Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/spec/policies/ci/pipeline_schedule_policy_spec.rb
diff options
context:
space:
mode:
Diffstat (limited to 'spec/policies/ci/pipeline_schedule_policy_spec.rb')
-rw-r--r--spec/policies/ci/pipeline_schedule_policy_spec.rb185
1 files changed, 140 insertions, 45 deletions
diff --git a/spec/policies/ci/pipeline_schedule_policy_spec.rb b/spec/policies/ci/pipeline_schedule_policy_spec.rb
index 7025eda1ba1..8fc5c6ca296 100644
--- a/spec/policies/ci/pipeline_schedule_policy_spec.rb
+++ b/spec/policies/ci/pipeline_schedule_policy_spec.rb
@@ -2,10 +2,13 @@
require 'spec_helper'
-RSpec.describe Ci::PipelineSchedulePolicy, :models, :clean_gitlab_redis_cache do
+RSpec.describe Ci::PipelineSchedulePolicy, :models, :clean_gitlab_redis_cache, feature_category: :continuous_integration do
+ using RSpec::Parameterized::TableSyntax
+
let_it_be(:user) { create(:user) }
- let_it_be(:project) { create(:project, :repository) }
- let_it_be(:pipeline_schedule, reload: true) { create(:ci_pipeline_schedule, :nightly, project: project) }
+ let_it_be_with_reload(:project) { create(:project, :repository, create_tag: tag_ref_name) }
+ let_it_be_with_reload(:pipeline_schedule) { create(:ci_pipeline_schedule, :nightly, project: project) }
+ let_it_be(:tag_ref_name) { "v1.0.0" }
let(:policy) do
described_class.new(user, pipeline_schedule)
@@ -13,51 +16,143 @@ RSpec.describe Ci::PipelineSchedulePolicy, :models, :clean_gitlab_redis_cache do
describe 'rules' do
describe 'rules for protected ref' do
- before do
- project.add_developer(user)
- end
-
- context 'when no one can push or merge to the branch' do
- before do
- create(:protected_branch, :no_one_can_push, name: pipeline_schedule.ref, project: project)
- end
-
- it 'does not include ability to play pipeline schedule' do
- expect(policy).to be_disallowed :play_pipeline_schedule
+ context 'for branch' do
+ %w[refs/heads/master master].each do |branch_ref|
+ context "with #{branch_ref}" do
+ let_it_be(:branch_ref_name) { "master" }
+ let_it_be(:branch_pipeline_schedule) do
+ create(:ci_pipeline_schedule, :nightly, project: project, ref: branch_ref)
+ end
+
+ where(:push_access_level, :merge_access_level, :project_role, :accessible) do
+ :no_one_can_push | :no_one_can_merge | :owner | :be_disallowed
+ :no_one_can_push | :no_one_can_merge | :maintainer | :be_disallowed
+ :no_one_can_push | :no_one_can_merge | :developer | :be_disallowed
+ :no_one_can_push | :no_one_can_merge | :reporter | :be_disallowed
+ :no_one_can_push | :no_one_can_merge | :guest | :be_disallowed
+
+ :maintainers_can_push | :no_one_can_merge | :owner | :be_allowed
+ :maintainers_can_push | :no_one_can_merge | :maintainer | :be_allowed
+ :maintainers_can_push | :no_one_can_merge | :developer | :be_disallowed
+ :maintainers_can_push | :no_one_can_merge | :reporter | :be_disallowed
+ :maintainers_can_push | :no_one_can_merge | :guest | :be_disallowed
+
+ :developers_can_push | :no_one_can_merge | :owner | :be_allowed
+ :developers_can_push | :no_one_can_merge | :maintainer | :be_allowed
+ :developers_can_push | :no_one_can_merge | :developer | :be_allowed
+ :developers_can_push | :no_one_can_merge | :reporter | :be_disallowed
+ :developers_can_push | :no_one_can_merge | :guest | :be_disallowed
+
+ :no_one_can_push | :maintainers_can_merge | :owner | :be_allowed
+ :no_one_can_push | :maintainers_can_merge | :maintainer | :be_allowed
+ :no_one_can_push | :maintainers_can_merge | :developer | :be_disallowed
+ :no_one_can_push | :maintainers_can_merge | :reporter | :be_disallowed
+ :no_one_can_push | :maintainers_can_merge | :guest | :be_disallowed
+
+ :maintainers_can_push | :maintainers_can_merge | :owner | :be_allowed
+ :maintainers_can_push | :maintainers_can_merge | :maintainer | :be_allowed
+ :maintainers_can_push | :maintainers_can_merge | :developer | :be_disallowed
+ :maintainers_can_push | :maintainers_can_merge | :reporter | :be_disallowed
+ :maintainers_can_push | :maintainers_can_merge | :guest | :be_disallowed
+
+ :developers_can_push | :maintainers_can_merge | :owner | :be_allowed
+ :developers_can_push | :maintainers_can_merge | :maintainer | :be_allowed
+ :developers_can_push | :maintainers_can_merge | :developer | :be_allowed
+ :developers_can_push | :maintainers_can_merge | :reporter | :be_disallowed
+ :developers_can_push | :maintainers_can_merge | :guest | :be_disallowed
+
+ :no_one_can_push | :developers_can_merge | :owner | :be_allowed
+ :no_one_can_push | :developers_can_merge | :maintainer | :be_allowed
+ :no_one_can_push | :developers_can_merge | :developer | :be_allowed
+ :no_one_can_push | :developers_can_merge | :reporter | :be_disallowed
+ :no_one_can_push | :developers_can_merge | :guest | :be_disallowed
+
+ :maintainers_can_push | :developers_can_merge | :owner | :be_allowed
+ :maintainers_can_push | :developers_can_merge | :maintainer | :be_allowed
+ :maintainers_can_push | :developers_can_merge | :developer | :be_allowed
+ :maintainers_can_push | :developers_can_merge | :reporter | :be_disallowed
+ :maintainers_can_push | :developers_can_merge | :guest | :be_disallowed
+
+ :developers_can_push | :developers_can_merge | :owner | :be_allowed
+ :developers_can_push | :developers_can_merge | :maintainer | :be_allowed
+ :developers_can_push | :developers_can_merge | :developer | :be_allowed
+ :developers_can_push | :developers_can_merge | :reporter | :be_disallowed
+ :developers_can_push | :developers_can_merge | :guest | :be_disallowed
+ end
+
+ with_them do
+ before do
+ create(:protected_branch, push_access_level, merge_access_level, name: branch_ref_name,
+ project: project)
+ project.add_role(user, project_role)
+ end
+
+ context 'for create_pipeline_schedule' do
+ subject(:policy) { described_class.new(user, new_branch_pipeline_schedule) }
+
+ let(:new_branch_pipeline_schedule) { project.pipeline_schedules.new(ref: branch_ref) }
+
+ it { expect(policy).to try(accessible, :create_pipeline_schedule) }
+ end
+
+ context 'for play_pipeline_schedule' do
+ subject(:policy) { described_class.new(user, branch_pipeline_schedule) }
+
+ it { expect(policy).to try(accessible, :play_pipeline_schedule) }
+ end
+ end
+ end
end
end
- context 'when developers can push to the branch' do
- before do
- create(:protected_branch, :developers_can_merge, name: pipeline_schedule.ref, project: project)
- end
-
- it 'includes ability to update pipeline' do
- expect(policy).to be_allowed :play_pipeline_schedule
- end
- end
-
- context 'when no one can create the tag' do
- let(:tag) { 'v1.0.0' }
-
- before do
- pipeline_schedule.update!(ref: tag)
-
- create(:protected_tag, :no_one_can_create, name: pipeline_schedule.ref, project: project)
- end
-
- it 'does not include ability to play pipeline schedule' do
- expect(policy).to be_disallowed :play_pipeline_schedule
- end
- end
-
- context 'when no one can create the tag but it is not a tag' do
- before do
- create(:protected_tag, :no_one_can_create, name: pipeline_schedule.ref, project: project)
- end
-
- it 'includes ability to play pipeline schedule' do
- expect(policy).to be_allowed :play_pipeline_schedule
+ context 'for tag' do
+ %w[refs/tags/v1.0.0 v1.0.0].each do |tag_ref|
+ context "with #{tag_ref}" do
+ let_it_be(:tag_pipeline_schedule) do
+ create(:ci_pipeline_schedule, :nightly, project: project, ref: tag_ref)
+ end
+
+ where(:access_level, :project_role, :accessible) do
+ :no_one_can_create | :owner | :be_disallowed
+ :no_one_can_create | :maintainer | :be_disallowed
+ :no_one_can_create | :developer | :be_disallowed
+ :no_one_can_create | :reporter | :be_disallowed
+ :no_one_can_create | :guest | :be_disallowed
+
+ :maintainers_can_create | :owner | :be_allowed
+ :maintainers_can_create | :maintainer | :be_allowed
+ :maintainers_can_create | :developer | :be_disallowed
+ :maintainers_can_create | :reporter | :be_disallowed
+ :maintainers_can_create | :guest | :be_disallowed
+
+ :developers_can_create | :owner | :be_allowed
+ :developers_can_create | :maintainer | :be_allowed
+ :developers_can_create | :developer | :be_allowed
+ :developers_can_create | :reporter | :be_disallowed
+ :developers_can_create | :guest | :be_disallowed
+ end
+
+ with_them do
+ before do
+ create(:protected_tag, access_level, name: tag_ref_name, project: project)
+ project.add_role(user, project_role)
+ end
+
+ context 'for create_pipeline_schedule' do
+ subject(:policy) { described_class.new(user, new_tag_pipeline_schedule) }
+
+ let(:new_tag_pipeline_schedule) { project.pipeline_schedules.new(ref: tag_ref) }
+
+ it { expect(policy).to try(accessible, :create_pipeline_schedule) }
+ end
+
+ context 'for play_pipeline_schedule' do
+ subject(:policy) { described_class.new(user, tag_pipeline_schedule) }
+
+ it { expect(policy).to try(accessible, :play_pipeline_schedule) }
+ end
+ end
+ end
end
end
end
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-16 01:07:54 +0300