Merge branch 'master' into new-resolvable-discussion

7 files changed, 359 insertions, 23 deletions

diff --git a/spec/lib/gitlab/cache/ci/project_pipeline_status_spec.rb b/spec/lib/gitlab/cache/ci/project_pipeline_status_spec.rb
new file mode 100644
index 00000000000..fced253dd01
--- /dev/null
+++ b/spec/lib/gitlab/cache/ci/project_pipeline_status_spec.rb
@@ -0,0 +1,190 @@
+require 'spec_helper'
+
+describe Gitlab::Cache::Ci::ProjectPipelineStatus do
+  let(:project) { create(:project) }
+  let(:pipeline_status) { described_class.new(project) }
+
+  describe '.load_for_project' do
+    it "loads the status" do
+      expect_any_instance_of(described_class).to receive(:load_status)
+
+      described_class.load_for_project(project)
+    end
+  end
+
+  describe '.update_for_pipeline' do
+    it 'refreshes the cache if nescessary' do
+      pipeline = build_stubbed(:ci_pipeline, sha: '123456', status: 'success')
+      fake_status = double
+      expect(described_class).to receive(:new).
+                                   with(pipeline.project, sha: '123456', status: 'success', ref: 'master').
+                                   and_return(fake_status)
+
+      expect(fake_status).to receive(:store_in_cache_if_needed)
+
+      described_class.update_for_pipeline(pipeline)
+    end
+  end
+
+  describe '#has_status?' do
+    it "is false when the status wasn't loaded yet" do
+      expect(pipeline_status.has_status?).to be_falsy
+    end
+
+    it 'is true when all status information was loaded' do
+      fake_commit = double
+      allow(fake_commit).to receive(:status).and_return('failed')
+      allow(fake_commit).to receive(:sha).and_return('failed424d1b73bc0d3cb726eb7dc4ce17a4d48552f8c6')
+      allow(pipeline_status).to receive(:commit).and_return(fake_commit)
+      allow(pipeline_status).to receive(:has_cache?).and_return(false)
+
+      pipeline_status.load_status
+
+      expect(pipeline_status.has_status?).to be_truthy
+    end
+  end
+
+  describe '#load_status' do
+    it 'loads the status from the cache when there is one' do
+      expect(pipeline_status).to receive(:has_cache?).and_return(true)
+      expect(pipeline_status).to receive(:load_from_cache)
+
+      pipeline_status.load_status
+    end
+
+    it 'loads the status from the project commit when there is no cache' do
+      allow(pipeline_status).to receive(:has_cache?).and_return(false)
+
+      expect(pipeline_status).to receive(:load_from_project)
+
+      pipeline_status.load_status
+    end
+
+    it 'stores the status in the cache when it loading it from the project' do
+      allow(pipeline_status).to receive(:has_cache?).and_return(false)
+      allow(pipeline_status).to receive(:load_from_project)
+
+      expect(pipeline_status).to receive(:store_in_cache)
+
+      pipeline_status.load_status
+    end
+
+    it 'sets the state to loaded' do
+      pipeline_status.load_status
+
+      expect(pipeline_status).to be_loaded
+    end
+
+    it 'only loads the status once' do
+      expect(pipeline_status).to receive(:has_cache?).and_return(true).exactly(1)
+      expect(pipeline_status).to receive(:load_from_cache).exactly(1)
+
+      pipeline_status.load_status
+      pipeline_status.load_status
+    end
+  end
+
+  describe "#load_from_project" do
+    let!(:pipeline) { create(:ci_pipeline, :success, project: project, sha: project.commit.sha) }
+
+    it 'reads the status from the pipeline for the commit' do
+      pipeline_status.load_from_project
+
+      expect(pipeline_status.status).to eq('success')
+      expect(pipeline_status.sha).to eq(project.commit.sha)
+      expect(pipeline_status.ref).to eq(project.default_branch)
+    end
+
+    it "doesn't fail for an empty project" do
+      status_for_empty_commit = described_class.new(create(:empty_project))
+
+      status_for_empty_commit.load_status
+
+      expect(status_for_empty_commit).to be_loaded
+    end
+  end
+
+  describe "#store_in_cache", :redis do
+    it "sets the object in redis" do
+      pipeline_status.sha = '123456'
+      pipeline_status.status = 'failed'
+
+      pipeline_status.store_in_cache
+      read_sha, read_status = Gitlab::Redis.with { |redis| redis.hmget("projects/#{project.id}/build_status", :sha, :status) }
+
+      expect(read_sha).to eq('123456')
+      expect(read_status).to eq('failed')
+    end
+  end
+
+  describe '#store_in_cache_if_needed', :redis do
+    it 'stores the state in the cache when the sha is the HEAD of the project' do
+      create(:ci_pipeline, :success, project: project, sha: project.commit.sha)
+      build_status = described_class.load_for_project(project)
+
+      build_status.store_in_cache_if_needed
+      sha, status, ref = Gitlab::Redis.with { |redis| redis.hmget("projects/#{project.id}/build_status", :sha, :status, :ref) }
+
+      expect(sha).not_to be_nil
+      expect(status).not_to be_nil
+      expect(ref).not_to be_nil
+    end
+
+    it "doesn't store the status in redis when the sha is not the head of the project" do
+      other_status = described_class.new(project, sha: "123456", status: "failed")
+
+      other_status.store_in_cache_if_needed
+      sha, status = Gitlab::Redis.with { |redis| redis.hmget("projects/#{project.id}/build_status", :sha, :status) }
+
+      expect(sha).to be_nil
+      expect(status).to be_nil
+    end
+
+    it "deletes the cache if the repository doesn't have a head commit" do
+      empty_project = create(:empty_project)
+      Gitlab::Redis.with { |redis| redis.mapped_hmset("projects/#{empty_project.id}/build_status", { sha: "sha", status: "pending", ref: 'master' }) }
+      other_status = described_class.new(empty_project, sha: "123456", status: "failed")
+
+      other_status.store_in_cache_if_needed
+      sha, status, ref = Gitlab::Redis.with { |redis| redis.hmget("projects/#{empty_project.id}/build_status", :sha, :status, :ref) }
+
+      expect(sha).to be_nil
+      expect(status).to be_nil
+      expect(ref).to be_nil
+    end
+  end
+
+  describe "with a status in redis", :redis do
+    let(:status) { 'success' }
+    let(:sha) { '424d1b73bc0d3cb726eb7dc4ce17a4d48552f8c6' }
+
+    before do
+      Gitlab::Redis.with { |redis| redis.mapped_hmset("projects/#{project.id}/build_status", { sha: sha, status: status }) }
+    end
+
+    describe '#load_from_cache' do
+      it 'reads the status from redis' do
+        pipeline_status.load_from_cache
+
+        expect(pipeline_status.sha).to eq(sha)
+        expect(pipeline_status.status).to eq(status)
+      end
+    end
+
+    describe '#has_cache?' do
+      it 'knows the status is cached' do
+        expect(pipeline_status.has_cache?).to be_truthy
+      end
+    end
+
+    describe '#delete_from_cache' do
+      it 'deletes values from redis'  do
+        pipeline_status.delete_from_cache
+
+        key_exists = Gitlab::Redis.with { |redis| redis.exists("projects/#{project.id}/build_status") }
+
+        expect(key_exists).to be_falsy
+      end
+    end
+  end
+end
diff --git a/spec/lib/gitlab/checks/change_access_spec.rb b/spec/lib/gitlab/checks/change_access_spec.rb
index e22f88b7a32..959ae02c222 100644
--- a/spec/lib/gitlab/checks/change_access_spec.rb
+++ b/spec/lib/gitlab/checks/change_access_spec.rb
@@ -5,13 +5,10 @@ describe Gitlab::Checks::ChangeAccess, lib: true do
     let(:user) { create(:user) }
     let(:project) { create(:project, :repository) }
     let(:user_access) { Gitlab::UserAccess.new(user, project: project) }
-    let(:changes) do
-      {
-        oldrev: 'be93687618e4b132087f430a4d8fc3a609c9b77c',
-        newrev: '54fcc214b94e78d7a41a9a8fe6d87a5e59500e51',
-        ref: 'refs/heads/master'
-      }
-    end
+    let(:oldrev) { 'be93687618e4b132087f430a4d8fc3a609c9b77c' }
+    let(:newrev) { '54fcc214b94e78d7a41a9a8fe6d87a5e59500e51' }
+    let(:ref) { 'refs/heads/master' }
+    let(:changes) { { oldrev: oldrev, newrev: newrev, ref: ref } }
     let(:protocol) { 'ssh' }
 
     subject do
@@ -23,7 +20,7 @@ describe Gitlab::Checks::ChangeAccess, lib: true do
       ).exec
     end
 
-    before { allow(user_access).to receive(:can_do_action?).with(:push_code).and_return(true) }
+    before { project.add_developer(user) }
 
     context 'without failed checks' do
       it "doesn't return any error" do
@@ -41,25 +38,67 @@ describe Gitlab::Checks::ChangeAccess, lib: true do
     end
 
     context 'tags check' do
-      let(:changes) do
-        {
-          oldrev: 'be93687618e4b132087f430a4d8fc3a609c9b77c',
-          newrev: '54fcc214b94e78d7a41a9a8fe6d87a5e59500e51',
-          ref: 'refs/tags/v1.0.0'
-        }
-      end
+      let(:ref) { 'refs/tags/v1.0.0' }
 
       it 'returns an error if the user is not allowed to update tags' do
+        allow(user_access).to receive(:can_do_action?).with(:push_code).and_return(true)
         expect(user_access).to receive(:can_do_action?).with(:admin_project).and_return(false)
 
         expect(subject.status).to be(false)
         expect(subject.message).to eq('You are not allowed to change existing tags on this project.')
       end
+
+      context 'with protected tag' do
+        let!(:protected_tag) { create(:protected_tag, project: project, name: 'v*') }
+
+        context 'as master' do
+          before { project.add_master(user) }
+
+          context 'deletion' do
+            let(:oldrev) { 'be93687618e4b132087f430a4d8fc3a609c9b77c' }
+            let(:newrev) { '0000000000000000000000000000000000000000' }
+
+            it 'is prevented' do
+              expect(subject.status).to be(false)
+              expect(subject.message).to include('cannot be deleted')
+            end
+          end
+
+          context 'update' do
+            let(:oldrev) { 'be93687618e4b132087f430a4d8fc3a609c9b77c' }
+            let(:newrev) { '54fcc214b94e78d7a41a9a8fe6d87a5e59500e51' }
+
+            it 'is prevented' do
+              expect(subject.status).to be(false)
+              expect(subject.message).to include('cannot be updated')
+            end
+          end
+        end
+
+        context 'creation' do
+          let(:oldrev) { '0000000000000000000000000000000000000000' }
+          let(:newrev) { '54fcc214b94e78d7a41a9a8fe6d87a5e59500e51' }
+          let(:ref) { 'refs/tags/v9.1.0' }
+
+          it 'prevents creation below access level' do
+            expect(subject.status).to be(false)
+            expect(subject.message).to include('allowed to create this tag as it is protected')
+          end
+
+          context 'when user has access' do
+            let!(:protected_tag) { create(:protected_tag, :developers_can_create, project: project, name: 'v*') }
+
+            it 'allows tag creation' do
+              expect(subject.status).to be(true)
+            end
+          end
+        end
+      end
     end
 
     context 'protected branches check' do
       before do
-        allow(project).to receive(:protected_branch?).with('master').and_return(true)
+        allow(ProtectedBranch).to receive(:protected?).with(project, 'master').and_return(true)
       end
 
       it 'returns an error if the user is not allowed to do forced pushes to protected branches' do
@@ -86,13 +125,7 @@ describe Gitlab::Checks::ChangeAccess, lib: true do
       end
 
       context 'branch deletion' do
-        let(:changes) do
-          {
-            oldrev: 'be93687618e4b132087f430a4d8fc3a609c9b77c',
-            newrev: '0000000000000000000000000000000000000000',
-            ref: 'refs/heads/master'
-          }
-        end
+        let(:newrev) { '0000000000000000000000000000000000000000' }
 
         it 'returns an error if the user is not allowed to delete protected branches' do
           expect(subject.status).to be(false)
diff --git a/spec/lib/gitlab/import_export/all_models.yml b/spec/lib/gitlab/import_export/all_models.yml
index 9770d2e3b13..0abf89d060c 100644
--- a/spec/lib/gitlab/import_export/all_models.yml
+++ b/spec/lib/gitlab/import_export/all_models.yml
@@ -124,10 +124,15 @@ protected_branches:
 - project
 - merge_access_levels
 - push_access_levels
+protected_tags:
+- project
+- create_access_levels
 merge_access_levels:
 - protected_branch
 push_access_levels:
 - protected_branch
+create_access_levels:
+- protected_tag
 container_repositories:
 - project
 - name
@@ -188,6 +193,7 @@ project:
 - snippets
 - hooks
 - protected_branches
+- protected_tags
 - project_members
 - users
 - requesters
diff --git a/spec/lib/gitlab/import_export/project.json b/spec/lib/gitlab/import_export/project.json
index d9b67426818..7a0b0b06d4b 100644
--- a/spec/lib/gitlab/import_export/project.json
+++ b/spec/lib/gitlab/import_export/project.json
@@ -7455,6 +7455,24 @@
       ]
     }
   ],
+  "protected_tags": [
+    {
+      "id": 1,
+      "project_id": 9,
+      "name": "v*",
+      "created_at": "2017-04-04T13:48:13.426Z",
+      "updated_at": "2017-04-04T13:48:13.426Z",
+      "create_access_levels": [
+        {
+          "id": 1,
+          "protected_tag_id": 1,
+          "access_level": 40,
+          "created_at": "2017-04-04T13:48:13.458Z",
+          "updated_at": "2017-04-04T13:48:13.458Z"
+        }
+      ]
+    }
+  ],
   "project_feature": {
     "builds_access_level": 0,
     "created_at": "2014-12-26T09:26:45.000Z",
diff --git a/spec/lib/gitlab/import_export/project_tree_restorer_spec.rb b/spec/lib/gitlab/import_export/project_tree_restorer_spec.rb
index af9c25acb02..0e9607c5bd3 100644
--- a/spec/lib/gitlab/import_export/project_tree_restorer_spec.rb
+++ b/spec/lib/gitlab/import_export/project_tree_restorer_spec.rb
@@ -64,6 +64,10 @@ describe Gitlab::ImportExport::ProjectTreeRestorer, services: true do
         expect(ProtectedBranch.first.push_access_levels).not_to be_empty
       end
 
+      it 'contains the create access levels on a protected tag' do
+        expect(ProtectedTag.first.create_access_levels).not_to be_empty
+      end
+
       context 'event at forth level of the tree' do
         let(:event) { Event.where(title: 'test levels').first }
 
diff --git a/spec/lib/gitlab/import_export/safe_model_attributes.yml b/spec/lib/gitlab/import_export/safe_model_attributes.yml
index 04b5c80f22d..0372e3f7dbf 100644
--- a/spec/lib/gitlab/import_export/safe_model_attributes.yml
+++ b/spec/lib/gitlab/import_export/safe_model_attributes.yml
@@ -253,6 +253,8 @@ Ci::TriggerSchedule:
 - cron
 - cron_timezone
 - next_run_at
+- ref
+- active
 DeployKey:
 - id
 - user_id
@@ -313,6 +315,12 @@ ProtectedBranch:
 - name
 - created_at
 - updated_at
+ProtectedTag:
+- id
+- project_id
+- name
+- created_at
+- updated_at
 Project:
 - description
 - issues_enabled
@@ -346,6 +354,14 @@ ProtectedBranch::PushAccessLevel:
 - access_level
 - created_at
 - updated_at
+ProtectedTag::CreateAccessLevel:
+- id
+- protected_tag_id
+- access_level
+- created_at
+- updated_at
+- user_id
+- group_id
 AwardEmoji:
 - id
 - user_id
diff --git a/spec/lib/gitlab/user_access_spec.rb b/spec/lib/gitlab/user_access_spec.rb
index 369e55f61f1..611cdbbc865 100644
--- a/spec/lib/gitlab/user_access_spec.rb
+++ b/spec/lib/gitlab/user_access_spec.rb
@@ -142,4 +142,73 @@ describe Gitlab::UserAccess, lib: true do
       end
     end
   end
+
+  describe 'can_create_tag?' do
+    describe 'push to none protected tag' do
+      it 'returns true if user is a master' do
+        project.add_user(user, :master)
+
+        expect(access.can_create_tag?('random_tag')).to be_truthy
+      end
+
+      it 'returns true if user is a developer' do
+        project.add_user(user, :developer)
+
+        expect(access.can_create_tag?('random_tag')).to be_truthy
+      end
+
+      it 'returns false if user is a reporter' do
+        project.add_user(user, :reporter)
+
+        expect(access.can_create_tag?('random_tag')).to be_falsey
+      end
+    end
+
+    describe 'push to protected tag' do
+      let(:tag) { create(:protected_tag, project: project, name: "test") }
+      let(:not_existing_tag) { create :protected_tag, project: project }
+
+      it 'returns true if user is a master' do
+        project.add_user(user, :master)
+
+        expect(access.can_create_tag?(tag.name)).to be_truthy
+      end
+
+      it 'returns false if user is a developer' do
+        project.add_user(user, :developer)
+
+        expect(access.can_create_tag?(tag.name)).to be_falsey
+      end
+
+      it 'returns false if user is a reporter' do
+        project.add_user(user, :reporter)
+
+        expect(access.can_create_tag?(tag.name)).to be_falsey
+      end
+    end
+
+    describe 'push to protected tag if allowed for developers' do
+      before do
+        @tag = create(:protected_tag, :developers_can_create, project: project)
+      end
+
+      it 'returns true if user is a master' do
+        project.add_user(user, :master)
+
+        expect(access.can_create_tag?(@tag.name)).to be_truthy
+      end
+
+      it 'returns true if user is a developer' do
+        project.add_user(user, :developer)
+
+        expect(access.can_create_tag?(@tag.name)).to be_truthy
+      end
+
+      it 'returns false if user is a reporter' do
+        project.add_user(user, :reporter)
+
+        expect(access.can_create_tag?(@tag.name)).to be_falsey
+      end
+    end
+  end
 end