Merge branch '18471-restrict-tag-pushes-protected-tags' into 'master'

Protected Tags

Closes #18471

See merge request !10356

20 files changed, 524 insertions, 103 deletions

diff --git a/spec/controllers/projects/protected_branches_controller_spec.rb b/spec/controllers/projects/protected_branches_controller_spec.rb
index e378b5714fe..80be135b5d8 100644
--- a/spec/controllers/projects/protected_branches_controller_spec.rb
+++ b/spec/controllers/projects/protected_branches_controller_spec.rb
@@ -3,6 +3,7 @@ require('spec_helper')
 describe Projects::ProtectedBranchesController do
   describe "GET #index" do
     let(:project) { create(:project_empty_repo, :public) }
+
     it "redirects empty repo to projects page" do
       get(:index, namespace_id: project.namespace.to_param, project_id: project)
     end
diff --git a/spec/controllers/projects/protected_tags_controller_spec.rb b/spec/controllers/projects/protected_tags_controller_spec.rb
new file mode 100644
index 00000000000..64658988b3f
--- /dev/null
+++ b/spec/controllers/projects/protected_tags_controller_spec.rb
@@ -0,0 +1,11 @@
+require('spec_helper')
+
+describe Projects::ProtectedTagsController do
+  describe "GET #index" do
+    let(:project) { create(:project_empty_repo, :public) }
+
+    it "redirects empty repo to projects page" do
+      get(:index, namespace_id: project.namespace.to_param, project_id: project)
+    end
+  end
+end
diff --git a/spec/factories/protected_tags.rb b/spec/factories/protected_tags.rb
new file mode 100644
index 00000000000..d8e90ae1ee1
--- /dev/null
+++ b/spec/factories/protected_tags.rb
@@ -0,0 +1,22 @@
+FactoryGirl.define do
+  factory :protected_tag do
+    name
+    project
+
+    after(:build) do |protected_tag|
+      protected_tag.create_access_levels.new(access_level: Gitlab::Access::MASTER)
+    end
+
+    trait :developers_can_create do
+      after(:create) do |protected_tag|
+        protected_tag.create_access_levels.first.update!(access_level: Gitlab::Access::DEVELOPER)
+      end
+    end
+
+    trait :no_one_can_create do
+      after(:create) do |protected_tag|
+        protected_tag.create_access_levels.first.update!(access_level: Gitlab::Access::NO_ACCESS)
+      end
+    end
+  end
+end
diff --git a/spec/features/protected_branches/access_control_ce_spec.rb b/spec/features/protected_branches/access_control_ce_spec.rb
index e4aca25a339..eb3cea775da 100644
--- a/spec/features/protected_branches/access_control_ce_spec.rb
+++ b/spec/features/protected_branches/access_control_ce_spec.rb
@@ -2,7 +2,9 @@ RSpec.shared_examples "protected branches > access control > CE" do
   ProtectedBranch::PushAccessLevel.human_access_levels.each do |(access_type_id, access_type_name)|
     it "allows creating protected branches that #{access_type_name} can push to" do
       visit namespace_project_protected_branches_path(project.namespace, project)
+
       set_protected_branch_name('master')
+
       within('.new_protected_branch') do
         allowed_to_push_button = find(".js-allowed-to-push")
 
@@ -11,6 +13,7 @@ RSpec.shared_examples "protected branches > access control > CE" do
           within(".dropdown.open .dropdown-menu") { click_on access_type_name }
         end
       end
+
       click_on "Protect"
 
       expect(ProtectedBranch.count).to eq(1)
@@ -19,7 +22,9 @@ RSpec.shared_examples "protected branches > access control > CE" do
 
     it "allows updating protected branches so that #{access_type_name} can push to them" do
       visit namespace_project_protected_branches_path(project.namespace, project)
+
       set_protected_branch_name('master')
+
       click_on "Protect"
 
       expect(ProtectedBranch.count).to eq(1)
@@ -34,6 +39,7 @@ RSpec.shared_examples "protected branches > access control > CE" do
       end
 
       wait_for_ajax
+
       expect(ProtectedBranch.last.push_access_levels.map(&:access_level)).to include(access_type_id)
     end
   end
@@ -41,7 +47,9 @@ RSpec.shared_examples "protected branches > access control > CE" do
   ProtectedBranch::MergeAccessLevel.human_access_levels.each do |(access_type_id, access_type_name)|
     it "allows creating protected branches that #{access_type_name} can merge to" do
       visit namespace_project_protected_branches_path(project.namespace, project)
+
       set_protected_branch_name('master')
+
       within('.new_protected_branch') do
         allowed_to_merge_button = find(".js-allowed-to-merge")
 
@@ -50,6 +58,7 @@ RSpec.shared_examples "protected branches > access control > CE" do
           within(".dropdown.open .dropdown-menu") { click_on access_type_name }
         end
       end
+
       click_on "Protect"
 
       expect(ProtectedBranch.count).to eq(1)
@@ -58,7 +67,9 @@ RSpec.shared_examples "protected branches > access control > CE" do
 
     it "allows updating protected branches so that #{access_type_name} can merge to them" do
       visit namespace_project_protected_branches_path(project.namespace, project)
+
       set_protected_branch_name('master')
+
       click_on "Protect"
 
       expect(ProtectedBranch.count).to eq(1)
@@ -73,6 +84,7 @@ RSpec.shared_examples "protected branches > access control > CE" do
       end
 
       wait_for_ajax
+
       expect(ProtectedBranch.last.merge_access_levels.map(&:access_level)).to include(access_type_id)
     end
   end
diff --git a/spec/features/protected_tags/access_control_ce_spec.rb b/spec/features/protected_tags/access_control_ce_spec.rb
new file mode 100644
index 00000000000..5b2baf8616c
--- /dev/null
+++ b/spec/features/protected_tags/access_control_ce_spec.rb
@@ -0,0 +1,46 @@
+RSpec.shared_examples "protected tags > access control > CE" do
+  ProtectedTag::CreateAccessLevel.human_access_levels.each do |(access_type_id, access_type_name)|
+    it "allows creating protected tags that #{access_type_name} can create" do
+      visit namespace_project_protected_tags_path(project.namespace, project)
+
+      set_protected_tag_name('master')
+
+      within('.js-new-protected-tag') do
+        allowed_to_create_button = find(".js-allowed-to-create")
+
+        unless allowed_to_create_button.text == access_type_name
+          allowed_to_create_button.click
+          within(".dropdown.open .dropdown-menu") { click_on access_type_name }
+        end
+      end
+
+      click_on "Protect"
+
+      expect(ProtectedTag.count).to eq(1)
+      expect(ProtectedTag.last.create_access_levels.map(&:access_level)).to eq([access_type_id])
+    end
+
+    it "allows updating protected tags so that #{access_type_name} can create them" do
+      visit namespace_project_protected_tags_path(project.namespace, project)
+
+      set_protected_tag_name('master')
+
+      click_on "Protect"
+
+      expect(ProtectedTag.count).to eq(1)
+
+      within(".protected-tags-list") do
+        find(".js-allowed-to-create").click
+
+        within('.js-allowed-to-create-container') do
+          expect(first("li")).to have_content("Roles")
+          click_on access_type_name
+        end
+      end
+
+      wait_for_ajax
+
+      expect(ProtectedTag.last.create_access_levels.map(&:access_level)).to include(access_type_id)
+    end
+  end
+end
diff --git a/spec/features/protected_tags_spec.rb b/spec/features/protected_tags_spec.rb
new file mode 100644
index 00000000000..09e8c850de3
--- /dev/null
+++ b/spec/features/protected_tags_spec.rb
@@ -0,0 +1,94 @@
+require 'spec_helper'
+Dir["./spec/features/protected_tags/*.rb"].sort.each { |f| require f }
+
+feature 'Projected Tags', feature: true, js: true do
+  include WaitForAjax
+
+  let(:user) { create(:user, :admin) }
+  let(:project) { create(:project) }
+
+  before { login_as(user) }
+
+  def set_protected_tag_name(tag_name)
+    find(".js-protected-tag-select").click
+    find(".dropdown-input-field").set(tag_name)
+    click_on("Create wildcard #{tag_name}")
+  end
+
+  describe "explicit protected tags" do
+    it "allows creating explicit protected tags" do
+      visit namespace_project_protected_tags_path(project.namespace, project)
+      set_protected_tag_name('some-tag')
+      click_on "Protect"
+
+      within(".protected-tags-list") { expect(page).to have_content('some-tag') }
+      expect(ProtectedTag.count).to eq(1)
+      expect(ProtectedTag.last.name).to eq('some-tag')
+    end
+
+    it "displays the last commit on the matching tag if it exists" do
+      commit = create(:commit, project: project)
+      project.repository.add_tag(user, 'some-tag', commit.id)
+
+      visit namespace_project_protected_tags_path(project.namespace, project)
+      set_protected_tag_name('some-tag')
+      click_on "Protect"
+
+      within(".protected-tags-list") { expect(page).to have_content(commit.id[0..7]) }
+    end
+
+    it "displays an error message if the named tag does not exist" do
+      visit namespace_project_protected_tags_path(project.namespace, project)
+      set_protected_tag_name('some-tag')
+      click_on "Protect"
+
+      within(".protected-tags-list") { expect(page).to have_content('tag was removed') }
+    end
+  end
+
+  describe "wildcard protected tags" do
+    it "allows creating protected tags with a wildcard" do
+      visit namespace_project_protected_tags_path(project.namespace, project)
+      set_protected_tag_name('*-stable')
+      click_on "Protect"
+
+      within(".protected-tags-list") { expect(page).to have_content('*-stable') }
+      expect(ProtectedTag.count).to eq(1)
+      expect(ProtectedTag.last.name).to eq('*-stable')
+    end
+
+    it "displays the number of matching tags" do
+      project.repository.add_tag(user, 'production-stable', 'master')
+      project.repository.add_tag(user, 'staging-stable', 'master')
+
+      visit namespace_project_protected_tags_path(project.namespace, project)
+      set_protected_tag_name('*-stable')
+      click_on "Protect"
+
+      within(".protected-tags-list") { expect(page).to have_content("2 matching tags") }
+    end
+
+    it "displays all the tags matching the wildcard" do
+      project.repository.add_tag(user, 'production-stable', 'master')
+      project.repository.add_tag(user, 'staging-stable', 'master')
+      project.repository.add_tag(user, 'development', 'master')
+
+      visit namespace_project_protected_tags_path(project.namespace, project)
+      set_protected_tag_name('*-stable')
+      click_on "Protect"
+
+      visit namespace_project_protected_tags_path(project.namespace, project)
+      click_on "2 matching tags"
+
+      within(".protected-tags-list") do
+        expect(page).to have_content("production-stable")
+        expect(page).to have_content("staging-stable")
+        expect(page).not_to have_content("development")
+      end
+    end
+  end
+
+  describe "access control" do
+    include_examples "protected tags > access control > CE"
+  end
+end
diff --git a/spec/lib/gitlab/checks/change_access_spec.rb b/spec/lib/gitlab/checks/change_access_spec.rb
index e22f88b7a32..959ae02c222 100644
--- a/spec/lib/gitlab/checks/change_access_spec.rb
+++ b/spec/lib/gitlab/checks/change_access_spec.rb
@@ -5,13 +5,10 @@ describe Gitlab::Checks::ChangeAccess, lib: true do
     let(:user) { create(:user) }
     let(:project) { create(:project, :repository) }
     let(:user_access) { Gitlab::UserAccess.new(user, project: project) }
-    let(:changes) do
-      {
-        oldrev: 'be93687618e4b132087f430a4d8fc3a609c9b77c',
-        newrev: '54fcc214b94e78d7a41a9a8fe6d87a5e59500e51',
-        ref: 'refs/heads/master'
-      }
-    end
+    let(:oldrev) { 'be93687618e4b132087f430a4d8fc3a609c9b77c' }
+    let(:newrev) { '54fcc214b94e78d7a41a9a8fe6d87a5e59500e51' }
+    let(:ref) { 'refs/heads/master' }
+    let(:changes) { { oldrev: oldrev, newrev: newrev, ref: ref } }
     let(:protocol) { 'ssh' }
 
     subject do
@@ -23,7 +20,7 @@ describe Gitlab::Checks::ChangeAccess, lib: true do
       ).exec
     end
 
-    before { allow(user_access).to receive(:can_do_action?).with(:push_code).and_return(true) }
+    before { project.add_developer(user) }
 
     context 'without failed checks' do
       it "doesn't return any error" do
@@ -41,25 +38,67 @@ describe Gitlab::Checks::ChangeAccess, lib: true do
     end
 
     context 'tags check' do
-      let(:changes) do
-        {
-          oldrev: 'be93687618e4b132087f430a4d8fc3a609c9b77c',
-          newrev: '54fcc214b94e78d7a41a9a8fe6d87a5e59500e51',
-          ref: 'refs/tags/v1.0.0'
-        }
-      end
+      let(:ref) { 'refs/tags/v1.0.0' }
 
       it 'returns an error if the user is not allowed to update tags' do
+        allow(user_access).to receive(:can_do_action?).with(:push_code).and_return(true)
         expect(user_access).to receive(:can_do_action?).with(:admin_project).and_return(false)
 
         expect(subject.status).to be(false)
         expect(subject.message).to eq('You are not allowed to change existing tags on this project.')
       end
+
+      context 'with protected tag' do
+        let!(:protected_tag) { create(:protected_tag, project: project, name: 'v*') }
+
+        context 'as master' do
+          before { project.add_master(user) }
+
+          context 'deletion' do
+            let(:oldrev) { 'be93687618e4b132087f430a4d8fc3a609c9b77c' }
+            let(:newrev) { '0000000000000000000000000000000000000000' }
+
+            it 'is prevented' do
+              expect(subject.status).to be(false)
+              expect(subject.message).to include('cannot be deleted')
+            end
+          end
+
+          context 'update' do
+            let(:oldrev) { 'be93687618e4b132087f430a4d8fc3a609c9b77c' }
+            let(:newrev) { '54fcc214b94e78d7a41a9a8fe6d87a5e59500e51' }
+
+            it 'is prevented' do
+              expect(subject.status).to be(false)
+              expect(subject.message).to include('cannot be updated')
+            end
+          end
+        end
+
+        context 'creation' do
+          let(:oldrev) { '0000000000000000000000000000000000000000' }
+          let(:newrev) { '54fcc214b94e78d7a41a9a8fe6d87a5e59500e51' }
+          let(:ref) { 'refs/tags/v9.1.0' }
+
+          it 'prevents creation below access level' do
+            expect(subject.status).to be(false)
+            expect(subject.message).to include('allowed to create this tag as it is protected')
+          end
+
+          context 'when user has access' do
+            let!(:protected_tag) { create(:protected_tag, :developers_can_create, project: project, name: 'v*') }
+
+            it 'allows tag creation' do
+              expect(subject.status).to be(true)
+            end
+          end
+        end
+      end
     end
 
     context 'protected branches check' do
       before do
-        allow(project).to receive(:protected_branch?).with('master').and_return(true)
+        allow(ProtectedBranch).to receive(:protected?).with(project, 'master').and_return(true)
       end
 
       it 'returns an error if the user is not allowed to do forced pushes to protected branches' do
@@ -86,13 +125,7 @@ describe Gitlab::Checks::ChangeAccess, lib: true do
       end
 
       context 'branch deletion' do
-        let(:changes) do
-          {
-            oldrev: 'be93687618e4b132087f430a4d8fc3a609c9b77c',
-            newrev: '0000000000000000000000000000000000000000',
-            ref: 'refs/heads/master'
-          }
-        end
+        let(:newrev) { '0000000000000000000000000000000000000000' }
 
         it 'returns an error if the user is not allowed to delete protected branches' do
           expect(subject.status).to be(false)
diff --git a/spec/lib/gitlab/import_export/all_models.yml b/spec/lib/gitlab/import_export/all_models.yml
index 9770d2e3b13..0abf89d060c 100644
--- a/spec/lib/gitlab/import_export/all_models.yml
+++ b/spec/lib/gitlab/import_export/all_models.yml
@@ -124,10 +124,15 @@ protected_branches:
 - project
 - merge_access_levels
 - push_access_levels
+protected_tags:
+- project
+- create_access_levels
 merge_access_levels:
 - protected_branch
 push_access_levels:
 - protected_branch
+create_access_levels:
+- protected_tag
 container_repositories:
 - project
 - name
@@ -188,6 +193,7 @@ project:
 - snippets
 - hooks
 - protected_branches
+- protected_tags
 - project_members
 - users
 - requesters
diff --git a/spec/lib/gitlab/import_export/project.json b/spec/lib/gitlab/import_export/project.json
index d9b67426818..7a0b0b06d4b 100644
--- a/spec/lib/gitlab/import_export/project.json
+++ b/spec/lib/gitlab/import_export/project.json
@@ -7455,6 +7455,24 @@
       ]
     }
   ],
+  "protected_tags": [
+    {
+      "id": 1,
+      "project_id": 9,
+      "name": "v*",
+      "created_at": "2017-04-04T13:48:13.426Z",
+      "updated_at": "2017-04-04T13:48:13.426Z",
+      "create_access_levels": [
+        {
+          "id": 1,
+          "protected_tag_id": 1,
+          "access_level": 40,
+          "created_at": "2017-04-04T13:48:13.458Z",
+          "updated_at": "2017-04-04T13:48:13.458Z"
+        }
+      ]
+    }
+  ],
   "project_feature": {
     "builds_access_level": 0,
     "created_at": "2014-12-26T09:26:45.000Z",
diff --git a/spec/lib/gitlab/import_export/project_tree_restorer_spec.rb b/spec/lib/gitlab/import_export/project_tree_restorer_spec.rb
index af9c25acb02..0e9607c5bd3 100644
--- a/spec/lib/gitlab/import_export/project_tree_restorer_spec.rb
+++ b/spec/lib/gitlab/import_export/project_tree_restorer_spec.rb
@@ -64,6 +64,10 @@ describe Gitlab::ImportExport::ProjectTreeRestorer, services: true do
         expect(ProtectedBranch.first.push_access_levels).not_to be_empty
       end
 
+      it 'contains the create access levels on a protected tag' do
+        expect(ProtectedTag.first.create_access_levels).not_to be_empty
+      end
+
       context 'event at forth level of the tree' do
         let(:event) { Event.where(title: 'test levels').first }
 
diff --git a/spec/lib/gitlab/import_export/safe_model_attributes.yml b/spec/lib/gitlab/import_export/safe_model_attributes.yml
index 04b5c80f22d..db5bc7e928a 100644
--- a/spec/lib/gitlab/import_export/safe_model_attributes.yml
+++ b/spec/lib/gitlab/import_export/safe_model_attributes.yml
@@ -313,6 +313,12 @@ ProtectedBranch:
 - name
 - created_at
 - updated_at
+ProtectedTag:
+- id
+- project_id
+- name
+- created_at
+- updated_at
 Project:
 - description
 - issues_enabled
@@ -346,6 +352,14 @@ ProtectedBranch::PushAccessLevel:
 - access_level
 - created_at
 - updated_at
+ProtectedTag::CreateAccessLevel:
+- id
+- protected_tag_id
+- access_level
+- created_at
+- updated_at
+- user_id
+- group_id
 AwardEmoji:
 - id
 - user_id
diff --git a/spec/lib/gitlab/user_access_spec.rb b/spec/lib/gitlab/user_access_spec.rb
index 369e55f61f1..611cdbbc865 100644
--- a/spec/lib/gitlab/user_access_spec.rb
+++ b/spec/lib/gitlab/user_access_spec.rb
@@ -142,4 +142,73 @@ describe Gitlab::UserAccess, lib: true do
       end
     end
   end
+
+  describe 'can_create_tag?' do
+    describe 'push to none protected tag' do
+      it 'returns true if user is a master' do
+        project.add_user(user, :master)
+
+        expect(access.can_create_tag?('random_tag')).to be_truthy
+      end
+
+      it 'returns true if user is a developer' do
+        project.add_user(user, :developer)
+
+        expect(access.can_create_tag?('random_tag')).to be_truthy
+      end
+
+      it 'returns false if user is a reporter' do
+        project.add_user(user, :reporter)
+
+        expect(access.can_create_tag?('random_tag')).to be_falsey
+      end
+    end
+
+    describe 'push to protected tag' do
+      let(:tag) { create(:protected_tag, project: project, name: "test") }
+      let(:not_existing_tag) { create :protected_tag, project: project }
+
+      it 'returns true if user is a master' do
+        project.add_user(user, :master)
+
+        expect(access.can_create_tag?(tag.name)).to be_truthy
+      end
+
+      it 'returns false if user is a developer' do
+        project.add_user(user, :developer)
+
+        expect(access.can_create_tag?(tag.name)).to be_falsey
+      end
+
+      it 'returns false if user is a reporter' do
+        project.add_user(user, :reporter)
+
+        expect(access.can_create_tag?(tag.name)).to be_falsey
+      end
+    end
+
+    describe 'push to protected tag if allowed for developers' do
+      before do
+        @tag = create(:protected_tag, :developers_can_create, project: project)
+      end
+
+      it 'returns true if user is a master' do
+        project.add_user(user, :master)
+
+        expect(access.can_create_tag?(@tag.name)).to be_truthy
+      end
+
+      it 'returns true if user is a developer' do
+        project.add_user(user, :developer)
+
+        expect(access.can_create_tag?(@tag.name)).to be_truthy
+      end
+
+      it 'returns false if user is a reporter' do
+        project.add_user(user, :reporter)
+
+        expect(access.can_create_tag?(@tag.name)).to be_falsey
+      end
+    end
+  end
 end
diff --git a/spec/models/merge_request_spec.rb b/spec/models/merge_request_spec.rb
index 24e7c1b17d9..2f6614c133e 100644
--- a/spec/models/merge_request_spec.rb
+++ b/spec/models/merge_request_spec.rb
@@ -441,7 +441,7 @@ describe MergeRequest, models: true do
     end
 
     it "can't be removed when its a protected branch" do
-      allow(subject.source_project).to receive(:protected_branch?).and_return(true)
+      allow(ProtectedBranch).to receive(:protected?).and_return(true)
       expect(subject.can_remove_source_branch?(user)).to be_falsey
     end
 
diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb
index 6d4ef78f8ec..d485ee104fd 100644
--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -704,25 +704,6 @@ describe Project, models: true do
     end
   end
 
-  describe '#open_branches' do
-    let(:project) { create(:project, :repository) }
-
-    before do
-      project.protected_branches.create(name: 'master')
-    end
-
-    it { expect(project.open_branches.map(&:name)).to include('feature') }
-    it { expect(project.open_branches.map(&:name)).not_to include('master') }
-
-    it "includes branches matching a protected branch wildcard" do
-      expect(project.open_branches.map(&:name)).to include('feature')
-
-      create(:protected_branch, name: 'feat*', project: project)
-
-      expect(Project.find(project.id).open_branches.map(&:name)).to include('feature')
-    end
-  end
-
   describe '#star_count' do
     it 'counts stars from multiple users' do
       user1 = create :user
@@ -1297,62 +1278,6 @@ describe Project, models: true do
     end
   end
 
-  describe '#protected_branch?' do
-    context 'existing project' do
-      let(:project) { create(:project, :repository) }
-
-      it 'returns true when the branch matches a protected branch via direct match' do
-        create(:protected_branch, project: project, name: "foo")
-
-        expect(project.protected_branch?('foo')).to eq(true)
-      end
-
-      it 'returns true when the branch matches a protected branch via wildcard match' do
-        create(:protected_branch, project: project, name: "production/*")
-
-        expect(project.protected_branch?('production/some-branch')).to eq(true)
-      end
-
-      it 'returns false when the branch does not match a protected branch via direct match' do
-        expect(project.protected_branch?('foo')).to eq(false)
-      end
-
-      it 'returns false when the branch does not match a protected branch via wildcard match' do
-        create(:protected_branch, project: project, name: "production/*")
-
-        expect(project.protected_branch?('staging/some-branch')).to eq(false)
-      end
-    end
-
-    context "new project" do
-      let(:project) { create(:empty_project) }
-
-      it 'returns false when default_protected_branch is unprotected' do
-        stub_application_setting(default_branch_protection: Gitlab::Access::PROTECTION_NONE)
-
-        expect(project.protected_branch?('master')).to be false
-      end
-
-      it 'returns false when default_protected_branch lets developers push' do
-        stub_application_setting(default_branch_protection: Gitlab::Access::PROTECTION_DEV_CAN_PUSH)
-
-        expect(project.protected_branch?('master')).to be false
-      end
-
-      it 'returns true when default_branch_protection does not let developers push but let developer merge branches' do
-        stub_application_setting(default_branch_protection: Gitlab::Access::PROTECTION_DEV_CAN_MERGE)
-
-        expect(project.protected_branch?('master')).to be true
-      end
-
-      it 'returns true when default_branch_protection is in full protection' do
-        stub_application_setting(default_branch_protection: Gitlab::Access::PROTECTION_FULL)
-
-        expect(project.protected_branch?('master')).to be true
-      end
-    end
-  end
-
   describe '#user_can_push_to_empty_repo?' do
     let(:project) { create(:empty_project) }
     let(:user)    { create(:user) }
diff --git a/spec/models/protectable_dropdown_spec.rb b/spec/models/protectable_dropdown_spec.rb
new file mode 100644
index 00000000000..4c9bade592b
--- /dev/null
+++ b/spec/models/protectable_dropdown_spec.rb
@@ -0,0 +1,25 @@
+require 'spec_helper'
+
+describe ProtectableDropdown, models: true do
+  let(:project) { create(:project, :repository) }
+  let(:subject) { described_class.new(project, :branches) }
+
+  describe '#protectable_ref_names' do
+    before do
+      project.protected_branches.create(name: 'master')
+    end
+
+    it { expect(subject.protectable_ref_names).to include('feature') }
+    it { expect(subject.protectable_ref_names).not_to include('master') }
+
+    it "includes branches matching a protected branch wildcard" do
+      expect(subject.protectable_ref_names).to include('feature')
+
+      create(:protected_branch, name: 'feat*', project: project)
+
+      subject = described_class.new(project.reload, :branches)
+
+      expect(subject.protectable_ref_names).to include('feature')
+    end
+  end
+end
diff --git a/spec/models/protected_branch_spec.rb b/spec/models/protected_branch_spec.rb
index 8bf0d24a128..179a443c43d 100644
--- a/spec/models/protected_branch_spec.rb
+++ b/spec/models/protected_branch_spec.rb
@@ -113,8 +113,8 @@ describe ProtectedBranch, models: true do
         staging = build(:protected_branch, name: "staging")
 
         expect(ProtectedBranch.matching("production")).to be_empty
-        expect(ProtectedBranch.matching("production", protected_branches: [production, staging])).to include(production)
-        expect(ProtectedBranch.matching("production", protected_branches: [production, staging])).not_to include(staging)
+        expect(ProtectedBranch.matching("production", protected_refs: [production, staging])).to include(production)
+        expect(ProtectedBranch.matching("production", protected_refs: [production, staging])).not_to include(staging)
       end
     end
 
@@ -132,8 +132,64 @@ describe ProtectedBranch, models: true do
         staging = build(:protected_branch, name: "staging/*")
 
         expect(ProtectedBranch.matching("production/some-branch")).to be_empty
-        expect(ProtectedBranch.matching("production/some-branch", protected_branches: [production, staging])).to include(production)
-        expect(ProtectedBranch.matching("production/some-branch", protected_branches: [production, staging])).not_to include(staging)
+        expect(ProtectedBranch.matching("production/some-branch", protected_refs: [production, staging])).to include(production)
+        expect(ProtectedBranch.matching("production/some-branch", protected_refs: [production, staging])).not_to include(staging)
+      end
+    end
+  end
+
+  describe '#protected?' do
+    context 'existing project' do
+      let(:project) { create(:project, :repository) }
+
+      it 'returns true when the branch matches a protected branch via direct match' do
+        create(:protected_branch, project: project, name: "foo")
+
+        expect(ProtectedBranch.protected?(project, 'foo')).to eq(true)
+      end
+
+      it 'returns true when the branch matches a protected branch via wildcard match' do
+        create(:protected_branch, project: project, name: "production/*")
+
+        expect(ProtectedBranch.protected?(project, 'production/some-branch')).to eq(true)
+      end
+
+      it 'returns false when the branch does not match a protected branch via direct match' do
+        expect(ProtectedBranch.protected?(project, 'foo')).to eq(false)
+      end
+
+      it 'returns false when the branch does not match a protected branch via wildcard match' do
+        create(:protected_branch, project: project, name: "production/*")
+
+        expect(ProtectedBranch.protected?(project, 'staging/some-branch')).to eq(false)
+      end
+    end
+
+    context "new project" do
+      let(:project) { create(:empty_project) }
+
+      it 'returns false when default_protected_branch is unprotected' do
+        stub_application_setting(default_branch_protection: Gitlab::Access::PROTECTION_NONE)
+
+        expect(ProtectedBranch.protected?(project, 'master')).to be false
+      end
+
+      it 'returns false when default_protected_branch lets developers push' do
+        stub_application_setting(default_branch_protection: Gitlab::Access::PROTECTION_DEV_CAN_PUSH)
+
+        expect(ProtectedBranch.protected?(project, 'master')).to be false
+      end
+
+      it 'returns true when default_branch_protection does not let developers push but let developer merge branches' do
+        stub_application_setting(default_branch_protection: Gitlab::Access::PROTECTION_DEV_CAN_MERGE)
+
+        expect(ProtectedBranch.protected?(project, 'master')).to be true
+      end
+
+      it 'returns true when default_branch_protection is in full protection' do
+        stub_application_setting(default_branch_protection: Gitlab::Access::PROTECTION_FULL)
+
+        expect(ProtectedBranch.protected?(project, 'master')).to be true
       end
     end
   end
diff --git a/spec/models/protected_tag_spec.rb b/spec/models/protected_tag_spec.rb
new file mode 100644
index 00000000000..51353852a93
--- /dev/null
+++ b/spec/models/protected_tag_spec.rb
@@ -0,0 +1,12 @@
+require 'spec_helper'
+
+describe ProtectedTag, models: true do
+  describe 'Associations' do
+    it { is_expected.to belong_to(:project) }
+  end
+
+  describe 'Validation' do
+    it { is_expected.to validate_presence_of(:project) }
+    it { is_expected.to validate_presence_of(:name) }
+  end
+end
diff --git a/spec/services/protected_branches/update_service_spec.rb b/spec/services/protected_branches/update_service_spec.rb
new file mode 100644
index 00000000000..62bdd49a4d7
--- /dev/null
+++ b/spec/services/protected_branches/update_service_spec.rb
@@ -0,0 +1,26 @@
+require 'spec_helper'
+
+describe ProtectedBranches::UpdateService, services: true do
+  let(:protected_branch) { create(:protected_branch) }
+  let(:project) { protected_branch.project }
+  let(:user) { project.owner }
+  let(:params) { { name: 'new protected branch name' } }
+
+  describe '#execute' do
+    subject(:service) { described_class.new(project, user, params) }
+
+    it 'updates a protected branch' do
+      result = service.execute(protected_branch)
+
+      expect(result.reload.name).to eq(params[:name])
+    end
+
+    context 'without admin_project permissions' do
+      let(:user) { create(:user) }
+
+      it "raises error" do
+        expect{ service.execute(protected_branch) }.to raise_error(Gitlab::Access::AccessDeniedError)
+      end
+    end
+  end
+end
diff --git a/spec/services/protected_tags/create_service_spec.rb b/spec/services/protected_tags/create_service_spec.rb
new file mode 100644
index 00000000000..d91a58e8de5
--- /dev/null
+++ b/spec/services/protected_tags/create_service_spec.rb
@@ -0,0 +1,21 @@
+require 'spec_helper'
+
+describe ProtectedTags::CreateService, services: true do
+  let(:project) { create(:empty_project) }
+  let(:user) { project.owner }
+  let(:params) do
+    {
+      name: 'master',
+      create_access_levels_attributes: [{ access_level: Gitlab::Access::MASTER }]
+    }
+  end
+
+  describe '#execute' do
+    subject(:service) { described_class.new(project, user, params) }
+
+    it 'creates a new protected tag' do
+      expect { service.execute }.to change(ProtectedTag, :count).by(1)
+      expect(project.protected_tags.last.create_access_levels.map(&:access_level)).to eq([Gitlab::Access::MASTER])
+    end
+  end
+end
diff --git a/spec/services/protected_tags/update_service_spec.rb b/spec/services/protected_tags/update_service_spec.rb
new file mode 100644
index 00000000000..e78fde4c48d
--- /dev/null
+++ b/spec/services/protected_tags/update_service_spec.rb
@@ -0,0 +1,26 @@
+require 'spec_helper'
+
+describe ProtectedTags::UpdateService, services: true do
+  let(:protected_tag) { create(:protected_tag) }
+  let(:project) { protected_tag.project }
+  let(:user) { project.owner }
+  let(:params) { { name: 'new protected tag name' } }
+
+  describe '#execute' do
+    subject(:service) { described_class.new(project, user, params) }
+
+    it 'updates a protected tag' do
+      result = service.execute(protected_tag)
+
+      expect(result.reload.name).to eq(params[:name])
+    end
+
+    context 'without admin_project permissions' do
+      let(:user) { create(:user) }
+
+      it "raises error" do
+        expect{ service.execute(protected_tag) }.to raise_error(Gitlab::Access::AccessDeniedError)
+      end
+    end
+  end
+end