Add latest changes from gitlab-org/gitlab@master

1 files changed, 155 insertions, 15 deletions

diff --git a/spec/models/deploy_token_spec.rb b/spec/models/deploy_token_spec.rb
index 5c14d57cf18..568699cf3f6 100644
--- a/spec/models/deploy_token_spec.rb
+++ b/spec/models/deploy_token_spec.rb
@@ -7,6 +7,8 @@ describe DeployToken do
 
   it { is_expected.to have_many :project_deploy_tokens }
   it { is_expected.to have_many(:projects).through(:project_deploy_tokens) }
+  it { is_expected.to have_many :group_deploy_tokens }
+  it { is_expected.to have_many(:groups).through(:group_deploy_tokens) }
 
   it_behaves_like 'having unique enum values'
 
@@ -17,6 +19,29 @@ describe DeployToken do
     it { is_expected.to allow_value('GitLab+deploy_token-3.14').for(:username) }
     it { is_expected.not_to allow_value('<script>').for(:username).with_message(username_format_message) }
     it { is_expected.not_to allow_value('').for(:username).with_message(username_format_message) }
+    it { is_expected.to validate_presence_of(:deploy_token_type) }
+  end
+
+  describe 'deploy_token_type validations' do
+    context 'when a deploy token is associated to a group' do
+      it 'does not allow setting a project to it' do
+        group_token = create(:deploy_token, :group)
+        group_token.projects << build(:project)
+
+        expect(group_token).not_to be_valid
+        expect(group_token.errors.full_messages).to include('Deploy token cannot have projects assigned')
+      end
+    end
+
+    context 'when a deploy token is associated to a project' do
+      it 'does not allow setting a group to it' do
+        project_token = create(:deploy_token)
+        project_token.groups << build(:group)
+
+        expect(project_token).not_to be_valid
+        expect(project_token.errors.full_messages).to include('Deploy token cannot have groups assigned')
+      end
+    end
   end
 
   describe '#ensure_token' do
@@ -125,33 +150,148 @@ describe DeployToken do
     end
   end
 
+  describe '#holder' do
+    subject { deploy_token.holder }
+
+    context 'when the token is of project type' do
+      it 'returns the relevant holder token' do
+        expect(subject).to eq(deploy_token.project_deploy_tokens.first)
+      end
+    end
+
+    context 'when the token is of group type' do
+      let(:group) { create(:group) }
+      let(:deploy_token) { create(:deploy_token, :group) }
+
+      it 'returns the relevant holder token' do
+        expect(subject).to eq(deploy_token.group_deploy_tokens.first)
+      end
+    end
+  end
+
   describe '#has_access_to?' do
     let(:project) { create(:project) }
 
     subject { deploy_token.has_access_to?(project) }
 
-    context 'when deploy token is active and related to project' do
-      let(:deploy_token) { create(:deploy_token, projects: [project]) }
+    context 'when a project is not passed in' do
+      let(:project) { nil }
 
-      it { is_expected.to be_truthy }
+      it { is_expected.to be_falsy }
     end
 
-    context 'when deploy token is active but not related to project' do
-      let(:deploy_token) { create(:deploy_token) }
+    context 'when a project is passed in' do
+      context 'when deploy token is active and related to project' do
+        let(:deploy_token) { create(:deploy_token, projects: [project]) }
 
-      it { is_expected.to be_falsy }
-    end
+        it { is_expected.to be_truthy }
+      end
 
-    context 'when deploy token is revoked and related to project' do
-      let(:deploy_token) { create(:deploy_token, :revoked, projects: [project]) }
+      context 'when deploy token is active but not related to project' do
+        let(:deploy_token) { create(:deploy_token) }
 
-      it { is_expected.to be_falsy }
-    end
+        it { is_expected.to be_falsy }
+      end
 
-    context 'when deploy token is revoked and not related to the project' do
-      let(:deploy_token) { create(:deploy_token, :revoked) }
+      context 'when deploy token is revoked and related to project' do
+        let(:deploy_token) { create(:deploy_token, :revoked, projects: [project]) }
 
-      it { is_expected.to be_falsy }
+        it { is_expected.to be_falsy }
+      end
+
+      context 'when deploy token is revoked and not related to the project' do
+        let(:deploy_token) { create(:deploy_token, :revoked) }
+
+        it { is_expected.to be_falsy }
+      end
+
+      context 'and when the token is of group type' do
+        let_it_be(:group) { create(:group) }
+        let(:deploy_token) { create(:deploy_token, :group) }
+
+        before do
+          deploy_token.groups << group
+        end
+
+        context 'and the allow_group_deploy_token feature flag is turned off' do
+          it 'is false' do
+            stub_feature_flags(allow_group_deploy_token: false)
+
+            is_expected.to be_falsy
+          end
+        end
+
+        context 'and the allow_group_deploy_token feature flag is turned on' do
+          before do
+            stub_feature_flags(allow_group_deploy_token: true)
+          end
+
+          context 'and the passed-in project does not belong to any group' do
+            it { is_expected.to be_falsy }
+          end
+
+          context 'and the passed-in project belongs to the token group' do
+            it 'is true' do
+              group.projects << project
+
+              is_expected.to be_truthy
+            end
+          end
+
+          context 'and the passed-in project belongs to a subgroup' do
+            let(:child_group) { create(:group, parent_id: group.id) }
+            let(:grandchild_group) { create(:group, parent_id: child_group.id) }
+
+            before do
+              grandchild_group.projects << project
+            end
+
+            context 'and the token group is an ancestor (grand-parent) of this group' do
+              it { is_expected.to be_truthy }
+            end
+
+            context 'and the token group is not ancestor of this group' do
+              let(:child2_group) { create(:group, parent_id: group.id) }
+
+              it 'is false' do
+                deploy_token.groups = [child2_group]
+
+                is_expected.to be_falsey
+              end
+            end
+          end
+
+          context 'and the passed-in project does not belong to the token group' do
+            it { is_expected.to be_falsy }
+          end
+
+          context 'and the project belongs to a group that is parent of the token group' do
+            let(:super_group) { create(:group) }
+            let(:deploy_token) { create(:deploy_token, :group) }
+            let(:group) { create(:group, parent_id: super_group.id) }
+
+            it 'is false' do
+              super_group.projects << project
+
+              is_expected.to be_falsey
+            end
+          end
+        end
+      end
+
+      context 'and the token is of project type' do
+        let(:deploy_token) { create(:deploy_token, projects: [project]) }
+
+        context 'and the passed-in project is the same as the token project' do
+          it { is_expected.to be_truthy }
+        end
+
+        context 'and the passed-in project is not the same as the token project' do
+          subject { deploy_token.has_access_to?(create(:project)) }
+
+          it { is_expected.to be_falsey }
+        end
+      end
     end
   end
 
@@ -183,7 +323,7 @@ describe DeployToken do
       end
     end
 
-    context 'when passign a value' do
+    context 'when passing a value' do
       let(:expires_at) { Date.today + 5.months }
       let(:deploy_token) { create(:deploy_token, expires_at: expires_at) }