branch_check_spec.rb 7.13 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57
# frozen_string_literal: true

require 'spec_helper'

describe Gitlab::Checks::BranchCheck do
  include_context 'change access checks context'

  describe '#validate!' do
    it 'does not raise any error' do
      expect { subject.validate! }.not_to raise_error
    end

    context 'trying to delete the default branch' do
      let(:newrev) { '0000000000000000000000000000000000000000' }
      let(:ref) { 'refs/heads/master' }

      it 'raises an error' do
        expect { subject.validate! }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'The default branch of a project cannot be deleted.')
      end
    end

    context 'protected branches check' do
      before do
        allow(ProtectedBranch).to receive(:protected?).with(project, 'master').and_return(true)
        allow(ProtectedBranch).to receive(:protected?).with(project, 'feature').and_return(true)
      end

      it 'raises an error if the user is not allowed to do forced pushes to protected branches' do
        expect(Gitlab::Checks::ForcePush).to receive(:force_push?).and_return(true)

        expect { subject.validate! }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to force push code to a protected branch on this project.')
      end

      it 'raises an error if the user is not allowed to merge to protected branches' do
        expect_any_instance_of(Gitlab::Checks::MatchingMergeRequest).to receive(:match?).and_return(true)
        expect(user_access).to receive(:can_merge_to_branch?).and_return(false)
        expect(user_access).to receive(:can_push_to_branch?).and_return(false)

        expect { subject.validate! }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to merge code into protected branches on this project.')
      end

      it 'raises an error if the user is not allowed to push to protected branches' do
        expect(user_access).to receive(:can_push_to_branch?).and_return(false)

        expect { subject.validate! }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to push code to protected branches on this project.')
      end

      context 'when project repository is empty' do
        let(:project) { create(:project) }

        it 'raises an error if the user is not allowed to push to protected branches' do
          expect(user_access).to receive(:can_push_to_branch?).and_return(false)

          expect { subject.validate! }.to raise_error(Gitlab::GitAccess::UnauthorizedError, /Ask a project Owner or Maintainer to create a default branch/)
        end
      end

58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157
      context 'branch creation' do
        let(:oldrev) { '0000000000000000000000000000000000000000' }
        let(:ref) { 'refs/heads/feature' }

        context 'protected branch creation feature is disabled' do
          before do
            stub_feature_flags(protected_branch_creation: false)
          end

          context 'user is not allowed to push to protected branch' do
            before do
              allow(user_access)
                .to receive(:can_push_to_branch?)
                .and_return(false)
            end

            it 'raises an error' do
              expect { subject.validate! }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to push code to protected branches on this project.')
            end
          end

          context 'user is allowed to push to protected branch' do
            before do
              allow(user_access)
                .to receive(:can_push_to_branch?)
                .and_return(true)
            end

            it 'does not raise an error' do
              expect { subject.validate! }.not_to raise_error
            end
          end
        end

        context 'protected branch creation feature is enabled' do
          context 'user is not allowed to create protected branches' do
            before do
              allow(user_access)
                .to receive(:can_merge_to_branch?)
                .with('feature')
                .and_return(false)
            end

            it 'raises an error' do
              expect { subject.validate! }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to create protected branches on this project.')
            end
          end

          context 'user is allowed to create protected branches' do
            before do
              allow(user_access)
                .to receive(:can_merge_to_branch?)
                .with('feature')
                .and_return(true)

              allow(project.repository)
                .to receive(:branch_names_contains_sha)
                .with(newrev)
                .and_return(['branch'])
            end

            context "newrev isn't in any protected branches" do
              before do
                allow(ProtectedBranch)
                  .to receive(:any_protected?)
                  .with(project, ['branch'])
                  .and_return(false)
              end

              it 'raises an error' do
                expect { subject.validate! }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You can only use an existing protected branch ref as the basis of a new protected branch.')
              end
            end

            context 'newrev is included in a protected branch' do
              before do
                allow(ProtectedBranch)
                  .to receive(:any_protected?)
                  .with(project, ['branch'])
                  .and_return(true)
              end

              context 'via web interface' do
                let(:protocol) { 'web' }

                it 'allows branch creation' do
                  expect { subject.validate! }.not_to raise_error
                end
              end

              context 'via SSH' do
                it 'raises an error' do
                  expect { subject.validate! }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You can only create protected branches using the web interface and API.')
                end
              end
            end
          end
        end
      end

158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190
      context 'branch deletion' do
        let(:newrev) { '0000000000000000000000000000000000000000' }
        let(:ref) { 'refs/heads/feature' }

        context 'if the user is not allowed to delete protected branches' do
          it 'raises an error' do
            expect { subject.validate! }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to delete protected branches from this project. Only a project maintainer or owner can delete a protected branch.')
          end
        end

        context 'if the user is allowed to delete protected branches' do
          before do
            project.add_maintainer(user)
          end

          context 'through the web interface' do
            let(:protocol) { 'web' }

            it 'allows branch deletion' do
              expect { subject.validate! }.not_to raise_error
            end
          end

          context 'over SSH or HTTP' do
            it 'raises an error' do
              expect { subject.validate! }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You can only delete protected branches using the web interface.')
            end
          end
        end
      end
    end
  end
end