From 08cc6afc6eaa05fbc072452901a7d381bbdb2af8 Mon Sep 17 00:00:00 2001 From: Robert Schilling Date: Sat, 25 Aug 2018 05:38:54 +0000 Subject: [PATCH] API: Protected tags --- app/models/protected_tag.rb | 2 + changelogs/unreleased/api-protected-tags.yml | 5 + ...711103851_drop_duplicate_protected_tags.rb | 45 ++++ ...20180711103922_add_protected_tags_index.rb | 18 ++ db/schema.rb | 1 + doc/api/README.md | 1 + doc/api/protected_tags.md | 128 +++++++++++ lib/api/api.rb | 9 +- lib/api/entities.rb | 5 + lib/api/protected_tags.rb | 79 +++++++ .../drop_duplicate_protected_tags_spec.rb | 40 ++++ spec/requests/api/protected_tags_spec.rb | 202 ++++++++++++++++++ 12 files changed, 531 insertions(+), 4 deletions(-) create mode 100644 changelogs/unreleased/api-protected-tags.yml create mode 100644 db/migrate/20180711103851_drop_duplicate_protected_tags.rb create mode 100644 db/migrate/20180711103922_add_protected_tags_index.rb create mode 100644 doc/api/protected_tags.md create mode 100644 lib/api/protected_tags.rb create mode 100644 spec/migrations/drop_duplicate_protected_tags_spec.rb create mode 100644 spec/requests/api/protected_tags_spec.rb diff --git a/app/models/protected_tag.rb b/app/models/protected_tag.rb index a36f0d36262..94746141945 100644 --- a/app/models/protected_tag.rb +++ b/app/models/protected_tag.rb @@ -4,6 +4,8 @@ class ProtectedTag < ActiveRecord::Base include Gitlab::ShellAdapter include ProtectedRef + validates :name, uniqueness: { scope: :project_id } + protected_ref_access_levels :create def self.protected?(project, ref_name) diff --git a/changelogs/unreleased/api-protected-tags.yml b/changelogs/unreleased/api-protected-tags.yml new file mode 100644 index 00000000000..6e7ecf24b6e --- /dev/null +++ b/changelogs/unreleased/api-protected-tags.yml @@ -0,0 +1,5 @@ +--- +title: 'API: Protected tags' +merge_request: 14986 +author: Robert Schilling +type: added diff --git a/db/migrate/20180711103851_drop_duplicate_protected_tags.rb b/db/migrate/20180711103851_drop_duplicate_protected_tags.rb new file mode 100644 index 00000000000..8fa2137551e --- /dev/null +++ b/db/migrate/20180711103851_drop_duplicate_protected_tags.rb @@ -0,0 +1,45 @@ +# See http://doc.gitlab.com/ce/development/migration_style_guide.html +# for more information on how to write migrations for GitLab. + +class DropDuplicateProtectedTags < ActiveRecord::Migration + DOWNTIME = false + + disable_ddl_transaction! + + BATCH_SIZE = 1000 + + class Project < ActiveRecord::Base + self.table_name = 'projects' + + include ::EachBatch + end + + class ProtectedTag < ActiveRecord::Base + self.table_name = 'protected_tags' + end + + def up + Project.each_batch(of: BATCH_SIZE) do |projects| + ids = ProtectedTag + .where(project_id: projects) + .group(:name, :project_id) + .select('max(id)') + + tags = ProtectedTag + .where(project_id: projects) + .where.not(id: ids) + + if Gitlab::Database.postgresql? + tags.delete_all + else + # Workaround needed for MySQL + sql = "SELECT id FROM (#{tags.to_sql}) protected_tags" + + ProtectedTag.where("id IN (#{sql})").delete_all # rubocop:disable GitlabSecurity/SqlInjection + end + end + end + + def down + end +end diff --git a/db/migrate/20180711103922_add_protected_tags_index.rb b/db/migrate/20180711103922_add_protected_tags_index.rb new file mode 100644 index 00000000000..7ed2258ebaf --- /dev/null +++ b/db/migrate/20180711103922_add_protected_tags_index.rb @@ -0,0 +1,18 @@ +# See http://doc.gitlab.com/ce/development/migration_style_guide.html +# for more information on how to write migrations for GitLab. + +class AddProtectedTagsIndex < ActiveRecord::Migration + include Gitlab::Database::MigrationHelpers + + DOWNTIME = false + + disable_ddl_transaction! + + def up + add_concurrent_index :protected_tags, [:project_id, :name], unique: true + end + + def down + remove_concurrent_index :protected_tags, [:project_id, :name] + end +end diff --git a/db/schema.rb b/db/schema.rb index f5ce7df60e8..380d4e49ddf 100644 --- a/db/schema.rb +++ b/db/schema.rb @@ -1741,6 +1741,7 @@ ActiveRecord::Schema.define(version: 20180816193530) do t.datetime "updated_at", null: false end + add_index "protected_tags", ["project_id", "name"], name: "index_protected_tags_on_project_id_and_name", unique: true, using: :btree add_index "protected_tags", ["project_id"], name: "index_protected_tags_on_project_id", using: :btree create_table "push_event_payloads", id: false, force: :cascade do |t| diff --git a/doc/api/README.md b/doc/api/README.md index 45e926d3b6b..e2a6e87a2c3 100644 --- a/doc/api/README.md +++ b/doc/api/README.md @@ -53,6 +53,7 @@ following locations: - [Project Members](members.md) - [Project Snippets](project_snippets.md) - [Protected Branches](protected_branches.md) +- [Protected Tags](protected_tags.md) - [Repositories](repositories.md) - [Repository Files](repository_files.md) - [Runners](runners.md) diff --git a/doc/api/protected_tags.md b/doc/api/protected_tags.md new file mode 100644 index 00000000000..aa750e467f8 --- /dev/null +++ b/doc/api/protected_tags.md @@ -0,0 +1,128 @@ +# Protected tags API + +>**Note:** This feature was introduced in GitLab 11.3 + +**Valid access levels** + +Currently, these levels are recognized: +``` +0 => No access +30 => Developer access +40 => Maintainer access +``` + +## List protected tags + +Gets a list of protected tags from a project. +This function takes pagination parameters `page` and `per_page` to restrict the list of protected tags. + +``` +GET /projects/:id/protected_tags +``` + +| Attribute | Type | Required | Description | +| --------- | ---- | -------- | ----------- | +| `id` | integer/string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) owned by the authenticated user | + +```bash +curl --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" 'https://gitlab.example.com/api/v4/projects/5/protected_tags' +``` + +Example response: + +```json +[ + { + "name": "release-1-0", + "create_access_levels": [ + { + "access_level": 40, + "access_level_description": "Maintainers" + } + ] + }, + ... +] +``` + +## Get a single protected tag or wildcard protected tag + +Gets a single protected tag or wildcard protected tag. +The pagination parameters `page` and `per_page` can be used to restrict the list of protected tags. + +``` +GET /projects/:id/protected_tags/:name +``` + +| Attribute | Type | Required | Description | +| --------- | ---- | -------- | ----------- | +| `id` | integer/string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) owned by the authenticated user | +| `name` | string | yes | The name of the tag or wildcard | + +```bash +curl --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" 'https://gitlab.example.com/api/v4/projects/5/protected_tags/release-1-0' +``` + +Example response: + +```json +{ + "name": "release-1-0", + "create_access_levels": [ + { + "access_level": 40, + "access_level_description": "Maintainers" + } + ] +} +``` + +## Protect repository tags + +Protects a single repository tag or several project repository +tags using a wildcard protected tag. + +``` +POST /projects/:id/protected_tags +``` + +```bash +curl --request POST --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" 'https://gitlab.example.com/api/v4/projects/5/protected_tags?name=*-stable&create_access_level=30' +``` + +| Attribute | Type | Required | Description | +| --------- | ---- | -------- | ----------- | +| `id` | integer/string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) owned by the authenticated user | +| `name` | string | yes | The name of the tag or wildcard | +| `create_access_level` | string | no | Access levels allowed to create (defaults: `40`, maintainer access level) | + +Example response: + +```json +{ + "name": "*-stable", + "create_access_levels": [ + { + "access_level": 30, + "access_level_description": "Developers + Maintainers" + } + ] +} +``` + +## Unprotect repository tags + +Unprotects the given protected tag or wildcard protected tag. + +``` +DELETE /projects/:id/protected_tags/:name +``` + +```bash +curl --request DELETE --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" 'https://gitlab.example.com/api/v4/projects/5/protected_tags/*-stable' +``` + +| Attribute | Type | Required | Description | +| --------- | ---- | -------- | ----------- | +| `id` | integer/string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) owned by the authenticated user | +| `name` | string | yes | The name of the tag | diff --git a/lib/api/api.rb b/lib/api/api.rb index e2ad3c5f4e3..c000666d992 100644 --- a/lib/api/api.rb +++ b/lib/api/api.rb @@ -99,12 +99,13 @@ module API mount ::API::Features mount ::API::Files mount ::API::GroupBoards - mount ::API::Groups mount ::API::GroupMilestones + mount ::API::Groups + mount ::API::GroupVariables mount ::API::Internal mount ::API::Issues - mount ::API::Jobs mount ::API::JobArtifacts + mount ::API::Jobs mount ::API::Keys mount ::API::Labels mount ::API::Lint @@ -122,11 +123,12 @@ module API mount ::API::ProjectExport mount ::API::ProjectImport mount ::API::ProjectHooks - mount ::API::Projects mount ::API::ProjectMilestones + mount ::API::Projects mount ::API::ProjectSnapshots mount ::API::ProjectSnippets mount ::API::ProtectedBranches + mount ::API::ProtectedTags mount ::API::Repositories mount ::API::Runner mount ::API::Runners @@ -143,7 +145,6 @@ module API mount ::API::Triggers mount ::API::Users mount ::API::Variables - mount ::API::GroupVariables mount ::API::Version mount ::API::Wikis diff --git a/lib/api/entities.rb b/lib/api/entities.rb index 06262f0f991..95b25d7351a 100644 --- a/lib/api/entities.rb +++ b/lib/api/entities.rb @@ -429,6 +429,11 @@ module API expose :merge_access_levels, using: Entities::ProtectedRefAccess end + class ProtectedTag < Grape::Entity + expose :name + expose :create_access_levels, using: Entities::ProtectedRefAccess + end + class Milestone < Grape::Entity expose :id, :iid expose :project_id, if: -> (entity, options) { entity&.project_id } diff --git a/lib/api/protected_tags.rb b/lib/api/protected_tags.rb new file mode 100644 index 00000000000..bf0a7184e1c --- /dev/null +++ b/lib/api/protected_tags.rb @@ -0,0 +1,79 @@ +module API + class ProtectedTags < Grape::API + include PaginationParams + + TAG_ENDPOINT_REQUIREMENTS = API::PROJECT_ENDPOINT_REQUIREMENTS.merge(name: API::NO_SLASH_URL_PART_REGEX) + + before { authorize_admin_project } + + params do + requires :id, type: String, desc: 'The ID of a project' + end + resource :projects, requirements: API::PROJECT_ENDPOINT_REQUIREMENTS do + desc "Get a project's protected tags" do + detail 'This feature was introduced in GitLab 11.3.' + success Entities::ProtectedTag + end + params do + use :pagination + end + get ':id/protected_tags' do + protected_tags = user_project.protected_tags.preload(:create_access_levels) + + present paginate(protected_tags), with: Entities::ProtectedTag, project: user_project + end + + desc 'Get a single protected tag' do + detail 'This feature was introduced in GitLab 11.3.' + success Entities::ProtectedTag + end + params do + requires :name, type: String, desc: 'The name of the tag or wildcard' + end + get ':id/protected_tags/:name', requirements: TAG_ENDPOINT_REQUIREMENTS do + protected_tag = user_project.protected_tags.find_by!(name: params[:name]) + + present protected_tag, with: Entities::ProtectedTag, project: user_project + end + + desc 'Protect a single tag or wildcard' do + detail 'This feature was introduced in GitLab 11.3.' + success Entities::ProtectedTag + end + params do + requires :name, type: String, desc: 'The name of the protected tag' + optional :create_access_level, type: Integer, default: Gitlab::Access::MAINTAINER, + values: ProtectedRefAccess::ALLOWED_ACCESS_LEVELS, + desc: 'Access levels allowed to create (defaults: `40`, maintainer access level)' + end + post ':id/protected_tags' do + protected_tags_params = { + name: params[:name], + create_access_levels_attributes: [{ access_level: params[:create_access_level] }] + } + + protected_tag = ::ProtectedTags::CreateService.new(user_project, + current_user, + protected_tags_params).execute + + if protected_tag.persisted? + present protected_tag, with: Entities::ProtectedTag, project: user_project + else + render_api_error!(protected_tag.errors.full_messages, 422) + end + end + + desc 'Unprotect a single tag' do + detail 'This feature was introduced in GitLab 11.3.' + end + params do + requires :name, type: String, desc: 'The name of the protected tag' + end + delete ':id/protected_tags/:name', requirements: TAG_ENDPOINT_REQUIREMENTS do + protected_tag = user_project.protected_tags.find_by!(name: params[:name]) + + destroy_conditionally!(protected_tag) + end + end + end +end diff --git a/spec/migrations/drop_duplicate_protected_tags_spec.rb b/spec/migrations/drop_duplicate_protected_tags_spec.rb new file mode 100644 index 00000000000..acfb6850722 --- /dev/null +++ b/spec/migrations/drop_duplicate_protected_tags_spec.rb @@ -0,0 +1,40 @@ +require 'spec_helper' +require Rails.root.join('db', 'migrate', '20180711103851_drop_duplicate_protected_tags.rb') + +describe DropDuplicateProtectedTags, :migration do + let(:namespaces) { table(:namespaces) } + let(:projects) { table(:projects) } + let(:protected_tags) { table(:protected_tags) } + + before do + stub_const("#{described_class}::BATCH_SIZE", 2) + + namespaces.create(id: 1, name: 'gitlab-org', path: 'gitlab-org') + projects.create!(id: 1, namespace_id: 1, name: 'gitlab1', path: 'gitlab1') + projects.create!(id: 2, namespace_id: 1, name: 'gitlab2', path: 'gitlab2') + end + + it 'removes duplicated protected tags' do + protected_tags.create!(id: 1, project_id: 1, name: 'foo') + tag2 = protected_tags.create!(id: 2, project_id: 1, name: 'foo1') + protected_tags.create!(id: 3, project_id: 1, name: 'foo') + tag4 = protected_tags.create!(id: 4, project_id: 1, name: 'foo') + tag5 = protected_tags.create!(id: 5, project_id: 2, name: 'foo') + + migrate! + + expect(protected_tags.all.count).to eq 3 + expect(protected_tags.all.pluck(:id)).to contain_exactly(tag2.id, tag4.id, tag5.id) + end + + it 'does not remove unique protected tags' do + tag1 = protected_tags.create!(id: 1, project_id: 1, name: 'foo1') + tag2 = protected_tags.create!(id: 2, project_id: 1, name: 'foo2') + tag3 = protected_tags.create!(id: 3, project_id: 1, name: 'foo3') + + migrate! + + expect(protected_tags.all.count).to eq 3 + expect(protected_tags.all.pluck(:id)).to contain_exactly(tag1.id, tag2.id, tag3.id) + end +end diff --git a/spec/requests/api/protected_tags_spec.rb b/spec/requests/api/protected_tags_spec.rb new file mode 100644 index 00000000000..f4f3ef31bc3 --- /dev/null +++ b/spec/requests/api/protected_tags_spec.rb @@ -0,0 +1,202 @@ +require 'spec_helper' + +describe API::ProtectedTags do + let(:user) { create(:user) } + let!(:project) { create(:project, :repository) } + let(:project2) { create(:project, path: 'project2', namespace: user.namespace) } + let(:protected_name) { 'feature' } + let(:tag_name) { protected_name } + let!(:protected_tag) do + create(:protected_tag, project: project, name: protected_name) + end + + describe 'GET /projects/:id/protected_tags' do + let(:route) { "/projects/#{project.id}/protected_tags" } + + shared_examples_for 'protected tags' do + it 'returns the protected tags' do + get api(route, user), per_page: 100 + + expect(response).to have_gitlab_http_status(200) + expect(response).to include_pagination_headers + expect(json_response).to be_an Array + + protected_tag_names = json_response.map { |x| x['name'] } + expected_tags_names = project.protected_tags.map { |x| x['name'] } + expect(protected_tag_names).to match_array(expected_tags_names) + end + end + + context 'when authenticated as a maintainer' do + before do + project.add_maintainer(user) + end + + it_behaves_like 'protected tags' + end + + context 'when authenticated as a guest' do + before do + project.add_guest(user) + end + + it_behaves_like '403 response' do + let(:request) { get api(route, user) } + end + end + end + + describe 'GET /projects/:id/protected_tags/:tag' do + let(:route) { "/projects/#{project.id}/protected_tags/#{tag_name}" } + + shared_examples_for 'protected tag' do + it 'returns the protected tag' do + get api(route, user) + + expect(response).to have_gitlab_http_status(200) + expect(json_response['name']).to eq(tag_name) + expect(json_response['create_access_levels'][0]['access_level']).to eq(::Gitlab::Access::MAINTAINER) + end + + context 'when protected tag does not exist' do + let(:tag_name) { 'unknown' } + + it_behaves_like '404 response' do + let(:request) { get api(route, user) } + let(:message) { '404 Not found' } + end + end + end + + context 'when authenticated as a maintainer' do + before do + project.add_maintainer(user) + end + + it_behaves_like 'protected tag' + + context 'when protected tag contains a wildcard' do + let(:protected_name) { 'feature*' } + + it_behaves_like 'protected tag' + end + end + + context 'when authenticated as a guest' do + before do + project.add_guest(user) + end + + it_behaves_like '403 response' do + let(:request) { get api(route, user) } + end + end + end + + describe 'POST /projects/:id/protected_tags' do + let(:tag_name) { 'new_tag' } + + context 'when authenticated as a maintainer' do + before do + project.add_maintainer(user) + end + + it 'protects a single tag with maintainers can create tags' do + post api("/projects/#{project.id}/protected_tags", user), name: tag_name + + expect(response).to have_gitlab_http_status(201) + expect(json_response['name']).to eq(tag_name) + expect(json_response['create_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER) + end + + it 'protects a single tag with developers can create tags' do + post api("/projects/#{project.id}/protected_tags", user), + name: tag_name, create_access_level: 30 + + expect(response).to have_gitlab_http_status(201) + expect(json_response['name']).to eq(tag_name) + expect(json_response['create_access_levels'][0]['access_level']).to eq(Gitlab::Access::DEVELOPER) + end + + it 'protects a single tag with no one can create tags' do + post api("/projects/#{project.id}/protected_tags", user), + name: tag_name, create_access_level: 0 + + expect(response).to have_gitlab_http_status(201) + expect(json_response['name']).to eq(tag_name) + expect(json_response['create_access_levels'][0]['access_level']).to eq(Gitlab::Access::NO_ACCESS) + end + + it 'returns a 422 error if the same tag is protected twice' do + post api("/projects/#{project.id}/protected_tags", user), name: protected_name + + expect(response).to have_gitlab_http_status(422) + expect(json_response['message'][0]).to eq('Name has already been taken') + end + + it 'returns 201 if the same tag is proteted on different projects' do + post api("/projects/#{project.id}/protected_tags", user), name: protected_name + post api("/projects/#{project2.id}/protected_tags", user), name: protected_name + + expect(response).to have_gitlab_http_status(201) + expect(json_response['name']).to eq(protected_name) + end + + context 'when tag has a wildcard in its name' do + let(:tag_name) { 'feature/*' } + + it 'protects multiple tags with a wildcard in the name' do + post api("/projects/#{project.id}/protected_tags", user), name: tag_name + + expect(response).to have_gitlab_http_status(201) + expect(json_response['name']).to eq(tag_name) + expect(json_response['create_access_levels'][0]['access_level']).to eq(Gitlab::Access::MAINTAINER) + end + end + end + + context 'when authenticated as a guest' do + before do + project.add_guest(user) + end + + it 'returns a 403 error if guest' do + post api("/projects/#{project.id}/protected_tags/", user), name: tag_name + + expect(response).to have_gitlab_http_status(403) + end + end + end + + describe 'DELETE /projects/:id/protected_tags/unprotect/:tag' do + before do + project.add_maintainer(user) + end + + it 'unprotects a single tag' do + delete api("/projects/#{project.id}/protected_tags/#{tag_name}", user) + + expect(response).to have_gitlab_http_status(204) + end + + it_behaves_like '412 response' do + let(:request) { api("/projects/#{project.id}/protected_tags/#{tag_name}", user) } + end + + it "returns 404 if tag does not exist" do + delete api("/projects/#{project.id}/protected_tags/barfoo", user) + + expect(response).to have_gitlab_http_status(404) + end + + context 'when tag has a wildcard in its name' do + let(:protected_name) { 'feature*' } + + it 'unprotects a wildcard tag' do + delete api("/projects/#{project.id}/protected_tags/#{tag_name}", user) + + expect(response).to have_gitlab_http_status(204) + end + end + end +end