Add latest changes from gitlab-org/gitlab@master

5 files changed, 152 insertions, 32 deletions

diff --git a/spec/frontend/packages/details/components/package_files_spec.js b/spec/frontend/packages/details/components/package_files_spec.js
index fe1d51cecd4..813a2170154 100644
--- a/spec/frontend/packages/details/components/package_files_spec.js
+++ b/spec/frontend/packages/details/components/package_files_spec.js
@@ -12,6 +12,7 @@ describe('Package Files', () => {
   const findAllRows = () => wrapper.findAll('[data-testid="file-row"');
   const findFirstRow = () => findAllRows().at(0);
   const findFirstRowDownloadLink = () => findFirstRow().find('[data-testid="download-link"');
+  const findFirstRowCommitLink = () => findFirstRow().find('[data-testid="commit-link"');
   const findFirstRowFileIcon = () => findFirstRow().find(FileIcon);
   const findFirstRowCreatedAt = () => findFirstRow().find(TimeAgoTooltip);
 
@@ -96,4 +97,35 @@ describe('Package Files', () => {
       expect(findFirstRowCreatedAt().props('time')).toBe(npmFiles[0].created_at);
     });
   });
+
+  describe('commit', () => {
+    describe('when package file has a pipeline associated', () => {
+      it('exists', () => {
+        createComponent();
+
+        expect(findFirstRowCommitLink().exists()).toBe(true);
+      });
+
+      it('the link points to the commit url', () => {
+        createComponent();
+
+        expect(findFirstRowCommitLink().attributes('href')).toBe(
+          npmFiles[0].pipelines[0].project.commit_url,
+        );
+      });
+
+      it('the text is git_commit_message', () => {
+        createComponent();
+
+        expect(findFirstRowCommitLink().text()).toBe(npmFiles[0].pipelines[0].git_commit_message);
+      });
+    });
+    describe('when package file has no pipeline associated', () => {
+      it('does not exist', () => {
+        createComponent(mavenFiles);
+
+        expect(findFirstRowCommitLink().exists()).toBe(false);
+      });
+    });
+  });
 });
diff --git a/spec/frontend/packages/mock_data.js b/spec/frontend/packages/mock_data.js
index d7494bf85d0..fbc167729d9 100644
--- a/spec/frontend/packages/mock_data.js
+++ b/spec/frontend/packages/mock_data.js
@@ -76,6 +76,9 @@ export const npmFiles = [
     id: 2,
     size: 200,
     download_path: '/-/package_files/2/download',
+    pipelines: [
+      { id: 1, project: { commit_url: 'http://foo.bar' }, git_commit_message: 'foo bar baz?' },
+    ],
   },
 ];
 
diff --git a/spec/lib/gitlab/deploy_key_access_spec.rb b/spec/lib/gitlab/deploy_key_access_spec.rb
new file mode 100644
index 00000000000..7989b427a85
--- /dev/null
+++ b/spec/lib/gitlab/deploy_key_access_spec.rb
@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::DeployKeyAccess do
+  let_it_be(:user) { create(:user) }
+  let_it_be(:deploy_key) { create(:deploy_key, user: user) }
+  let(:project) { create(:project, :repository) }
+  let(:protected_branch) { create(:protected_branch, :no_one_can_push, project: project) }
+
+  subject(:access) { described_class.new(deploy_key, container: project) }
+
+  before do
+    project.add_guest(user)
+    create(:deploy_keys_project, :write_access, project: project, deploy_key: deploy_key)
+  end
+
+  describe '#can_create_tag?' do
+    context 'push tag that matches a protected tag pattern via a deploy key' do
+      it 'still pushes that tag' do
+        create(:protected_tag, project: project, name: 'v*')
+
+        expect(access.can_create_tag?('v0.1.2')).to be_truthy
+      end
+    end
+  end
+
+  describe '#can_push_to_branch?' do
+    context 'push to a protected branch of this project via a deploy key' do
+      before do
+        create(:protected_branch_push_access_level, protected_branch: protected_branch, deploy_key: deploy_key)
+      end
+
+      context 'when the project has active deploy key owned by this user' do
+        it 'returns true' do
+          expect(access.can_push_to_branch?(protected_branch.name)).to be_truthy
+        end
+      end
+
+      context 'when the project has active deploy keys, but not by this user' do
+        let(:deploy_key) { create(:deploy_key, user: create(:user)) }
+
+        it 'returns false' do
+          expect(access.can_push_to_branch?(protected_branch.name)).to be_falsey
+        end
+      end
+
+      context 'when there is another branch no one can push to' do
+        let(:another_branch) { create(:protected_branch, :no_one_can_push, name: 'another_branch', project: project) }
+
+        it 'returns false when trying to push to that other branch' do
+          expect(access.can_push_to_branch?(another_branch.name)).to be_falsey
+        end
+
+        context 'and the deploy key added for the first protected branch is also added for this other branch' do
+          it 'returns true for both protected branches' do
+            create(:protected_branch_push_access_level, protected_branch: another_branch, deploy_key: deploy_key)
+
+            expect(access.can_push_to_branch?(protected_branch.name)).to be_truthy
+            expect(access.can_push_to_branch?(another_branch.name)).to be_truthy
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/spec/models/ci/pipeline_spec.rb b/spec/models/ci/pipeline_spec.rb
index 05387f06746..255333dbc29 100644
--- a/spec/models/ci/pipeline_spec.rb
+++ b/spec/models/ci/pipeline_spec.rb
@@ -755,10 +755,6 @@ RSpec.describe Ci::Pipeline, :mailer, factory_default: :keep do
     end
 
     context 'when pipeline is merge request' do
-      before do
-        stub_feature_flags(ci_mr_diff_variables: false)
-      end
-
       let(:pipeline) do
         create(:ci_pipeline, :detached_merge_request_pipeline, merge_request: merge_request)
       end
@@ -799,22 +795,13 @@ RSpec.describe Ci::Pipeline, :mailer, factory_default: :keep do
             'CI_MERGE_REQUEST_MILESTONE' => milestone.title,
             'CI_MERGE_REQUEST_LABELS' => labels.map(&:title).sort.join(','),
             'CI_MERGE_REQUEST_EVENT_TYPE' => 'detached')
-        expect(subject.to_hash.keys).not_to include(
-          %w[CI_MERGE_REQUEST_DIFF_ID
-             CI_MERGE_REQUEST_DIFF_BASE_SHA])
       end
 
-      context 'when feature flag ci_mr_diff_variables is enabled' do
-        before do
-          stub_feature_flags(ci_mr_diff_variables: true)
-        end
-
-        it 'exposes diff variables' do
-          expect(subject.to_hash)
-            .to include(
-              'CI_MERGE_REQUEST_DIFF_ID' => merge_request.merge_request_diff.id.to_s,
-              'CI_MERGE_REQUEST_DIFF_BASE_SHA' => merge_request.merge_request_diff.base_commit_sha)
-        end
+      it 'exposes diff variables' do
+        expect(subject.to_hash)
+          .to include(
+            'CI_MERGE_REQUEST_DIFF_ID' => merge_request.merge_request_diff.id.to_s,
+            'CI_MERGE_REQUEST_DIFF_BASE_SHA' => merge_request.merge_request_diff.base_commit_sha)
       end
 
       context 'without assignee' do
@@ -867,22 +854,13 @@ RSpec.describe Ci::Pipeline, :mailer, factory_default: :keep do
               'CI_MERGE_REQUEST_MILESTONE' => milestone.title,
               'CI_MERGE_REQUEST_LABELS' => labels.map(&:title).sort.join(','),
               'CI_MERGE_REQUEST_EVENT_TYPE' => 'merged_result')
-          expect(subject.to_hash.keys).not_to include(
-            %w[CI_MERGE_REQUEST_DIFF_ID
-               CI_MERGE_REQUEST_DIFF_BASE_SHA])
         end
 
-        context 'when feature flag ci_mr_diff_variables is enabled' do
-          before do
-            stub_feature_flags(ci_mr_diff_variables: true)
-          end
-
-          it 'exposes diff variables' do
-            expect(subject.to_hash)
-              .to include(
-                'CI_MERGE_REQUEST_DIFF_ID' => merge_request.merge_request_diff.id.to_s,
-                'CI_MERGE_REQUEST_DIFF_BASE_SHA' => merge_request.merge_request_diff.base_commit_sha)
-          end
+        it 'exposes diff variables' do
+          expect(subject.to_hash)
+            .to include(
+              'CI_MERGE_REQUEST_DIFF_ID' => merge_request.merge_request_diff.id.to_s,
+              'CI_MERGE_REQUEST_DIFF_BASE_SHA' => merge_request.merge_request_diff.base_commit_sha)
         end
       end
     end
diff --git a/spec/models/protected_branch/push_access_level_spec.rb b/spec/models/protected_branch/push_access_level_spec.rb
index 0aba51ea567..0688df057a4 100644
--- a/spec/models/protected_branch/push_access_level_spec.rb
+++ b/spec/models/protected_branch/push_access_level_spec.rb
@@ -34,4 +34,45 @@ RSpec.describe ProtectedBranch::PushAccessLevel do
       expect(level.errors.full_messages).to contain_exactly('Deploy key is not enabled for this project')
     end
   end
+
+  describe '#check_access' do
+    let_it_be(:project) { create(:project) }
+    let_it_be(:protected_branch) { create(:protected_branch, :no_one_can_push, project: project) }
+    let_it_be(:user) { create(:user) }
+    let_it_be(:deploy_key) { create(:deploy_key, user: user) }
+    let!(:deploy_keys_project) { create(:deploy_keys_project, project: project, deploy_key: deploy_key, can_push: can_push) }
+    let(:can_push) { true }
+
+    before_all do
+      project.add_guest(user)
+    end
+
+    context 'when this push_access_level is tied to a deploy key' do
+      let(:push_access_level) { create(:protected_branch_push_access_level, protected_branch: protected_branch, deploy_key: deploy_key) }
+
+      context 'when the deploy key is among the active keys for this project' do
+        specify do
+          expect(push_access_level.check_access(user)).to be_truthy
+        end
+
+        context 'when the deploy_keys_on_protected_branches FF is false' do
+          before do
+            stub_feature_flags(deploy_keys_on_protected_branches: false)
+          end
+
+          it 'is false' do
+            expect(push_access_level.check_access(user)).to be_falsey
+          end
+        end
+      end
+
+      context 'when the deploy key is not among the active keys of this project' do
+        let(:can_push) { false }
+
+        it 'is false' do
+          expect(push_access_level.check_access(user)).to be_falsey
+        end
+      end
+    end
+  end
 end