Commit 462f280f authored by Ramya Authappan's avatar Ramya Authappan

Merge branch 'ml-check-git-errors-to-avoid-false-positives' into 'master'

Check git error msgs to avoid false positives

See merge request gitlab-org/gitlab!29099
parents 6f114149 778cf88f
...@@ -4,7 +4,7 @@ module QA ...@@ -4,7 +4,7 @@ module QA
context 'Create' do context 'Create' do
context 'Push Rules' do context 'Push Rules' do
describe 'using non signed commits' do describe 'using non signed commits' do
before :context do before(:context) do
prepare prepare
@file_name_limitation = 'denied_file' @file_name_limitation = 'denied_file'
...@@ -16,12 +16,12 @@ module QA ...@@ -16,12 +16,12 @@ module QA
Page::Project::Settings::Repository.perform do |repository| Page::Project::Settings::Repository.perform do |repository|
repository.expand_push_rules do |push_rules| repository.expand_push_rules do |push_rules|
push_rules.fill_file_name @file_name_limitation push_rules.fill_file_name(@file_name_limitation)
push_rules.fill_file_size @file_size_limitation push_rules.fill_file_size(@file_size_limitation)
push_rules.fill_author_email @authors_email_limitation push_rules.fill_author_email(@authors_email_limitation)
push_rules.fill_branch_name @branch_name_limitation push_rules.fill_branch_name(@branch_name_limitation)
push_rules.fill_commit_message_rule @needed_phrase_limitation push_rules.fill_commit_message_rule(@needed_phrase_limitation)
push_rules.fill_deny_commit_message_rule @deny_message_phrase_limitation push_rules.fill_deny_commit_message_rule(@deny_message_phrase_limitation)
push_rules.check_prevent_secrets push_rules.check_prevent_secrets
push_rules.check_restrict_author push_rules.check_restrict_author
push_rules.check_deny_delete_tag push_rules.check_deny_delete_tag
...@@ -30,6 +30,10 @@ module QA ...@@ -30,6 +30,10 @@ module QA
end end
end end
it 'allows an unrestricted push' do
expect_no_error_on_push(file: standard_file)
end
it 'restricts files by name and size' do it 'restricts files by name and size' do
large_file = [{ large_file = [{
name: 'file', name: 'file',
...@@ -40,28 +44,31 @@ module QA ...@@ -40,28 +44,31 @@ module QA
content: SecureRandom.hex(100) content: SecureRandom.hex(100)
}] }]
expect_no_error_on_push file: standard_file expect_error_on_push(file: large_file,
expect_error_on_push file: large_file error: 'File "file" is larger than the allowed size of 1 MB')
expect_error_on_push file: wrongly_named_file expect_error_on_push(file: wrongly_named_file,
error: Regexp.escape("File name #{@file_name_limitation} was blacklisted by the pattern #{@file_name_limitation}"))
end end
it 'restricts users by email format' do it 'restricts users by email format' do
gitlab_user = Resource::User.fabricate_or_use(Runtime::Env.gitlab_qa_username_2, Runtime::Env.gitlab_qa_password_2) gitlab_user = Resource::User.fabricate_or_use(Runtime::Env.gitlab_qa_username_2, Runtime::Env.gitlab_qa_password_2)
@project.add_member(gitlab_user) @project.add_member(gitlab_user, Resource::Members::AccessLevel::MAINTAINER)
expect_no_error_on_push file: standard_file expect_error_on_push(file: standard_file, user: gitlab_user,
expect_error_on_push file: standard_file, user: gitlab_user error: Regexp.escape("Committer's email '#{gitlab_user.email}' does not follow the pattern '#{@authors_email_limitation}'"))
end end
it 'restricts branches by branch name' do it 'restricts branches by branch name' do
expect_no_error_on_push file: standard_file expect_error_on_push(file: standard_file, branch: 'forbidden_branch',
expect_error_on_push file: standard_file, branch: 'forbidden_branch' error: Regexp.escape("Branch name does not follow the pattern '#{@branch_name_limitation}'"))
end end
it 'restricts commit by message format' do it 'restricts commit by message format' do
expect_no_error_on_push file: standard_file, commit_message: @needed_phrase_limitation expect_no_error_on_push(file: standard_file, commit_message: @needed_phrase_limitation)
expect_error_on_push file: standard_file, commit_message: 'forbidden message' expect_error_on_push(file: standard_file, commit_message: 'forbidden message',
expect_error_on_push file: standard_file, commit_message: "#{@needed_phrase_limitation} - #{@deny_message_phrase_limitation}" error: Regexp.escape("Commit message does not follow the pattern '#{@needed_phrase_limitation}'"))
expect_error_on_push(file: standard_file, commit_message: "#{@needed_phrase_limitation} - #{@deny_message_phrase_limitation}",
error: Regexp.escape("Commit message contains the forbidden pattern '#{@deny_message_phrase_limitation}'"))
end end
it 'restricts committing files with secrets' do it 'restricts committing files with secrets' do
...@@ -70,13 +77,13 @@ module QA ...@@ -70,13 +77,13 @@ module QA
content: SecureRandom.hex(100) content: SecureRandom.hex(100)
}] }]
expect_no_error_on_push file: standard_file expect_error_on_push(file: secret_file,
expect_error_on_push file: secret_file error: Regexp.escape('File name id_rsa was blacklisted by the pattern id_rsa$'))
end end
it 'restricts commits by user' do it 'restricts commits by user' do
expect_no_error_on_push file: standard_file expect_error_on_push(file: standard_file, user: @root,
expect_error_on_push file: standard_file, user: @root error: Regexp.escape("Author '#{@root.email}' is not a member of team"))
end end
it 'restricts removal of tag' do it 'restricts removal of tag' do
...@@ -86,19 +93,37 @@ module QA ...@@ -86,19 +93,37 @@ module QA
tag.name = 'test_tag' tag.name = 'test_tag'
end end
expect_no_error_on_push file: standard_file expect_error_on_push(file: standard_file, tag: tag.name,
expect_error_on_push file: standard_file, tag: tag.name error: 'You cannot delete a tag')
end
end
describe 'with commits restricted to verified emails' do
before do
prepare
Page::Project::Settings::Repository.perform do |repository|
repository.expand_push_rules do |push_rules|
push_rules.check_committer_restriction
push_rules.click_submit
end
end
end
it 'rejects unverified emails' do
expect_no_error_on_push(file: standard_file)
expect_error_on_push(file: standard_file, user: @root,
error: 'You can only push commits that were committed with one of your own verified emails')
end end
end end
describe 'using signed commits' do describe 'using signed commits' do
before :context do before do
prepare prepare
Page::Project::Settings::Repository.perform do |repository| Page::Project::Settings::Repository.perform do |repository|
repository.expand_push_rules do |push_rules| repository.expand_push_rules do |push_rules|
push_rules.check_reject_unsigned_commits push_rules.check_reject_unsigned_commits
push_rules.check_committer_restriction
push_rules.click_submit push_rules.click_submit
end end
end end
...@@ -107,16 +132,8 @@ module QA ...@@ -107,16 +132,8 @@ module QA
end end
it 'restricts to signed commits' do it 'restricts to signed commits' do
expect_no_error_on_push file: standard_file, gpg: @gpg expect_no_error_on_push(file: standard_file, gpg: @gpg)
expect_error_on_push file: standard_file expect_error_on_push(file: standard_file, error: 'Commit must be signed with a GPG key')
end
it 'restricts commits to current authenticated user' do
gitlab_user = Resource::User.fabricate_or_use(Runtime::Env.gitlab_qa_username_1, Runtime::Env.gitlab_qa_password_1)
@project.add_member(gitlab_user)
expect_no_error_on_push file: standard_file, gpg: @gpg
expect_error_on_push file: standard_file, gpg: @gpg, user: gitlab_user
end end
end end
...@@ -146,10 +163,10 @@ module QA ...@@ -146,10 +163,10 @@ module QA
end.not_to raise_error end.not_to raise_error
end end
def expect_error_on_push(commit_message: 'allowed commit', branch: 'master', file:, user: @creator, tag: nil, gpg: nil) def expect_error_on_push(commit_message: 'allowed commit', branch: 'master', file:, user: @creator, tag: nil, gpg: nil, error: nil)
expect do expect do
push commit_message: commit_message, branch: branch, file: file, user: user, tag: tag, gpg: gpg push commit_message: commit_message, branch: branch, file: file, user: user, tag: tag, gpg: gpg
end.to raise_error(QA::Git::Repository::RepositoryCommandError) end.to raise_error(QA::Git::Repository::RepositoryCommandError, /#{error}/)
end end
def prepare def prepare
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment