Protected Tags per user/group EE tests

spec/factories/protected_tags.rb

@@ -7,16 +7,38 @@ FactoryGirl.define do
       protected_tag.create_access_levels.new(access_level: Gitlab::Access::MASTER)
     end
 
+    transient do
+      authorize_user_to_create nil
+      authorize_group_to_create nil
+    end
+
+    trait :remove_default_access_levels do
+      after(:build) do |protected_tag|
+        protected_tag.create_access_levels = []
+      end
+    end
+
     trait :developers_can_create do
       after(:create) do |protected_tag|
-        protected_tag.create_access_levels.first.update!(access_level: Gitlab::Access::DEVELOPER)
+        protected_tag.create_access_levels.create!(access_level: Gitlab::Access::DEVELOPER)
       end
     end
 
     trait :no_one_can_create do
       after(:create) do |protected_tag|
-        protected_tag.create_access_levels.first.update!(access_level: Gitlab::Access::NO_ACCESS)
+        protected_tag.create_access_levels.create!(access_level: Gitlab::Access::NO_ACCESS)
       end
     end
+
+    trait :masters_can_create do
+      after(:create) do |protected_tag|
+        protected_tag.create_access_levels.create!(access_level: Gitlab::Access::MASTER)
+      end
+    end
+
+    after(:create) do |protected_tag, evaluator|
+      protected_tag.create_access_levels.create!(user: evaluator.authorize_user_to_create) if evaluator.authorize_user_to_create
+      protected_tag.create_access_levels.create!(group: evaluator.authorize_group_to_create) if evaluator.authorize_group_to_create
+    end
   end
 end

spec/factories/protected_tags/create_access_levels.rb

+FactoryGirl.define do
+  factory :protected_tag_create_access_level, class: ProtectedTag::CreateAccessLevel do
+    user nil
+    group nil
+    protected_tag
+    access_level { Gitlab::Access::DEVELOPER }
+  end
+end

spec/features/protected_tags/access_control_ee_spec.rb

+RSpec.shared_examples "protected tags > access control > EE" do
+  let(:users) { create_list(:user, 5) }
+  let(:groups) { create_list(:group, 5) }
+  let(:roles) { ProtectedTag::CreateAccessLevel.human_access_levels.except(0) }
+
+  before do
+    users.each { |user| project.team << [user, :developer] }
+    groups.each { |group| project.project_group_links.create(group: group, group_access: Gitlab::Access::DEVELOPER) }
+  end
+
+  it "allows creating protected tags that roles, users, and groups can create" do
+    visit namespace_project_protected_tags_path(project.namespace, project)
+
+    set_protected_tag_name('master')
+    set_allowed_to('create', users.map(&:name))
+    set_allowed_to('create', groups.map(&:name))
+    set_allowed_to('create', roles.values)
+
+    click_on "Protect"
+
+    within(".protected-tags-list") { expect(page).to have_content('master') }
+    expect(ProtectedTag.count).to eq(1)
+
+    roles.each { |(access_type_id, _)| expect(ProtectedTag.last.send("create_access_levels".to_sym).map(&:access_level)).to include(access_type_id) }
+    users.each { |user| expect(ProtectedTag.last.send("create_access_levels".to_sym).map(&:user_id)).to include(user.id) }
+    groups.each { |group| expect(ProtectedTag.last.send("create_access_levels".to_sym).map(&:group_id)).to include(group.id) }
+  end
+
+  it "allows updating protected tags so that roles and users can create it" do
+    visit namespace_project_protected_tags_path(project.namespace, project)
+
+    set_protected_tag_name('master')
+    set_allowed_to('create')
+
+    click_on "Protect"
+
+    set_allowed_to('create', users.map(&:name), form: ".js-protected-tag-edit-form")
+    set_allowed_to('create', groups.map(&:name), form: ".js-protected-tag-edit-form")
+    set_allowed_to('create', roles.values, form: ".js-protected-tag-edit-form")
+
+    wait_for_ajax
+
+    expect(ProtectedTag.count).to eq(1)
+
+    roles.each { |(access_type_id, _)| expect(ProtectedTag.last.send("create_access_levels".to_sym).map(&:access_level)).to include(access_type_id) }
+    users.each { |user| expect(ProtectedTag.last.send("create_access_levels".to_sym).map(&:user_id)).to include(user.id) }
+    groups.each { |group| expect(ProtectedTag.last.send("create_access_levels".to_sym).map(&:group_id)).to include(group.id) }
+  end
+
+  it "allows updating protected tags so that roles and users cannot create it" do
+    visit namespace_project_protected_tags_path(project.namespace, project)
+
+    set_protected_tag_name('master')
+
+    users.each { |user| set_allowed_to('create', user.name) }
+    roles.each { |(_, access_type_name)| set_allowed_to('create', access_type_name) }
+    groups.each { |group| set_allowed_to('create', group.name) }
+
+    click_on "Protect"
+
+    users.each { |user| set_allowed_to('create', user.name, form: ".js-protected-tag-edit-form") }
+    groups.each { |group| set_allowed_to('create', group.name, form: ".js-protected-tag-edit-form") }
+    roles.each { |(_, access_type_name)| set_allowed_to('create', access_type_name, form: ".js-protected-tag-edit-form") }
+
+    wait_for_ajax
+
+    expect(ProtectedTag.count).to eq(1)
+    expect(ProtectedTag.last.send("create_access_levels".to_sym)).to be_empty
+  end
+
+  it "prepends selected users that can create" do
+    users = create_list(:user, 21)
+    users.each { |user| project.team << [user, :developer] }
+
+    visit namespace_project_protected_tags_path(project.namespace, project)
+
+    # Create Protected Tag
+    set_protected_tag_name('master')
+    set_allowed_to('create', roles.values)
+
+    click_on 'Protect'
+
+    # Update Protected Tag
+    within(".protected-tags-list") do
+      find(".js-allowed-to-create").click
+      find(".dropdown-input-field").set(users.last.name) # Find a user that is not loaded
+
+      expect(page).to have_selector('.dropdown-header', count: 3)
+
+      %w{Roles Groups Users}.each_with_index do |header, index|
+        expect(all('.dropdown-header')[index]).to have_content(header)
+      end
+
+      wait_for_ajax
+
+      click_on users.last.name
+      find(".js-allowed-to-create").click # close
+    end
+
+    wait_for_ajax
+
+    # Verify the user is appended in the dropdown
+    find(".protected-tags-list .js-allowed-to-create").click
+    expect(page).to have_selector '.dropdown-content .is-active', text: users.last.name
+
+    expect(ProtectedTag.count).to eq(1)
+    roles.each { |(access_type_id, _)| expect(ProtectedTag.last.send("create_access_levels".to_sym).map(&:access_level)).to include(access_type_id) }
+    expect(ProtectedTag.last.send("create_access_levels".to_sym).map(&:user_id)).to include(users.last.id)
+  end
+
+  context 'When updating a protected tag' do
+    it 'discards other roles when choosing "No one"' do
+      visit namespace_project_protected_tags_path(project.namespace, project)
+
+      set_protected_tag_name('fix')
+      set_allowed_to('push', roles.values)
+
+      click_on "Protect"
+
+      wait_for_ajax
+
+      roles.each do |(access_type_id, _)|
+        expect(ProtectedTag.last.push_access_levels.map(&:access_level)).to include(access_type_id)
+      end
+
+      expect(ProtectedTag.last.push_access_levels.map(&:access_level)).not_to include(0)
+
+      set_allowed_to('push', 'No one', form: '.js-protected-tag-edit-form')
+
+      wait_for_ajax
+
+      roles.each do |(access_type_id, _)|
+        expect(ProtectedTag.last.push_access_levels.map(&:access_level)).not_to include(access_type_id)
+      end
+
+      expect(ProtectedTag.last.push_access_levels.map(&:access_level)).to include(0)
+    end
+  end
+
+  context 'When creating a protected tag' do
+    it 'discards other roles when choosing "No one"' do
+      visit namespace_project_protected_tags_path(project.namespace, project)
+
+      set_protected_tag_name('master')
+      set_allowed_to('push', ProtectedTag::PushAccessLevel.human_access_levels.values) # Last item (No one) should deselect the other ones
+
+      click_on "Protect"
+
+      wait_for_ajax
+
+      roles.each do |(access_type_id, _)|
+        expect(ProtectedTag.last.push_access_levels.map(&:access_level)).not_to include(access_type_id)
+      end
+
+      expect(ProtectedTag.last.push_access_levels.map(&:access_level)).to include(0)
+    end
+  end
+end

spec/features/protected_tags_spec.rb

 require 'spec_helper'
 Dir["./spec/features/protected_tags/*.rb"].sort.each { |f| require f }
 
-feature 'Projected Tags', feature: true, js: true do
+feature 'Protected Tags', feature: true, js: true do
   include WaitForAjax
 
   let(:user) { create(:user, :admin) }
@@ -9,6 +9,17 @@ feature 'Projected Tags', feature: true, js: true do
 
   before { login_as(user) }
 
+  def set_allowed_to(operation, option = 'Masters', form: '#new_protected_tag')
+    within form do
+      find(".js-allowed-to-#{operation}").click
+      wait_for_ajax
+
+      Array(option).each { |opt| click_on(opt) }
+
+      find(".js-allowed-to-#{operation}").click # needed to submit form in some cases
+    end
+  end
+
   def set_protected_tag_name(tag_name)
     find(".js-protected-tag-select").click
     find(".dropdown-input-field").set(tag_name)
@@ -19,6 +30,7 @@ feature 'Projected Tags', feature: true, js: true do
     it "allows creating explicit protected tags" do
       visit namespace_project_protected_tags_path(project.namespace, project)
       set_protected_tag_name('some-tag')
+      set_allowed_to('create')
       click_on "Protect"
 
       within(".protected-tags-list") { expect(page).to have_content('some-tag') }
@@ -32,6 +44,7 @@ feature 'Projected Tags', feature: true, js: true do
 
       visit namespace_project_protected_tags_path(project.namespace, project)
       set_protected_tag_name('some-tag')
+      set_allowed_to('create')
       click_on "Protect"
 
       within(".protected-tags-list") { expect(page).to have_content(commit.id[0..7]) }
@@ -40,6 +53,7 @@ feature 'Projected Tags', feature: true, js: true do
     it "displays an error message if the named tag does not exist" do
       visit namespace_project_protected_tags_path(project.namespace, project)
       set_protected_tag_name('some-tag')
+      set_allowed_to('create')
       click_on "Protect"
 
       within(".protected-tags-list") { expect(page).to have_content('tag was removed') }
@@ -50,6 +64,7 @@ feature 'Projected Tags', feature: true, js: true do
     it "allows creating protected tags with a wildcard" do
       visit namespace_project_protected_tags_path(project.namespace, project)
       set_protected_tag_name('*-stable')
+      set_allowed_to('create')
       click_on "Protect"
 
       within(".protected-tags-list") { expect(page).to have_content('*-stable') }
@@ -63,6 +78,7 @@ feature 'Projected Tags', feature: true, js: true do
 
       visit namespace_project_protected_tags_path(project.namespace, project)
       set_protected_tag_name('*-stable')
+      set_allowed_to('create')
       click_on "Protect"
 
       within(".protected-tags-list") { expect(page).to have_content("2 matching tags") }
@@ -75,6 +91,7 @@ feature 'Projected Tags', feature: true, js: true do
 
       visit namespace_project_protected_tags_path(project.namespace, project)
       set_protected_tag_name('*-stable')
+      set_allowed_to('create')
       click_on "Protect"
 
       visit namespace_project_protected_tags_path(project.namespace, project)
@@ -89,6 +106,6 @@ feature 'Projected Tags', feature: true, js: true do
   end
 
   describe "access control" do
-    include_examples "protected tags > access control > CE"
+    include_examples "protected tags > access control > EE"
   end
 end