1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
|
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe Ci::PlayBuildService, '#execute' do
let(:user) { create(:user, developer_projects: [project]) }
let(:project) { create(:project) }
let(:pipeline) { create(:ci_pipeline, project: project) }
let(:build) { create(:ci_build, :manual, pipeline: pipeline) }
let(:service) do
described_class.new(project, user)
end
context 'when project does not have repository yet' do
let(:project) { create(:project) }
it 'allows user to play build if protected branch rules are met' do
create(:protected_branch, :developers_can_merge,
name: build.ref, project: project)
service.execute(build)
expect(build.reload).to be_pending
end
it 'does not allow user with developer role to play build' do
expect { service.execute(build) }
.to raise_error Gitlab::Access::AccessDeniedError
end
end
context 'when project has repository' do
let(:project) { create(:project, :repository) }
it 'allows user with developer role to play a build' do
service.execute(build)
expect(build.reload).to be_pending
end
it 'prevents a blocked developer from playing a build' do
user.block!
expect { service.execute(build) }.to raise_error(Gitlab::Access::AccessDeniedError)
end
end
context 'when build is a playable manual action' do
let(:build) { create(:ci_build, :manual, pipeline: pipeline) }
let!(:branch) { create(:protected_branch, :developers_can_merge, name: build.ref, project: project) }
it 'enqueues the build' do
expect(service.execute(build)).to eq build
expect(build.reload).to be_pending
end
it 'reassignes build user correctly' do
service.execute(build)
expect(build.reload.user).to eq user
end
context 'when variables are supplied' do
let(:job_variables) do
[{ key: 'first', secret_value: 'first' },
{ key: 'second', secret_value: 'second' }]
end
it 'assigns the variables to the build' do
service.execute(build, job_variables)
expect(build.reload.job_variables.map(&:key)).to contain_exactly('first', 'second')
end
context 'when user defined variables are restricted' do
before do
project.update!(restrict_user_defined_variables: true)
end
context 'when user is maintainer' do
before do
project.add_maintainer(user)
end
it 'assigns the variables to the build' do
service.execute(build, job_variables)
expect(build.reload.job_variables.map(&:key)).to contain_exactly('first', 'second')
end
end
context 'when user is developer' do
it 'raises an error' do
expect { service.execute(build, job_variables) }
.to raise_error Gitlab::Access::AccessDeniedError
end
end
end
end
end
context 'when build is not a playable manual action' do
let(:build) { create(:ci_build, when: :manual, pipeline: pipeline) }
let!(:branch) { create(:protected_branch, :developers_can_merge, name: build.ref, project: project) }
it 'duplicates the build' do
duplicate = service.execute(build)
expect(duplicate).not_to eq build
expect(duplicate).to be_pending
end
it 'assigns users correctly' do
duplicate = service.execute(build)
expect(build.user).not_to eq user
expect(duplicate.user).to eq user
end
end
context 'when build is not action' do
let(:user) { create(:user) }
let(:build) { create(:ci_build, :success, pipeline: pipeline) }
it 'raises an error' do
expect { service.execute(build) }
.to raise_error Gitlab::Access::AccessDeniedError
end
end
context 'when user does not have ability to trigger action' do
let(:user) { create(:user) }
let!(:branch) { create(:protected_branch, :developers_can_merge, name: build.ref, project: project) }
it 'raises an error' do
expect { service.execute(build) }
.to raise_error Gitlab::Access::AccessDeniedError
end
end
end
|