1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
|
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe ContainerRegistry::Protection::CreateRuleService, '#execute', feature_category: :container_registry do
let_it_be(:project) { create(:project, :repository) }
let_it_be(:current_user) { create(:user, maintainer_projects: [project]) }
let(:service) { described_class.new(project, current_user, params) }
let(:params) { attributes_for(:container_registry_protection_rule) }
subject { service.execute }
shared_examples 'a successful service response' do
it { is_expected.to be_success }
it { is_expected.to have_attributes(errors: be_blank) }
it do
is_expected.to have_attributes(
payload: {
container_registry_protection_rule:
be_a(ContainerRegistry::Protection::Rule)
.and(have_attributes(
repository_path_pattern: params[:repository_path_pattern],
push_protected_up_to_access_level: params[:push_protected_up_to_access_level].to_s,
delete_protected_up_to_access_level: params[:delete_protected_up_to_access_level].to_s
))
}
)
end
it 'creates a new container registry protection rule in the database' do
expect { subject }.to change { ContainerRegistry::Protection::Rule.count }.by(1)
expect(
ContainerRegistry::Protection::Rule.where(
project: project,
repository_path_pattern: params[:repository_path_pattern],
push_protected_up_to_access_level: params[:push_protected_up_to_access_level]
)
).to exist
end
end
shared_examples 'an erroneous service response' do
it { is_expected.to be_error }
it { is_expected.to have_attributes(errors: be_present, payload: include(container_registry_protection_rule: nil)) }
it 'does not create a new container registry protection rule in the database' do
expect { subject }.not_to change { ContainerRegistry::Protection::Rule.count }
end
it 'does not create a container registry protection rule with the given params' do
subject
expect(
ContainerRegistry::Protection::Rule.where(
project: project,
repository_path_pattern: params[:repository_path_pattern],
push_protected_up_to_access_level: params[:push_protected_up_to_access_level]
)
).not_to exist
end
end
it_behaves_like 'a successful service response'
context 'when fields are invalid' do
context 'when repository_path_pattern is invalid' do
let(:params) { super().merge(repository_path_pattern: '') }
it_behaves_like 'an erroneous service response'
it { is_expected.to have_attributes(message: match(/Repository path pattern can't be blank/)) }
end
context 'when delete_protected_up_to_access_level is invalid' do
let(:params) { super().merge(delete_protected_up_to_access_level: 1000) }
it_behaves_like 'an erroneous service response'
it { is_expected.to have_attributes(message: match(/is not a valid delete_protected_up_to_access_level/)) }
end
context 'when push_protected_up_to_access_level is invalid' do
let(:params) { super().merge(push_protected_up_to_access_level: 1000) }
it_behaves_like 'an erroneous service response'
it { is_expected.to have_attributes(message: match(/is not a valid push_protected_up_to_access_level/)) }
end
end
context 'with existing container registry protection rule in the database' do
let_it_be_with_reload(:existing_container_registry_protection_rule) do
create(:container_registry_protection_rule, project: project)
end
context 'when container registry name pattern is slightly different' do
let(:params) do
super().merge(
# The field `repository_path_pattern` is unique; this is why we change the value in a minimum way
repository_path_pattern: "#{existing_container_registry_protection_rule.repository_path_pattern}-unique",
push_protected_up_to_access_level:
existing_container_registry_protection_rule.push_protected_up_to_access_level
)
end
it_behaves_like 'a successful service response'
end
context 'when field `repository_path_pattern` is taken' do
let(:params) do
super().merge(
repository_path_pattern: existing_container_registry_protection_rule.repository_path_pattern,
push_protected_up_to_access_level: :maintainer
)
end
it_behaves_like 'an erroneous service response'
it { is_expected.to have_attributes(errors: ['Repository path pattern has already been taken']) }
it { expect { subject }.not_to change { existing_container_registry_protection_rule.updated_at } }
end
end
context 'with disallowed params' do
let(:params) { super().merge(project_id: 1, unsupported_param: 'unsupported_param_value') }
it_behaves_like 'a successful service response'
end
context 'with forbidden user access level (project developer role)' do
# Because of the access level hierarchy, we can assume that
# other access levels below developer role will also not be able to
# create container registry protection rules.
let_it_be(:current_user) { create(:user).tap { |u| project.add_developer(u) } }
it_behaves_like 'an erroneous service response'
it { is_expected.to have_attributes(message: match(/Unauthorized/)) }
end
end
|
