gitlab-org--gitlab-foss/spec/lib/gitlab/checks/change_access_spec.rb

require 'spec_helper'

describe Gitlab::Checks::ChangeAccess do
  describe '#exec' do
    let(:user) { create(:user) }
    let(:project) { create(:project, :repository) }
    let(:user_access) { Gitlab::UserAccess.new(user, project: project) }
    let(:oldrev) { 'be93687618e4b132087f430a4d8fc3a609c9b77c' }
    let(:newrev) { '54fcc214b94e78d7a41a9a8fe6d87a5e59500e51' }
    let(:ref) { 'refs/heads/master' }
    let(:changes) { { oldrev: oldrev, newrev: newrev, ref: ref } }
    let(:protocol) { 'ssh' }

    subject do
      described_class.new(
        changes,
        project: project,
        user_access: user_access,
        protocol: protocol
      ).exec
    end

    before do
      project.add_developer(user)
    end

    context 'without failed checks' do
      it "doesn't raise an error" do
        expect { subject }.not_to raise_error
      end
    end

    context 'when the user is not allowed to push code' do
      it 'raises an error' do
        expect(user_access).to receive(:can_do_action?).with(:push_code).and_return(false)

        expect { subject }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to push code to this project.')
      end
    end

    context 'tags check' do
      let(:ref) { 'refs/tags/v1.0.0' }

      it 'raises an error if the user is not allowed to update tags' do
        allow(user_access).to receive(:can_do_action?).with(:push_code).and_return(true)
        expect(user_access).to receive(:can_do_action?).with(:admin_project).and_return(false)

        expect { subject }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to change existing tags on this project.')
      end

      context 'with protected tag' do
        let!(:protected_tag) { create(:protected_tag, project: project, name: 'v*') }

        context 'as master' do
          before do
            project.add_master(user)
          end

          context 'deletion' do
            let(:oldrev) { 'be93687618e4b132087f430a4d8fc3a609c9b77c' }
            let(:newrev) { '0000000000000000000000000000000000000000' }

            it 'is prevented' do
              expect { subject }.to raise_error(Gitlab::GitAccess::UnauthorizedError, /cannot be deleted/)
            end
          end

          context 'update' do
            let(:oldrev) { 'be93687618e4b132087f430a4d8fc3a609c9b77c' }
            let(:newrev) { '54fcc214b94e78d7a41a9a8fe6d87a5e59500e51' }

            it 'is prevented' do
              expect { subject }.to raise_error(Gitlab::GitAccess::UnauthorizedError, /cannot be updated/)
            end
          end
        end

        context 'creation' do
          let(:oldrev) { '0000000000000000000000000000000000000000' }
          let(:newrev) { '54fcc214b94e78d7a41a9a8fe6d87a5e59500e51' }
          let(:ref) { 'refs/tags/v9.1.0' }

          it 'prevents creation below access level' do
            expect { subject }.to raise_error(Gitlab::GitAccess::UnauthorizedError, /allowed to create this tag as it is protected/)
          end

          context 'when user has access' do
            let!(:protected_tag) { create(:protected_tag, :developers_can_create, project: project, name: 'v*') }

            it 'allows tag creation' do
              expect { subject }.not_to raise_error
            end
          end
        end
      end
    end

    context 'branches check' do
      context 'trying to delete the default branch' do
        let(:newrev) { '0000000000000000000000000000000000000000' }
        let(:ref) { 'refs/heads/master' }

        it 'raises an error' do
          expect { subject }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'The default branch of a project cannot be deleted.')
        end
      end

      context 'protected branches check' do
        before do
          allow(ProtectedBranch).to receive(:protected?).with(project, 'master').and_return(true)
          allow(ProtectedBranch).to receive(:protected?).with(project, 'feature').and_return(true)
        end

        it 'raises an error if the user is not allowed to do forced pushes to protected branches' do
          expect(Gitlab::Checks::ForcePush).to receive(:force_push?).and_return(true)

          expect { subject }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to force push code to a protected branch on this project.')
        end

        it 'raises an error if the user is not allowed to merge to protected branches' do
          expect_any_instance_of(Gitlab::Checks::MatchingMergeRequest).to receive(:match?).and_return(true)
          expect(user_access).to receive(:can_merge_to_branch?).and_return(false)
          expect(user_access).to receive(:can_push_to_branch?).and_return(false)

          expect { subject }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to merge code into protected branches on this project.')
        end

        it 'raises an error if the user is not allowed to push to protected branches' do
          expect(user_access).to receive(:can_push_to_branch?).and_return(false)

          expect { subject }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to push code to protected branches on this project.')
        end

        context 'branch deletion' do
          let(:newrev) { '0000000000000000000000000000000000000000' }
          let(:ref) { 'refs/heads/feature' }

          context 'if the user is not allowed to delete protected branches' do
            it 'raises an error' do
              expect { subject }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to delete protected branches from this project. Only a project master or owner can delete a protected branch.')
            end
          end

          context 'if the user is allowed to delete protected branches' do
            before do
              project.add_master(user)
            end

            context 'through the web interface' do
              let(:protocol) { 'web' }

              it 'allows branch deletion' do
                expect { subject }.not_to raise_error
              end
            end

            context 'over SSH or HTTP' do
              it 'raises an error' do
                expect { subject }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You can only delete protected branches using the web interface.')
              end
            end
          end
        end
      end
    end
  end
end
Change the order of the access rules to check simpler first, and add specs 2016-08-12 22:27:42 +00:00			`require 'spec_helper'`

Remove superfluous lib: true, type: redis, service: true, models: true, services: true, no_db: true, api: true Signed-off-by: Rémy Coutable <remy@rymai.me> 2017-07-10 14:24:02 +00:00			`describe Gitlab::Checks::ChangeAccess do`
Change the order of the access rules to check simpler first, and add specs 2016-08-12 22:27:42 +00:00			`describe '#exec' do`
			`let(:user) { create(:user) }`
Use `:empty_project` where possible throughout spec/lib 2017-01-24 23:42:12 +00:00			`let(:project) { create(:project, :repository) }`
Change the order of the access rules to check simpler first, and add specs 2016-08-12 22:27:42 +00:00			`let(:user_access) { Gitlab::UserAccess.new(user, project: project) }`
Protected Tags prevents all updates instead of just force pushes. This only changes behaviour for masters, as developers are already prevented from updating/deleting tags without the Protected Tags feature 2017-04-03 23:05:51 +00:00			`let(:oldrev) { 'be93687618e4b132087f430a4d8fc3a609c9b77c' }`
			`let(:newrev) { '54fcc214b94e78d7a41a9a8fe6d87a5e59500e51' }`
			`let(:ref) { 'refs/heads/master' }`
			`let(:changes) { { oldrev: oldrev, newrev: newrev, ref: ref } }`
Backport changes from gitlab-org/gitlab-ee!1406 2017-03-13 11:31:27 +00:00			`let(:protocol) { 'ssh' }`
Change the order of the access rules to check simpler first, and add specs 2016-08-12 22:27:42 +00:00
Backport changes from gitlab-org/gitlab-ee!1406 2017-03-13 11:31:27 +00:00			`subject do`
			`described_class.new(`
			`changes,`
			`project: project,`
			`user_access: user_access,`
			`protocol: protocol`
			`).exec`
			`end`
Change the order of the access rules to check simpler first, and add specs 2016-08-12 22:27:42 +00:00
Correct RSpec/SingleLineHook cop offenses 2017-06-14 18:18:56 +00:00			`before do`
			`project.add_developer(user)`
			`end`
Change the order of the access rules to check simpler first, and add specs 2016-08-12 22:27:42 +00:00
			`context 'without failed checks' do`
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate. 2017-05-19 19:58:45 +00:00			`it "doesn't raise an error" do`
			`expect { subject }.not_to raise_error`
Change the order of the access rules to check simpler first, and add specs 2016-08-12 22:27:42 +00:00			`end`
			`end`

			`context 'when the user is not allowed to push code' do`
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate. 2017-05-19 19:58:45 +00:00			`it 'raises an error' do`
Change the order of the access rules to check simpler first, and add specs 2016-08-12 22:27:42 +00:00			`expect(user_access).to receive(:can_do_action?).with(:push_code).and_return(false)`

Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate. 2017-05-19 19:58:45 +00:00			`expect { subject }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to push code to this project.')`
Change the order of the access rules to check simpler first, and add specs 2016-08-12 22:27:42 +00:00			`end`
			`end`

			`context 'tags check' do`
Protected Tags prevents all updates instead of just force pushes. This only changes behaviour for masters, as developers are already prevented from updating/deleting tags without the Protected Tags feature 2017-04-03 23:05:51 +00:00			`let(:ref) { 'refs/tags/v1.0.0' }`
Change the order of the access rules to check simpler first, and add specs 2016-08-12 22:27:42 +00:00
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate. 2017-05-19 19:58:45 +00:00			`it 'raises an error if the user is not allowed to update tags' do`
Protected Tags enforced over git 2017-03-31 16:57:29 +00:00			`allow(user_access).to receive(:can_do_action?).with(:push_code).and_return(true)`
Change the order of the access rules to check simpler first, and add specs 2016-08-12 22:27:42 +00:00			`expect(user_access).to receive(:can_do_action?).with(:admin_project).and_return(false)`

Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate. 2017-05-19 19:58:45 +00:00			`expect { subject }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to change existing tags on this project.')`
Change the order of the access rules to check simpler first, and add specs 2016-08-12 22:27:42 +00:00			`end`
Protected Tags enforced over git 2017-03-31 16:57:29 +00:00
			`context 'with protected tag' do`
			`let!(:protected_tag) { create(:protected_tag, project: project, name: 'v*') }`

Protected Tags prevents all updates instead of just force pushes. This only changes behaviour for masters, as developers are already prevented from updating/deleting tags without the Protected Tags feature 2017-04-03 23:05:51 +00:00			`context 'as master' do`
Correct RSpec/SingleLineHook cop offenses 2017-06-14 18:18:56 +00:00			`before do`
			`project.add_master(user)`
			`end`
Protected Tags enforced over git 2017-03-31 16:57:29 +00:00
Protected Tags prevents all updates instead of just force pushes. This only changes behaviour for masters, as developers are already prevented from updating/deleting tags without the Protected Tags feature 2017-04-03 23:05:51 +00:00			`context 'deletion' do`
			`let(:oldrev) { 'be93687618e4b132087f430a4d8fc3a609c9b77c' }`
			`let(:newrev) { '0000000000000000000000000000000000000000' }`

			`it 'is prevented' do`
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate. 2017-05-19 19:58:45 +00:00			`expect { subject }.to raise_error(Gitlab::GitAccess::UnauthorizedError, /cannot be deleted/)`
Protected Tags prevents all updates instead of just force pushes. This only changes behaviour for masters, as developers are already prevented from updating/deleting tags without the Protected Tags feature 2017-04-03 23:05:51 +00:00			`end`
Protected Tags enforced over git 2017-03-31 16:57:29 +00:00			`end`

Protected Tags prevents all updates instead of just force pushes. This only changes behaviour for masters, as developers are already prevented from updating/deleting tags without the Protected Tags feature 2017-04-03 23:05:51 +00:00			`context 'update' do`
			`let(:oldrev) { 'be93687618e4b132087f430a4d8fc3a609c9b77c' }`
			`let(:newrev) { '54fcc214b94e78d7a41a9a8fe6d87a5e59500e51' }`
Protected Tags enforced over git 2017-03-31 16:57:29 +00:00
Protected Tags prevents all updates instead of just force pushes. This only changes behaviour for masters, as developers are already prevented from updating/deleting tags without the Protected Tags feature 2017-04-03 23:05:51 +00:00			`it 'is prevented' do`
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate. 2017-05-19 19:58:45 +00:00			`expect { subject }.to raise_error(Gitlab::GitAccess::UnauthorizedError, /cannot be updated/)`
Protected Tags prevents all updates instead of just force pushes. This only changes behaviour for masters, as developers are already prevented from updating/deleting tags without the Protected Tags feature 2017-04-03 23:05:51 +00:00			`end`
			`end`
Protected Tags enforced over git 2017-03-31 16:57:29 +00:00			`end`

Protected Tags prevents all updates instead of just force pushes. This only changes behaviour for masters, as developers are already prevented from updating/deleting tags without the Protected Tags feature 2017-04-03 23:05:51 +00:00			`context 'creation' do`
			`let(:oldrev) { '0000000000000000000000000000000000000000' }`
			`let(:newrev) { '54fcc214b94e78d7a41a9a8fe6d87a5e59500e51' }`
			`let(:ref) { 'refs/tags/v9.1.0' }`
Protected Tags enforced over git 2017-03-31 16:57:29 +00:00
Protected Tags prevents all updates instead of just force pushes. This only changes behaviour for masters, as developers are already prevented from updating/deleting tags without the Protected Tags feature 2017-04-03 23:05:51 +00:00			`it 'prevents creation below access level' do`
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate. 2017-05-19 19:58:45 +00:00			`expect { subject }.to raise_error(Gitlab::GitAccess::UnauthorizedError, /allowed to create this tag as it is protected/)`
Protected Tags prevents all updates instead of just force pushes. This only changes behaviour for masters, as developers are already prevented from updating/deleting tags without the Protected Tags feature 2017-04-03 23:05:51 +00:00			`end`

			`context 'when user has access' do`
Renamed ProtectedTag push_access_levels to create_access_levels 2017-04-04 02:37:22 +00:00			`let!(:protected_tag) { create(:protected_tag, :developers_can_create, project: project, name: 'v*') }`
Protected Tags enforced over git 2017-03-31 16:57:29 +00:00
Protected Tags prevents all updates instead of just force pushes. This only changes behaviour for masters, as developers are already prevented from updating/deleting tags without the Protected Tags feature 2017-04-03 23:05:51 +00:00			`it 'allows tag creation' do`
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate. 2017-05-19 19:58:45 +00:00			`expect { subject }.not_to raise_error`
Protected Tags prevents all updates instead of just force pushes. This only changes behaviour for masters, as developers are already prevented from updating/deleting tags without the Protected Tags feature 2017-04-03 23:05:51 +00:00			`end`
Protected Tags enforced over git 2017-03-31 16:57:29 +00:00			`end`
			`end`
			`end`
Change the order of the access rules to check simpler first, and add specs 2016-08-12 22:27:42 +00:00			`end`

Add confirm delete protected branch modal 2017-05-08 07:41:58 +00:00			`context 'branches check' do`
			`context 'trying to delete the default branch' do`
			`let(:newrev) { '0000000000000000000000000000000000000000' }`
			`let(:ref) { 'refs/heads/master' }`
Change the order of the access rules to check simpler first, and add specs 2016-08-12 22:27:42 +00:00
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate. 2017-05-19 19:58:45 +00:00			`it 'raises an error' do`
			`expect { subject }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'The default branch of a project cannot be deleted.')`
Add confirm delete protected branch modal 2017-05-08 07:41:58 +00:00			`end`
Change the order of the access rules to check simpler first, and add specs 2016-08-12 22:27:42 +00:00			`end`

Add confirm delete protected branch modal 2017-05-08 07:41:58 +00:00			`context 'protected branches check' do`
			`before do`
			`allow(ProtectedBranch).to receive(:protected?).with(project, 'master').and_return(true)`
			`allow(ProtectedBranch).to receive(:protected?).with(project, 'feature').and_return(true)`
			`end`
Change the order of the access rules to check simpler first, and add specs 2016-08-12 22:27:42 +00:00
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate. 2017-05-19 19:58:45 +00:00			`it 'raises an error if the user is not allowed to do forced pushes to protected branches' do`
Add confirm delete protected branch modal 2017-05-08 07:41:58 +00:00			`expect(Gitlab::Checks::ForcePush).to receive(:force_push?).and_return(true)`
Change the order of the access rules to check simpler first, and add specs 2016-08-12 22:27:42 +00:00
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate. 2017-05-19 19:58:45 +00:00			`expect { subject }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to force push code to a protected branch on this project.')`
Add confirm delete protected branch modal 2017-05-08 07:41:58 +00:00			`end`
Change the order of the access rules to check simpler first, and add specs 2016-08-12 22:27:42 +00:00
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate. 2017-05-19 19:58:45 +00:00			`it 'raises an error if the user is not allowed to merge to protected branches' do`
Add confirm delete protected branch modal 2017-05-08 07:41:58 +00:00			`expect_any_instance_of(Gitlab::Checks::MatchingMergeRequest).to receive(:match?).and_return(true)`
			`expect(user_access).to receive(:can_merge_to_branch?).and_return(false)`
			`expect(user_access).to receive(:can_push_to_branch?).and_return(false)`
Change the order of the access rules to check simpler first, and add specs 2016-08-12 22:27:42 +00:00
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate. 2017-05-19 19:58:45 +00:00			`expect { subject }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to merge code into protected branches on this project.')`
Add confirm delete protected branch modal 2017-05-08 07:41:58 +00:00			`end`

Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate. 2017-05-19 19:58:45 +00:00			`it 'raises an error if the user is not allowed to push to protected branches' do`
Add confirm delete protected branch modal 2017-05-08 07:41:58 +00:00			`expect(user_access).to receive(:can_push_to_branch?).and_return(false)`
Change the order of the access rules to check simpler first, and add specs 2016-08-12 22:27:42 +00:00
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate. 2017-05-19 19:58:45 +00:00			`expect { subject }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to push code to protected branches on this project.')`
Add confirm delete protected branch modal 2017-05-08 07:41:58 +00:00			`end`

			`context 'branch deletion' do`
			`let(:newrev) { '0000000000000000000000000000000000000000' }`
			`let(:ref) { 'refs/heads/feature' }`

			`context 'if the user is not allowed to delete protected branches' do`
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate. 2017-05-19 19:58:45 +00:00			`it 'raises an error' do`
			`expect { subject }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to delete protected branches from this project. Only a project master or owner can delete a protected branch.')`
Add confirm delete protected branch modal 2017-05-08 07:41:58 +00:00			`end`
			`end`

			`context 'if the user is allowed to delete protected branches' do`
			`before do`
			`project.add_master(user)`
			`end`

			`context 'through the web interface' do`
			`let(:protocol) { 'web' }`

			`it 'allows branch deletion' do`
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate. 2017-05-19 19:58:45 +00:00			`expect { subject }.not_to raise_error`
Add confirm delete protected branch modal 2017-05-08 07:41:58 +00:00			`end`
			`end`

			`context 'over SSH or HTTP' do`
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate. 2017-05-19 19:58:45 +00:00			`it 'raises an error' do`
			`expect { subject }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You can only delete protected branches using the web interface.')`
Add confirm delete protected branch modal 2017-05-08 07:41:58 +00:00			`end`
			`end`
			`end`
Change the order of the access rules to check simpler first, and add specs 2016-08-12 22:27:42 +00:00			`end`
			`end`
			`end`
			`end`
			`end`