitAccess :: UnauthorizedError , / allowed to create this tag as it is protected / )
2017-04-03 19:05:51 -04:00
end
context 'when user has access' do
2017-04-03 22:37:22 -04:00
let! ( :protected_tag ) { create ( :protected_tag , :developers_can_create , project : project , name : 'v*' ) }
2017-03-31 12:57:29 -04:00
2017-04-03 19:05:51 -04:00
it 'allows tag creation' do
2017-05-19 15:58:45 -04:00
expect { subject } . not_to raise_error
2017-04-03 19:05:51 -04:00
end
2017-03-31 12:57:29 -04:00
end
end
end
2016-08-12 18:27:42 -04:00
end
2017-05-08 03:41:58 -04:00
context 'branches check' do
context 'trying to delete the default branch' do
let ( :newrev ) { '0000000000000000000000000000000000000000' }
let ( :ref ) { 'refs/heads/master' }
2016-08-12 18:27:42 -04:00
2017-05-19 15:58:45 -04:00
it 'raises an error' do
expect { subject } . to raise_error ( Gitlab :: GitAccess :: UnauthorizedError , 'The default branch of a project cannot be deleted.' )
2017-05-08 03:41:58 -04:00
end
2016-08-12 18:27:42 -04:00
end
2017-05-08 03:41:58 -04:00
context 'protected branches check' do
before do
allow ( ProtectedBranch ) . to receive ( :protected? ) . with ( project , 'master' ) . and_return ( true )
allow ( ProtectedBranch ) . to receive ( :protected? ) . with ( project , 'feature' ) . and_return ( true )
end
2016-08-12 18:27:42 -04:00
2017-05-19 15:58:45 -04:00
it 'raises an error if the user is not allowed to do forced pushes to protected branches' do
2017-05-08 03:41:58 -04:00
expect ( Gitlab :: Checks :: ForcePush ) . to receive ( :force_push? ) . and_return ( true )
2016-08-12 18:27:42 -04:00
2017-05-19 15:58:45 -04:00
expect { subject } . to raise_error ( Gitlab :: GitAccess :: UnauthorizedError , 'You are not allowed to force push code to a protected branch on this project.' )
2017-05-08 03:41:58 -04:00
end
2016-08-12 18:27:42 -04:00
2017-05-19 15:58:45 -04:00
it 'raises an error if the user is not allowed to merge to protected branches' do
2017-05-08 03:41:58 -04:00
expect_any_instance_of ( Gitlab :: Checks :: MatchingMergeRequest ) . to receive ( :match? ) . and_return ( true )
expect ( user_access ) . to receive ( :can_merge_to_branch? ) . and_return ( false )
expect ( user_access ) . to receive ( :can_push_to_branch? ) . and_return ( false )
2016-08-12 18:27:42 -04:00
2017-05-19 15:58:45 -04:00
expect { subject } . to raise_error ( Gitlab :: GitAccess :: UnauthorizedError , 'You are not allowed to merge code into protected branches on this project.' )
2017-05-08 03:41:58 -04:00
end
2017-05-19 15:58:45 -04:00
it 'raises an error if the user is not allowed to push to protected branches' do
2017-05-08 03:41:58 -04:00
expect ( user_access ) . to receive ( :can_push_to_branch? ) . and_return ( false )
2016-08-12 18:27:42 -04:00
2017-05-19 15:58:45 -04:00
expect { subject } . to raise_error ( Gitlab :: GitAccess :: UnauthorizedError , 'You are not allowed to push code to protected branches on this project.' )
2017-05-08 03:41:58 -04:00
end
context 'branch deletion' do
let ( :newrev ) { '0000000000000000000000000000000000000000' }
let ( :ref ) { 'refs/heads/feature' }
context 'if the user is not allowed to delete protected branches' do
2017-05-19 15:58:45 -04:00
it 'raises an error' do
expect { subject } . to raise_error ( Gitlab :: GitAccess :: UnauthorizedError , 'You are not allowed to delete protected branches from this project. Only a project master or owner can delete a protected branch.' )
2017-05-08 03:41:58 -04:00
end
end
context 'if the user is allowed to delete protected branches' do
before do
project . add_master ( user )
end
context 'through the web interface' do
let ( :protocol ) { 'web' }
it 'allows branch deletion' do
2017-05-19 15:58:45 -04:00
expect { subject } . not_to raise_error
2017-05-08 03:41:58 -04:00
end
end
context 'over SSH or HTTP' do
2017-05-19 15:58:45 -04:00
it 'raises an error' do
expect { subject } . to raise_error ( Gitlab :: GitAccess :: UnauthorizedError , 'You can only delete protected branches using the web interface.' )
2017-05-08 03:41:58 -04:00
end
end
end
2016-08-12 18:27:42 -04:00
end
end
end
2017-08-24 21:30:12 -04:00
context 'LFS integrity check' do
let ( :blob_object ) { project . repository . blob_at_branch ( 'lfs' , 'files/lfs/lfs_object.iso' ) }
before do
allow_any_instance_of ( Gitlab :: Git :: RevList ) . to receive ( :new_objects ) do | & lazy_block |
lazy_block . call ( [ blob_object . id ] )
end
end
context 'with LFS not enabled' do
it 'skips integrity check' do
expect_any_instance_of ( Gitlab :: Git :: RevList ) . not_to receive ( :new_objects )
change_access . exec
end
end
context 'with LFS enabled' do
before do
allow ( project ) . to receive ( :lfs_enabled? ) . and_return ( true )
end
context 'deletion' do
let ( :changes ) { { oldrev : oldrev , ref : ref } }
it 'skips integrity check' do
expect_any_instance_of ( Gitlab :: Git :: RevList ) . not_to receive ( :new_objects )
change_access . exec
end
end
it 'fails if any LFS blobs are missing' do
expect { change_access . exec } . to raise_error ( Gitlab :: GitAccess :: UnauthorizedError , / LFS objects are missing / )
end
it 'succeeds if LFS objects have already been uploaded' do
lfs_object = create ( :lfs_object , oid : blob_object . lfs_oid )
create ( :lfs_objects_project , project : project , lfs_object : lfs_object )
expect { change_access . exec } . not_to raise_error
end
end
end
2016-08-12 18:27:42 -04:00
end
end