Merge branch '217924_dry_up_vulnerability_exports_api_spec' into 'master'

Remove duplicated test cases for vulnerability exports API

Closes #217924

See merge request gitlab-org/gitlab!34920

ee/spec/requests/api/vulnerability_exports_spec.rb

@@ -12,70 +12,10 @@ RSpec.describe API::VulnerabilityExports do
   let_it_be(:user) { create(:user) }
   let_it_be(:project) { create(:project, :with_vulnerability) }
 
-  describe 'POST /security/projects/:id/vulnerability_exports' do
-    let(:format) { 'csv' }
-    let(:request_path) { "/security/projects/#{project.id}/vulnerability_exports" }
-
-    subject(:create_vulnerability_export) { post api(request_path, user), params: { export_format: format } }
-
-    context 'with an authorized user with proper permissions' do
-      before do
-        project.add_developer(user)
-      end
-
-      context 'when format is csv' do
-        it 'returns information about new vulnerability export' do
-          create_vulnerability_export
-
-          expect(response).to have_gitlab_http_status(:created)
-          expect(response).to match_response_schema('public_api/v4/vulnerability_export', dir: 'ee')
-        end
-
-        it 'schedules job for export' do
-          expect(::VulnerabilityExports::ExportWorker).to receive(:perform_async).with(anything)
-
-          create_vulnerability_export
-        end
-      end
-
-      context 'when format is invalid' do
-        let(:format) { 'invalid' }
-
-        it 'returns error message' do
-          create_vulnerability_export
-
-          expect(response).to have_gitlab_http_status(:bad_request)
-          expect(json_response).to eq('error' => 'export_format does not have a valid value')
-        end
-
-        it 'does not schedule a job for export' do
-          expect(::VulnerabilityExports::ExportWorker).not_to receive(:perform_async)
-
-          create_vulnerability_export
-        end
-      end
-
-      it_behaves_like 'forbids access to vulnerability API endpoint in case of disabled features'
-    end
-
-    describe 'permissions' do
-      it { expect { create_vulnerability_export }.to be_allowed_for(:admin) }
-      it { expect { create_vulnerability_export }.to be_allowed_for(:owner).of(project) }
-      it { expect { create_vulnerability_export }.to be_allowed_for(:maintainer).of(project) }
-      it { expect { create_vulnerability_export }.to be_allowed_for(:developer).of(project) }
-      it { expect { create_vulnerability_export }.to be_allowed_for(:auditor) }
-
-      it { expect { create_vulnerability_export }.to be_denied_for(:reporter).of(project) }
-      it { expect { create_vulnerability_export }.to be_denied_for(:guest).of(project) }
-      it { expect { create_vulnerability_export }.to be_denied_for(:anonymous) }
-    end
-  end
-
-  describe 'POST /security/groups/:id/vulnerability_exports' do
-    let_it_be(:group) { create(:group) }
-
+  shared_examples 'creating export for exportable' do
     let(:format) { 'csv' }
-    let(:request_path) { "/security/groups/#{group.id}/vulnerability_exports" }
+    let(:deny_setup) {}
+    let(:permission_setup) {}
 
     subject(:create_vulnerability_export) { post api(request_path, user), params: { export_format: format } }
 
@@ -92,6 +32,10 @@ RSpec.describe API::VulnerabilityExports do
 
     context 'when the request fulfills the requirements' do
       context 'when the user is not authorized to take the action' do
+        before do
+          deny_setup
+        end
+
         it 'responds with 403 forbidden' do
           create_vulnerability_export
 
@@ -104,7 +48,7 @@ RSpec.describe API::VulnerabilityExports do
 
         before do
           allow(VulnerabilityExports::CreateService).to receive(:new).and_return(mock_service_object)
-          group.add_developer(user)
+          permission_setup
         end
 
         context 'when the export creation succeeds' do
@@ -130,60 +74,49 @@ RSpec.describe API::VulnerabilityExports do
           end
         end
       end
-    end
-
-    it_behaves_like 'forbids access to vulnerability API endpoint in case of disabled features'
-  end
-
-  describe 'POST /security/vulnerability_exports' do
-    let(:format) { 'csv' }
-    let(:request_path) { "/security/vulnerability_exports" }
-
-    subject(:create_vulnerability_export) { post api(request_path, user), params: { export_format: format } }
-
-    context 'when the request does not fulfill the requirements' do
-      let(:format) { 'exif' }
 
-      it 'responds with bad_request' do
-        create_vulnerability_export
-
-        expect(response).to have_gitlab_http_status(:bad_request)
-        expect(json_response).to eq('error' => 'export_format does not have a valid value')
+      it_behaves_like 'forbids access to vulnerability API endpoint in case of disabled features' do
+        before do
+          permission_setup
+        end
       end
     end
+  end
 
-    context 'when the request fulfills the requirements' do
-      let(:mock_service_object) { instance_double(VulnerabilityExports::CreateService, execute: vulnerability_export) }
-
-      before do
-        allow(VulnerabilityExports::CreateService).to receive(:new).and_return(mock_service_object)
-      end
-
-      context 'when the export creation succeeds' do
-        let(:vulnerability_export) { create(:vulnerability_export) }
-
-        it 'returns information about new vulnerability export' do
-          create_vulnerability_export
-
-          expect(response).to have_gitlab_http_status(:created)
-          expect(response).to match_response_schema('public_api/v4/vulnerability_export', dir: 'ee')
-        end
+  describe 'POST /security/projects/:id/vulnerability_exports' do
+    it_behaves_like 'creating export for exportable' do
+      let(:request_path) { "/security/projects/#{project.id}/vulnerability_exports" }
+      let(:deny_setup) { project.add_guest(user) }
+      let(:permission_setup) { project.add_developer(user) }
+
+      describe 'permissions' do
+        it { expect { create_vulnerability_export }.to be_allowed_for(:admin) }
+        it { expect { create_vulnerability_export }.to be_allowed_for(:owner).of(project) }
+        it { expect { create_vulnerability_export }.to be_allowed_for(:maintainer).of(project) }
+        it { expect { create_vulnerability_export }.to be_allowed_for(:developer).of(project) }
+        it { expect { create_vulnerability_export }.to be_allowed_for(:auditor) }
+
+        it { expect { create_vulnerability_export }.to be_denied_for(:reporter).of(project) }
+        it { expect { create_vulnerability_export }.to be_denied_for(:guest).of(project) }
+        it { expect { create_vulnerability_export }.to be_denied_for(:anonymous) }
       end
+    end
+  end
 
-      context 'when the export creation fails' do
-        let(:errors) { instance_double(ActiveModel::Errors, any?: true, messages: ['foo']) }
-        let(:vulnerability_export) { instance_double(Vulnerabilities::Export, persisted?: false, errors: errors) }
-
-        it 'returns the error message' do
-          create_vulnerability_export
+  describe 'POST /security/groups/:id/vulnerability_exports' do
+    let_it_be(:group) { create(:group) }
 
-          expect(response).to have_gitlab_http_status(:bad_request)
-          expect(json_response).to eq('message' => ['foo'])
-        end
-      end
+    it_behaves_like 'creating export for exportable' do
+      let(:request_path) { "/security/groups/#{group.id}/vulnerability_exports" }
+      let(:permission_setup) { group.add_developer(user) }
     end
+  end
 
-    it_behaves_like 'forbids access to vulnerability API endpoint in case of disabled features'
+  describe 'POST /security/vulnerability_exports' do
+    it_behaves_like 'creating export for exportable' do
+      let(:request_path) { "/security/vulnerability_exports" }
+      let(:deny_setup) { allow(InstanceSecurityDashboard).to receive(:new).and_return(nil) }
+    end
   end
 
   describe 'GET /security/vulnerability_exports/:id' do