Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/spec/policies/ci/pipeline_schedule_policy_spec.rb
diff options
context:
space:
mode:
Diffstat (limited to 'spec/policies/ci/pipeline_schedule_policy_spec.rb')
-rw-r--r--spec/policies/ci/pipeline_schedule_policy_spec.rb338
1 files changed, 239 insertions, 99 deletions
diff --git a/spec/policies/ci/pipeline_schedule_policy_spec.rb b/spec/policies/ci/pipeline_schedule_policy_spec.rb
index 8fc5c6ca296..1d353b9a35e 100644
--- a/spec/policies/ci/pipeline_schedule_policy_spec.rb
+++ b/spec/policies/ci/pipeline_schedule_policy_spec.rb
@@ -6,6 +6,7 @@ RSpec.describe Ci::PipelineSchedulePolicy, :models, :clean_gitlab_redis_cache, f
using RSpec::Parameterized::TableSyntax
let_it_be(:user) { create(:user) }
+ let_it_be(:other_user) { create(:user) }
let_it_be_with_reload(:project) { create(:project, :repository, create_tag: tag_ref_name) }
let_it_be_with_reload(:pipeline_schedule) { create(:ci_pipeline_schedule, :nightly, project: project) }
let_it_be(:tag_ref_name) { "v1.0.0" }
@@ -17,89 +18,180 @@ RSpec.describe Ci::PipelineSchedulePolicy, :models, :clean_gitlab_redis_cache, f
describe 'rules' do
describe 'rules for protected ref' do
context 'for branch' do
+ subject(:policy) { described_class.new(user, pipeline_schedule) }
+
%w[refs/heads/master master].each do |branch_ref|
context "with #{branch_ref}" do
let_it_be(:branch_ref_name) { "master" }
- let_it_be(:branch_pipeline_schedule) do
+ let_it_be(:pipeline_schedule) do
create(:ci_pipeline_schedule, :nightly, project: project, ref: branch_ref)
end
- where(:push_access_level, :merge_access_level, :project_role, :accessible) do
- :no_one_can_push | :no_one_can_merge | :owner | :be_disallowed
- :no_one_can_push | :no_one_can_merge | :maintainer | :be_disallowed
- :no_one_can_push | :no_one_can_merge | :developer | :be_disallowed
- :no_one_can_push | :no_one_can_merge | :reporter | :be_disallowed
- :no_one_can_push | :no_one_can_merge | :guest | :be_disallowed
-
- :maintainers_can_push | :no_one_can_merge | :owner | :be_allowed
- :maintainers_can_push | :no_one_can_merge | :maintainer | :be_allowed
- :maintainers_can_push | :no_one_can_merge | :developer | :be_disallowed
- :maintainers_can_push | :no_one_can_merge | :reporter | :be_disallowed
- :maintainers_can_push | :no_one_can_merge | :guest | :be_disallowed
-
- :developers_can_push | :no_one_can_merge | :owner | :be_allowed
- :developers_can_push | :no_one_can_merge | :maintainer | :be_allowed
- :developers_can_push | :no_one_can_merge | :developer | :be_allowed
- :developers_can_push | :no_one_can_merge | :reporter | :be_disallowed
- :developers_can_push | :no_one_can_merge | :guest | :be_disallowed
-
- :no_one_can_push | :maintainers_can_merge | :owner | :be_allowed
- :no_one_can_push | :maintainers_can_merge | :maintainer | :be_allowed
- :no_one_can_push | :maintainers_can_merge | :developer | :be_disallowed
- :no_one_can_push | :maintainers_can_merge | :reporter | :be_disallowed
- :no_one_can_push | :maintainers_can_merge | :guest | :be_disallowed
-
- :maintainers_can_push | :maintainers_can_merge | :owner | :be_allowed
- :maintainers_can_push | :maintainers_can_merge | :maintainer | :be_allowed
- :maintainers_can_push | :maintainers_can_merge | :developer | :be_disallowed
- :maintainers_can_push | :maintainers_can_merge | :reporter | :be_disallowed
- :maintainers_can_push | :maintainers_can_merge | :guest | :be_disallowed
-
- :developers_can_push | :maintainers_can_merge | :owner | :be_allowed
- :developers_can_push | :maintainers_can_merge | :maintainer | :be_allowed
- :developers_can_push | :maintainers_can_merge | :developer | :be_allowed
- :developers_can_push | :maintainers_can_merge | :reporter | :be_disallowed
- :developers_can_push | :maintainers_can_merge | :guest | :be_disallowed
-
- :no_one_can_push | :developers_can_merge | :owner | :be_allowed
- :no_one_can_push | :developers_can_merge | :maintainer | :be_allowed
- :no_one_can_push | :developers_can_merge | :developer | :be_allowed
- :no_one_can_push | :developers_can_merge | :reporter | :be_disallowed
- :no_one_can_push | :developers_can_merge | :guest | :be_disallowed
-
- :maintainers_can_push | :developers_can_merge | :owner | :be_allowed
- :maintainers_can_push | :developers_can_merge | :maintainer | :be_allowed
- :maintainers_can_push | :developers_can_merge | :developer | :be_allowed
- :maintainers_can_push | :developers_can_merge | :reporter | :be_disallowed
- :maintainers_can_push | :developers_can_merge | :guest | :be_disallowed
-
- :developers_can_push | :developers_can_merge | :owner | :be_allowed
- :developers_can_push | :developers_can_merge | :maintainer | :be_allowed
- :developers_can_push | :developers_can_merge | :developer | :be_allowed
- :developers_can_push | :developers_can_merge | :reporter | :be_disallowed
- :developers_can_push | :developers_can_merge | :guest | :be_disallowed
+ shared_examples_for 'allowed by those who can update the branch' do
+ where(:push_access_level, :merge_access_level, :project_role, :accessible) do
+ :no_one_can_push | :no_one_can_merge | :owner | :be_disallowed
+ :no_one_can_push | :no_one_can_merge | :maintainer | :be_disallowed
+ :no_one_can_push | :no_one_can_merge | :developer | :be_disallowed
+ :no_one_can_push | :no_one_can_merge | :reporter | :be_disallowed
+ :no_one_can_push | :no_one_can_merge | :guest | :be_disallowed
+
+ :maintainers_can_push | :no_one_can_merge | :owner | :be_allowed
+ :maintainers_can_push | :no_one_can_merge | :maintainer | :be_allowed
+ :maintainers_can_push | :no_one_can_merge | :developer | :be_disallowed
+ :maintainers_can_push | :no_one_can_merge | :reporter | :be_disallowed
+ :maintainers_can_push | :no_one_can_merge | :guest | :be_disallowed
+
+ :developers_can_push | :no_one_can_merge | :owner | :be_allowed
+ :developers_can_push | :no_one_can_merge | :maintainer | :be_allowed
+ :developers_can_push | :no_one_can_merge | :developer | :be_allowed
+ :developers_can_push | :no_one_can_merge | :reporter | :be_disallowed
+ :developers_can_push | :no_one_can_merge | :guest | :be_disallowed
+
+ :no_one_can_push | :maintainers_can_merge | :owner | :be_allowed
+ :no_one_can_push | :maintainers_can_merge | :maintainer | :be_allowed
+ :no_one_can_push | :maintainers_can_merge | :developer | :be_disallowed
+ :no_one_can_push | :maintainers_can_merge | :reporter | :be_disallowed
+ :no_one_can_push | :maintainers_can_merge | :guest | :be_disallowed
+
+ :maintainers_can_push | :maintainers_can_merge | :owner | :be_allowed
+ :maintainers_can_push | :maintainers_can_merge | :maintainer | :be_allowed
+ :maintainers_can_push | :maintainers_can_merge | :developer | :be_disallowed
+ :maintainers_can_push | :maintainers_can_merge | :reporter | :be_disallowed
+ :maintainers_can_push | :maintainers_can_merge | :guest | :be_disallowed
+
+ :developers_can_push | :maintainers_can_merge | :owner | :be_allowed
+ :developers_can_push | :maintainers_can_merge | :maintainer | :be_allowed
+ :developers_can_push | :maintainers_can_merge | :developer | :be_allowed
+ :developers_can_push | :maintainers_can_merge | :reporter | :be_disallowed
+ :developers_can_push | :maintainers_can_merge | :guest | :be_disallowed
+
+ :no_one_can_push | :developers_can_merge | :owner | :be_allowed
+ :no_one_can_push | :developers_can_merge | :maintainer | :be_allowed
+ :no_one_can_push | :developers_can_merge | :developer | :be_allowed
+ :no_one_can_push | :developers_can_merge | :reporter | :be_disallowed
+ :no_one_can_push | :developers_can_merge | :guest | :be_disallowed
+
+ :maintainers_can_push | :developers_can_merge | :owner | :be_allowed
+ :maintainers_can_push | :developers_can_merge | :maintainer | :be_allowed
+ :maintainers_can_push | :developers_can_merge | :developer | :be_allowed
+ :maintainers_can_push | :developers_can_merge | :reporter | :be_disallowed
+ :maintainers_can_push | :developers_can_merge | :guest | :be_disallowed
+
+ :developers_can_push | :developers_can_merge | :owner | :be_allowed
+ :developers_can_push | :developers_can_merge | :maintainer | :be_allowed
+ :developers_can_push | :developers_can_merge | :developer | :be_allowed
+ :developers_can_push | :developers_can_merge | :reporter | :be_disallowed
+ :developers_can_push | :developers_can_merge | :guest | :be_disallowed
+ end
+
+ with_them do
+ before do
+ create(:protected_branch, push_access_level, merge_access_level, name: branch_ref_name,
+ project: project)
+ project.add_role(user, project_role)
+ end
+
+ it { expect(policy).to try(accessible, :create_pipeline_schedule) }
+ end
end
- with_them do
- before do
- create(:protected_branch, push_access_level, merge_access_level, name: branch_ref_name,
- project: project)
- project.add_role(user, project_role)
+ shared_examples_for 'only allowed by schedule owners who can update the branch' do
+ where(:push_access_level, :merge_access_level, :schedule_owner, :project_role, :accessible) do
+ :no_one_can_push | :no_one_can_merge | :other_user | :owner | :be_disallowed
+ :no_one_can_push | :no_one_can_merge | :user | :owner | :be_disallowed
+ :no_one_can_push | :no_one_can_merge | :user | :maintainer | :be_disallowed
+ :no_one_can_push | :no_one_can_merge | :user | :developer | :be_disallowed
+ :no_one_can_push | :no_one_can_merge | :user | :reporter | :be_disallowed
+ :no_one_can_push | :no_one_can_merge | :user | :guest | :be_disallowed
+
+ :maintainers_can_push | :no_one_can_merge | :other_user | :owner | :be_disallowed
+ :maintainers_can_push | :no_one_can_merge | :user | :owner | :be_allowed
+ :maintainers_can_push | :no_one_can_merge | :user | :maintainer | :be_allowed
+ :maintainers_can_push | :no_one_can_merge | :user | :developer | :be_disallowed
+ :maintainers_can_push | :no_one_can_merge | :user | :reporter | :be_disallowed
+ :maintainers_can_push | :no_one_can_merge | :user | :guest | :be_disallowed
+
+ :developers_can_push | :no_one_can_merge | :other_user | :owner | :be_disallowed
+ :developers_can_push | :no_one_can_merge | :user | :owner | :be_allowed
+ :developers_can_push | :no_one_can_merge | :user | :maintainer | :be_allowed
+ :developers_can_push | :no_one_can_merge | :user | :developer | :be_allowed
+ :developers_can_push | :no_one_can_merge | :user | :reporter | :be_disallowed
+ :developers_can_push | :no_one_can_merge | :user | :guest | :be_disallowed
+
+ :no_one_can_push | :maintainers_can_merge | :other_user | :owner | :be_disallowed
+ :no_one_can_push | :maintainers_can_merge | :user | :owner | :be_allowed
+ :no_one_can_push | :maintainers_can_merge | :user | :maintainer | :be_allowed
+ :no_one_can_push | :maintainers_can_merge | :user | :developer | :be_disallowed
+ :no_one_can_push | :maintainers_can_merge | :user | :reporter | :be_disallowed
+ :no_one_can_push | :maintainers_can_merge | :user | :guest | :be_disallowed
+
+ :maintainers_can_push | :maintainers_can_merge | :other_user | :owner | :be_disallowed
+ :maintainers_can_push | :maintainers_can_merge | :user | :owner | :be_allowed
+ :maintainers_can_push | :maintainers_can_merge | :user | :maintainer | :be_allowed
+ :maintainers_can_push | :maintainers_can_merge | :user | :developer | :be_disallowed
+ :maintainers_can_push | :maintainers_can_merge | :user | :reporter | :be_disallowed
+ :maintainers_can_push | :maintainers_can_merge | :user | :guest | :be_disallowed
+
+ :developers_can_push | :maintainers_can_merge | :other_user | :owner | :be_disallowed
+ :developers_can_push | :maintainers_can_merge | :user | :owner | :be_allowed
+ :developers_can_push | :maintainers_can_merge | :user | :maintainer | :be_allowed
+ :developers_can_push | :maintainers_can_merge | :user | :developer | :be_allowed
+ :developers_can_push | :maintainers_can_merge | :user | :reporter | :be_disallowed
+ :developers_can_push | :maintainers_can_merge | :user | :guest | :be_disallowed
+
+ :no_one_can_push | :developers_can_merge | :other_user | :owner | :be_disallowed
+ :no_one_can_push | :developers_can_merge | :user | :owner | :be_allowed
+ :no_one_can_push | :developers_can_merge | :user | :maintainer | :be_allowed
+ :no_one_can_push | :developers_can_merge | :user | :developer | :be_allowed
+ :no_one_can_push | :developers_can_merge | :user | :reporter | :be_disallowed
+ :no_one_can_push | :developers_can_merge | :user | :guest | :be_disallowed
+
+ :maintainers_can_push | :developers_can_merge | :other_user | :owner | :be_disallowed
+ :maintainers_can_push | :developers_can_merge | :user | :owner | :be_allowed
+ :maintainers_can_push | :developers_can_merge | :user | :maintainer | :be_allowed
+ :maintainers_can_push | :developers_can_merge | :user | :developer | :be_allowed
+ :maintainers_can_push | :developers_can_merge | :user | :reporter | :be_disallowed
+ :maintainers_can_push | :developers_can_merge | :user | :guest | :be_disallowed
+
+ :developers_can_push | :developers_can_merge | :other_user | :owner | :be_disallowed
+ :developers_can_push | :developers_can_merge | :user | :owner | :be_allowed
+ :developers_can_push | :developers_can_merge | :user | :maintainer | :be_allowed
+ :developers_can_push | :developers_can_merge | :user | :developer | :be_allowed
+ :developers_can_push | :developers_can_merge | :user | :reporter | :be_disallowed
+ :developers_can_push | :developers_can_merge | :user | :guest | :be_disallowed
end
- context 'for create_pipeline_schedule' do
- subject(:policy) { described_class.new(user, new_branch_pipeline_schedule) }
+ with_them do
+ before do
+ create(:protected_branch, push_access_level, merge_access_level, name: branch_ref_name,
+ project: project)
+ project.add_role(user, project_role)
+ project.add_role(other_user, project_role)
- let(:new_branch_pipeline_schedule) { project.pipeline_schedules.new(ref: branch_ref) }
+ pipeline_schedule.owner = schedule_owner == :user ? user : other_user
+ end
- it { expect(policy).to try(accessible, :create_pipeline_schedule) }
+ it { expect(policy).to try(accessible, ability_name) }
end
+ end
- context 'for play_pipeline_schedule' do
- subject(:policy) { described_class.new(user, branch_pipeline_schedule) }
+ describe 'create_pipeline_schedule' do
+ let(:ability_name) { :create_pipeline_schedule }
+ let(:pipeline_schedule) { project.pipeline_schedules.new(ref: branch_ref) }
- it { expect(policy).to try(accessible, :play_pipeline_schedule) }
- end
+ it_behaves_like 'allowed by those who can update the branch'
+ end
+
+ describe 'play_pipeline_schedule' do
+ let(:ability_name) { :play_pipeline_schedule }
+
+ it_behaves_like 'allowed by those who can update the branch'
+ end
+
+ describe 'update_pipeline_schedule' do
+ let(:ability_name) { :update_pipeline_schedule }
+
+ it_behaves_like 'only allowed by schedule owners who can update the branch'
end
end
end
@@ -108,49 +200,97 @@ RSpec.describe Ci::PipelineSchedulePolicy, :models, :clean_gitlab_redis_cache, f
context 'for tag' do
%w[refs/tags/v1.0.0 v1.0.0].each do |tag_ref|
context "with #{tag_ref}" do
- let_it_be(:tag_pipeline_schedule) do
+ let_it_be(:pipeline_schedule) do
create(:ci_pipeline_schedule, :nightly, project: project, ref: tag_ref)
end
- where(:access_level, :project_role, :accessible) do
- :no_one_can_create | :owner | :be_disallowed
- :no_one_can_create | :maintainer | :be_disallowed
- :no_one_can_create | :developer | :be_disallowed
- :no_one_can_create | :reporter | :be_disallowed
- :no_one_can_create | :guest | :be_disallowed
-
- :maintainers_can_create | :owner | :be_allowed
- :maintainers_can_create | :maintainer | :be_allowed
- :maintainers_can_create | :developer | :be_disallowed
- :maintainers_can_create | :reporter | :be_disallowed
- :maintainers_can_create | :guest | :be_disallowed
-
- :developers_can_create | :owner | :be_allowed
- :developers_can_create | :maintainer | :be_allowed
- :developers_can_create | :developer | :be_allowed
- :developers_can_create | :reporter | :be_disallowed
- :developers_can_create | :guest | :be_disallowed
+ subject(:policy) { described_class.new(user, pipeline_schedule) }
+
+ shared_examples_for 'allowed by those who can update the tag' do
+ where(:access_level, :project_role, :accessible) do
+ :no_one_can_create | :owner | :be_disallowed
+ :no_one_can_create | :maintainer | :be_disallowed
+ :no_one_can_create | :developer | :be_disallowed
+ :no_one_can_create | :reporter | :be_disallowed
+ :no_one_can_create | :guest | :be_disallowed
+
+ :maintainers_can_create | :owner | :be_allowed
+ :maintainers_can_create | :maintainer | :be_allowed
+ :maintainers_can_create | :developer | :be_disallowed
+ :maintainers_can_create | :reporter | :be_disallowed
+ :maintainers_can_create | :guest | :be_disallowed
+
+ :developers_can_create | :owner | :be_allowed
+ :developers_can_create | :maintainer | :be_allowed
+ :developers_can_create | :developer | :be_allowed
+ :developers_can_create | :reporter | :be_disallowed
+ :developers_can_create | :guest | :be_disallowed
+ end
+
+ with_them do
+ before do
+ create(:protected_tag, access_level, name: tag_ref_name, project: project)
+ project.add_role(user, project_role)
+ end
+
+ it { expect(policy).to try(accessible, ability_name) }
+ end
end
- with_them do
- before do
- create(:protected_tag, access_level, name: tag_ref_name, project: project)
- project.add_role(user, project_role)
+ shared_examples_for 'only allowed by schedule owners who can update the tag' do
+ where(:access_level, :schedule_owner, :project_role, :accessible) do
+ :no_one_can_create | :other_user | :owner | :be_disallowed
+ :no_one_can_create | :user | :owner | :be_disallowed
+ :no_one_can_create | :user | :maintainer | :be_disallowed
+ :no_one_can_create | :user | :developer | :be_disallowed
+ :no_one_can_create | :user | :reporter | :be_disallowed
+ :no_one_can_create | :user | :guest | :be_disallowed
+
+ :maintainers_can_create | :other_user | :owner | :be_disallowed
+ :maintainers_can_create | :user | :owner | :be_allowed
+ :maintainers_can_create | :user | :maintainer | :be_allowed
+ :maintainers_can_create | :user | :developer | :be_disallowed
+ :maintainers_can_create | :user | :reporter | :be_disallowed
+ :maintainers_can_create | :user | :guest | :be_disallowed
+
+ :developers_can_create | :other_user | :owner | :be_disallowed
+ :developers_can_create | :user | :owner | :be_allowed
+ :developers_can_create | :user | :maintainer | :be_allowed
+ :developers_can_create | :user | :developer | :be_allowed
+ :developers_can_create | :user | :reporter | :be_disallowed
+ :developers_can_create | :user | :guest | :be_disallowed
end
- context 'for create_pipeline_schedule' do
- subject(:policy) { described_class.new(user, new_tag_pipeline_schedule) }
+ with_them do
+ before do
+ create(:protected_tag, access_level, name: tag_ref_name, project: project)
+ project.add_role(user, project_role)
+ project.add_role(other_user, project_role)
- let(:new_tag_pipeline_schedule) { project.pipeline_schedules.new(ref: tag_ref) }
+ pipeline_schedule.owner = schedule_owner == :user ? user : other_user
+ end
- it { expect(policy).to try(accessible, :create_pipeline_schedule) }
+ it { expect(policy).to try(accessible, ability_name) }
end
+ end
- context 'for play_pipeline_schedule' do
- subject(:policy) { described_class.new(user, tag_pipeline_schedule) }
+ describe 'create_pipeline_schedule' do
+ let(:ability_name) { :create_pipeline_schedule }
+ let(:pipeline_schedule) { project.pipeline_schedules.new(ref: tag_ref) }
- it { expect(policy).to try(accessible, :play_pipeline_schedule) }
- end
+ it_behaves_like 'allowed by those who can update the tag'
+ end
+
+ describe 'play_pipeline_schedule' do
+ let(:ability_name) { :play_pipeline_schedule }
+
+ it_behaves_like 'allowed by those who can update the tag'
+ end
+
+ describe 'update_pipeline_schedule' do
+ let(:ability_name) { :update_pipeline_schedule }
+
+ it_behaves_like 'only allowed by schedule owners who can update the tag'
end
end
end
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-21 07:32:52 +0300