Add tests to the API call

This commits tests API calls and policies related to
reject_unsigned_commit property of the push_rules API endpoint.

3 files changed, 23 insertions, 9 deletions

diff --git a/ee/lib/api/project_push_rule.rb b/ee/lib/api/project_push_rule.rb
index 167d1a2f21d..b02e96e5314 100644
--- a/ee/lib/api/project_push_rule.rb
+++ b/ee/lib/api/project_push_rule.rb
@@ -5,11 +5,7 @@ module API
     before { authenticate! }
     before { authorize_admin_project }
     before { check_project_feature_available!(:push_rules) }
-    before do
-      if params.has_key?(:commit_committer_check)
-        authorize! :change_commit_committer_check, user_project
-      end
-    end
+    before { authorize_change_param(user_project, :commit_committer_check, :reject_unsigned_commits) }
 
     params do
       requires :id, type: String, desc: 'The ID of a project'
@@ -27,10 +23,12 @@ module API
           optional :file_name_regex, type: String, desc: 'All commited filenames must not match this'
           optional :max_file_size, type: Integer, desc: 'Maximum file size (MB)'
           optional :commit_committer_check, type: Boolean, desc: 'Users may only push their own commits'
+          optional :reject_unsigned_commits, type: Boolean, desc: 'Only GPG signed commits can be pushed to this project'
           at_least_one_of :deny_delete_tag, :member_check, :prevent_secrets,
                           :commit_message_regex, :commit_message_negative_regex, :branch_name_regex, :author_email_regex,
                           :file_name_regex, :max_file_size,
-                          :commit_committer_check
+                          :commit_committer_check,
+                          :reject_unsigned_commits
         end
       end
 
diff --git a/ee/lib/ee/api/entities.rb b/ee/lib/ee/api/entities.rb
index ddb9c559861..d92ddf52a59 100644
--- a/ee/lib/ee/api/entities.rb
+++ b/ee/lib/ee/api/entities.rb
@@ -21,6 +21,16 @@ module EE
         end
       end
 
+      module EntityHelpers
+        def can_read(attr, &block)
+          ->(obj, opts) { Ability.allowed?(opts[:user], "read_#{attr}".to_sym, yield(obj)) }
+        end
+
+        def expose_restricted(attr, &block)
+          expose attr, if: can_read(attr, &block)
+        end
+      end
+
       module UserPublic
         extend ActiveSupport::Concern
 
@@ -206,13 +216,13 @@ module EE
       # EE-specific entities #
       ########################
       class ProjectPushRule < Grape::Entity
+        extend EntityHelpers
         expose :id, :project_id, :created_at
         expose :commit_message_regex, :commit_message_negative_regex, :branch_name_regex, :deny_delete_tag
         expose :member_check, :prevent_secrets, :author_email_regex
         expose :file_name_regex, :max_file_size
-        expose :commit_committer_check, if: ->(rule, opts) do
-          Ability.allowed?(opts[:user], :read_commit_committer_check, rule.project)
-        end
+        expose_restricted :commit_committer_check, &:project
+        expose_restricted :reject_unsigned_commits, &:project
       end
 
       class LdapGroupLink < Grape::Entity
diff --git a/ee/lib/ee/api/helpers.rb b/ee/lib/ee/api/helpers.rb
index 42346cc96ea..206b44cace2 100644
--- a/ee/lib/ee/api/helpers.rb
+++ b/ee/lib/ee/api/helpers.rb
@@ -50,6 +50,12 @@ module EE
         not_found! unless user_project.feature_available?(feature)
       end
 
+      def authorize_change_param(subject, *keys)
+        keys.each do |key|
+          authorize!("change_#{key}".to_sym, subject) if params.has_key?(key)
+        end
+      end
+
       def check_sha_param!(params, merge_request)
         if params[:sha] && merge_request.diff_head_sha != params[:sha]
           render_api_error!("SHA does not match HEAD of source branch: #{merge_request.diff_head_sha}", 409)