# -*- coding: utf-8 -*- require 'spec_helper' describe API::API, api: true do include ApiHelpers let(:user) { create(:user) } let(:user2) { create(:user) } let(:user3) { create(:user) } let(:admin) { create(:admin) } let(:project) { create(:project, creator_id: user.id, namespace: user.namespace) } let(:project2) { create(:project, path: 'project2', creator_id: user.id, namespace: user.namespace) } let(:project3) { create(:project, path: 'project3', creator_id: user.id, namespace: user.namespace) } let(:snippet) { create(:project_snippet, author: user, project: project, title: 'example') } let(:project_member) { create(:project_member, user: user, project: project, access_level: ProjectMember::MASTER) } let(:project_member2) { create(:project_member, user: user3, project: project, access_level: ProjectMember::DEVELOPER) } let(:user4) { create(:user) } let(:project3) do create(:project, name: 'second_project', path: 'second_project', creator_id: user.id, namespace: user.namespace, merge_requests_enabled: false, issues_enabled: false, wiki_enabled: false, snippets_enabled: false, visibility_level: 0) end let(:project_member3) do create(:project_member, user: user4, project: project3, access_level: ProjectMember::MASTER) end let(:project4) do create(:project, name: 'third_project', path: 'third_project', creator_id: user4.id, namespace: user4.namespace) end describe 'GET /projects' do before { project } context 'when unauthenticated' do it 'should return authentication error' do get api('/projects') response.status.should == 401 end end context 'when authenticated' do it 'should return an array of projects' do get api('/projects', user) response.status.should == 200 json_response.should be_an Array json_response.first['name'].should == project.name json_response.first['owner']['username'].should == user.username end context 'and using search' do it 'should return searched project' do get api('/projects', user), { search: project.name } response.status.should eq(200) json_response.should be_an Array json_response.length.should eq(1) end end context 'and using sorting' do before do project2 project3 end it 'should return the correct order when sorted by id' do get api('/projects', user), { order_by: 'id', sort: 'desc'} response.status.should eq(200) json_response.should be_an Array json_response.first['id'].should eq(project3.id) end end end end describe 'GET /projects/all' do before { project } context 'when unauthenticated' do it 'should return authentication error' do get api('/projects/all') response.status.should == 401 end end context 'when authenticated as regular user' do it 'should return authentication error' do get api('/projects/all', user) response.status.should == 403 end end context 'when authenticated as admin' do it 'should return an array of all projects' do get api('/projects/all', admin) response.status.should == 200 json_response.should be_an Array project_name = project.name json_response.detect { |project| project['name'] == project_name }['name'].should == project_name json_response.detect { |project| project['owner']['username'] == user.username }['owner']['username'].should == user.username end end end describe 'POST /projects' do context 'maximum number of projects reached' do before do (1..user2.projects_limit).each do |project| post api('/projects', user2), name: "foo#{project}" end end it 'should not create new project' do expect { post api('/projects', user2), name: 'foo' }.to change {Project.count}.by(0) end end it 'should create new project without path' do expect { post api('/projects', user), name: 'foo' }.to change {Project.count}.by(1) end it 'should not create new project without name' do expect { post api('/projects', user) }.to_not change {Project.count} end it 'should return a 400 error if name not given' do post api('/projects', user) response.status.should == 400 end it 'should create last project before reaching project limit' do (1..user2.projects_limit-1).each { |p| post api('/projects', user2), name: "foo#{p}" } post api('/projects', user2), name: 'foo' response.status.should == 201 end it 'should respond with 201 on success' do post api('/projects', user), name: 'foo' response.status.should == 201 end it 'should respond with 400 if name is not given' do post api('/projects', user) response.status.should == 400 end it 'should return a 403 error if project limit reached' do (1..user.projects_limit).each do |p| post api('/projects', user), name: "foo#{p}" end post api('/projects', user), name: 'bar' response.status.should == 403 end it 'should assign attributes to project' do project = attributes_for(:project, { path: 'camelCasePath', description: Faker::Lorem.sentence, issues_enabled: false, merge_requests_enabled: false, wiki_enabled: false }) post api('/projects', user), project project.each_pair do |k,v| json_response[k.to_s].should == v end end it 'should set a project as public' do project = attributes_for(:project, :public) post api('/projects', user), project json_response['public'].should be_true json_response['visibility_level'].should == Gitlab::VisibilityLevel::PUBLIC end it 'should set a project as public using :public' do project = attributes_for(:project, { public: true }) post api('/projects', user), project json_response['public'].should be_true json_response['visibility_level'].should == Gitlab::VisibilityLevel::PUBLIC end it 'should set a project as internal' do project = attributes_for(:project, :internal) post api('/projects', user), project json_response['public'].should be_false json_response['visibility_level'].should == Gitlab::VisibilityLevel::INTERNAL end it 'should set a project as internal overriding :public' do project = attributes_for(:project, :internal, { public: true }) post api('/projects', user), project json_response['public'].should be_false json_response['visibility_level'].should == Gitlab::VisibilityLevel::INTERNAL end it 'should set a project as private' do project = attributes_for(:project, :private) post api('/projects', user), project json_response['public'].should be_false json_response['visibility_level'].should == Gitlab::VisibilityLevel::PRIVATE end it 'should set a project as private using :public' do project = attributes_for(:project, { public: false }) post api('/projects', user), project json_response['public'].should be_false json_response['visibility_level'].should == Gitlab::VisibilityLevel::PRIVATE end end describe 'POST /projects/user/:id' do before { project } before { admin } it 'should create new project without path' do expect { post api("/projects/user/#{user.id}", admin), name: 'foo' }.to change {Project.count}.by(1) end it 'should not create new project without name' do expect { post api("/projects/user/#{user.id}", admin) }.to_not change {Project.count} end it 'should respond with 201 on success' do post api("/projects/user/#{user.id}", admin), name: 'foo' response.status.should == 201 end it 'should respond with 400 on failure' do post api("/projects/user/#{user.id}", admin) response.status.should == 400 json_response['message']['name'].should == [ 'can\'t be blank', 'is too short (minimum is 0 characters)', Gitlab::Regex.project_regex_message ] json_response['message']['path'].should == [ 'can\'t be blank', 'is too short (minimum is 0 characters)', Gitlab::Regex.send(:default_regex_message) ] end it 'should assign attributes to project' do project = attributes_for(:project, { description: Faker::Lorem.sentence, issues_enabled: false, merge_requests_enabled: false, wiki_enabled: false }) post api("/projects/user/#{user.id}", admin), project project.each_pair do |k,v| next if k == :path json_response[k.to_s].should == v end end it 'should set a project as public' do project = attributes_for(:project, :public) post api("/projects/user/#{user.id}", admin), project json_response['public'].should be_true json_response['visibility_level'].should == Gitlab::VisibilityLevel::PUBLIC end it 'should set a project as public using :public' do project = attributes_for(:project, { public: true }) post api("/projects/user/#{user.id}", admin), project json_response['public'].should be_true json_response['visibility_level'].should == Gitlab::VisibilityLevel::PUBLIC end it 'should set a project as internal' do project = attributes_for(:project, :internal) post api("/projects/user/#{user.id}", admin), project json_response['public'].should be_false json_response['visibility_level'].should == Gitlab::VisibilityLevel::INTERNAL end it 'should set a project as internal overriding :public' do project = attributes_for(:project, :internal, { public: true }) post api("/projects/user/#{user.id}", admin), project json_response['public'].should be_false json_response['visibility_level'].should == Gitlab::VisibilityLevel::INTERNAL end it 'should set a project as private' do project = attributes_for(:project, :private) post api("/projects/user/#{user.id}", admin), project json_response['public'].should be_false json_response['visibility_level'].should == Gitlab::VisibilityLevel::PRIVATE end it 'should set a project as private using :public' do project = attributes_for(:project, { public: false }) post api("/projects/user/#{user.id}", admin), project json_response['public'].should be_false json_response['visibility_level'].should == Gitlab::VisibilityLevel::PRIVATE end end describe 'GET /projects/:id' do before { project } before { project_member } it 'should return a project by id' do get api("/projects/#{project.id}", user) response.status.should == 200 json_response['name'].should == project.name json_response['owner']['username'].should == user.username end it 'should return a project by path name' do get api("/projects/#{project.id}", user) response.status.should == 200 json_response['name'].should == project.name end it 'should return a 404 error if not found' do get api('/projects/42', user) response.status.should == 404 json_response['message'].should == '404 Project Not Found' end it 'should return a 404 error if user is not a member' do other_user = create(:user) get api("/projects/#{project.id}", other_user) response.status.should == 404 end describe 'permissions' do context 'personal project' do before do project.team << [user, :master] get api("/projects/#{project.id}", user) end it { response.status.should == 200 } it { json_response['permissions']['project_access']['access_level'].should == Gitlab::Access::MASTER } it { json_response['permissions']['group_access'].should be_nil } end context 'group project' do before do project2 = create(:project, group: create(:group)) project2.group.add_owner(user) get api("/projects/#{project2.id}", user) end it { response.status.should == 200 } it { json_response['permissions']['project_access'].should be_nil } it { json_response['permissions']['group_access']['access_level'].should == Gitlab::Access::OWNER } end end end describe 'GET /projects/:id/events' do before { project_member } it 'should return a project events' do get api("/projects/#{project.id}/events", user) response.status.should == 200 json_event = json_response.first json_event['action_name'].should == 'joined' json_event['project_id'].to_i.should == project.id json_event['author_username'].should == user.username end it 'should return a 404 error if not found' do get api('/projects/42/events', user) response.status.should == 404 json_response['message'].should == '404 Project Not Found' end it 'should return a 404 error if user is not a member' do other_user = create(:user) get api("/projects/#{project.id}/events", other_user) response.status.should == 404 end end describe 'GET /projects/:id/snippets' do before { snippet } it 'should return an array of project snippets' do get api("/projects/#{project.id}/snippets", user) response.status.should == 200 json_response.should be_an Array json_response.first['title'].should == snippet.title end end describe 'GET /projects/:id/snippets/:snippet_id' do it 'should return a project snippet' do get api("/projects/#{project.id}/snippets/#{snippet.id}", user) response.status.should == 200 json_response['title'].should == snippet.title end it 'should return a 404 error if snippet id not found' do get api("/projects/#{project.id}/snippets/1234", user) response.status.should == 404 end end describe 'POST /projects/:id/snippets' do it 'should create a new project snippet' do post api("/projects/#{project.id}/snippets", user), title: 'api test', file_name: 'sample.rb', code: 'test' response.status.should == 201 json_response['title'].should == 'api test' end it 'should return a 400 error if title is not given' do post api("/projects/#{project.id}/snippets", user), file_name: 'sample.rb', code: 'test' response.status.should == 400 end it 'should return a 400 error if file_name not given' do post api("/projects/#{project.id}/snippets", user), title: 'api test', code: 'test' response.status.should == 400 end it 'should return a 400 error if code not given' do post api("/projects/#{project.id}/snippets", user), title: 'api test', file_name: 'sample.rb' response.status.should == 400 end end describe 'PUT /projects/:id/snippets/:shippet_id' do it 'should update an existing project snippet' do put api("/projects/#{project.id}/snippets/#{snippet.id}", user), code: 'updated code' response.status.should == 200 json_response['title'].should == 'example' snippet.reload.content.should == 'updated code' end it 'should update an existing project snippet with new title' do put api("/projects/#{project.id}/snippets/#{snippet.id}", user), title: 'other api test' response.status.should == 200 json_response['title'].should == 'other api test' end end describe 'DELETE /projects/:id/snippets/:snippet_id' do before { snippet } it 'should delete existing project snippet' do expect { delete api("/projects/#{project.id}/snippets/#{snippet.id}", user) }.to change { Snippet.count }.by(-1) response.status.should == 200 end it 'should return 404 when deleting unknown snippet id' do delete api("/projects/#{project.id}/snippets/1234", user) response.status.should == 404 end end describe 'GET /projects/:id/snippets/:snippet_id/raw' do it 'should get a raw project snippet' do get api("/projects/#{project.id}/snippets/#{snippet.id}/raw", user) response.status.should == 200 end it 'should return a 404 error if raw project snippet not found' do get api("/projects/#{project.id}/snippets/5555/raw", user) response.status.should == 404 end end describe :deploy_keys do let(:deploy_keys_project) { create(:deploy_keys_project, project: project) } let(:deploy_key) { deploy_keys_project.deploy_key } describe 'GET /projects/:id/keys' do before { deploy_key } it 'should return array of ssh keys' do get api("/projects/#{project.id}/keys", user) response.status.should == 200 json_response.should be_an Array json_response.first['title'].should == deploy_key.title end end describe 'GET /projects/:id/keys/:key_id' do it 'should return a single key' do get api("/projects/#{project.id}/keys/#{deploy_key.id}", user) response.status.should == 200 json_response['title'].should == deploy_key.title end it 'should return 404 Not Found with invalid ID' do get api("/projects/#{project.id}/keys/404", user) response.status.should == 404 end end describe 'POST /projects/:id/keys' do it 'should not create an invalid ssh key' do post api("/projects/#{project.id}/keys", user), { title: 'invalid key' } response.status.should == 400 json_response['message']['key'].should == [ 'can\'t be blank', 'is too short (minimum is 0 characters)', 'is invalid' ] end it 'should not create a key without title' do post api("/projects/#{project.id}/keys", user), key: 'some key' response.status.should == 400 json_response['message']['title'].should == [ 'can\'t be blank', 'is too short (minimum is 0 characters)' ] end it 'should create new ssh key' do key_attrs = attributes_for :key expect { post api("/projects/#{project.id}/keys", user), key_attrs }.to change{ project.deploy_keys.count }.by(1) end end describe 'DELETE /projects/:id/keys/:key_id' do before { deploy_key } it 'should delete existing key' do expect { delete api("/projects/#{project.id}/keys/#{deploy_key.id}", user) }.to change{ project.deploy_keys.count }.by(-1) end it 'should return 404 Not Found with invalid ID' do delete api("/projects/#{project.id}/keys/404", user) response.status.should == 404 end end end describe :fork_admin do let(:project_fork_target) { create(:project) } let(:project_fork_source) { create(:project, :public) } describe 'POST /projects/:id/fork/:forked_from_id' do let(:new_project_fork_source) { create(:project, :public) } it "shouldn't available for non admin users" do post api("/projects/#{project_fork_target.id}/fork/#{project_fork_source.id}", user) response.status.should == 403 end it 'should allow project to be forked from an existing project' do project_fork_target.forked?.should_not be_true post api("/projects/#{project_fork_target.id}/fork/#{project_fork_source.id}", admin) response.status.should == 201 project_fork_target.reload project_fork_target.forked_from_project.id.should == project_fork_source.id project_fork_target.forked_project_link.should_not be_nil project_fork_target.forked?.should be_true end it 'should fail if forked_from project which does not exist' do post api("/projects/#{project_fork_target.id}/fork/9999", admin) response.status.should == 404 end it 'should fail with 409 if already forked' do post api("/projects/#{project_fork_target.id}/fork/#{project_fork_source.id}", admin) project_fork_target.reload project_fork_target.forked_from_project.id.should == project_fork_source.id post api("/projects/#{project_fork_target.id}/fork/#{new_project_fork_source.id}", admin) response.status.should == 409 project_fork_target.reload project_fork_target.forked_from_project.id.should == project_fork_source.id project_fork_target.forked?.should be_true end end describe 'DELETE /projects/:id/fork' do it "shouldn't available for non admin users" do delete api("/projects/#{project_fork_target.id}/fork", user) response.status.should == 403 end it 'should make forked project unforked' do post api("/projects/#{project_fork_target.id}/fork/#{project_fork_source.id}", admin) project_fork_target.reload project_fork_target.forked_from_project.should_not be_nil project_fork_target.forked?.should be_true delete api("/projects/#{project_fork_target.id}/fork", admin) response.status.should == 200 project_fork_target.reload project_fork_target.forked_from_project.should be_nil project_fork_target.forked?.should_not be_true end it 'should be idempotent if not forked' do project_fork_target.forked_from_project.should be_nil delete api("/projects/#{project_fork_target.id}/fork", admin) response.status.should == 200 project_fork_target.reload.forked_from_project.should be_nil end end end describe 'GET /projects/search/:query' do let!(:query) { 'query'} let!(:search) { create(:empty_project, name: query, creator_id: user.id, namespace: user.namespace) } let!(:pre) { create(:empty_project, name: "pre_#{query}", creator_id: user.id, namespace: user.namespace) } let!(:post) { create(:empty_project, name: "#{query}_post", creator_id: user.id, namespace: user.namespace) } let!(:pre_post) { create(:empty_project, name: "pre_#{query}_post", creator_id: user.id, namespace: user.namespace) } let!(:unfound) { create(:empty_project, name: 'unfound', creator_id: user.id, namespace: user.namespace) } let!(:internal) { create(:empty_project, :internal, name: "internal #{query}") } let!(:unfound_internal) { create(:empty_project, :internal, name: 'unfound internal') } let!(:public) { create(:empty_project, :public, name: "public #{query}") } let!(:unfound_public) { create(:empty_project, :public, name: 'unfound public') } context 'when unauthenticated' do it 'should return authentication error' do get api("/projects/search/#{query}") response.status.should == 401 end end context 'when authenticated' do it 'should return an array of projects' do get api("/projects/search/#{query}",user) response.status.should == 200 json_response.should be_an Array json_response.size.should == 6 json_response.each {|project| project['name'].should =~ /.*query.*/} end end context 'when authenticated as a different user' do it 'should return matching public projects' do get api("/projects/search/#{query}", user2) response.status.should == 200 json_response.should be_an Array json_response.size.should == 2 json_response.each {|project| project['name'].should =~ /(internal|public) query/} end end end describe 'PUT /projects/:id̈́' do before { project } before { user } before { user3 } before { user4 } before { project3 } before { project4 } before { project_member3 } before { project_member2 } context 'when unauthenticated' do it 'should return authentication error' do project_param = { name: 'bar' } put api("/projects/#{project.id}"), project_param response.status.should == 401 end end context 'when authenticated as project owner' do it 'should update name' do project_param = { name: 'bar' } put api("/projects/#{project.id}", user), project_param response.status.should == 200 project_param.each_pair do |k, v| json_response[k.to_s].should == v end end it 'should update visibility_level' do project_param = { visibility_level: 20 } put api("/projects/#{project3.id}", user), project_param response.status.should == 200 project_param.each_pair do |k, v| json_response[k.to_s].should == v end end it 'should not update name to existing name' do project_param = { name: project3.name } put api("/projects/#{project.id}", user), project_param response.status.should == 400 json_response['message']['name'].should == ['has already been taken'] end it 'should update path & name to existing path & name in different namespace' do project_param = { path: project4.path, name: project4.name } put api("/projects/#{project3.id}", user), project_param response.status.should == 200 project_param.each_pair do |k, v| json_response[k.to_s].should == v end end end context 'when authenticated as project master' do it 'should update path' do project_param = { path: 'bar' } put api("/projects/#{project3.id}", user4), project_param response.status.should == 200 project_param.each_pair do |k, v| json_response[k.to_s].should == v end end it 'should update other attributes' do project_param = { issues_enabled: true, wiki_enabled: true, snippets_enabled: true, merge_requests_enabled: true, description: 'new description' } put api("/projects/#{project3.id}", user4), project_param response.status.should == 200 project_param.each_pair do |k, v| json_response[k.to_s].should == v end end it 'should not update path to existing path' do project_param = { path: project.path } put api("/projects/#{project3.id}", user4), project_param response.status.should == 400 json_response['message']['path'].should == ['has already been taken'] end it 'should not update name' do project_param = { name: 'bar' } put api("/projects/#{project3.id}", user4), project_param response.status.should == 403 end it 'should not update visibility_level' do project_param = { visibility_level: 20 } put api("/projects/#{project3.id}", user4), project_param response.status.should == 403 end end context 'when authenticated as project developer' do it 'should not update other attributes' do project_param = { path: 'bar', issues_enabled: true, wiki_enabled: true, snippets_enabled: true, merge_requests_enabled: true, description: 'new description' } put api("/projects/#{project.id}", user3), project_param response.status.should == 403 end end end describe 'DELETE /projects/:id' do context 'when authenticated as user' do it 'should remove project' do expect(GitlabShellWorker).to( receive(:perform_async).with(:remove_repository, /#{project.path_with_namespace}/) ).twice delete api("/projects/#{project.id}", user) response.status.should == 200 end it 'should not remove a project if not an owner' do user3 = create(:user) project.team << [user3, :developer] delete api("/projects/#{project.id}", user3) response.status.should == 403 end it 'should not remove a non existing project' do delete api('/projects/1328', user) response.status.should == 404 end it 'should not remove a project not attached to user' do delete api("/projects/#{project.id}", user2) response.status.should == 404 end end context 'when authenticated as admin' do it 'should remove any existing project' do delete api("/projects/#{project.id}", admin) response.status.should == 200 end it 'should not remove a non existing project' do delete api('/projects/1328', admin) response.status.should == 404 end end end end