Projects and groups badges API

app/models/badge.rb

+class Badge < ActiveRecord::Base
+  # This structure sets the placeholders that the urls
+  # can have. This hash also sets which action to ask when
+  # the placeholder is found.
+  PLACEHOLDERS = {
+    'project_path' => :full_path,
+    'project_id' => :id,
+    'default_branch' => :default_branch,
+    'commit_sha' => ->(project) { project.commit&.sha }
+  }.freeze
+
+  # This regex is built dynamically using the keys from the PLACEHOLDER struct.
+  # So, we can easily add new placeholder just by modifying the PLACEHOLDER hash.
+  # This regex will build the new PLACEHOLDER_REGEX with the new information
+  PLACEHOLDERS_REGEX = /(#{PLACEHOLDERS.keys.join('|')})/.freeze
+
+  default_scope { order_created_at_asc }
+
+  scope :order_created_at_asc, -> { reorder(created_at: :asc) }
+
+  validates :link_url, :image_url, url_placeholder: { protocols: %w(http https), placeholder_regex: PLACEHOLDERS_REGEX }
+  validates :type, presence: true
+
+  def rendered_link_url(project = nil)
+    build_rendered_url(link_url, project)
+  end
+
+  def rendered_image_url(project = nil)
+    build_rendered_url(image_url, project)
+  end
+
+  private
+
+  def build_rendered_url(url, project = nil)
+    return url unless valid? && project
+
+    Gitlab::StringPlaceholderReplacer.replace_string_placeholders(url, PLACEHOLDERS_REGEX) do |arg|
+      replace_placeholder_action(PLACEHOLDERS[arg], project)
+    end
+  end
+
+  # The action param represents the :symbol or Proc to call in order
+  # to retrieve the return value from the project.
+  # This method checks if it is a Proc and use the call method, and if it is
+  # a symbol just send the action
+  def replace_placeholder_action(action, project)
+    return unless project
+
+    action.is_a?(Proc) ? action.call(project) : project.public_send(action) # rubocop:disable GitlabSecurity/PublicSend
+  end
+end

app/models/badges/group_badge.rb

+class GroupBadge < Badge
+  belongs_to :group
+
+  validates :group, presence: true
+end

app/models/badges/project_badge.rb

+class ProjectBadge < Badge
+  belongs_to :project
+
+  validates :project, presence: true
+
+  def rendered_link_url(project = nil)
+    project ||= self.project
+    super
+  end
+
+  def rendered_image_url(project = nil)
+    project ||= self.project
+    super
+  end
+end

app/models/group.rb

@@ -31,6 +31,8 @@ class Group < Namespace
 
   has_many :uploads, as: :model, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
 
+  has_many :badges, class_name: 'GroupBadge'
+
   accepts_nested_attributes_for :variables, allow_destroy: true
 
   validate :visibility_level_allowed_by_projects

app/models/project.rb

@@ -221,6 +221,8 @@ class Project < ActiveRecord::Base
   has_one :auto_devops, class_name: 'ProjectAutoDevops'
   has_many :custom_attributes, class_name: 'ProjectCustomAttribute'
 
+  has_many :project_badges, class_name: 'ProjectBadge'
+
   accepts_nested_attributes_for :variables, allow_destroy: true
   accepts_nested_attributes_for :project_feature, update_only: true
   accepts_nested_attributes_for :import_data
@@ -1766,6 +1768,17 @@ class Project < ActiveRecord::Base
       .set(import_jid, StuckImportJobsWorker::IMPORT_JOBS_EXPIRATION)
   end
 
+  def badges
+    return project_badges unless group
+
+    group_badges_rel = GroupBadge.where(group: group.self_and_ancestors)
+
+    union = Gitlab::SQL::Union.new([project_badges.select(:id),
+                                    group_badges_rel.select(:id)])
+
+    Badge.where("id IN (#{union.to_sql})") # rubocop:disable GitlabSecurity/SqlInjection
+  end
+
   private
 
   def storage

app/services/badges/base_service.rb

+module Badges
+  class BaseService
+    protected
+
+    attr_accessor :params
+
+    def initialize(params = {})
+      @params = params.dup
+    end
+  end
+end

app/services/badges/build_service.rb

+module Badges
+  class BuildService < Badges::BaseService
+    # returns the created badge
+    def execute(source)
+      if source.is_a?(Group)
+        GroupBadge.new(params.merge(group: source))
+      else
+        ProjectBadge.new(params.merge(project: source))
+      end
+    end
+  end
+end

app/services/badges/create_service.rb

+module Badges
+  class CreateService < Badges::BaseService
+    # returns the created badge
+    def execute(source)
+      badge = Badges::BuildService.new(params).execute(source)
+
+      badge.tap { |b| b.save }
+    end
+  end
+end

app/services/badges/update_service.rb

+module Badges
+  class UpdateService < Badges::BaseService
+    # returns the updated badge
+    def execute(badge)
+      if params.present?
+        badge.update_attributes(params)
+      end
+
+      badge
+    end
+  end
+end

app/validators/url_placeholder_validator.rb

+# UrlValidator
+#
+# Custom validator for URLs.
+#
+# By default, only URLs for the HTTP(S) protocols will be considered valid.
+# Provide a `:protocols` option to configure accepted protocols.
+#
+# Also, this validator can help you validate urls with placeholders inside.
+# Usually, if you have a url like 'http://www.example.com/%{project_path}' the
+# URI parser will reject that URL format. Provide a `:placeholder_regex` option
+# to configure accepted placeholders.
+#
+# Example:
+#
+#   class User < ActiveRecord::Base
+#     validates :personal_url, url: true
+#
+#     validates :ftp_url, url: { protocols: %w(ftp) }
+#
+#     validates :git_url, url: { protocols: %w(http https ssh git) }
+#
+#     validates :placeholder_url, url: { placeholder_regex: /(project_path|project_id|default_branch)/ }
+#   end
+#
+class UrlPlaceholderValidator < UrlValidator
+  def validate_each(record, attribute, value)
+    placeholder_regex = self.options[:placeholder_regex]
+    value = value.gsub(/%{#{placeholder_regex}}/, 'foo') if placeholder_regex && value
+
+    super(record, attribute, value)
+  end
+end

app/views/projects/_home_panel.html.haml

@@ -23,6 +23,12 @@
             - deleted_message = s_('ForkedFromProjectPath|Forked from %{project_name} (deleted)')
             = deleted_message % { project_name: fork_source_name(@project) }
 
+    .project-badges
+      - @project.badges.each do |badge|
+        - badge_link_url = badge.rendered_link_url(@project)
+        %a{ href: badge_link_url, target: '_blank', rel: 'noopener noreferrer' }
+          %img{ src: badge.rendered_image_url(@project), alt: badge_link_url }
+
     .project-repo-buttons
       .count-buttons
         = render 'projects/buttons/star'

changelogs/unreleased/fj-41174-projects-groups-badges-api.yml

+---
+title: Implemented badge API endpoints
+merge_request: 17082
+author:
+type: added

config/application.rb

@@ -26,6 +26,7 @@ module Gitlab
     # This is a nice reference article on autoloading/eager loading:
     # http://blog.arkency.com/2014/11/dont-forget-about-eager-load-when-extending-autoload
     config.eager_load_paths.push(*%W[#{config.root}/lib
+                                     #{config.root}/app/models/badges
                                      #{config.root}/app/models/hooks
                                      #{config.root}/app/models/members
                                      #{config.root}/app/models/project_services

db/migrate/20180214093516_create_badges.rb

+class CreateBadges < ActiveRecord::Migration
+  DOWNTIME = false
+
+  def change
+    create_table :badges do |t|
+      t.string     :link_url, null: false
+      t.string     :image_url, null: false
+      t.references :project, index: true, foreign_key: { on_delete: :cascade }, null: true
+      t.integer    :group_id, index: true, null: true
+      t.string     :type, null: false
+
+      t.timestamps_with_timezone null: false
+    end
+
+    add_foreign_key :badges, :namespaces, column: :group_id, on_delete: :cascade
+  end
+end

db/schema.rb

@@ -183,6 +183,19 @@ ActiveRecord::Schema.define(version: 20180304204842) do
   add_index "award_emoji", ["awardable_type", "awardable_id"], name: "index_award_emoji_on_awardable_type_and_awardable_id", using: :btree
   add_index "award_emoji", ["user_id", "name"], name: "index_award_emoji_on_user_id_and_name", using: :btree
 
+  create_table "badges", force: :cascade do |t|
+    t.string "link_url", null: false
+    t.string "image_url", null: false
+    t.integer "project_id"
+    t.integer "group_id"
+    t.string "type", null: false
+    t.datetime_with_timezone "created_at", null: false
+    t.datetime_with_timezone "updated_at", null: false
+  end
+
+  add_index "badges", ["group_id"], name: "index_badges_on_group_id", using: :btree
+  add_index "badges", ["project_id"], name: "index_badges_on_project_id", using: :btree
+
   create_table "boards", force: :cascade do |t|
     t.integer "project_id", null: false
     t.datetime "created_at", null: false
@@ -1969,6 +1982,8 @@ ActiveRecord::Schema.define(version: 20180304204842) do
   add_index "web_hooks", ["project_id"], name: "index_web_hooks_on_project_id", using: :btree
   add_index "web_hooks", ["type"], name: "index_web_hooks_on_type", using: :btree
 
+  add_foreign_key "badges", "namespaces", column: "group_id", on_delete: :cascade
+  add_foreign_key "badges", "projects", on_delete: :cascade
   add_foreign_key "boards", "projects", name: "fk_f15266b5f9", on_delete: :cascade
   add_foreign_key "chat_teams", "namespaces", on_delete: :cascade
   add_foreign_key "ci_build_trace_section_names", "projects", on_delete: :cascade

doc/api/README.md

@@ -24,6 +24,7 @@ following locations:
 - [GitLab CI Config templates](templates/gitlab_ci_ymls.md)
 - [Groups](groups.md)
 - [Group Access Requests](access_requests.md)
+- [Group Badges](group_badges.md)
 - [Group Members](members.md)
 - [Issues](issues.md)
 - [Issue Boards](boards.md)
@@ -43,6 +44,7 @@ following locations:
 - [Pipeline Schedules](pipeline_schedules.md)
 - [Projects](projects.md) including setting Webhooks
 - [Project Access Requests](access_requests.md)
+- [Project Badges](project_badges.md)
 - [Project import/export](project_import_export.md)
 - [Project Members](members.md)
 - [Project Snippets](project_snippets.md)

doc/api/group_badges.md

+# Group badges API
+
+## Placeholder tokens
+
+Badges support placeholders that will be replaced in real time in both the link and image URL. The allowed placeholders are:
+
+- **%{project_path}**: will be replaced by the project path.
+- **%{project_id}**: will be replaced by the project id.
+- **%{default_branch}**: will be replaced by the project default branch.
+- **%{commit_sha}**: will be replaced by the last project's commit sha.
+
+Because these enpoints aren't inside a project's context, the information used to replace the placeholders will be
+from the first group's project by creation date. If the group hasn't got any project the original URL with the placeholders will be returned.
+
+## List all badges of a group
+
+Gets a list of a group's badges.
+
+```
+GET /groups/:id/badges
+```
+
+| Attribute | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `id`      | integer/string | yes | The ID or [URL-encoded path of the group](README.md#namespaced-path-encoding) owned by the authenticated user |
+
+```bash
+curl --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" https://gitlab.example.com/api/v4/groups/:id/badges
+```
+
+Example response:
+
+```json
+[
+  {
+    "id": 1,
+    "link_url": "http://example.com/ci_status.svg?project=%{project_path}&ref=%{default_branch}",
+    "image_url": "https://shields.io/my/badge",
+    "rendered_link_url": "http://example.com/ci_status.svg?project=example-org/example-project&ref=master",
+    "rendered_image_url": "https://shields.io/my/badge",
+    "kind": "group"
+  },
+  {
+    "id": 2,
+    "link_url": "http://example.com/ci_status.svg?project=%{project_path}&ref=%{default_branch}",
+    "image_url": "https://shields.io/my/badge",
+    "rendered_link_url": "http://example.com/ci_status.svg?project=example-org/example-project&ref=master",
+    "rendered_image_url": "https://shields.io/my/badge",
+    "kind": "group"
+  },
+]
+```
+
+## Get a badge of a group
+
+Gets a badge of a group.
+
+```
+GET /groups/:id/badges/:badge_id
+```
+
+| Attribute | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `id`      | integer/string | yes | The ID or [URL-encoded path of the group](README.md#namespaced-path-encoding) owned by the authenticated user |
+| `badge_id` | integer | yes   | The badge ID |
+
+```bash
+curl --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" https://gitlab.example.com/api/v4/groups/:id/badges/:badge_id
+```
+
+Example response:
+
+```json
+{
+  "id": 1,
+  "link_url": "http://example.com/ci_status.svg?project=%{project_path}&ref=%{default_branch}",
+  "image_url": "https://shields.io/my/badge",
+  "rendered_link_url": "http://example.com/ci_status.svg?project=example-org/example-project&ref=master",
+  "rendered_image_url": "https://shields.io/my/badge",
+  "kind": "group"
+}
+```
+
+## Add a badge to a group
+
+Adds a badge to a group.
+
+```
+POST /groups/:id/badges
+```
+
+| Attribute | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `id`      | integer/string | yes | The ID or [URL-encoded path of the group](README.md#namespaced-path-encoding) owned by the authenticated user |
+| `link_url` | string         | yes | URL of the badge link |
+| `image_url` | string | yes | URL of the badge image |
+
+```bash
+curl --request POST --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" --data "link_url=https://gitlab.com/gitlab-org/gitlab-ce/commits/master&image_url=https://shields.io/my/badge1&position=0" https://gitlab.example.com/api/v4/groups/:id/badges
+```
+
+Example response:
+
+```json
+{
+  "id": 1,
+  "link_url": "https://gitlab.com/gitlab-org/gitlab-ce/commits/master",
+  "image_url": "https://shields.io/my/badge1",
+  "rendered_link_url": "https://gitlab.com/gitlab-org/gitlab-ce/commits/master",
+  "rendered_image_url": "https://shields.io/my/badge1",
+  "kind": "group"
+}
+```
+
+## Edit a badge of a group
+
+Updates a badge of a group.
+
+```
+PUT /groups/:id/badges/:badge_id
+```
+
+| Attribute | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `id`      | integer/string | yes | The ID or [URL-encoded path of the group](README.md#namespaced-path-encoding) owned by the authenticated user |
+| `badge_id` | integer | yes   | The badge ID |
+| `link_url` | string         | no | URL of the badge link |
+| `image_url` | string | no | URL of the badge image |
+
+```bash
+curl --request PUT --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" https://gitlab.example.com/api/v4/groups/:id/badges/:badge_id
+```
+
+Example response:
+
+```json
+{
+  "id": 1,
+  "link_url": "https://gitlab.com/gitlab-org/gitlab-ce/commits/master",
+  "image_url": "https://shields.io/my/badge",
+  "rendered_link_url": "https://gitlab.com/gitlab-org/gitlab-ce/commits/master",
+  "rendered_image_url": "https://shields.io/my/badge",
+  "kind": "group"
+}
+```
+
+## Remove a badge from a group
+
+Removes a badge from a group.
+
+```
+DELETE /groups/:id/badges/:badge_id
+```
+
+| Attribute | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `id`      | integer/string | yes | The ID or [URL-encoded path of the group](README.md#namespaced-path-encoding) owned by the authenticated user |
+| `badge_id` | integer | yes   | The badge ID |
+
+```bash
+curl --request DELETE --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" https://gitlab.example.com/api/v4/groups/:id/badges/:badge_id
+```
+
+## Preview a badge from a group
+
+Returns how the `link_url` and `image_url` final URLs would be after resolving the placeholder interpolation.
+
+```
+GET /groups/:id/badges/render
+```
+
+| Attribute | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `id`      | integer/string | yes | The ID or [URL-encoded path of the group](README.md#namespaced-path-encoding) owned by the authenticated user |
+| `link_url` | string         | yes | URL of the badge link|
+| `image_url` | string | yes | URL of the badge image |
+
+```bash
+curl --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" https://gitlab.example.com/api/v4/groups/:id/badges/render?link_url=http%3A%2F%2Fexample.com%2Fci_status.svg%3Fproject%3D%25%7Bproject_path%7D%26ref%3D%25%7Bdefault_branch%7D&image_url=https%3A%2F%2Fshields.io%2Fmy%2Fbadge
+```
+
+Example response:
+
+```json
+{  
+  "link_url": "http://example.com/ci_status.svg?project=%{project_path}&ref=%{default_branch}",
+  "image_url": "https://shields.io/my/badge",
+  "rendered_link_url": "http://example.com/ci_status.svg?project=example-org/example-project&ref=master",
+  "rendered_image_url": "https://shields.io/my/badge",
+}
+```

doc/api/groups.md

@@ -525,3 +525,7 @@ And to switch pages add:
 ```
 
 [ce-15142]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/15142
+
+## Group badges
+
+Read more in the [Group Badges](group_badges.md) documentation.

doc/api/project_badges.md

+# Project badges API
+
+## Placeholder tokens
+
+Badges support placeholders that will be replaced in real time in both the link and image URL. The allowed placeholders are:
+
+- **%{project_path}**: will be replaced by the project path.
+- **%{project_id}**: will be replaced by the project id.
+- **%{default_branch}**: will be replaced by the project default branch.
+- **%{commit_sha}**: will be replaced by the last project's commit sha.
+
+## List all badges of a project
+
+Gets a list of a project's badges and its group badges.
+
+```
+GET /projects/:id/badges
+```
+
+| Attribute | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `id`      | integer/string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) owned by the authenticated user |
+
+```bash
+curl --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" https://gitlab.example.com/api/v4/projects/:id/badges
+```
+
+Example response:
+
+```json
+[
+  {
+    "id": 1,
+    "link_url": "http://example.com/ci_status.svg?project=%{project_path}&ref=%{default_branch}",
+    "image_url": "https://shields.io/my/badge",
+    "rendered_link_url": "http://example.com/ci_status.svg?project=example-org/example-project&ref=master",
+    "rendered_image_url": "https://shields.io/my/badge",
+    "kind": "project"
+  },
+  {
+    "id": 2,
+    "link_url": "http://example.com/ci_status.svg?project=%{project_path}&ref=%{default_branch}",
+    "image_url": "https://shields.io/my/badge",
+    "rendered_link_url": "http://example.com/ci_status.svg?project=example-org/example-project&ref=master",
+    "rendered_image_url": "https://shields.io/my/badge",
+    "kind": "group"
+  },
+]
+```
+
+## Get a badge of a project
+
+Gets a badge of a project.
+
+```
+GET /projects/:id/badges/:badge_id
+```
+
+| Attribute | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `id`      | integer/string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) owned by the authenticated user |
+| `badge_id` | integer | yes   | The badge ID |
+
+```bash
+curl --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" https://gitlab.example.com/api/v4/projects/:id/badges/:badge_id
+```
+
+Example response:
+
+```json
+{
+  "id": 1,
+  "link_url": "http://example.com/ci_status.svg?project=%{project_path}&ref=%{default_branch}",
+  "image_url": "https://shields.io/my/badge",
+  "rendered_link_url": "http://example.com/ci_status.svg?project=example-org/example-project&ref=master",
+  "rendered_image_url": "https://shields.io/my/badge",
+  "kind": "project"
+}
+```
+
+## Add a badge to a project
+
+Adds a badge to a project.
+
+```
+POST /projects/:id/badges
+```
+
+| Attribute | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `id`      | integer/string | yes | The ID or [URL-encoded path of the project ](README.md#namespaced-path-encoding) owned by the authenticated user |
+| `link_url` | string         | yes | URL of the badge link |
+| `image_url` | string | yes | URL of the badge image |
+
+```bash
+curl --request POST --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" --data "link_url=https://gitlab.com/gitlab-org/gitlab-ce/commits/master&image_url=https://shields.io/my/badge1&position=0" https://gitlab.example.com/api/v4/projects/:id/badges
+```
+
+Example response:
+
+```json
+{
+  "id": 1,
+  "link_url": "https://gitlab.com/gitlab-org/gitlab-ce/commits/master",
+  "image_url": "https://shields.io/my/badge1",
+  "rendered_link_url": "https://gitlab.com/gitlab-org/gitlab-ce/commits/master",
+  "rendered_image_url": "https://shields.io/my/badge1",
+  "kind": "project"
+}
+```
+
+## Edit a badge of a project
+
+Updates a badge of a project.
+
+```
+PUT /projects/:id/badges/:badge_id
+```
+
+| Attribute | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `id`      | integer/string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) owned by the authenticated user |
+| `badge_id` | integer | yes   | The badge ID |
+| `link_url` | string         | no | URL of the badge link |
+| `image_url` | string | no | URL of the badge image |
+
+```bash
+curl --request PUT --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" https://gitlab.example.com/api/v4/projects/:id/badges/:badge_id
+```
+
+Example response:
+
+```json
+{
+  "id": 1,
+  "link_url": "https://gitlab.com/gitlab-org/gitlab-ce/commits/master",
+  "image_url": "https://shields.io/my/badge",
+  "rendered_link_url": "https://gitlab.com/gitlab-org/gitlab-ce/commits/master",
+  "rendered_image_url": "https://shields.io/my/badge",
+  "kind": "project"
+}
+```
+
+## Remove a badge from a project
+
+Removes a badge from a project. Only project's badges will be removed by using this endpoint.
+
+```
+DELETE /projects/:id/badges/:badge_id
+```
+
+| Attribute | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `id`      | integer/string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) owned by the authenticated user |
+| `badge_id` | integer | yes   | The badge ID |
+
+```bash
+curl --request DELETE --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" https://gitlab.example.com/api/v4/projects/:id/badges/:badge_id
+```
+
+## Preview a badge from a project
+
+Returns how the `link_url` and `image_url` final URLs would be after resolving the placeholder interpolation.
+
+```
+GET /projects/:id/badges/render
+```
+
+| Attribute | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `id`      | integer/string | yes | The ID or [URL-encoded path of the project](README.md#namespaced-path-encoding) owned by the authenticated user |
+| `link_url` | string         | yes | URL of the badge link|
+| `image_url` | string | yes | URL of the badge image |
+
+```bash
+curl --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" https://gitlab.example.com/api/v4/projects/:id/badges/render?link_url=http%3A%2F%2Fexample.com%2Fci_status.svg%3Fproject%3D%25%7Bproject_path%7D%26ref%3D%25%7Bdefault_branch%7D&image_url=https%3A%2F%2Fshields.io%2Fmy%2Fbadge
+```
+
+Example response:
+
+```json
+{  
+  "link_url": "http://example.com/ci_status.svg?project=%{project_path}&ref=%{default_branch}",
+  "image_url": "https://shields.io/my/badge",
+  "rendered_link_url": "http://example.com/ci_status.svg?project=example-org/example-project&ref=master",
+  "rendered_image_url": "https://shields.io/my/badge",
+}
+```

doc/api/projects.md

@@ -1340,3 +1340,7 @@ Read more in the [Project import/export](project_import_export.md) documentation
 ## Project members
 
 Read more in the [Project members](members.md) documentation.
+
+## Project badges
+
+Read more in the [Project Badges](project_badges.md) documentation.

lib/api/api.rb

@@ -108,6 +108,7 @@ module API
     mount ::API::AccessRequests
     mount ::API::Applications
     mount ::API::AwardEmoji
+    mount ::API::Badges
     mount ::API::Boards
     mount ::API::Branches
     mount ::API::BroadcastMessages

lib/api/badges.rb

+module API
+  class Badges < Grape::API
+    include PaginationParams
+
+    before { authenticate_non_get! }
+
+    helpers ::API::Helpers::BadgesHelpers
+
+    helpers do
+      def find_source_if_admin(source_type)
+        source = find_source(source_type, params[:id])
+
+        authorize_admin_source!(source_type, source)
+
+        source
+      end
+    end
+
+    %w[group project].each do |source_type|
+      params do
+        requires :id, type: String, desc: "The ID of a #{source_type}"
+      end
+      resource source_type.pluralize, requirements: API::PROJECT_ENDPOINT_REQUIREMENTS do
+        desc "Gets a list of #{source_type} badges viewable by the authenticated user." do
+          detail 'This feature was introduced in GitLab 10.6.'
+          success Entities::Badge
+        end
+        params do
+          use :pagination
+        end
+        get ":id/badges" do
+          source = find_source(source_type, params[:id])
+
+          present_badges(source, paginate(source.badges))
+        end
+
+        desc "Preview a badge from a #{source_type}." do
+          detail 'This feature was introduced in GitLab 10.6.'
+          success Entities::BasicBadgeDetails
+        end
+        params do
+          requires :link_url, type: String, desc: 'URL of the badge link'
+          requires :image_url, type: String, desc: 'URL of the badge image'
+        end
+        get ":id/badges/render" do
+          authenticate!
+
+          source = find_source_if_admin(source_type)
+
+          badge = ::Badges::BuildService.new(declared_params(include_missing: false))
+                                        .execute(source)
+
+          if badge.valid?
+            present_badges(source, badge, with: Entities::BasicBadgeDetails)
+          else
+            render_validation_error!(badge)
+          end
+        end
+
+        desc "Gets a badge of a #{source_type}." do
+          detail 'This feature was introduced in GitLab 10.6.'
+          success Entities::Badge
+        end
+        params do
+          requires :badge_id, type: Integer, desc: 'The badge ID'
+        end
+        get ":id/badges/:badge_id" do
+          source = find_source(source_type, params[:id])
+          badge = find_badge(source)
+
+          present_badges(source, badge)
+        end
+
+        desc "Adds a badge to a #{source_type}." do
+          detail 'This feature was introduced in GitLab 10.6.'
+          success Entities::Badge
+        end
+        params do
+          requires :link_url, type: String, desc: 'URL of the badge link'
+          requires :image_url, type: String, desc: 'URL of the badge image'
+        end
+        post ":id/badges" do
+          source = find_source_if_admin(source_type)
+
+          badge = ::Badges::CreateService.new(declared_params(include_missing: false)).execute(source)
+
+          if badge.persisted?
+            present_badges(source, badge)
+          else
+            render_validation_error!(badge)
+          end
+        end
+
+        desc "Updates a badge of a #{source_type}." do
+          detail 'This feature was introduced in GitLab 10.6.'
+          success Entities::Badge
+        end
+        params do
+          optional :link_url, type: String, desc: 'URL of the badge link'
+          optional :image_url, type: String, desc: 'URL of the badge image'
+        end
+        put ":id/badges/:badge_id" do
+          source = find_source_if_admin(source_type)
+
+          badge = ::Badges::UpdateService.new(declared_params(include_missing: false))
+                                         .execute(find_badge(source))
+
+          if badge.valid?
+            present_badges(source, badge)
+          else
+            render_validation_error!(badge)
+          end
+        end
+
+        desc 'Removes a badge from a project or group.' do
+          detail 'This feature was introduced in GitLab 10.6.'
+        end
+        params do
+          requires :badge_id, type: Integer, desc: 'The badge ID'
+        end
+        delete ":id/badges/:badge_id" do
+          source = find_source_if_admin(source_type)
+          badge = find_badge(source)
+
+          if badge.is_a?(GroupBadge) && source.is_a?(Project)
+            error!('To delete a Group badge please use the Group endpoint', 403)
+          end
+
+          destroy_conditionally!(badge)
+        end
+      end
+    end
+  end
+end

lib/api/entities.rb

@@ -1235,5 +1235,23 @@ module API
       expose :startline
       expose :project_id
     end
+
+    class BasicBadgeDetails < Grape::Entity
+      expose :link_url
+      expose :image_url
+      expose :rendered_link_url do |badge, options|
+        badge.rendered_link_url(options.fetch(:project, nil))
+      end
+      expose :rendered_image_url do |badge, options|
+        badge.rendered_image_url(options.fetch(:project, nil))
+      end
+    end
+
+    class Badge < BasicBadgeDetails
+      expose :id
+      expose :kind do |badge|
+        badge.type == 'ProjectBadge' ? 'project' : 'group'
+      end
+    end
   end
 end

lib/api/helpers/badges_helpers.rb

+module API
+  module Helpers
+    module BadgesHelpers
+      include ::API::Helpers::MembersHelpers
+
+      def find_badge(source)
+        source.badges.find(params[:badge_id])
+      end
+
+      def present_badges(source, records, options = {})
+        entity_type = options[:with] || Entities::Badge
+        badge_params = badge_source_params(source).merge(with: entity_type)
+
+        present records, badge_params
+      end
+
+      def badge_source_params(source)
+        project = if source.is_a?(Project)
+                    source
+                  else
+                    GroupProjectsFinder.new(group: source, current_user: current_user).execute.first
+                  end
+
+        { project: project }
+      end
+    end
+  end
+end

lib/gitlab/import_export/import_export.yml

@@ -65,6 +65,7 @@ project_tree:
     - :create_access_levels
   - :project_feature
   - :custom_attributes
+  - :project_badges
 
 # Only include the following attributes for the models specified.
 included_attributes:
@@ -125,6 +126,8 @@ excluded_attributes:
     - :when
   push_event_payload:
     - :event_id
+  project_badges:
+    - :group_id
 
 methods:
   labels:
@@ -147,3 +150,5 @@ methods:
     - :action
   push_event_payload:
     - :action
+  project_badges:
+    - :type

lib/gitlab/import_export/relation_factory.rb

@@ -16,7 +16,8 @@ module Gitlab
                     priorities: :label_priorities,
                     auto_devops: :project_auto_devops,
                     label: :project_label,
-                    custom_attributes: 'ProjectCustomAttribute' }.freeze
+                    custom_attributes: 'ProjectCustomAttribute',
+                    project_badges: 'Badge' }.freeze
 
       USER_REFERENCES = %w[author_id assignee_id updated_by_id user_id created_by_id last_edited_by_id merge_user_id resolved_by_id].freeze
 

lib/gitlab/string_placeholder_replacer.rb

+module Gitlab
+  class StringPlaceholderReplacer
+    # This method accepts the following paras
+    # - string: the string to be analyzed
+    # - placeholder_regex: i.e. /%{project_path|project_id|default_branch|commit_sha}/
+    # - block: this block will be called with each placeholder found in the string using
+    # the placeholder regex. If the result of the block is nil, the original
+    # placeholder will be returned.
+
+    def self.replace_string_placeholders(string, placeholder_regex = nil, &block)
+      return string if string.blank? || placeholder_regex.blank? || !block_given?
+
+      replace_placeholders(string, placeholder_regex, &block)
+    end
+
+    class << self
+      private
+
+      # If the result of the block is nil, then the placeholder is returned
+      def replace_placeholders(string, placeholder_regex, &block)
+        string.gsub(/%{(#{placeholder_regex})}/) do |arg|
+          yield($~[1]) || arg
+        end
+      end
+    end
+  end
+end

spec/factories/badge.rb

+FactoryBot.define do
+  trait :base_badge do
+    link_url { generate(:url) }
+    image_url { generate(:url) }
+  end
+
+  factory :project_badge, traits: [:base_badge], class: ProjectBadge do
+    project
+  end
+
+  factory :group_badge, aliases: [:badge], traits: [:base_badge], class: GroupBadge do
+    group
+  end
+end

spec/lib/gitlab/import_export/all_models.yml

@@ -277,6 +277,7 @@ project:
 - fork_network
 - custom_attributes
 - lfs_file_locks
+- project_badges
 award_emoji:
 - awardable
 - user
@@ -293,3 +294,5 @@ issue_assignees:
 - assignee
 lfs_file_locks:
 - user
+project_badges:
+- project

spec/lib/gitlab/import_export/project_tree_restorer_spec.rb

@@ -129,6 +129,10 @@ describe Gitlab::ImportExport::ProjectTreeRestorer do
         expect(@project.custom_attributes.count).to eq(2)
       end
 
+      it 'has badges' do
+        expect(@project.project_badges.count).to eq(2)
+      end
+
       it 'restores the correct service' do
         expect(CustomIssueTrackerService.first).not_to be_nil
       end

spec/lib/gitlab/import_export/project_tree_saver_spec.rb

@@ -180,6 +180,10 @@ describe Gitlab::ImportExport::ProjectTreeSaver do
         expect(saved_project_json['custom_attributes'].count).to eq(2)
       end
 
+      it 'has badges' do
+        expect(saved_project_json['project_badges'].count).to eq(2)
+      end
+
       it 'does not complain about non UTF-8 characters in MR diff files' do
         ActiveRecord::Base.connection.execute("UPDATE merge_request_diff_files SET diff = '---\n- :diff: !binary |-\n    LS0tIC9kZXYvbnVsbAorKysgYi9pbWFnZXMvbnVjb3IucGRmCkBAIC0wLDAg\n    KzEsMTY3OSBAQAorJVBERi0xLjUNJeLjz9MNCisxIDAgb2JqDTw8L01ldGFk\n    YXR'")
 
@@ -288,6 +292,9 @@ describe Gitlab::ImportExport::ProjectTreeSaver do
     create(:project_custom_attribute, project: project)
     create(:project_custom_attribute, project: project)
 
+    create(:project_badge, project: project)
+    create(:project_badge, project: project)
+
     project
   end
 

spec/lib/gitlab/import_export/safe_model_attributes.yml

@@ -536,3 +536,12 @@ LfsFileLock:
 - user_id
 - project_id
 - created_at
+Badge:
+- id
+- link_url
+- image_url
+- project_id
+- group_id
+- created_at
+- updated_at
+- type

spec/lib/gitlab/string_placeholder_replacer_spec.rb

+require 'spec_helper'
+
+describe Gitlab::StringPlaceholderReplacer do
+  describe '.render_url' do
+    it 'returns the nil if the string is blank' do
+      expect(described_class.replace_string_placeholders(nil, /whatever/)).to be_blank
+    end
+
+    it 'returns the string if the placeholder regex' do
+      expect(described_class.replace_string_placeholders('whatever')).to eq 'whatever'
+    end
+
+    it 'returns the string if no block given' do
+      expect(described_class.replace_string_placeholders('whatever', /whatever/)).to eq 'whatever'
+    end
+
+    context 'when all params are valid' do
+      let(:string) { '%{path}/%{id}/%{branch}' }
+      let(:regex) { /(path|id)/ }
+
+      it 'replaces each placeholders with the block result' do
+        result = described_class.replace_string_placeholders(string, regex) do |arg|
+          'WHATEVER'
+        end
+
+        expect(result).to eq 'WHATEVER/WHATEVER/%{branch}'
+      end
+
+      it 'does not replace the placeholder if the block result is nil' do
+        result = described_class.replace_string_placeholders(string, regex) do |arg|
+          arg == 'path' ? nil : 'WHATEVER'
+        end
+
+        expect(result).to eq '%{path}/WHATEVER/%{branch}'
+      end
+    end
+  end
+end

spec/models/badge_spec.rb

+require 'spec_helper'
+
+describe Badge do
+  let(:placeholder_url) { 'http://www.example.com/%{project_path}/%{project_id}/%{default_branch}/%{commit_sha}' }
+
+  describe 'validations' do
+    # Requires the let variable url_sym
+    shared_examples 'placeholder url' do
+      let(:badge) { build(:badge) }
+
+      it 'allows url with http protocol' do
+        badge[url_sym] = 'http://www.example.com'
+
+        expect(badge).to be_valid
+      end
+
+      it 'allows url with https protocol' do
+        badge[url_sym] = 'https://www.example.com'
+
+        expect(badge).to be_valid
+      end
+
+      it 'cannot be empty' do
+        badge[url_sym] = ''
+
+        expect(badge).not_to be_valid
+      end
+
+      it 'cannot be nil' do
+        badge[url_sym] = nil
+
+        expect(badge).not_to be_valid
+      end
+
+      it 'accept badges placeholders' do
+        badge[url_sym] = placeholder_url
+
+        expect(badge).to be_valid
+      end
+
+      it 'sanitize url' do
+        badge[url_sym] = 'javascript:alert(1)'
+
+        expect(badge).not_to be_valid
+      end
+    end
+
+    context 'link_url format' do
+      let(:url_sym) { :link_url }
+
+      it_behaves_like 'placeholder url'
+    end
+
+    context 'image_url format' do
+      let(:url_sym) { :image_url }
+
+      it_behaves_like 'placeholder url'
+    end
+  end
+
+  shared_examples 'rendered_links' do
+    it 'should use the project information to populate the url placeholders' do
+      stub_project_commit_info(project)
+
+      expect(badge.public_send("rendered_#{method}", project)).to eq "http://www.example.com/#{project.full_path}/#{project.id}/master/whatever"
+    end
+
+    it 'returns the url if the project used is nil' do
+      expect(badge.public_send("rendered_#{method}", nil)).to eq placeholder_url
+    end
+
+    def stub_project_commit_info(project)
+      allow(project).to receive(:commit).and_return(double('Commit', sha: 'whatever'))
+      allow(project).to receive(:default_branch).and_return('master')
+    end
+  end
+
+  context 'methods' do
+    let(:badge) { build(:badge, link_url: placeholder_url, image_url: placeholder_url) }
+    let!(:project) { create(:project) }
+
+    context '#rendered_link_url' do
+      let(:method) { :link_url }
+
+      it_behaves_like 'rendered_links'
+    end
+
+    context '#rendered_image_url' do
+      let(:method) { :image_url }
+
+      it_behaves_like 'rendered_links'
+    end
+  end
+end

spec/models/badges/group_badge_spec.rb

+require 'spec_helper'
+
+describe GroupBadge do
+  describe 'associations' do
+    it { is_expected.to belong_to(:group) }
+  end
+
+  describe 'validations' do
+    it { is_expected.to validate_presence_of(:group) }
+  end
+end

spec/models/badges/project_badge_spec.rb

+require 'spec_helper'
+
+describe ProjectBadge do
+  let(:placeholder_url) { 'http://www.example.com/%{project_path}/%{project_id}/%{default_branch}/%{commit_sha}' }
+
+  describe 'associations' do
+    it { is_expected.to belong_to(:project) }
+  end
+
+  describe 'validations' do
+    it { is_expected.to validate_presence_of(:project) }
+  end
+
+  shared_examples 'rendered_links' do
+    it 'should use the badge project information to populate the url placeholders' do
+      stub_project_commit_info(project)
+
+      expect(badge.public_send("rendered_#{method}")).to eq "http://www.example.com/#{project.full_path}/#{project.id}/master/whatever"
+    end
+
+    def stub_project_commit_info(project)
+      allow(project).to receive(:commit).and_return(double('Commit', sha: 'whatever'))
+      allow(project).to receive(:default_branch).and_return('master')
+    end
+  end
+
+  context 'methods' do
+    let(:badge) { build(:project_badge, link_url: placeholder_url, image_url: placeholder_url) }
+    let!(:project) { badge.project }
+
+    context '#rendered_link_url' do
+      let(:method) { :link_url }
+
+      it_behaves_like 'rendered_links'
+    end
+
+    context '#rendered_image_url' do
+      let(:method) { :image_url }
+
+      it_behaves_like 'rendered_links'
+    end
+  end
+end

spec/models/group_spec.rb

@@ -18,6 +18,7 @@ describe Group do
     it { is_expected.to have_many(:uploads).dependent(:destroy) }
     it { is_expected.to have_one(:chat_team) }
     it { is_expected.to have_many(:custom_attributes).class_name('GroupCustomAttribute') }
+    it { is_expected.to have_many(:badges).class_name('GroupBadge') }
 
     describe '#members & #requesters' do
       let(:requester) { create(:user) }

spec/models/project_spec.rb

@@ -80,6 +80,7 @@ describe Project do
     it { is_expected.to have_many(:members_and_requesters) }
     it { is_expected.to have_many(:clusters) }
     it { is_expected.to have_many(:custom_attributes).class_name('ProjectCustomAttribute') }
+    it { is_expected.to have_many(:project_badges).class_name('ProjectBadge') }
     it { is_expected.to have_many(:lfs_file_locks) }
 
     context 'after initialized' do
@@ -3331,4 +3332,36 @@ describe Project do
       end.not_to raise_error # Sidekiq::Worker::EnqueueFromTransactionError
     end
   end
+
+  describe '#badges' do
+    let(:project_group) { create(:group) }
+    let(:project) {  create(:project, path: 'avatar', namespace: project_group) }
+
+    before do
+      create_list(:project_badge, 2, project: project)
+      create(:group_badge, group: project_group)
+    end
+
+    it 'returns the project and the project group badges' do
+      create(:group_badge, group: create(:group))
+
+      expect(Badge.count).to eq 4
+      expect(project.badges.count).to eq 3
+    end
+
+    if Group.supports_nested_groups?
+      context 'with nested_groups' do
+        let(:parent_group) { create(:group) }
+
+        before do
+          create_list(:group_badge, 2, group: project_group)
+          project_group.update(parent: parent_group)
+        end
+
+        it 'returns the project and the project nested groups badges' do
+          expect(project.badges.count).to eq 5
+        end
+      end
+    end
+  end
 end

spec/requests/api/badges_spec.rb

+require 'spec_helper'
+
+describe API::Badges do
+  let(:master) { create(:user, username: 'master_user') }
+  let(:developer) { create(:user) }
+  let(:access_requester) { create(:user) }
+  let(:stranger) { create(:user) }
+  let(:project_group) { create(:group) }
+  let(:project) { setup_project }
+  let!(:group) { setup_group }
+
+  shared_context 'source helpers' do
+    def get_source(source_type)
+      source_type == 'project' ? project : group
+    end
+  end
+
+  shared_examples 'GET /:sources/:id/badges' do |source_type|
+    include_context 'source helpers'
+
+    let(:source) { get_source(source_type) }
+
+    context "with :sources == #{source_type.pluralize}" do
+      it_behaves_like 'a 404 response when source is private' do
+        let(:route) { get api("/#{source_type.pluralize}/#{source.id}/badges", stranger) }
+      end
+
+      %i[master developer access_requester stranger].each do |type|
+        context "when authenticated as a #{type}" do
+          it 'returns 200' do
+            user = public_send(type)
+            badges_count = source_type == 'project' ? 3 : 2
+
+            get api("/#{source_type.pluralize}/#{source.id}/badges", user)
+
+            expect(response).to have_gitlab_http_status(200)
+            expect(response).to include_pagination_headers
+            expect(json_response).to be_an Array
+            expect(json_response.size).to eq(badges_count)
+          end
+        end
+      end
+
+      it 'avoids N+1 queries' do
+        # Establish baseline
+        get api("/#{source_type.pluralize}/#{source.id}/badges", master)
+
+        control = ActiveRecord::QueryRecorder.new do
+          get api("/#{source_type.pluralize}/#{source.id}/badges", master)
+        end
+
+        project.add_developer(create(:user))
+
+        expect do
+          get api("/#{source_type.pluralize}/#{source.id}/badges", master)
+        end.not_to exceed_query_limit(control)
+      end
+    end
+  end
+
+  shared_examples 'GET /:sources/:id/badges/:badge_id' do |source_type|
+    include_context 'source helpers'
+
+    let(:source) { get_source(source_type) }
+
+    context "with :sources == #{source_type.pluralize}" do
+      it_behaves_like 'a 404 response when source is private' do
+        let(:route) { get api("/#{source_type.pluralize}/#{source.id}/badges/#{developer.id}", stranger) }
+      end
+
+      context 'when authenticated as a non-member' do
+        %i[master developer access_requester stranger].each do |type|
+          let(:badge) { source.badges.first }
+
+          context "as a #{type}" do
+            it 'returns 200' do
+              user = public_send(type)
+
+              get api("/#{source_type.pluralize}/#{source.id}/badges/#{badge.id}", user)
+
+              expect(response).to have_gitlab_http_status(200)
+              expect(json_response['id']).to eq(badge.id)
+              expect(json_response['link_url']).to eq(badge.link_url)
+              expect(json_response['rendered_link_url']).to eq(badge.rendered_link_url)
+              expect(json_response['image_url']).to eq(badge.image_url)
+              expect(json_response['rendered_image_url']).to eq(badge.rendered_image_url)
+              expect(json_response['kind']).to eq source_type
+            end
+          end
+        end
+      end
+    end
+  end
+
+  shared_examples 'POST /:sources/:id/badges' do |source_type|
+    include_context 'source helpers'
+
+    let(:source) { get_source(source_type) }
+    let(:example_url) { 'http://www.example.com' }
+    let(:example_url2) { 'http://www.example1.com' }
+
+    context "with :sources == #{source_type.pluralize}" do
+      it_behaves_like 'a 404 response when source is private' do
+        let(:route) do
+          post api("/#{source_type.pluralize}/#{source.id}/badges", stranger),
+               link_url: example_url, image_url: example_url2
+        end
+      end
+
+      context 'when authenticated as a non-member or member with insufficient rights' do
+        %i[access_requester stranger developer].each do |type|
+          context "as a #{type}" do
+            it 'returns 403' do
+              user = public_send(type)
+
+              post api("/#{source_type.pluralize}/#{source.id}/badges", user),
+                   link_url: example_url, image_url: example_url2
+
+              expect(response).to have_gitlab_http_status(403)
+            end
+          end
+        end
+      end
+
+      context 'when authenticated as a master/owner' do
+        it 'creates a new badge' do
+          expect do
+            post api("/#{source_type.pluralize}/#{source.id}/badges", master),
+                link_url: example_url, image_url: example_url2
+
+            expect(response).to have_gitlab_http_status(201)
+          end.to change { source.badges.count }.by(1)
+
+          expect(json_response['link_url']).to eq(example_url)
+          expect(json_response['image_url']).to eq(example_url2)
+          expect(json_response['kind']).to eq source_type
+        end
+      end
+
+      it 'returns 400 when link_url is not given' do
+        post api("/#{source_type.pluralize}/#{source.id}/badges", master),
+             link_url: example_url
+
+        expect(response).to have_gitlab_http_status(400)
+      end
+
+      it 'returns 400 when image_url is not given' do
+        post api("/#{source_type.pluralize}/#{source.id}/badges", master),
+             image_url: example_url2
+
+        expect(response).to have_gitlab_http_status(400)
+      end
+
+      it 'returns 400 when link_url or image_url is not valid' do
+        post api("/#{source_type.pluralize}/#{source.id}/badges", master),
+             link_url: 'whatever', image_url: 'whatever'
+
+        expect(response).to have_gitlab_http_status(400)
+      end
+    end
+  end
+
+  shared_examples 'PUT /:sources/:id/badges/:badge_id' do |source_type|
+    include_context 'source helpers'
+
+    let(:source) { get_source(source_type) }
+
+    context "with :sources == #{source_type.pluralize}" do
+      let(:badge) { source.badges.first }
+      let(:example_url) { 'http://www.example.com' }
+      let(:example_url2) { 'http://www.example1.com' }
+
+      it_behaves_like 'a 404 response when source is private' do
+        let(:route) do
+          put api("/#{source_type.pluralize}/#{source.id}/badges/#{badge.id}", stranger),
+              link_url: example_url
+        end
+      end
+
+      context 'when authenticated as a non-member or member with insufficient rights' do
+        %i[access_requester stranger developer].each do |type|
+          context "as a #{type}" do
+            it 'returns 403' do
+              user = public_send(type)
+
+              put api("/#{source_type.pluralize}/#{source.id}/badges/#{badge.id}", user),
+                  link_url: example_url
+
+              expect(response).to have_gitlab_http_status(403)
+            end
+          end
+        end
+      end
+
+      context 'when authenticated as a master/owner' do
+        it 'updates the member' do
+          put api("/#{source_type.pluralize}/#{source.id}/badges/#{badge.id}", master),
+              link_url: example_url, image_url: example_url2
+
+          expect(response).to have_gitlab_http_status(200)
+          expect(json_response['link_url']).to eq(example_url)
+          expect(json_response['image_url']).to eq(example_url2)
+          expect(json_response['kind']).to eq source_type
+        end
+      end
+
+      it 'returns 400 when link_url or image_url is not valid' do
+        put api("/#{source_type.pluralize}/#{source.id}/badges/#{badge.id}", master),
+            link_url: 'whatever', image_url: 'whatever'
+
+        expect(response).to have_gitlab_http_status(400)
+      end
+    end
+  end
+
+  shared_examples 'DELETE /:sources/:id/badges/:badge_id' do |source_type|
+    include_context 'source helpers'
+
+    let(:source) { get_source(source_type) }
+
+    context "with :sources == #{source_type.pluralize}" do
+      let(:badge) { source.badges.first }
+
+      it_behaves_like 'a 404 response when source is private' do
+        let(:route) { delete api("/#{source_type.pluralize}/#{source.id}/badges/#{badge.id}", stranger) }
+      end
+
+      context 'when authenticated as a non-member or member with insufficient rights' do
+        %i[access_requester developer stranger].each do |type|
+          context "as a #{type}" do
+            it 'returns 403' do
+              user = public_send(type)
+
+              delete api("/#{source_type.pluralize}/#{source.id}/badges/#{badge.id}", user)
+
+              expect(response).to have_gitlab_http_status(403)
+            end
+          end
+        end
+      end
+
+      context 'when authenticated as a master/owner' do
+        it 'deletes the badge' do
+          expect do
+            delete api("/#{source_type.pluralize}/#{source.id}/badges/#{badge.id}", master)
+
+            expect(response).to have_gitlab_http_status(204)
+          end.to change { source.badges.count }.by(-1)
+        end
+
+        it_behaves_like '412 response' do
+          let(:request) { api("/#{source_type.pluralize}/#{source.id}/badges/#{badge.id}", master) }
+        end
+      end
+
+      it 'returns 404 if badge does not exist' do
+        delete api("/#{source_type.pluralize}/#{source.id}/badges/123", master)
+
+        expect(response).to have_gitlab_http_status(404)
+      end
+    end
+  end
+
+  shared_examples 'GET /:sources/:id/badges/render' do |source_type|
+    include_context 'source helpers'
+
+    let(:source) { get_source(source_type) }
+    let(:example_url) { 'http://www.example.com' }
+    let(:example_url2) { 'http://www.example1.com' }
+
+    context "with :sources == #{source_type.pluralize}" do
+      it_behaves_like 'a 404 response when source is private' do
+        let(:route) do
+          get api("/#{source_type.pluralize}/#{source.id}/badges/render?link_url=#{example_url}&image_url=#{example_url2}", stranger)
+        end
+      end
+
+      context 'when authenticated as a non-member or member with insufficient rights' do
+        %i[access_requester stranger developer].each do |type|
+          context "as a #{type}" do
+            it 'returns 403' do
+              user = public_send(type)
+
+              get api("/#{source_type.pluralize}/#{source.id}/badges/render?link_url=#{example_url}&image_url=#{example_url2}", user)
+
+              expect(response).to have_gitlab_http_status(403)
+            end
+          end
+        end
+      end
+
+      context 'when authenticated as a master/owner' do
+        it 'gets the rendered badge values' do
+          get api("/#{source_type.pluralize}/#{source.id}/badges/render?link_url=#{example_url}&image_url=#{example_url2}", master)
+
+          expect(response).to have_gitlab_http_status(200)
+
+          expect(json_response.keys).to contain_exactly('link_url', 'rendered_link_url', 'image_url', 'rendered_image_url')
+          expect(json_response['link_url']).to eq(example_url)
+          expect(json_response['image_url']).to eq(example_url2)
+          expect(json_response['rendered_link_url']).to eq(example_url)
+          expect(json_response['rendered_image_url']).to eq(example_url2)
+        end
+      end
+
+      it 'returns 400 when link_url is not given' do
+        get api("/#{source_type.pluralize}/#{source.id}/badges/render?link_url=#{example_url}", master)
+
+        expect(response).to have_gitlab_http_status(400)
+      end
+
+      it 'returns 400 when image_url is not given' do
+        get api("/#{source_type.pluralize}/#{source.id}/badges/render?image_url=#{example_url}", master)
+
+        expect(response).to have_gitlab_http_status(400)
+      end
+
+      it 'returns 400 when link_url or image_url is not valid' do
+        get api("/#{source_type.pluralize}/#{source.id}/badges/render?link_url=whatever&image_url=whatever", master)
+
+        expect(response).to have_gitlab_http_status(400)
+      end
+    end
+  end
+
+  context 'when deleting a badge' do
+    context 'and the source is a project' do
+      it 'cannot delete badges owned by the project group' do
+        delete api("/projects/#{project.id}/badges/#{project_group.badges.first.id}", master)
+
+        expect(response).to have_gitlab_http_status(403)
+      end
+    end
+  end
+
+  describe 'Endpoints' do
+    %w(project group).each do |source_type|
+      it_behaves_like 'GET /:sources/:id/badges', source_type
+      it_behaves_like 'GET /:sources/:id/badges/:badge_id', source_type
+      it_behaves_like 'GET /:sources/:id/badges/render', source_type
+      it_behaves_like 'POST /:sources/:id/badges', source_type
+      it_behaves_like 'PUT /:sources/:id/badges/:badge_id', source_type
+      it_behaves_like 'DELETE /:sources/:id/badges/:badge_id', source_type
+    end
+  end
+
+  def setup_project
+    create(:project, :public, :access_requestable, creator_id: master.id, namespace: project_group) do |project|
+      project.add_developer(developer)
+      project.add_master(master)
+      project.request_access(access_requester)
+      project.project_badges << build(:project_badge, project: project)
+      project.project_badges << build(:project_badge, project: project)
+      project_group.badges << build(:group_badge, group: group)
+    end
+  end
+
+  def setup_group
+    create(:group, :public, :access_requestable) do |group|
+      group.add_developer(developer)
+      group.add_owner(master)
+      group.request_access(access_requester)
+      group.badges << build(:group_badge, group: group)
+      group.badges << build(:group_badge, group: group)
+    end
+  end
+end

spec/validators/url_placeholder_validator_spec.rb

+require 'spec_helper'
+
+describe UrlPlaceholderValidator do
+  let(:validator) { described_class.new(attributes: [:link_url],  **options) }
+  let!(:badge) { build(:badge) }
+  let(:placeholder_url) { 'http://www.example.com/%{project_path}/%{project_id}/%{default_branch}/%{commit_sha}' }
+
+  subject { validator.validate_each(badge, :link_url, badge.link_url) }
+
+  describe '#validates_each' do
+    context 'with no options' do
+      let(:options) { {} }
+
+      it 'allows http and https protocols by default' do
+        expect(validator.send(:default_options)[:protocols]).to eq %w(http https)
+      end
+
+      it 'checks that the url structure is valid' do
+        badge.link_url = placeholder_url
+
+        subject
+
+        expect(badge.errors.empty?).to be false
+      end
+    end
+
+    context 'with placeholder regex' do
+      let(:options) { { placeholder_regex: /(project_path|project_id|commit_sha|default_branch)/ } }
+
+      it 'checks that the url is valid and obviate placeholders that match regex' do
+        badge.link_url = placeholder_url
+
+        subject
+
+        expect(badge.errors.empty?).to be true
+      end
+    end
+  end
+end

spec/validators/url_validator_spec.rb

+require 'spec_helper'
+
+describe UrlValidator do
+  let(:validator) { described_class.new(attributes: [:link_url],  **options) }
+  let!(:badge) { build(:badge) }
+
+  subject { validator.validate_each(badge, :link_url, badge.link_url) }
+
+  describe '#validates_each' do
+    context 'with no options' do
+      let(:options) { {} }
+
+      it 'allows http and https protocols by default' do
+        expect(validator.send(:default_options)[:protocols]).to eq %w(http https)
+      end
+
+      it 'checks that the url structure is valid' do
+        badge.link_url = 'http://www.google.es/%{whatever}'
+
+        subject
+
+        expect(badge.errors.empty?).to be false
+      end
+    end
+
+    context 'with protocols' do
+      let(:options) { { protocols: %w(http) } }
+
+      it 'allows urls with the defined protocols' do
+        badge.link_url = 'http://www.example.com'
+
+        subject
+
+        expect(badge.errors.empty?).to be true
+      end
+
+      it 'add error if the url protocol does not match the selected ones' do
+        badge.link_url = 'https://www.example.com'
+
+        subject
+
+        expect(badge.errors.empty?).to be false
+      end
+    end
+  end
+end

spec/views/projects/_home_panel.html.haml_spec.rb

 require 'spec_helper'
 
 describe 'projects/_home_panel' do
-  let(:project) { create(:project, :public) }
+  let(:group) { create(:group) }
+  let(:project) { create(:project, :public, namespace: group) }
 
   let(:notification_settings) do
     user&.notification_settings_for(project)
@@ -35,4 +36,55 @@ describe 'projects/_home_panel' do
       expect(rendered).not_to have_selector('.notification_dropdown')
     end
   end
+
+  context 'when project' do
+    let!(:user) { create(:user) }
+    let(:badges) { project.badges }
+
+    context 'has no badges' do
+      it 'should not render any badge' do
+        render
+
+        expect(rendered).to have_selector('.project-badges')
+        expect(rendered).not_to have_selector('.project-badges > a')
+      end
+    end
+
+    shared_examples 'show badges' do
+      it 'should render the all badges' do
+        render
+
+        expect(rendered).to have_selector('.project-badges a')
+
+        badges.each do |badge|
+          expect(rendered).to have_link(href: badge.rendered_link_url)
+        end
+      end
+    end
+
+    context 'only has group badges' do
+      before do
+        create(:group_badge, group: project.group)
+      end
+
+      it_behaves_like 'show badges'
+    end
+
+    context 'only has project badges' do
+      before do
+        create(:project_badge, project: project)
+      end
+
+      it_behaves_like 'show badges'
+    end
+
+    context 'has both group and project badges' do
+      before do
+        create(:project_badge, project: project)
+        create(:group_badge, group: project.group)
+      end
+
+      it_behaves_like 'show badges'
+    end
+  end
 end