diff options
Diffstat (limited to 'tests/integration/git_test.go')
-rw-r--r-- | tests/integration/git_test.go | 106 |
1 files changed, 80 insertions, 26 deletions
diff --git a/tests/integration/git_test.go b/tests/integration/git_test.go index 993a3d6799..ac56cffe5e 100644 --- a/tests/integration/git_test.go +++ b/tests/integration/git_test.go @@ -360,12 +360,62 @@ func doBranchProtectPRMerge(baseCtx *APITestContext, dstPath string) func(t *tes t.Run("PushProtectedBranch", doGitPushTestRepository(dstPath, "origin", "protected")) ctx := NewAPITestContext(t, baseCtx.Username, baseCtx.Reponame, auth_model.AccessTokenScopeWriteRepository) - t.Run("ProtectProtectedBranchNoWhitelist", doProtectBranch(ctx, "protected", "", "")) - t.Run("GenerateCommit", func(t *testing.T) { + + // Protect branch without any whitelisting + t.Run("ProtectBranchNoWhitelist", func(t *testing.T) { + doProtectBranch(ctx, "protected", "", "", "") + }) + + // Try to push without permissions, which should fail + t.Run("TryPushWithoutPermissions", func(t *testing.T) { + _, err := generateCommitWithNewData(littleSize, dstPath, "user2@example.com", "User Two", "branch-data-file-") + assert.NoError(t, err) + doGitPushTestRepositoryFail(dstPath, "origin", "protected") + }) + + // Set up permissions for normal push but not force push + t.Run("SetupNormalPushPermissions", func(t *testing.T) { + doProtectBranch(ctx, "protected", baseCtx.Username, "", "") + }) + + // Normal push should work + t.Run("NormalPushWithPermissions", func(t *testing.T) { _, err := generateCommitWithNewData(littleSize, dstPath, "user2@example.com", "User Two", "branch-data-file-") assert.NoError(t, err) + doGitPushTestRepository(dstPath, "origin", "protected") + }) + + // Try to force push without force push permissions, which should fail + t.Run("ForcePushWithoutForcePermissions", func(t *testing.T) { + t.Run("CreateDivergentHistory", func(t *testing.T) { + git.NewCommand(git.DefaultContext, "reset", "--hard", "HEAD~1").Run(&git.RunOpts{Dir: dstPath}) + _, err := generateCommitWithNewData(littleSize, dstPath, "user2@example.com", "User Two", "branch-data-file-new") + assert.NoError(t, err) + }) + doGitPushTestRepositoryFail(dstPath, "-f", "origin", "protected") + }) + + // Set up permissions for force push but not normal push + t.Run("SetupForcePushPermissions", func(t *testing.T) { + doProtectBranch(ctx, "protected", "", baseCtx.Username, "") }) - t.Run("FailToPushToProtectedBranch", doGitPushTestRepositoryFail(dstPath, "origin", "protected")) + + // Try to force push without normal push permissions, which should fail + t.Run("ForcePushWithoutNormalPermissions", func(t *testing.T) { + doGitPushTestRepositoryFail(dstPath, "-f", "origin", "protected") + }) + + // Set up permissions for normal and force push (both are required to force push) + t.Run("SetupNormalAndForcePushPermissions", func(t *testing.T) { + doProtectBranch(ctx, "protected", baseCtx.Username, baseCtx.Username, "") + }) + + // Force push should now work + t.Run("ForcePushWithPermissions", func(t *testing.T) { + doGitPushTestRepository(dstPath, "-f", "origin", "protected") + }) + + t.Run("ProtectProtectedBranchNoWhitelist", doProtectBranch(ctx, "protected", "", "", "")) t.Run("PushToUnprotectedBranch", doGitPushTestRepository(dstPath, "origin", "protected:unprotected")) var pr api.PullRequest var err error @@ -387,14 +437,14 @@ func doBranchProtectPRMerge(baseCtx *APITestContext, dstPath string) func(t *tes t.Run("MergePR", doAPIMergePullRequest(ctx, baseCtx.Username, baseCtx.Reponame, pr.Index)) t.Run("PullProtected", doGitPull(dstPath, "origin", "protected")) - t.Run("ProtectProtectedBranchUnprotectedFilePaths", doProtectBranch(ctx, "protected", "", "unprotected-file-*")) + t.Run("ProtectProtectedBranchUnprotectedFilePaths", doProtectBranch(ctx, "protected", "", "", "unprotected-file-*")) t.Run("GenerateCommit", func(t *testing.T) { _, err := generateCommitWithNewData(littleSize, dstPath, "user2@example.com", "User Two", "unprotected-file-") assert.NoError(t, err) }) t.Run("PushUnprotectedFilesToProtectedBranch", doGitPushTestRepository(dstPath, "origin", "protected")) - t.Run("ProtectProtectedBranchWhitelist", doProtectBranch(ctx, "protected", baseCtx.Username, "")) + t.Run("ProtectProtectedBranchWhitelist", doProtectBranch(ctx, "protected", baseCtx.Username, "", "")) t.Run("CheckoutMaster", doGitCheckoutBranch(dstPath, "master")) t.Run("CreateBranchForced", doGitCreateBranch(dstPath, "toforce")) @@ -409,33 +459,37 @@ func doBranchProtectPRMerge(baseCtx *APITestContext, dstPath string) func(t *tes } } -func doProtectBranch(ctx APITestContext, branch, userToWhitelist, unprotectedFilePatterns string) func(t *testing.T) { +func doProtectBranch(ctx APITestContext, branch, userToWhitelistPush, userToWhitelistForcePush, unprotectedFilePatterns string) func(t *testing.T) { // We are going to just use the owner to set the protection. return func(t *testing.T) { csrf := GetCSRF(t, ctx.Session, fmt.Sprintf("/%s/%s/settings/branches", url.PathEscape(ctx.Username), url.PathEscape(ctx.Reponame))) - if userToWhitelist == "" { - // Change branch to protected - req := NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/settings/branches/edit", url.PathEscape(ctx.Username), url.PathEscape(ctx.Reponame)), map[string]string{ - "_csrf": csrf, - "rule_name": branch, - "unprotected_file_patterns": unprotectedFilePatterns, - }) - ctx.Session.MakeRequest(t, req, http.StatusSeeOther) - } else { - user, err := user_model.GetUserByName(db.DefaultContext, userToWhitelist) + formData := map[string]string{ + "_csrf": csrf, + "rule_name": branch, + "unprotected_file_patterns": unprotectedFilePatterns, + } + + if userToWhitelistPush != "" { + user, err := user_model.GetUserByName(db.DefaultContext, userToWhitelistPush) assert.NoError(t, err) - // Change branch to protected - req := NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/settings/branches/edit", url.PathEscape(ctx.Username), url.PathEscape(ctx.Reponame)), map[string]string{ - "_csrf": csrf, - "rule_name": branch, - "enable_push": "whitelist", - "enable_whitelist": "on", - "whitelist_users": strconv.FormatInt(user.ID, 10), - "unprotected_file_patterns": unprotectedFilePatterns, - }) - ctx.Session.MakeRequest(t, req, http.StatusSeeOther) + formData["whitelist_users"] = strconv.FormatInt(user.ID, 10) + formData["enable_push"] = "whitelist" + formData["enable_whitelist"] = "on" } + + if userToWhitelistForcePush != "" { + user, err := user_model.GetUserByName(db.DefaultContext, userToWhitelistForcePush) + assert.NoError(t, err) + formData["force_push_allowlist_users"] = strconv.FormatInt(user.ID, 10) + formData["enable_force_push"] = "whitelist" + formData["enable_force_push_allowlist"] = "on" + } + + // Send the request to update branch protection settings + req := NewRequestWithValues(t, "POST", fmt.Sprintf("/%s/%s/settings/branches/edit", url.PathEscape(ctx.Username), url.PathEscape(ctx.Reponame)), formData) + ctx.Session.MakeRequest(t, req, http.StatusSeeOther) + // Check if master branch has been locked successfully flashCookie := ctx.Session.GetCookie(gitea_context.CookieNameFlash) assert.NotNil(t, flashCookie) |