1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
|
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe ProtectedTag::CreateAccessLevel, feature_category: :source_code_management do
include_examples 'protected tag access'
include_examples 'protected ref access allowed_access_levels'
describe 'associations' do
it { is_expected.to belong_to(:deploy_key) }
end
describe 'validations', :aggregate_failures do
let_it_be(:protected_tag) { create(:protected_tag) }
context 'when deploy key enabled for the project' do
let(:deploy_key) { create(:deploy_key, projects: [protected_tag.project]) }
it 'is valid' do
level = build(:protected_tag_create_access_level, protected_tag: protected_tag, deploy_key: deploy_key)
expect(level).to be_valid
end
end
context 'when a record exists with the same access level' do
before do
create(:protected_tag_create_access_level, protected_tag: protected_tag)
end
it 'is not valid' do
level = build(:protected_tag_create_access_level, protected_tag: protected_tag)
expect(level).to be_invalid
expect(level.errors.full_messages).to include('Access level has already been taken')
end
end
context 'when a deploy key already added for this access level' do
let!(:create_access_level) do
create(:protected_tag_create_access_level, protected_tag: protected_tag, deploy_key: deploy_key)
end
let(:deploy_key) { create(:deploy_key, projects: [protected_tag.project]) }
it 'is not valid' do
level = build(:protected_tag_create_access_level, protected_tag: protected_tag, deploy_key: deploy_key)
expect(level).to be_invalid
expect(level.errors.full_messages).to contain_exactly('Deploy key has already been taken')
end
end
context 'when deploy key is not enabled for the project' do
let(:create_access_level) do
build(:protected_tag_create_access_level, protected_tag: protected_tag, deploy_key: create(:deploy_key))
end
it 'returns an error' do
expect(create_access_level).to be_invalid
expect(create_access_level.errors.full_messages).to contain_exactly(
'Deploy key is not enabled for this project'
)
end
end
end
describe '#check_access' do
let_it_be(:project) { create(:project) }
let_it_be(:protected_tag) { create(:protected_tag, :no_one_can_create, project: project) }
let_it_be(:user) { create(:user) }
let_it_be(:deploy_key) { create(:deploy_key, user: user) }
let!(:deploy_keys_project) do
create(:deploy_keys_project, project: project, deploy_key: deploy_key, can_push: can_push)
end
let(:create_access_level) { protected_tag.create_access_levels.first }
let(:can_push) { true }
before_all do
project.add_maintainer(user)
end
it { expect(create_access_level.check_access(user)).to be_falsey }
context 'when this create_access_level is tied to a deploy key' do
let(:create_access_level) do
create(:protected_tag_create_access_level, protected_tag: protected_tag, deploy_key: deploy_key)
end
context 'when the deploy key is among the active keys for this project' do
it { expect(create_access_level.check_access(user)).to be_truthy }
end
context 'when user is missing' do
it { expect(create_access_level.check_access(nil)).to be_falsey }
end
context 'when deploy key does not belong to the user' do
let(:another_user) { create(:user) }
it { expect(create_access_level.check_access(another_user)).to be_falsey }
end
context 'when user cannot access the project' do
before do
allow(user).to receive(:can?).with(:read_project, project).and_return(false)
end
it { expect(create_access_level.check_access(user)).to be_falsey }
end
context 'when the deploy key is not among the active keys of this project' do
let(:can_push) { false }
it { expect(create_access_level.check_access(user)).to be_falsey }
end
end
end
describe '#type' do
let(:create_access_level) { build(:protected_tag_create_access_level) }
it 'returns :role by default' do
expect(create_access_level.type).to eq(:role)
end
context 'when a deploy key is tied to the protected branch' do
let(:create_access_level) { build(:protected_tag_create_access_level, deploy_key: build(:deploy_key)) }
it 'returns :deploy_key' do
expect(create_access_level.type).to eq(:deploy_key)
end
end
end
end
|