diff options
Diffstat (limited to 'spec/lib/gitlab/checks/tag_check_spec.rb')
-rw-r--r-- | spec/lib/gitlab/checks/tag_check_spec.rb | 129 |
1 files changed, 78 insertions, 51 deletions
diff --git a/spec/lib/gitlab/checks/tag_check_spec.rb b/spec/lib/gitlab/checks/tag_check_spec.rb index 2b1fbc7e797..15c6b906689 100644 --- a/spec/lib/gitlab/checks/tag_check_spec.rb +++ b/spec/lib/gitlab/checks/tag_check_spec.rb @@ -11,126 +11,138 @@ RSpec.describe Gitlab::Checks::TagCheck, feature_category: :source_code_manageme it 'raises an error when user does not have access' do allow(user_access).to receive(:can_do_action?).with(:admin_tag).and_return(false) - expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, 'You are not allowed to change existing tags on this project.') + expect { change_check.validate! }.to raise_error( + Gitlab::GitAccess::ForbiddenError, + 'You are not allowed to change existing tags on this project.' + ) end - context "prohibited tags check" do + describe "prohibited tags check" do it 'prohibits tags name that include refs/heads at the head' do - allow(subject).to receive(:tag_name).and_return("refs/heads/foo") + allow(change_check).to receive(:tag_name).and_return("refs/heads/foo") - expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, "You cannot create a tag with a prohibited pattern.") + expect { change_check.validate! }.to raise_error( + Gitlab::GitAccess::ForbiddenError, + "You cannot create a tag with a prohibited pattern." + ) end it "prohibits tag names that include refs/tags/ at the head" do - allow(subject).to receive(:tag_name).and_return("refs/tags/foo") + allow(change_check).to receive(:tag_name).and_return("refs/tags/foo") - expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, "You cannot create a tag with a prohibited pattern.") + expect { change_check.validate! }.to raise_error( + Gitlab::GitAccess::ForbiddenError, + "You cannot create a tag with a prohibited pattern." + ) end it "doesn't prohibit a nested refs/tags/ string in a tag name" do - allow(subject).to receive(:tag_name).and_return("fix-for-refs/tags/foo") - - expect { subject.validate! }.not_to raise_error - end + allow(change_check).to receive(:tag_name).and_return("fix-for-refs/tags/foo") - context "deleting a refs/tags headed tag" do - let(:newrev) { "0000000000000000000000000000000000000000" } - let(:ref) { "refs/tags/refs/tags/267208abfe40e546f5e847444276f7d43a39503e" } - - it "doesn't prohibit the deletion of a refs/tags/ tag name" do - expect { subject.validate! }.not_to raise_error - end + expect { change_check.validate! }.not_to raise_error end it "prohibits tag names that include characters incompatible with UTF-8" do - allow(subject).to receive(:tag_name).and_return("v6.0.0-\xCE.BETA") + allow(change_check).to receive(:tag_name).and_return("v6.0.0-\xCE.BETA") - expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, "Tag names must be valid when converted to UTF-8 encoding") + expect { change_check.validate! }.to raise_error( + Gitlab::GitAccess::ForbiddenError, + "Tag names must be valid when converted to UTF-8 encoding" + ) end it "doesn't prohibit UTF-8 compatible characters" do - allow(subject).to receive(:tag_name).and_return("v6.0.0-Ü.BETA") + allow(change_check).to receive(:tag_name).and_return("v6.0.0-Ü.BETA") - expect { subject.validate! }.not_to raise_error + expect { change_check.validate! }.not_to raise_error end context "when prohibited_tag_name_encoding_check feature flag is disabled" do before do stub_feature_flags(prohibited_tag_name_encoding_check: false) - allow(subject).to receive(:validate_tag_name_not_sha_like!) + allow(change_check).to receive(:validate_tag_name_not_sha_like!) end it "doesn't prohibit tag names that include characters incompatible with UTF-8" do - allow(subject).to receive(:tag_name).and_return("v6.0.0-\xCE.BETA") + allow(change_check).to receive(:tag_name).and_return("v6.0.0-\xCE.BETA") - expect { subject.validate! }.not_to raise_error + expect { change_check.validate! }.not_to raise_error end it "doesn't prohibit UTF-8 compatible characters" do - allow(subject).to receive(:tag_name).and_return("v6.0.0-Ü.BETA") + allow(change_check).to receive(:tag_name).and_return("v6.0.0-Ü.BETA") + + expect { change_check.validate! }.not_to raise_error + end + end - expect { subject.validate! }.not_to raise_error + describe "deleting a refs/tags headed tag" do + let(:newrev) { "0000000000000000000000000000000000000000" } + let(:ref) { "refs/tags/refs/tags/267208abfe40e546f5e847444276f7d43a39503e" } + + it "doesn't prohibit the deletion of a refs/tags/ tag name" do + expect { change_check.validate! }.not_to raise_error end end it "forbids SHA-1 values" do - allow(subject) + allow(change_check) .to receive(:tag_name) .and_return("267208abfe40e546f5e847444276f7d43a39503e") - expect { subject.validate! }.to raise_error( + expect { change_check.validate! }.to raise_error( Gitlab::GitAccess::ForbiddenError, "You cannot create a tag with a SHA-1 or SHA-256 tag name." ) end it "forbids SHA-256 values" do - allow(subject) + allow(change_check) .to receive(:tag_name) .and_return("09b9fd3ea68e9b95a51b693a29568c898e27d1476bbd83c825664f18467fc175") - expect { subject.validate! }.to raise_error( + expect { change_check.validate! }.to raise_error( Gitlab::GitAccess::ForbiddenError, "You cannot create a tag with a SHA-1 or SHA-256 tag name." ) end it "forbids '{SHA-1}{+anything}' values" do - allow(subject) + allow(change_check) .to receive(:tag_name) .and_return("267208abfe40e546f5e847444276f7d43a39503e-") - expect { subject.validate! }.to raise_error( + expect { change_check.validate! }.to raise_error( Gitlab::GitAccess::ForbiddenError, "You cannot create a tag with a SHA-1 or SHA-256 tag name." ) end it "forbids '{SHA-256}{+anything} values" do - allow(subject) + allow(change_check) .to receive(:tag_name) .and_return("09b9fd3ea68e9b95a51b693a29568c898e27d1476bbd83c825664f18467fc175-") - expect { subject.validate! }.to raise_error( + expect { change_check.validate! }.to raise_error( Gitlab::GitAccess::ForbiddenError, "You cannot create a tag with a SHA-1 or SHA-256 tag name." ) end it "allows SHA-1 values to be appended to the tag name" do - allow(subject) + allow(change_check) .to receive(:tag_name) .and_return("fix-267208abfe40e546f5e847444276f7d43a39503e") - expect { subject.validate! }.not_to raise_error + expect { change_check.validate! }.not_to raise_error end it "allows SHA-256 values to be appended to the tag name" do - allow(subject) + allow(change_check) .to receive(:tag_name) .and_return("fix-09b9fd3ea68e9b95a51b693a29568c898e27d1476bbd83c825664f18467fc175") - expect { subject.validate! }.not_to raise_error + expect { change_check.validate! }.not_to raise_error end end @@ -142,31 +154,36 @@ RSpec.describe Gitlab::Checks::TagCheck, feature_category: :source_code_manageme project.add_maintainer(user) end - context 'deletion' do + describe 'deleting a tag' do let(:oldrev) { 'be93687618e4b132087f430a4d8fc3a609c9b77c' } let(:newrev) { '0000000000000000000000000000000000000000' } - context 'via web interface' do + context 'when deleting via web interface' do let(:protocol) { 'web' } it 'is allowed' do - expect { subject.validate! }.not_to raise_error + expect { change_check.validate! }.not_to raise_error end end - context 'via SSH' do + context 'when deleting via SSH' do it 'is prevented' do - expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, /only delete.*web interface/) + expect { change_check.validate! }.to raise_error( + Gitlab::GitAccess::ForbiddenError, + 'You can only delete protected tags using the web interface.' + ) end end end - context 'update' do + describe 'updating a tag' do let(:oldrev) { 'be93687618e4b132087f430a4d8fc3a609c9b77c' } let(:newrev) { '54fcc214b94e78d7a41a9a8fe6d87a5e59500e51' } it 'is prevented' do - expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, /cannot be updated/) + expect { change_check.validate! }.to raise_error( + Gitlab::GitAccess::ForbiddenError, 'Protected tags cannot be updated.' + ) end end end @@ -176,37 +193,47 @@ RSpec.describe Gitlab::Checks::TagCheck, feature_category: :source_code_manageme project.add_developer(user) end - context 'deletion' do + describe 'deleting a tag' do let(:oldrev) { 'be93687618e4b132087f430a4d8fc3a609c9b77c' } let(:newrev) { '0000000000000000000000000000000000000000' } it 'is prevented' do - expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, /not allowed to delete/) + expect { change_check.validate! }.to raise_error( + Gitlab::GitAccess::ForbiddenError, + 'You are not allowed to delete protected tags from this project. ' \ + 'Only a project maintainer or owner can delete a protected tag.' + ) end end end - context 'creation' do + describe 'creating a tag' do let(:oldrev) { '0000000000000000000000000000000000000000' } let(:newrev) { '54fcc214b94e78d7a41a9a8fe6d87a5e59500e51' } let(:ref) { 'refs/tags/v9.1.0' } it 'prevents creation below access level' do - expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, /allowed to create this tag as it is protected/) + expect { change_check.validate! }.to raise_error( + Gitlab::GitAccess::ForbiddenError, + 'You are not allowed to create this tag as it is protected.' + ) end context 'when user has access' do let!(:protected_tag) { create(:protected_tag, :developers_can_create, project: project, name: 'v*') } it 'allows tag creation' do - expect { subject.validate! }.not_to raise_error + expect { change_check.validate! }.not_to raise_error end context 'when tag name is the same as default branch' do let(:ref) { "refs/tags/#{project.default_branch}" } it 'is prevented' do - expect { subject.validate! }.to raise_error(Gitlab::GitAccess::ForbiddenError, /cannot use default branch name to create a tag/) + expect { change_check.validate! }.to raise_error( + Gitlab::GitAccess::ForbiddenError, + 'You cannot use default branch name to create a tag' + ) end end end |