Diffstat (limited to 'spec/graphql/mutations')
21 files changed, 301 insertions, 10 deletions
diff --git a/spec/graphql/mutations/alert_management/prometheus_integration/create_spec.rb b/spec/graphql/mutations/alert_management/prometheus_integration/create_spec.rb index 7ab0f43d674..164bd9b1e39 100644 --- a/spec/graphql/mutations/alert_management/prometheus_integration/create_spec.rb +++ b/spec/graphql/mutations/alert_management/prometheus_integration/create_spec.rb @@ -19,7 +19,7 @@ RSpec.describe Mutations::AlertManagement::PrometheusIntegration::Create do end context 'when Prometheus Integration already exists' do - let_it_be(:existing_integration) { create(:prometheus_service, project: project) } + let_it_be(:existing_integration) { create(:prometheus_integration, project: project) } it 'returns errors' do expect(resolve).to eq( @@ -32,7 +32,7 @@ RSpec.describe Mutations::AlertManagement::PrometheusIntegration::Create do context 'when UpdateService responds with success' do it 'returns the integration with no errors' do expect(resolve).to eq( - integration: ::PrometheusService.last!, + integration: ::Integrations::Prometheus.last!, errors: [] ) end diff --git a/spec/graphql/mutations/alert_management/prometheus_integration/reset_token_spec.rb b/spec/graphql/mutations/alert_management/prometheus_integration/reset_token_spec.rb index c9e1bf4162c..be07c142f4e 100644 --- a/spec/graphql/mutations/alert_management/prometheus_integration/reset_token_spec.rb +++ b/spec/graphql/mutations/alert_management/prometheus_integration/reset_token_spec.rb @@ -5,7 +5,7 @@ require 'spec_helper' RSpec.describe Mutations::AlertManagement::PrometheusIntegration::ResetToken do let_it_be(:current_user) { create(:user) } let_it_be(:project) { create(:project) } - let_it_be(:integration) { create(:prometheus_service, project: project) } + let_it_be(:integration) { create(:prometheus_integration, project: project) } let(:args) { { id: GitlabSchema.id_from_object(integration) } } 
diff --git a/spec/graphql/mutations/alert_management/prometheus_integration/update_spec.rb b/spec/graphql/mutations/alert_management/prometheus_integration/update_spec.rb index 19e0d53b75f..81d057c6ae2 100644 --- a/spec/graphql/mutations/alert_management/prometheus_integration/update_spec.rb +++ b/spec/graphql/mutations/alert_management/prometheus_integration/update_spec.rb @@ -5,7 +5,7 @@ require 'spec_helper' RSpec.describe Mutations::AlertManagement::PrometheusIntegration::Update do let_it_be(:current_user) { create(:user) } let_it_be(:project) { create(:project) } - let_it_be(:integration) { create(:prometheus_service, project: project) } + let_it_be(:integration) { create(:prometheus_integration, project: project) } let(:args) { { id: GitlabSchema.id_from_object(integration), active: false, api_url: 'http://new-url.com' } } diff --git a/spec/graphql/mutations/ci/job_token_scope/add_project_spec.rb b/spec/graphql/mutations/ci/job_token_scope/add_project_spec.rb new file mode 100644 index 00000000000..412be5f16a4 --- /dev/null +++ b/spec/graphql/mutations/ci/job_token_scope/add_project_spec.rb 
@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+require 'spec_helper'
+
+RSpec.describe Mutations::Ci::JobTokenScope::AddProject do
+ let(:mutation) do
+ described_class.new(object: nil, context: { current_user: current_user }, field: nil)
+ end
+
+ describe '#resolve' do
+ let_it_be(:project) do
+ create(:project, ci_job_token_scope_enabled: true).tap(&:save!)
+ end
+
+ let_it_be(:target_project) { create(:project) }
+
+ let(:target_project_path) { target_project.full_path }
+
+ subject do
+ mutation.resolve(project_path: project.full_path, target_project_path: target_project_path)
+ end
+
+ context 'when user is not logged in' do
+ let(:current_user) { nil }
+
+ it 'raises error' do
+ expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+ end
+ end
+
+ context 'when user is logged in' do
+ let(:current_user) { create(:user) }
+
+ context 'when user does not have permissions to admin project' do
+ it 'raises error' do
+ expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
+ end
+ end
+
+ context 'when user has permissions to admin project and read target project' do
+ before do
+ project.add_maintainer(current_user)
+ target_project.add_guest(current_user)
+ end
+
+ it 'adds target project to the job token scope' do
+ expect do
+ expect(subject).to include(ci_job_token_scope: be_present, errors: be_empty)
+ end.to change { Ci::JobToken::ProjectScopeLink.count }.by(1)
+ end
+
+ context 'when the service returns an error' do
+ let(:service) { double(:service) }
+
+ it 'returns an error response' do
+ expect(::Ci::JobTokenScope::AddProjectService).to receive(:new).with(project, current_user).and_return(service)
+ expect(service).to receive(:execute).with(target_project).and_return(ServiceResponse.error(message: 'The error message'))
+
+ expect(subject.fetch(:ci_job_token_scope)).to be_nil
+ expect(subject.fetch(:errors)).to include("The error message")
+ end
+ end
+ end
+ end
+ end
+end
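Review bot: The authorized context only covers a user who is maintainer on `project` and guest on `target_project`; no example covers a maintainer who cannot read `target_project`, which is the case that decides whether a project the caller has no access to can be placed in the job token scope. Add a context that omits `target_project.add_guest(current_user)` and pair the outcome with `.not_to change { Ci::JobToken::ProjectScopeLink.count }`. Whether the mutation raises or returns an error there is not visible from this spec, so the exact expectation needs checking against the service. The same gap is present in remove_project_spec.rb, where the link count should stay unchanged. As a smaller style point, a named subject such as `subject(:resolve)` would read better than the bare `subject` calls.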
diff --git a/spec/graphql/mutations/ci/job_token_scope/remove_project_spec.rb b/spec/graphql/mutations/ci/job_token_scope/remove_project_spec.rb
new file mode 100644
index 00000000000..0e706ea6e0c
--- /dev/null
+++ b/spec/graphql/mutations/ci/job_token_scope/remove_project_spec.rb
@@ -0,0 +1,68 @@ +# frozen_string_literal: true +require 'spec_helper' + +RSpec.describe Mutations::Ci::JobTokenScope::RemoveProject do + let(:mutation) do + described_class.new(object: nil, context: { current_user: current_user }, field: nil) + end + + describe '#resolve' do + let_it_be(:project) { create(:project, ci_job_token_scope_enabled: true).tap(&:save!) } + let_it_be(:target_project) { create(:project) } + + let_it_be(:link) do + create(:ci_job_token_project_scope_link, + source_project: project, + target_project: target_project) + end + + let(:target_project_path) { target_project.full_path } + + subject do + mutation.resolve(project_path: project.full_path, target_project_path: target_project_path) + end + + context 'when user is not logged in' do + let(:current_user) { nil } + + it 'raises error' do + expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable) + end + end + + context 'when user is logged in' do + let(:current_user) { create(:user) } + + context 'when user does not have permissions to admin project' do + it 'raises error' do + expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable) + end + end + + context 'when user has permissions to admin project and read target project' do + before do + project.add_maintainer(current_user) + target_project.add_guest(current_user) + end + + it 'removes target project from the job token scope' do + expect do + expect(subject).to include(ci_job_token_scope: be_present, errors: be_empty) + end.to change { Ci::JobToken::ProjectScopeLink.count }.by(-1) + end + + context 'when the service returns an error' do + let(:service) { double(:service) } + + it 'returns an error response' do + expect(::Ci::JobTokenScope::RemoveProjectService).to receive(:new).with(project, current_user).and_return(service) + expect(service).to receive(:execute).with(target_project).and_return(ServiceResponse.error(message: 'The error message')) + + 
expect(subject.fetch(:ci_job_token_scope)).to be_nil + expect(subject.fetch(:errors)).to include("The error message") + end + end + end + end + end +end diff --git a/spec/graphql/mutations/custom_emoji/create_spec.rb b/spec/graphql/mutations/custom_emoji/create_spec.rb index 118c5d67188..7c98e53a72c 100644 --- a/spec/graphql/mutations/custom_emoji/create_spec.rb +++ b/spec/graphql/mutations/custom_emoji/create_spec.rb @@ -5,6 +5,7 @@ require 'spec_helper' RSpec.describe Mutations::CustomEmoji::Create do let_it_be(:group) { create(:group) } let_it_be(:user) { create(:user) } + let(:args) { { group_path: group.full_path, name: 'tanuki', url: 'https://about.gitlab.com/images/press/logo/png/gitlab-icon-rgb.png' } } before do diff --git a/spec/graphql/mutations/discussions/toggle_resolve_spec.rb b/spec/graphql/mutations/discussions/toggle_resolve_spec.rb index 162b1249ab5..b03c6cb094f 100644 --- a/spec/graphql/mutations/discussions/toggle_resolve_spec.rb +++ b/spec/graphql/mutations/discussions/toggle_resolve_spec.rb @@ -140,6 +140,7 @@ RSpec.describe Mutations::Discussions::ToggleResolve do context 'when discussion is on a merge request' do let_it_be(:noteable) { create(:merge_request, source_project: project) } + let(:discussion) { create(:diff_note_on_merge_request, noteable: noteable, project: project).to_discussion } it_behaves_like 'a working resolve method' @@ -147,6 +148,7 @@ RSpec.describe Mutations::Discussions::ToggleResolve do context 'when discussion is on a design' do let_it_be(:noteable) { create(:design, :with_file, issue: create(:issue, project: project)) } + let(:discussion) { create(:diff_note_on_design, noteable: noteable, project: project).to_discussion } it_behaves_like 'a working resolve method' diff --git a/spec/graphql/mutations/environments/canary_ingress/update_spec.rb b/spec/graphql/mutations/environments/canary_ingress/update_spec.rb index c022828cf09..2715a908f85 100644 --- a/spec/graphql/mutations/environments/canary_ingress/update_spec.rb 
+++ b/spec/graphql/mutations/environments/canary_ingress/update_spec.rb @@ -7,6 +7,7 @@ RSpec.describe Mutations::Environments::CanaryIngress::Update do let_it_be(:environment) { create(:environment, project: project) } let_it_be(:maintainer) { create(:user) } let_it_be(:reporter) { create(:user) } + let(:user) { maintainer } subject(:mutation) { described_class.new(object: nil, context: { current_user: user }, field: nil) } diff --git a/spec/graphql/mutations/issues/create_spec.rb b/spec/graphql/mutations/issues/create_spec.rb index b32f0991959..0e7ef0e55b9 100644 --- a/spec/graphql/mutations/issues/create_spec.rb +++ b/spec/graphql/mutations/issues/create_spec.rb @@ -50,6 +50,7 @@ RSpec.describe Mutations::Issues::Create do stub_licensed_features(multiple_issue_assignees: false, issue_weights: false) project.add_guest(assignee1) project.add_guest(assignee2) + stub_spam_services end subject { mutation.resolve(**mutation_params) } diff --git a/spec/graphql/mutations/issues/set_confidential_spec.rb b/spec/graphql/mutations/issues/set_confidential_spec.rb index c3269e5c0c0..495b8442d95 100644 --- a/spec/graphql/mutations/issues/set_confidential_spec.rb +++ b/spec/graphql/mutations/issues/set_confidential_spec.rb @@ -17,6 +17,10 @@ RSpec.describe Mutations::Issues::SetConfidential do subject { mutation.resolve(project_path: project.full_path, iid: issue.iid, confidential: confidential) } + before do + stub_spam_services + end + it_behaves_like 'permission level for issue mutation is correctly verified' context 'when the user can update the issue' do diff --git a/spec/graphql/mutations/issues/set_severity_spec.rb b/spec/graphql/mutations/issues/set_severity_spec.rb index 7698118ae3e..7ce9c7f6621 100644 --- a/spec/graphql/mutations/issues/set_severity_spec.rb +++ b/spec/graphql/mutations/issues/set_severity_spec.rb 
@@ -5,12 +5,13 @@ require 'spec_helper' RSpec.describe Mutations::Issues::SetSeverity do let_it_be(:user) { create(:user) } let_it_be(:issue) { create(:incident) } + let(:mutation) { described_class.new(object: nil, context: { current_user: user }, field: nil) } specify { expect(described_class).to require_graphql_authorizations(:update_issue) } describe '#resolve' do - let(:severity) { 'CRITICAL' } + let(:severity) { 'critical' } let(:mutated_incident) { subject[:issue] } subject(:resolve) { mutation.resolve(project_path: issue.project.full_path, iid: issue.iid, severity: severity) } diff --git a/spec/graphql/mutations/issues/update_spec.rb b/spec/graphql/mutations/issues/update_spec.rb index bd780477658..80f43338bb5 100644 --- a/spec/graphql/mutations/issues/update_spec.rb +++ b/spec/graphql/mutations/issues/update_spec.rb @@ -35,6 +35,10 @@ RSpec.describe Mutations::Issues::Update do subject { mutation.resolve(**mutation_params) } + before do + stub_spam_services + end + it_behaves_like 'permission level for issue mutation is correctly verified' context 'when the user can update the issue' do diff --git a/spec/graphql/mutations/labels/create_spec.rb b/spec/graphql/mutations/labels/create_spec.rb index b2dd94f31bb..53a17041125 100644 --- a/spec/graphql/mutations/labels/create_spec.rb +++ b/spec/graphql/mutations/labels/create_spec.rb @@ -45,6 +45,7 @@ RSpec.describe Mutations::Labels::Create do context 'when creating a project label' do let_it_be(:parent) { create(:project) } + let(:extra_params) { { project_path: parent.full_path } } it_behaves_like 'create labels mutation' @@ -52,6 +53,7 @@ RSpec.describe Mutations::Labels::Create do context 'when creating a group label' do let_it_be(:parent) { create(:group) } + let(:extra_params) { { group_path: parent.full_path } } it_behaves_like 'create labels mutation' 
diff --git a/spec/graphql/mutations/notes/reposition_image_diff_note_spec.rb b/spec/graphql/mutations/notes/reposition_image_diff_note_spec.rb index d88b196cbff..e78f755d5c7 100644 --- a/spec/graphql/mutations/notes/reposition_image_diff_note_spec.rb +++ b/spec/graphql/mutations/notes/reposition_image_diff_note_spec.rb @@ -12,6 +12,7 @@ RSpec.describe Mutations::Notes::RepositionImageDiffNote do let_it_be(:noteable) { create(:merge_request) } let_it_be(:project) { noteable.project } + let(:note) { create(:image_diff_note_on_merge_request, noteable: noteable, project: project) } let(:mutation) do diff --git a/spec/graphql/mutations/release_asset_links/create_spec.rb b/spec/graphql/mutations/release_asset_links/create_spec.rb index 089bc3d3276..eb7cbb4b789 100644 --- a/spec/graphql/mutations/release_asset_links/create_spec.rb +++ b/spec/graphql/mutations/release_asset_links/create_spec.rb @@ -50,6 +50,24 @@ RSpec.describe Mutations::ReleaseAssetLinks::Create do end end + context 'with protected tag' do + context 'when user has access to the protected tag' do + let!(:protected_tag) { create(:protected_tag, :developers_can_create, name: '*', project: project) } + + it 'does not have errors' do + expect(subject).to include(errors: []) + end + end + + context 'when user does not have access to the protected tag' do + let!(:protected_tag) { create(:protected_tag, :maintainers_can_create, name: '*', project: project) } + + it 'has an access error' do + expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable) + end + end + end + context "when the user doesn't have access to the project" do let(:current_user) { reporter } diff --git a/spec/graphql/mutations/release_asset_links/delete_spec.rb b/spec/graphql/mutations/release_asset_links/delete_spec.rb index 15d320b58ee..cda292f2ffa 100644 --- a/spec/graphql/mutations/release_asset_links/delete_spec.rb +++ b/spec/graphql/mutations/release_asset_links/delete_spec.rb 
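Review bot: In the new 'with protected tag' context of release_asset_links/create_spec.rb, the permitted example asserts only `errors: []`, so it would still pass if the mutation returned no errors without creating a link. Consider `expect { subject }.to change { Releases::Link.count }.by(1)` (model name inferred from the global ID used in delete_spec.rb), or assert on the returned link. Both examples also depend on `current_user`, which is set outside this hunk. If it is a developer, a comment such as `# current_user is a developer; '*' protects every tag name` would make the expected allow/deny outcome readable in place.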
@@ -7,6 +7,7 @@ RSpec.describe Mutations::ReleaseAssetLinks::Delete do let_it_be(:project) { create(:project, :private, :repository) } let_it_be_with_reload(:release) { create(:release, project: project) } + let_it_be(:reporter) { create(:user).tap { |u| project.add_reporter(u) } } let_it_be(:developer) { create(:user).tap { |u| project.add_developer(u) } } let_it_be(:maintainer) { create(:user).tap { |u| project.add_maintainer(u) } } let_it_be_with_reload(:release_link) { create(:release_link, release: release) } @@ -22,7 +23,7 @@ RSpec.describe Mutations::ReleaseAssetLinks::Delete do let(:deleted_link) { subject[:link] } context 'when the current user has access to delete the link' do - let(:current_user) { maintainer } + let(:current_user) { developer } it 'deletes the link and returns it', :aggregate_failures do expect(deleted_link).to eq(release_link) @@ -30,6 +31,26 @@ RSpec.describe Mutations::ReleaseAssetLinks::Delete do expect(release.links).to be_empty end + context 'with protected tag' do + context 'when user has access to the protected tag' do + let!(:protected_tag) { create(:protected_tag, :developers_can_create, name: '*', project: project) } + + it 'does not have errors' do + subject + + expect(resolve).to include(errors: []) + end + end + + context 'when user does not have access to the protected tag' do + let!(:protected_tag) { create(:protected_tag, :maintainers_can_create, name: '*', project: project) } + + it 'raises a resource access error' do + expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable) + end + end + end + context "when the link doesn't exist" do let(:mutation_arguments) { super().merge(id: "gid://gitlab/Releases::Link/#{non_existing_record_id}") } 
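Review bot: In the added 'with protected tag' context, the 'does not have errors' example calls `subject` and then asserts on `resolve`, and the hunk does not show whether `resolve` is the named subject. If it is, the bare `subject` line is redundant because the subject is memoized; if it is not, the assertion runs against a second invocation after the link has already been deleted. `expect(subject).to include(errors: [])`, as release_asset_links/create_spec.rb does, removes the ambiguity. The same two-line pattern appears in release_asset_links/update_spec.rb and in the releases create, delete and update specs further down.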
@@ -48,7 +69,7 @@ RSpec.describe Mutations::ReleaseAssetLinks::Delete do end context 'when the current user does not have access to delete the link' do - let(:current_user) { developer } + let(:current_user) { reporter } it 'raises an error' do expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable) diff --git a/spec/graphql/mutations/release_asset_links/update_spec.rb b/spec/graphql/mutations/release_asset_links/update_spec.rb index 20c1c8b581c..64648687336 100644 --- a/spec/graphql/mutations/release_asset_links/update_spec.rb +++ b/spec/graphql/mutations/release_asset_links/update_spec.rb @@ -87,6 +87,26 @@ RSpec.describe Mutations::ReleaseAssetLinks::Update do end it_behaves_like 'no changes to the link except for the', :name + + context 'with protected tag' do + context 'when user has access to the protected tag' do + let!(:protected_tag) { create(:protected_tag, :developers_can_create, name: '*', project: project) } + + it 'does not have errors' do + subject + + expect(resolve).to include(errors: []) + end + end + + context 'when user does not have access to the protected tag' do + let!(:protected_tag) { create(:protected_tag, :maintainers_can_create, name: '*', project: project) } + + it 'raises a resource access error' do + expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable) + end + end + end end context 'when nil is provided' do diff --git a/spec/graphql/mutations/releases/create_spec.rb b/spec/graphql/mutations/releases/create_spec.rb index 7776f968346..1f2c3ed537f 100644 --- a/spec/graphql/mutations/releases/create_spec.rb +++ b/spec/graphql/mutations/releases/create_spec.rb 
@@ -117,6 +117,28 @@ RSpec.describe Mutations::Releases::Create do expect(new_link.filepath).to eq(expected_link[:filepath]) end end + + context 'with protected tag' do + context 'when user has access to the protected tag' do + let!(:protected_tag) { create(:protected_tag, :developers_can_create, name: '*', project: project) } + + it 'does not have errors' do + subject + + expect(resolve).to include(errors: []) + end + end + + context 'when user does not have access to the protected tag' do + let!(:protected_tag) { create(:protected_tag, :maintainers_can_create, name: '*', project: project) } + + it 'has an access error' do + subject + + expect(resolve).to include(errors: ['Access Denied']) + end + end + end end context "when the current user doesn't have access to create releases" do diff --git a/spec/graphql/mutations/releases/delete_spec.rb b/spec/graphql/mutations/releases/delete_spec.rb index bedb72b002c..d97f839ce87 100644 --- a/spec/graphql/mutations/releases/delete_spec.rb +++ b/spec/graphql/mutations/releases/delete_spec.rb @@ -5,6 +5,7 @@ require 'spec_helper' RSpec.describe Mutations::Releases::Delete do let_it_be(:project) { create(:project, :public, :repository) } let_it_be(:non_project_member) { create(:user) } + let_it_be(:reporter) { create(:user) } let_it_be(:developer) { create(:user) } let_it_be(:maintainer) { create(:user) } let_it_be(:tag) { 'v1.1.0'} @@ -20,6 +21,7 @@ RSpec.describe Mutations::Releases::Delete do end before do + project.add_reporter(reporter) project.add_developer(developer) project.add_maintainer(maintainer) end @@ -36,7 +38,7 @@ RSpec.describe Mutations::Releases::Delete do end context 'when the current user has access to create releases' do - let(:current_user) { maintainer } + let(:current_user) { developer } it 'deletes the release' do expect { subject }.to change { Release.count }.by(-1) 
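Review bot: The denied example under 'with protected tag' in releases/create_spec.rb checks only that `errors` equals `['Access Denied']`; it does not show that the protected tag actually stopped the write. This mutation reports the denial in the payload instead of raising, so pair it with a state assertion such as `expect { subject }.not_to change { Release.count }`. releases/delete_spec.rb and releases/update_spec.rb have the same gap: the delete case can use the same count check, and the update case can assert that the release's attributes are unchanged after the call. The enclosing context starts outside the hunk.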
@@ -54,6 +56,28 @@ RSpec.describe Mutations::Releases::Delete do expect(subject[:errors]).to eq([]) end + context 'with protected tag' do + context 'when user has access to the protected tag' do + let!(:protected_tag) { create(:protected_tag, :developers_can_create, name: '*', project: project) } + + it 'does not have errors' do + subject + + expect(resolve).to include(errors: []) + end + end + + context 'when user does not have access to the protected tag' do + let!(:protected_tag) { create(:protected_tag, :maintainers_can_create, name: '*', project: project) } + + it 'has an access error' do + subject + + expect(resolve).to include(errors: ['Access Denied']) + end + end + end + context 'validation' do context 'when the release does not exist' do let(:mutation_arguments) { super().merge(tag: 'not-a-real-release') } @@ -76,8 +100,8 @@ RSpec.describe Mutations::Releases::Delete do end context "when the current user doesn't have access to update releases" do - context 'when the user is a developer' do - let(:current_user) { developer } + context 'when the user is a reporter' do + let(:current_user) { reporter } it_behaves_like 'unauthorized or not found error' end diff --git a/spec/graphql/mutations/releases/update_spec.rb b/spec/graphql/mutations/releases/update_spec.rb index c541afd53a1..5ee63ac4dc2 100644 --- a/spec/graphql/mutations/releases/update_spec.rb +++ b/spec/graphql/mutations/releases/update_spec.rb 
@@ -107,6 +107,28 @@ RSpec.describe Mutations::Releases::Update do end it_behaves_like 'no changes to the release except for the', :name + + context 'with protected tag' do + context 'when user has access to the protected tag' do + let!(:protected_tag) { create(:protected_tag, :developers_can_create, name: '*', project: project) } + + it 'does not have errors' do + subject + + expect(resolve).to include(errors: []) + end + end + + context 'when user does not have access to the protected tag' do + let!(:protected_tag) { create(:protected_tag, :maintainers_can_create, name: '*', project: project) } + + it 'has an access error' do + subject + + expect(resolve).to include(errors: ['Access Denied']) + end + end + end end context 'when nil is provided' do diff --git a/spec/graphql/mutations/security/ci_configuration/base_security_analyzer_spec.rb b/spec/graphql/mutations/security/ci_configuration/base_security_analyzer_spec.rb new file mode 100644 index 00000000000..818a7d303bd --- /dev/null +++ b/spec/graphql/mutations/security/ci_configuration/base_security_analyzer_spec.rb @@ -0,0 +1,14 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe Mutations::Security::CiConfiguration::BaseSecurityAnalyzer do + include GraphqlHelpers + + it 'raises a NotImplementedError error if the resolve method is called on the base class' do + user = create(:user) + project = create(:project, :public, :repository) + project.add_developer(user) + expect { resolve(described_class, args: { project_path: project.full_path }, ctx: { current_user: user }) }.to raise_error(NotImplementedError) + end +end |