GitLab steht wegen Wartungsarbeiten am Montag, den 10. Mai, zwischen 17:00 und 19:00 Uhr nicht zur Verfügung.

branch_check_spec.rb 8.24 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50
# frozen_string_literal: true

require 'spec_helper'

describe Gitlab::Checks::BranchCheck do
  include_context 'change access checks context'

  describe '#validate!' do
    it 'does not raise any error' do
      expect { subject.validate! }.not_to raise_error
    end

    context 'trying to delete the default branch' do
      let(:newrev) { '0000000000000000000000000000000000000000' }
      let(:ref) { 'refs/heads/master' }

      it 'raises an error' do
        expect { subject.validate! }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'The default branch of a project cannot be deleted.')
      end
    end

    context 'protected branches check' do
      before do
        allow(ProtectedBranch).to receive(:protected?).with(project, 'master').and_return(true)
        allow(ProtectedBranch).to receive(:protected?).with(project, 'feature').and_return(true)
      end

      it 'raises an error if the user is not allowed to do forced pushes to protected branches' do
        expect(Gitlab::Checks::ForcePush).to receive(:force_push?).and_return(true)

        expect { subject.validate! }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to force push code to a protected branch on this project.')
      end

      it 'raises an error if the user is not allowed to merge to protected branches' do
        expect_any_instance_of(Gitlab::Checks::MatchingMergeRequest).to receive(:match?).and_return(true)
        expect(user_access).to receive(:can_merge_to_branch?).and_return(false)
        expect(user_access).to receive(:can_push_to_branch?).and_return(false)

        expect { subject.validate! }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to merge code into protected branches on this project.')
      end

      it 'raises an error if the user is not allowed to push to protected branches' do
        expect(user_access).to receive(:can_push_to_branch?).and_return(false)

        expect { subject.validate! }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to push code to protected branches on this project.')
      end

      context 'when project repository is empty' do
        let(:project) { create(:project) }

51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68
        context 'user is not allowed to push to protected branches' do
          before do
            allow(user_access)
              .to receive(:can_push_to_branch?)
              .and_return(false)
          end

          it 'raises an error' do
            expect { subject.validate! }.to raise_error(Gitlab::GitAccess::UnauthorizedError, /Ask a project Owner or Maintainer to create a default branch/)
          end
        end

        context 'user is allowed to push to protected branches' do
          before do
            allow(user_access)
              .to receive(:can_push_to_branch?)
              .and_return(true)
          end
69

70 71 72
          it 'allows branch creation' do
            expect { subject.validate! }.not_to raise_error
          end
73 74 75
        end
      end

76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110
      context 'branch creation' do
        let(:oldrev) { '0000000000000000000000000000000000000000' }
        let(:ref) { 'refs/heads/feature' }

        context 'protected branch creation feature is disabled' do
          before do
            stub_feature_flags(protected_branch_creation: false)
          end

          context 'user is not allowed to push to protected branch' do
            before do
              allow(user_access)
                .to receive(:can_push_to_branch?)
                .and_return(false)
            end

            it 'raises an error' do
              expect { subject.validate! }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to push code to protected branches on this project.')
            end
          end

          context 'user is allowed to push to protected branch' do
            before do
              allow(user_access)
                .to receive(:can_push_to_branch?)
                .and_return(true)
            end

            it 'does not raise an error' do
              expect { subject.validate! }.not_to raise_error
            end
          end
        end

        context 'protected branch creation feature is enabled' do
111
          context 'user can push to branch' do
112 113
            before do
              allow(user_access)
114
                .to receive(:can_push_to_branch?)
115
                .with('feature')
116
                .and_return(true)
117 118
            end

119 120
            it 'does not raise an error' do
              expect { subject.validate! }.not_to raise_error
121 122 123
            end
          end

124
          context 'user cannot push to branch' do
125 126
            before do
              allow(user_access)
127
                .to receive(:can_push_to_branch?)
128
                .with('feature')
129
                .and_return(false)
130 131
            end

132
            context 'user cannot merge to branch' do
133
              before do
134 135 136
                allow(user_access)
                  .to receive(:can_merge_to_branch?)
                  .with('feature')
137 138 139 140
                  .and_return(false)
              end

              it 'raises an error' do
141
                expect { subject.validate! }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to create protected branches on this project.')
142 143 144
              end
            end

145
            context 'user can merge to branch' do
146
              before do
147 148 149
                allow(user_access)
                  .to receive(:can_merge_to_branch?)
                  .with('feature')
150
                  .and_return(true)
151 152 153 154 155

                allow(project.repository)
                  .to receive(:branch_names_contains_sha)
                  .with(newrev)
                  .and_return(['branch'])
156 157
              end

158 159 160 161 162 163 164
              context "newrev isn't in any protected branches" do
                before do
                  allow(ProtectedBranch)
                    .to receive(:any_protected?)
                    .with(project, ['branch'])
                    .and_return(false)
                end
165

166 167
                it 'raises an error' do
                  expect { subject.validate! }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You can only use an existing protected branch ref as the basis of a new protected branch.')
168 169 170
                end
              end

171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190
              context 'newrev is included in a protected branch' do
                before do
                  allow(ProtectedBranch)
                    .to receive(:any_protected?)
                    .with(project, ['branch'])
                    .and_return(true)
                end

                context 'via web interface' do
                  let(:protocol) { 'web' }

                  it 'allows branch creation' do
                    expect { subject.validate! }.not_to raise_error
                  end
                end

                context 'via SSH' do
                  it 'raises an error' do
                    expect { subject.validate! }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You can only create protected branches using the web interface and API.')
                  end
191 192 193 194 195 196 197
                end
              end
            end
          end
        end
      end

198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230
      context 'branch deletion' do
        let(:newrev) { '0000000000000000000000000000000000000000' }
        let(:ref) { 'refs/heads/feature' }

        context 'if the user is not allowed to delete protected branches' do
          it 'raises an error' do
            expect { subject.validate! }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to delete protected branches from this project. Only a project maintainer or owner can delete a protected branch.')
          end
        end

        context 'if the user is allowed to delete protected branches' do
          before do
            project.add_maintainer(user)
          end

          context 'through the web interface' do
            let(:protocol) { 'web' }

            it 'allows branch deletion' do
              expect { subject.validate! }.not_to raise_error
            end
          end

          context 'over SSH or HTTP' do
            it 'raises an error' do
              expect { subject.validate! }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You can only delete protected branches using the web interface.')
            end
          end
        end
      end
    end
  end
end