Merge branch 'make-gpg-key-push-rule-eep-only' into 'master'

Make push rule to reject unsigned commits EEP only See merge request gitlab-org/gitlab-ee!3158

Merge branch 'make-gpg-key-push-rule-eep-only' into 'master'
Make push rule to reject unsigned commits EEP only See merge request gitlab-org/gitlab-ee!3158
c2809c54 · Douwe Maan · 717a4db2 · ed5a02c9 · c2809c54 · c2809c54
Commit c2809c54 authored Oct 20, 2017 by Douwe Maan
11 changed files
--- a/app/models/license.rb
+++ b/app/models/license.rb
@@ -47,6 +47,7 @@ class License < ActiveRecord::Base
    object_storage
    service_desk
    variable_environment_scope
+    reject_unsigned_commits
  ].freeze

  EEU_FEATURES = EEP_FEATURES

--- a/app/models/push_rule.rb
+++ b/app/models/push_rule.rb
@@ -22,6 +22,7 @@ class PushRule < ActiveRecord::Base
  end

  def commit_signature_allowed?(commit)
+    return true unless available?(:reject_unsigned_commits)
    return true unless reject_unsigned_commits

    commit.has_signature?
@@ -74,6 +75,14 @@ class PushRule < ActiveRecord::Base
    is_sample?
  end

+  def available?(feature_sym)
+    if global?
+      License.feature_available?(feature_sym)
+    else
+      project&.feature_available?(feature_sym)
+    end
+  end
+
  private

  def data_match?(data, regex)

--- a/app/views/admin/push_rules/show.html.haml
+++ b/app/views/admin/push_rules/show.html.haml
@@ -11,4 +11,4 @@
    .alert.alert-danger
      - @push_rule.errors.full_messages.each do |msg|
        %p= msg
-  = render "shared/push_rules_form", f: f
+  = render "shared/push_rules/form", f: f
--- a/app/views/projects/push_rules/_index.html.haml
+++ b/app/views/projects/push_rules/_index.html.haml
@@ -15,4 +15,4 @@
    = form_for [@project.namespace.becomes(Namespace), @project, @push_rule] do |f|
      = form_errors(@push_rule)

-      = render "shared/push_rules_form", f: f
+      = render "shared/push_rules/form", f: f
--- a/app/views/shared/_push_rules_form.html.haml
+++ b/app/views/shared/_push_rules_form.html.haml
-.form-group
-  = f.check_box :reject_unsigned_commits, class: "pull-left", disabled: !can_change_reject_unsigned_commits?(f.object)
-  .prepend-left-20
-    = f.label :reject_unsigned_commits, class: "label-light append-bottom-0" do
-      Reject unsigned commits
-    %p.light.append-bottom-0
-      = reject_unsigned_commits_description(f.object)
+= render 'shared/push_rules/reject_unsigned_commits_setting', form: f, push_rule: f.object

 .form-group
  = f.check_box :deny_delete_tag, class: "pull-left"

--- a/app/views/shared/push_rules/_reject_unsigned_commits_setting.html.haml
+++ b/app/views/shared/push_rules/_reject_unsigned_commits_setting.html.haml
+- return unless push_rule.available?(:reject_unsigned_commits)
+
+- form = local_assigns.fetch(:form)
+- push_rule = local_assigns.fetch(:push_rule)
+
+.form-group
+  = form.check_box :reject_unsigned_commits, class: "pull-left", disabled: !can_change_reject_unsigned_commits?(push_rule)
+  .prepend-left-20
+    = form.label :reject_unsigned_commits, class: "label-light append-bottom-0" do
+      Reject unsigned commits
+    %p.light.append-bottom-0
+      = reject_unsigned_commits_description(push_rule)
--- a/spec/features/admin/admin_push_rules_spec.rb
+++ b/spec/features/admin/admin_push_rules_spec.rb
+require 'spec_helper'
+
+describe "Admin::PushRules"  do
+  let(:current_user) { create(:admin) }
+
+  before do
+    sign_in(current_user)
+  end
+
+  context 'when reject_unsigned_commits is unlicensed' do
+    before do
+      stub_licensed_features(reject_unsigned_commits: false)
+    end
+
+    it 'does not render the setting checkbox' do
+      visit admin_push_rule_path
+
+      expect(page).not_to have_content('Reject unsigned commits')
+    end
+  end
+
+  context 'when reject_unsigned_commits is licensed' do
+    before do
+      stub_licensed_features(reject_unsigned_commits: true)
+    end
+
+    it 'renders the setting checkbox' do
+      visit admin_push_rule_path
+
+      expect(page).to have_content('Reject unsigned commits')
+    end
+  end
+end
--- a/spec/features/projects/push_rules_spec.rb
+++ b/spec/features/projects/push_rules_spec.rb
+require 'spec_helper'
+
+feature 'Projects > Push Rules', :js do
+  let(:user) { create(:user) }
+  let(:project) { create(:project, :repository, namespace: user.namespace) }
+
+  before do
+    project.team << [user, :master]
+    sign_in(user)
+  end
+
+  describe 'Reject unsigned commits rule' do
+    context 'unlicensed' do
+      before do
+        stub_licensed_features(reject_unsigned_commits: false)
+      end
+
+      it 'does not render the setting checkbox' do
+        visit project_settings_repository_path(project)
+
+        expect(page).not_to have_content('Reject unsigned commits')
+      end
+    end
+
+    context 'licensed' do
+      let(:bronze_plan) { Plan.find_by!(name: 'bronze') }
+      let(:gold_plan) { Plan.find_by!(name: 'gold') }
+
+      before do
+        stub_licensed_features(reject_unsigned_commits: true)
+      end
+
+      it 'renders the setting checkbox' do
+        visit project_settings_repository_path(project)
+
+        expect(page).to have_content('Reject unsigned commits')
+      end
+
+      describe 'with GL.com plans' do
+        before do
+          stub_application_setting(check_namespace_plan: true)
+        end
+
+        context 'when disabled' do
+          it 'does not render the setting checkbox' do
+            project.namespace.update!(plan_id: bronze_plan.id)
+
+            visit project_settings_repository_path(project)
+
+            expect(page).not_to have_content('Reject unsigned commits')
+          end
+        end
+
+        context 'when enabled' do
+          it 'renders the setting checkbox' do
+            project.namespace.update!(plan_id: gold_plan.id)
+
+            visit project_settings_repository_path(project)
+
+            expect(page).to have_content('Reject unsigned commits')
+          end
+        end
+      end
+    end
+  end
+end
--- a/spec/lib/gitlab/checks/change_access_spec.rb
+++ b/spec/lib/gitlab/checks/change_access_spec.rb
@@ -371,6 +371,10 @@ describe Gitlab::Checks::ChangeAccess do
      end

      context 'GPG sign rules' do
+        before do
+          stub_licensed_features(reject_unsigned_commits: true)
+        end
+
        let(:push_rule) { create(:push_rule, reject_unsigned_commits: true) }

        it_behaves_like 'check ignored when push rule unlicensed'

--- a/spec/models/push_rule_spec.rb
+++ b/spec/models/push_rule_spec.rb
@@ -49,9 +49,21 @@ describe PushRule do
  end

  describe '#commit_signature_allowed?' do
+    let!(:premium_license) { create(:license, plan: License::PREMIUM_PLAN) }
    let(:signed_commit) { double(has_signature?: true) }
    let(:unsigned_commit) { double(has_signature?: false) }

+    context 'when feature is not licensed and it is enabled' do
+      before do
+        stub_licensed_features(reject_unsigned_commits: false)
+        global_push_rule.update_attribute(:reject_unsigned_commits, true)
+      end
+
+      it 'accepts unsigned commits' do
+        expect(push_rule.commit_signature_allowed?(unsigned_commit)).to eq(true)
+      end
+    end
+
    context 'when enabled at a global level' do
      before do
        global_push_rule.update_attribute(:reject_unsigned_commits, true)
@@ -124,4 +136,65 @@ describe PushRule do
      end
    end
  end
+
+  describe '#available?' do
+    shared_examples 'an unavailable push_rule' do
+      it 'is not available' do
+        expect(push_rule.available?(:reject_unsigned_commits)).to eq(false)
+      end
+    end
+
+    shared_examples 'an available push_rule' do
+      it 'is available' do
+        expect(push_rule.available?(:reject_unsigned_commits)).to eq(true)
+      end
+    end
+
+    describe 'reject_unsigned_commits' do
+      context 'with the global push_rule' do
+        let(:push_rule) { create(:push_rule_sample) }
+
+        context 'with a EE starter license' do
+          let!(:license) { create(:license, plan: License::STARTER_PLAN) }
+
+          it_behaves_like 'an unavailable push_rule'
+        end
+
+        context 'with a EE premium license' do
+          let!(:license) { create(:license, plan: License::PREMIUM_PLAN) }
+
+          it_behaves_like 'an available push_rule'
+        end
+      end
+
+      context 'with GL.com plans' do
+        let(:group) { create(:group, plan: Plan.find_by!(name: gl_plan)) }
+        let(:project) { create(:project, namespace: group) }
+        let(:push_rule) { create(:push_rule, project: project) }
+
+        before do
+          create(:license, plan: License::PREMIUM_PLAN)
+          stub_application_setting(check_namespace_plan: true)
+        end
+
+        context 'with a Bronze plan' do
+          let(:gl_plan) { ::EE::Namespace::BRONZE_PLAN }
+
+          it_behaves_like 'an unavailable push_rule'
+        end
+
+        context 'with a Silver plan' do
+          let(:gl_plan) { ::EE::Namespace::SILVER_PLAN }
+
+          it_behaves_like 'an available push_rule'
+        end
+
+        context 'with a Gold plan' do
+          let(:gl_plan) { ::EE::Namespace::GOLD_PLAN }
+
+          it_behaves_like 'an available push_rule'
+        end
+      end
+    end
+  end
 end
--- a/spec/support/db_cleaner.rb
+++ b/spec/support/db_cleaner.rb
@@ -14,11 +14,11 @@ RSpec.configure do |config|
  end

  config.before(:each, :js) do
-    DatabaseCleaner.strategy = :truncation, { except: ['licenses'] }
+    DatabaseCleaner.strategy = :truncation, { except: %w[licenses plans] }
  end

  config.before(:each, :truncate) do
-    DatabaseCleaner.strategy = :truncation, { except: ['licenses'] }
+    DatabaseCleaner.strategy = :truncation, { except: %w[licenses plans] }
  end

  config.before(:each, :migration) do