ProtectedBranchPolicy checks unprotect access levels

950b64ca · James Edwards-Jones · 557c6628 · 950b64ca · 950b64ca · 950b64ca
Commit 950b64ca authored Mar 25, 2018 by James Edwards-Jones
10 changed files
--- a/app/models/concerns/protected_ref_access.rb
+++ b/app/models/concerns/protected_ref_access.rb
@@ -4,7 +4,8 @@ module ProtectedRefAccess
  ALLOWED_ACCESS_LEVELS = [
    Gitlab::Access::MASTER,
    Gitlab::Access::DEVELOPER,
-    Gitlab::Access::NO_ACCESS
+    Gitlab::Access::NO_ACCESS,
+    Gitlab::Access::ADMIN
  ].freeze

  HUMAN_ACCESS_LEVELS = {

--- a/app/models/protected_branch.rb
+++ b/app/models/protected_branch.rb
@@ -2,6 +2,7 @@ class ProtectedBranch < ActiveRecord::Base
  include Gitlab::ShellAdapter
  include ProtectedRef
  prepend EE::ProtectedRef
+  prepend EE::ProtectedBranch

  protected_ref_access_levels :merge, :push


--- a/app/policies/protected_branch_policy.rb
+++ b/app/policies/protected_branch_policy.rb
 class ProtectedBranchPolicy < BasePolicy
+  prepend EE::ProtectedBranchPolicy
+
  delegate { @subject.project }

  rule { can?(:admin_project) }.policy do

--- a/ee/app/models/concerns/ee/protected_branch.rb
+++ b/ee/app/models/concerns/ee/protected_branch.rb
@@ -5,5 +5,13 @@ module EE
    included do
      protected_ref_access_levels :unprotect
    end
+
+    def can_unprotect?(user)
+      return true if unprotect_access_levels.empty?
+
+      unprotect_access_levels.any? do |access_level|
+        access_level.check_access(user)
+      end
+    end
  end
 end
--- a/ee/app/models/ee/user.rb
+++ b/ee/app/models/ee/user.rb
@@ -29,8 +29,9 @@ module EE
      has_many :approvers,                dependent: :destroy # rubocop: disable Cop/ActiveRecordDependent

      # Protected Branch Access
-      has_many :protected_branch_merge_access_levels, dependent: :destroy, class_name: ProtectedBranch::MergeAccessLevel # rubocop:disable Cop/ActiveRecordDependent
-      has_many :protected_branch_push_access_levels, dependent: :destroy, class_name: ProtectedBranch::PushAccessLevel # rubocop:disable Cop/ActiveRecordDependent
+      has_many :protected_branch_merge_access_levels, dependent: :destroy, class_name: ::ProtectedBranch::MergeAccessLevel # rubocop:disable Cop/ActiveRecordDependent
+      has_many :protected_branch_push_access_levels, dependent: :destroy, class_name: ::ProtectedBranch::PushAccessLevel # rubocop:disable Cop/ActiveRecordDependent
+      has_many :protected_branch_unprotect_access_levels, dependent: :destroy, class_name: ::ProtectedBranch::UnprotectAccessLevel # rubocop:disable Cop/ActiveRecordDependent
    end

    module ClassMethods

--- a/ee/app/models/license.rb
+++ b/ee/app/models/license.rb
@@ -53,6 +53,7 @@ class License < ActiveRecord::Base
    object_storage
    group_saml
    service_desk
+    unprotection_restrictions
    variable_environment_scope
    reject_unsigned_commits
    commit_committer_check

--- a/ee/app/policies/ee/protected_branch_policy.rb
+++ b/ee/app/policies/ee/protected_branch_policy.rb
+module EE
+  module ProtectedBranchPolicy
+    extend ActiveSupport::Concern
+
+    prepended do
+      condition(:can_unprotect) do
+        @subject.can_unprotect?(@user)
+      end
+
+      condition(:unprotect_restrictions_enabled, scope: :subject) do
+        @subject.project.feature_available?(:unprotection_restrictions)
+      end
+
+      rule { unprotect_restrictions_enabled & ~can_unprotect }.policy do
+        prevent :create_protected_branch # Prevent a user creating a rule they wouldn't be able to update or destroy
+        prevent :update_protected_branch
+        prevent :destroy_protected_branch
+      end
+    end
+  end
+end
--- a/ee/spec/models/ee/protected_branch_spec.rb
+++ b/ee/spec/models/ee/protected_branch_spec.rb
+require 'spec_helper'
+
+describe ProtectedBranch do
+  subject { create(:protected_branch) }
+
+  let(:project) { subject.project }
+
+  describe '#can_unprotect?' do
+    let(:user) { create(:user) }
+    let(:admin) { create(:user, :admin) }
+    let(:master) do
+      create(:user).tap { |user| project.add_master(user) }
+    end
+
+    context 'without unprotect_access_levels' do
+      it "doesn't add any additional restriction" do
+        expect(subject.can_unprotect?(user)).to eq true
+      end
+    end
+
+    context 'with access level set to MASTER' do
+      before do
+        subject.unprotect_access_levels.create!(access_level: Gitlab::Access::MASTER)
+      end
+
+      it 'defaults to requiring master access' do
+        expect(subject.can_unprotect?(user)).to eq false
+        expect(subject.can_unprotect?(master)).to eq true
+        expect(subject.can_unprotect?(admin)).to eq true
+      end
+    end
+
+    context 'with access level set to ADMIN' do
+      before do
+        subject.unprotect_access_levels.create!(access_level: Gitlab::Access::ADMIN)
+      end
+
+      it 'prevents access to masters' do
+        expect(subject.can_unprotect?(master)).to eq false
+      end
+
+      it 'grants access to admins' do
+        expect(subject.can_unprotect?(admin)).to eq true
+      end
+    end
+
+    context 'multiple access levels' do
+      before do
+        subject.unprotect_access_levels.create!(user: master)
+        subject.unprotect_access_levels.create!(user: user)
+      end
+
+      it 'grants access if any grant access' do
+        expect(subject.can_unprotect?(user)).to eq true
+      end
+    end
+  end
+end
--- a/ee/spec/policies/protected_branch_policy_spec.rb
+++ b/ee/spec/policies/protected_branch_policy_spec.rb
+require 'spec_helper'
+
+describe ProtectedBranchPolicy do
+  let(:user) { create(:user) }
+  let(:name) { 'feature' }
+  let(:protected_branch) { create(:protected_branch, name: name) }
+  let(:project) { protected_branch.project }
+  let(:allowed_group) { create(:group) }
+
+  subject { described_class.new(user, protected_branch) }
+
+  before do
+    project.add_master(user)
+  end
+
+  context 'when unprotection is limited by access levels' do
+    before do
+      protected_branch.unprotect_access_levels.create!(group: allowed_group)
+    end
+
+    context 'when unprotection restriction feature is unlicensed' do
+      it "users can remove protections" do
+        is_expected.to be_allowed(:update_protected_branch)
+        is_expected.to be_allowed(:destroy_protected_branch)
+      end
+    end
+
+    context 'when unprotection restriction feature is licensed' do
+      before do
+        stub_licensed_features(unprotection_restrictions: true)
+      end
+
+      it "users can't remove protections without specific access" do
+        is_expected.not_to be_allowed(:update_protected_branch)
+        is_expected.not_to be_allowed(:destroy_protected_branch)
+      end
+
+      context "and access levels grant the user control" do
+        before do
+          allowed_group.add_user(user, :guest)
+        end
+
+        it 'users can manage protections' do
+          is_expected.to be_allowed(:update_protected_branch)
+          is_expected.to be_allowed(:update_protected_branch)
+          is_expected.to be_allowed(:destroy_protected_branch)
+        end
+      end
+    end
+  end
+
+  context 'creating restrictions' do
+    let(:unprotect_access_levels) { [{ group_id: allowed_group.id }] }
+    let(:protected_branch) { build(:protected_branch, name: name, unprotect_access_levels_attributes: unprotect_access_levels) }
+
+    before do
+      stub_licensed_features(unprotection_restrictions: true)
+    end
+
+    it "is prevented if the user wouldn't be able to remove the restriction" do
+      is_expected.not_to be_allowed(:create_protected_branch)
+    end
+
+    context 'when the user can remove the restriction' do
+      before do
+        allowed_group.add_user(user, :guest)
+      end
+
+      it "is allowed" do
+        is_expected.to be_allowed(:create_protected_branch)
+      end
+    end
+  end
+end
--- a/lib/gitlab/access.rb
+++ b/lib/gitlab/access.rb
@@ -15,6 +15,7 @@ module Gitlab
    DEVELOPER = 30
    MASTER    = 40
    OWNER     = 50
+    ADMIN     = 60

    # Branch protection settings
    PROTECTION_NONE          = 0