From 20093f9de0b34da88a8b01ca94ee773685b16308 Mon Sep 17 00:00:00 2001
From: Agustin Henze <tin@redhat.com>
Date: Tue, 9 Apr 2019 14:53:44 +0000
Subject: Add new permission model `read-pipeline-variable`

Used to get the variables via the API endpoint
`/projects/:id/pipelines/:pipeline_id/variables`

Signed-off-by: Agustin Henze <tin@redhat.com>
---
 spec/policies/ci/pipeline_policy_spec.rb | 46 ++++++++++++++++++++++
 spec/requests/api/pipelines_spec.rb      | 66 ++++++++++++++++++++++++++++++++
 2 files changed, 112 insertions(+)

(limited to 'spec')

diff --git a/spec/policies/ci/pipeline_policy_spec.rb b/spec/policies/ci/pipeline_policy_spec.rb
index 844d96017de..126d44d1860 100644
--- a/spec/policies/ci/pipeline_policy_spec.rb
+++ b/spec/policies/ci/pipeline_policy_spec.rb
@@ -100,5 +100,51 @@ describe Ci::PipelinePolicy, :models do
         end
       end
     end
+
+    describe 'read_pipeline_variable' do
+      let(:project) { create(:project, :public) }
+
+      context 'when user has owner access' do
+        let(:user) { project.owner }
+
+        it 'is enabled' do
+          expect(policy).to be_allowed :read_pipeline_variable
+        end
+      end
+
+      context 'when user is developer and the creator of the pipeline' do
+        let(:pipeline) { create(:ci_empty_pipeline, project: project, user: user) }
+
+        before do
+          project.add_developer(user)
+          create(:protected_branch, :developers_can_merge,
+                 name: pipeline.ref, project: project)
+        end
+
+        it 'is enabled' do
+          expect(policy).to be_allowed :read_pipeline_variable
+        end
+      end
+
+      context 'when user is developer and it is not the creator of the pipeline' do
+        let(:pipeline) { create(:ci_empty_pipeline, project: project, user: project.owner) }
+
+        before do
+          project.add_developer(user)
+          create(:protected_branch, :developers_can_merge,
+                 name: pipeline.ref, project: project)
+        end
+
+        it 'is disabled' do
+          expect(policy).to be_disallowed :read_pipeline_variable
+        end
+      end
+
+      context 'when user is not owner nor developer' do
+        it 'is disabled' do
+          expect(policy).not_to be_allowed :read_pipeline_variable
+        end
+      end
+    end
   end
 end
diff --git a/spec/requests/api/pipelines_spec.rb b/spec/requests/api/pipelines_spec.rb
index 9fed07cae82..0d46463312b 100644
--- a/spec/requests/api/pipelines_spec.rb
+++ b/spec/requests/api/pipelines_spec.rb
@@ -445,6 +445,72 @@ describe API::Pipelines do
     end
   end
 
+  describe 'GET /projects/:id/pipelines/:pipeline_id/variables' do
+    subject { get api("/projects/#{project.id}/pipelines/#{pipeline.id}/variables", api_user) }
+
+    let(:api_user) { user }
+
+    context 'user is a mantainer' do
+      it 'returns pipeline variables empty' do
+        subject
+
+        expect(response).to have_gitlab_http_status(200)
+        expect(json_response).to be_empty
+      end
+
+      context 'with variables' do
+        let!(:variable) { create(:ci_pipeline_variable, pipeline: pipeline, key: 'foo', value: 'bar') }
+
+        it 'returns pipeline variables' do
+          subject
+
+          expect(response).to have_gitlab_http_status(200)
+          expect(json_response).to contain_exactly({ "key" => "foo", "value" => "bar" })
+        end
+      end
+    end
+
+    context 'user is a developer' do
+      let(:pipeline_owner_user) { create(:user) }
+      let(:pipeline) { create(:ci_empty_pipeline, project: project, user: pipeline_owner_user) }
+
+      before do
+        project.add_developer(api_user)
+      end
+
+      context 'pipeline created by the developer user' do
+        let(:api_user) { pipeline_owner_user }
+        let!(:variable) { create(:ci_pipeline_variable, pipeline: pipeline, key: 'foo', value: 'bar') }
+
+        it 'returns pipeline variables' do
+          subject
+
+          expect(response).to have_gitlab_http_status(200)
+          expect(json_response).to contain_exactly({ "key" => "foo", "value" => "bar" })
+        end
+      end
+
+      context 'pipeline created is not created by the developer user' do
+        let(:api_user) { create(:user) }
+
+        it 'should not return pipeline variables' do
+          subject
+
+          expect(response).to have_gitlab_http_status(403)
+        end
+      end
+    end
+
+    context 'user is not a project member' do
+      it 'should not return pipeline variables' do
+        get api("/projects/#{project.id}/pipelines/#{pipeline.id}/variables", non_member)
+
+        expect(response).to have_gitlab_http_status(404)
+        expect(json_response['message']).to eq '404 Project Not Found'
+      end
+    end
+  end
+
   describe 'DELETE /projects/:id/pipelines/:pipeline_id' do
     context 'authorized user' do
       let(:owner) { project.owner }
-- 
cgit v1.2.1