Merge branch 'security-pb-protected-tags-remove-group' into 'master'

Remove protected tag access when group is removed Closes #2 See merge request gitlab-org/security/gitlab!8

Merge branch 'security-pb-protected-tags-remove-group' into 'master'
Remove protected tag access when group is removed Closes #2 See merge request gitlab-org/security/gitlab!8
5311b36e · GitLab Release Tools Bot · e3212b93 · 8dffe619 · 5311b36e · 5311b36e
Commit 5311b36e authored Dec 31, 2019 by GitLab Release Tools Bot
3 changed files
--- a/ee/app/models/ee/project_group_link.rb
+++ b/ee/app/models/ee/project_group_link.rb
@@ -15,6 +15,9 @@ module EE
      project.protected_branches.merge_access_by_group(group).destroy_all # rubocop: disable DestroyAll
      project.protected_branches.push_access_by_group(group).destroy_all # rubocop: disable DestroyAll
+      # For protected tags
+      project.protected_tags.create_access_by_group(group).delete_all
      # For protected environments
      project.protected_environments.deploy_access_levels_by_group(group).delete_all
    end

--- a/ee/changelogs/unreleased/security-pb-protected-tags-remove-group.yml
+++ b/ee/changelogs/unreleased/security-pb-protected-tags-remove-group.yml
+---
+title: Remove protected tag access when group is removed
+merge_request:
+author:
+type: security
--- a/ee/spec/models/ee/project_group_link_spec.rb
+++ b/ee/spec/models/ee/project_group_link_spec.rb
@@ -13,16 +13,46 @@ describe ProjectGroupLink do
      project.add_developer(user)
    end
-    it 'removes related protected environment deploy access levels' do
+    shared_examples_for 'deleted related access levels' do |access_level_class|
-      params = attributes_for(:protected_environment,
+      it "removes related #{access_level_class}" do
-                              deploy_access_levels_attributes: [{ group_id: group.id }, { user_id: user.id }])
+        expect { project_group_link.destroy! }.to change(access_level_class, :count).by(-1)
+        expect(access_levels.find_by_group_id(group)).to be_nil
+        expect(access_levels.find_by_user_id(user)).to be_persisted
+      end
+    end
+    context 'protected tags' do
+      let!(:protected_tag) do
+        ProtectedTags::CreateService.new(
+          project,
+          project.owner,
+          attributes_for(
+            :protected_tag,
+            create_access_levels_attributes: [{ group_id: group.id }, { user_id: user.id }]
+          )
+        ).execute
+      end
+      let(:access_levels) { protected_tag.create_access_levels }
+      it_behaves_like 'deleted related access levels', ProtectedTag::CreateAccessLevel
+    end
-      protected_environment = ProtectedEnvironments::CreateService.new(project, user, params).execute
+    context 'protected environments' do
+      let!(:protected_environment) do
+        ProtectedEnvironments::CreateService.new(
+          project,
+          project.owner,
+          attributes_for(
+            :protected_environment,
+            deploy_access_levels_attributes: [{ group_id: group.id }, { user_id: user.id }]
+          )
+        ).execute
+      end
-      expect { project_group_link.destroy! }.to change(ProtectedEnvironment::DeployAccessLevel, :count).by(-1)
+      let(:access_levels) { protected_environment.deploy_access_levels }
-      expect(protected_environment.deploy_access_levels.find_by_group_id(group)).to be_nil
+      it_behaves_like 'deleted related access levels', ProtectedEnvironment::DeployAccessLevel
-      expect(protected_environment.deploy_access_levels.find_by_user_id(user)).to be_persisted
    end
  end
 end