Allow protected branch creation via web and API

This commit includes changes to add `UserAccess#can_create_branch?` which will check whether the user is allowed to create a branch even if it matches a protected branch. This is used in `Gitlab::Checks::BranchCheck` when the branch name matches a protected branch. A `push_to_create_protected_branch` ability in `ProjectPolicy` has been added to allow Developers and above to create protected branches.
author: Patrick Bajao <ebajao@gitlab.com> 2019-03-06 12:20:27 +0000
committer: Kamil Trzciński <ayufan@ayufan.eu> 2019-03-06 12:20:27 +0000
commit: e371520f465a9f92794d5820faf5c21a893dd77e (patch)
tree: 252e239251b8000dc7d5a80a3fd6baa46dcad213 /spec
parent: e94c13d39d691983864e3b99434de19681d22783 (diff)
download: gitlab-ce-e371520f465a9f92794d5820faf5c21a893dd77e.tar.gz
3 files changed, 129 insertions, 2 deletions
diff --git a/spec/lib/gitlab/checks/branch_check_spec.rb b/spec/lib/gitlab/checks/branch_check_spec.rb
index 77366e91dca..f99fc639dbd 100644
--- a/spec/lib/gitlab/checks/branch_check_spec.rb
+++ b/spec/lib/gitlab/checks/branch_check_spec.rb
@@ -55,6 +55,106 @@ describe Gitlab::Checks::BranchCheck do
         end
       end
 
+      context 'branch creation' do
+        let(:oldrev) { '0000000000000000000000000000000000000000' }
+        let(:ref) { 'refs/heads/feature' }
+
+        context 'protected branch creation feature is disabled' do
+          before do
+            stub_feature_flags(protected_branch_creation: false)
+          end
+
+          context 'user is not allowed to push to protected branch' do
+            before do
+              allow(user_access)
+                .to receive(:can_push_to_branch?)
+                .and_return(false)
+            end
+
+            it 'raises an error' do
+              expect { subject.validate! }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to push code to protected branches on this project.')
+            end
+          end
+
+          context 'user is allowed to push to protected branch' do
+            before do
+              allow(user_access)
+                .to receive(:can_push_to_branch?)
+                .and_return(true)
+            end
+
+            it 'does not raise an error' do
+              expect { subject.validate! }.not_to raise_error
+            end
+          end
+        end
+
+        context 'protected branch creation feature is enabled' do
+          context 'user is not allowed to create protected branches' do
+            before do
+              allow(user_access)
+                .to receive(:can_merge_to_branch?)
+                .with('feature')
+                .and_return(false)
+            end
+
+            it 'raises an error' do
+              expect { subject.validate! }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You are not allowed to create protected branches on this project.')
+            end
+          end
+
+          context 'user is allowed to create protected branches' do
+            before do
+              allow(user_access)
+                .to receive(:can_merge_to_branch?)
+                .with('feature')
+                .and_return(true)
+
+              allow(project.repository)
+                .to receive(:branch_names_contains_sha)
+                .with(newrev)
+                .and_return(['branch'])
+            end
+
+            context "newrev isn't in any protected branches" do
+              before do
+                allow(ProtectedBranch)
+                  .to receive(:any_protected?)
+                  .with(project, ['branch'])
+                  .and_return(false)
+              end
+
+              it 'raises an error' do
+                expect { subject.validate! }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You can only use an existing protected branch ref as the basis of a new protected branch.')
+              end
+            end
+
+            context 'newrev is included in a protected branch' do
+              before do
+                allow(ProtectedBranch)
+                  .to receive(:any_protected?)
+                  .with(project, ['branch'])
+                  .and_return(true)
+              end
+
+              context 'via web interface' do
+                let(:protocol) { 'web' }
+
+                it 'allows branch creation' do
+                  expect { subject.validate! }.not_to raise_error
+                end
+              end
+
+              context 'via SSH' do
+                it 'raises an error' do
+                  expect { subject.validate! }.to raise_error(Gitlab::GitAccess::UnauthorizedError, 'You can only create protected branches using the web interface and API.')
+                end
+              end
+            end
+          end
+        end
+      end
+
       context 'branch deletion' do
         let(:newrev) { '0000000000000000000000000000000000000000' }
         let(:ref) { 'refs/heads/feature' }
diff --git a/spec/models/protected_branch_spec.rb b/spec/models/protected_branch_spec.rb
index 4c677200ae2..dafe7646366 100644
--- a/spec/models/protected_branch_spec.rb
+++ b/spec/models/protected_branch_spec.rb
@@ -190,4 +190,32 @@ describe ProtectedBranch do
       end
     end
   end
+
+  describe '#any_protected?' do
+    context 'existing project' do
+      let(:project) { create(:project, :repository) }
+
+      it 'returns true when any of the branch names match a protected branch via direct match' do
+        create(:protected_branch, project: project, name: 'foo')
+
+        expect(described_class.any_protected?(project, ['foo', 'production/some-branch'])).to eq(true)
+      end
+
+      it 'returns true when any of the branch matches a protected branch via wildcard match' do
+        create(:protected_branch, project: project, name: 'production/*')
+
+        expect(described_class.any_protected?(project, ['foo', 'production/some-branch'])).to eq(true)
+      end
+
+      it 'returns false when none of branches does not match a protected branch via direct match' do
+        expect(described_class.any_protected?(project, ['foo'])).to eq(false)
+      end
+
+      it 'returns false when none of the branches does not match a protected branch via wildcard match' do
+        create(:protected_branch, project: project, name: 'production/*')
+
+        expect(described_class.any_protected?(project, ['staging/some-branch'])).to eq(false)
+      end
+    end
+  end
 end
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index 47491f708e9..772d1fbee2b 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -45,8 +45,7 @@ describe ProjectPolicy do
   let(:base_maintainer_permissions) do
     %i[
       push_to_delete_protected_branch update_project_snippet update_environment
-      update_deployment admin_project_snippet
-      admin_project_member admin_note admin_wiki admin_project
+      update_deployment admin_project_snippet admin_project_member admin_note admin_wiki admin_project
       admin_commit_status admin_build admin_container_image
       admin_pipeline admin_environment admin_deployment destroy_release add_cluster
       daily_statistics
author	Patrick Bajao <ebajao@gitlab.com>	2019-03-06 12:20:27 +0000
committer	Kamil Trzciński <ayufan@ayufan.eu>	2019-03-06 12:20:27 +0000
commit	e371520f465a9f92794d5820faf5c21a893dd77e (patch)
tree	252e239251b8000dc7d5a80a3fd6baa46dcad213 /spec
parent	e94c13d39d691983864e3b99434de19681d22783 (diff)
download	gitlab-ce-e371520f465a9f92794d5820faf5c21a893dd77e.tar.gz