diff options
Diffstat (limited to 'spec/policies/ci/pipeline_schedule_policy_spec.rb')
-rw-r--r-- | spec/policies/ci/pipeline_schedule_policy_spec.rb | 185 |
1 files changed, 140 insertions, 45 deletions
diff --git a/spec/policies/ci/pipeline_schedule_policy_spec.rb b/spec/policies/ci/pipeline_schedule_policy_spec.rb index 7025eda1ba1..8fc5c6ca296 100644 --- a/spec/policies/ci/pipeline_schedule_policy_spec.rb +++ b/spec/policies/ci/pipeline_schedule_policy_spec.rb @@ -2,10 +2,13 @@ require 'spec_helper' -RSpec.describe Ci::PipelineSchedulePolicy, :models, :clean_gitlab_redis_cache do +RSpec.describe Ci::PipelineSchedulePolicy, :models, :clean_gitlab_redis_cache, feature_category: :continuous_integration do + using RSpec::Parameterized::TableSyntax + let_it_be(:user) { create(:user) } - let_it_be(:project) { create(:project, :repository) } - let_it_be(:pipeline_schedule, reload: true) { create(:ci_pipeline_schedule, :nightly, project: project) } + let_it_be_with_reload(:project) { create(:project, :repository, create_tag: tag_ref_name) } + let_it_be_with_reload(:pipeline_schedule) { create(:ci_pipeline_schedule, :nightly, project: project) } + let_it_be(:tag_ref_name) { "v1.0.0" } let(:policy) do described_class.new(user, pipeline_schedule) @@ -13,51 +16,143 @@ RSpec.describe Ci::PipelineSchedulePolicy, :models, :clean_gitlab_redis_cache do describe 'rules' do describe 'rules for protected ref' do - before do - project.add_developer(user) - end - - context 'when no one can push or merge to the branch' do - before do - create(:protected_branch, :no_one_can_push, name: pipeline_schedule.ref, project: project) - end - - it 'does not include ability to play pipeline schedule' do - expect(policy).to be_disallowed :play_pipeline_schedule + context 'for branch' do + %w[refs/heads/master master].each do |branch_ref| + context "with #{branch_ref}" do + let_it_be(:branch_ref_name) { "master" } + let_it_be(:branch_pipeline_schedule) do + create(:ci_pipeline_schedule, :nightly, project: project, ref: branch_ref) + end + + where(:push_access_level, :merge_access_level, :project_role, :accessible) do + :no_one_can_push | :no_one_can_merge | :owner | :be_disallowed + :no_one_can_push | :no_one_can_merge | :maintainer | :be_disallowed + :no_one_can_push | :no_one_can_merge | :developer | :be_disallowed + :no_one_can_push | :no_one_can_merge | :reporter | :be_disallowed + :no_one_can_push | :no_one_can_merge | :guest | :be_disallowed + + :maintainers_can_push | :no_one_can_merge | :owner | :be_allowed + :maintainers_can_push | :no_one_can_merge | :maintainer | :be_allowed + :maintainers_can_push | :no_one_can_merge | :developer | :be_disallowed + :maintainers_can_push | :no_one_can_merge | :reporter | :be_disallowed + :maintainers_can_push | :no_one_can_merge | :guest | :be_disallowed + + :developers_can_push | :no_one_can_merge | :owner | :be_allowed + :developers_can_push | :no_one_can_merge | :maintainer | :be_allowed + :developers_can_push | :no_one_can_merge | :developer | :be_allowed + :developers_can_push | :no_one_can_merge | :reporter | :be_disallowed + :developers_can_push | :no_one_can_merge | :guest | :be_disallowed + + :no_one_can_push | :maintainers_can_merge | :owner | :be_allowed + :no_one_can_push | :maintainers_can_merge | :maintainer | :be_allowed + :no_one_can_push | :maintainers_can_merge | :developer | :be_disallowed + :no_one_can_push | :maintainers_can_merge | :reporter | :be_disallowed + :no_one_can_push | :maintainers_can_merge | :guest | :be_disallowed + + :maintainers_can_push | :maintainers_can_merge | :owner | :be_allowed + :maintainers_can_push | :maintainers_can_merge | :maintainer | :be_allowed + :maintainers_can_push | :maintainers_can_merge | :developer | :be_disallowed + :maintainers_can_push | :maintainers_can_merge | :reporter | :be_disallowed + :maintainers_can_push | :maintainers_can_merge | :guest | :be_disallowed + + :developers_can_push | :maintainers_can_merge | :owner | :be_allowed + :developers_can_push | :maintainers_can_merge | :maintainer | :be_allowed + :developers_can_push | :maintainers_can_merge | :developer | :be_allowed + :developers_can_push | :maintainers_can_merge | :reporter | :be_disallowed + :developers_can_push | :maintainers_can_merge | :guest | :be_disallowed + + :no_one_can_push | :developers_can_merge | :owner | :be_allowed + :no_one_can_push | :developers_can_merge | :maintainer | :be_allowed + :no_one_can_push | :developers_can_merge | :developer | :be_allowed + :no_one_can_push | :developers_can_merge | :reporter | :be_disallowed + :no_one_can_push | :developers_can_merge | :guest | :be_disallowed + + :maintainers_can_push | :developers_can_merge | :owner | :be_allowed + :maintainers_can_push | :developers_can_merge | :maintainer | :be_allowed + :maintainers_can_push | :developers_can_merge | :developer | :be_allowed + :maintainers_can_push | :developers_can_merge | :reporter | :be_disallowed + :maintainers_can_push | :developers_can_merge | :guest | :be_disallowed + + :developers_can_push | :developers_can_merge | :owner | :be_allowed + :developers_can_push | :developers_can_merge | :maintainer | :be_allowed + :developers_can_push | :developers_can_merge | :developer | :be_allowed + :developers_can_push | :developers_can_merge | :reporter | :be_disallowed + :developers_can_push | :developers_can_merge | :guest | :be_disallowed + end + + with_them do + before do + create(:protected_branch, push_access_level, merge_access_level, name: branch_ref_name, + project: project) + project.add_role(user, project_role) + end + + context 'for create_pipeline_schedule' do + subject(:policy) { described_class.new(user, new_branch_pipeline_schedule) } + + let(:new_branch_pipeline_schedule) { project.pipeline_schedules.new(ref: branch_ref) } + + it { expect(policy).to try(accessible, :create_pipeline_schedule) } + end + + context 'for play_pipeline_schedule' do + subject(:policy) { described_class.new(user, branch_pipeline_schedule) } + + it { expect(policy).to try(accessible, :play_pipeline_schedule) } + end + end + end end end - context 'when developers can push to the branch' do - before do - create(:protected_branch, :developers_can_merge, name: pipeline_schedule.ref, project: project) - end - - it 'includes ability to update pipeline' do - expect(policy).to be_allowed :play_pipeline_schedule - end - end - - context 'when no one can create the tag' do - let(:tag) { 'v1.0.0' } - - before do - pipeline_schedule.update!(ref: tag) - - create(:protected_tag, :no_one_can_create, name: pipeline_schedule.ref, project: project) - end - - it 'does not include ability to play pipeline schedule' do - expect(policy).to be_disallowed :play_pipeline_schedule - end - end - - context 'when no one can create the tag but it is not a tag' do - before do - create(:protected_tag, :no_one_can_create, name: pipeline_schedule.ref, project: project) - end - - it 'includes ability to play pipeline schedule' do - expect(policy).to be_allowed :play_pipeline_schedule + context 'for tag' do + %w[refs/tags/v1.0.0 v1.0.0].each do |tag_ref| + context "with #{tag_ref}" do + let_it_be(:tag_pipeline_schedule) do + create(:ci_pipeline_schedule, :nightly, project: project, ref: tag_ref) + end + + where(:access_level, :project_role, :accessible) do + :no_one_can_create | :owner | :be_disallowed + :no_one_can_create | :maintainer | :be_disallowed + :no_one_can_create | :developer | :be_disallowed + :no_one_can_create | :reporter | :be_disallowed + :no_one_can_create | :guest | :be_disallowed + + :maintainers_can_create | :owner | :be_allowed + :maintainers_can_create | :maintainer | :be_allowed + :maintainers_can_create | :developer | :be_disallowed + :maintainers_can_create | :reporter | :be_disallowed + :maintainers_can_create | :guest | :be_disallowed + + :developers_can_create | :owner | :be_allowed + :developers_can_create | :maintainer | :be_allowed + :developers_can_create | :developer | :be_allowed + :developers_can_create | :reporter | :be_disallowed + :developers_can_create | :guest | :be_disallowed + end + + with_them do + before do + create(:protected_tag, access_level, name: tag_ref_name, project: project) + project.add_role(user, project_role) + end + + context 'for create_pipeline_schedule' do + subject(:policy) { described_class.new(user, new_tag_pipeline_schedule) } + + let(:new_tag_pipeline_schedule) { project.pipeline_schedules.new(ref: tag_ref) } + + it { expect(policy).to try(accessible, :create_pipeline_schedule) } + end + + context 'for play_pipeline_schedule' do + subject(:policy) { described_class.new(user, tag_pipeline_schedule) } + + it { expect(policy).to try(accessible, :play_pipeline_schedule) } + end + end + end end end end |