authorPatrick Hiesel <hiesel@google.com>2022-05-06 07:42:58 +0200
committerDavid Ostrovsky <david.ostrovsky@gmail.com>2022-05-11 07:07:29 +0000
commit9a0fb8defab2630b12a87d6205818cd198669d4b (patch)
tree06488ae637ab974af8d0d325d7635b8645f78fff
parent6cf8db2ac5ba8c032409dcbb1250c77c3601d9ed (diff)
GitProtocolV2IT: Remove superfluous permission grants in tests
Permissions on refs/changes are not respected by the permission backend. Change refs are visible if the change is visible to the user. In these tests, the change was already made visible by pushing it to master, which is visible to registered users. This commit reworks the permission grants to work on All-Projects instead of the test repository. It wipes existing permissions before the test. This makes it more obvious what is happening, because the repo under test inherits permissions from All-Projects, and setting permissions on that repo means the reader must also understand what permissions are set in All-Projects, which makes it harder to know what is going on. Release-Notes: n/a Change-Id: Ib5d3bbfeb4238ef0545024738555d96b3f06acfa (cherry picked from commit 30d43cd7d2b816712578203e64708bcf60b22c19)
-rw-r--r--javatests/com/google/gerrit/integration/git/GitProtocolV2IT.java49
1 files changed, 25 insertions, 24 deletions
diff --git a/javatests/com/google/gerrit/integration/git/GitProtocolV2IT.java b/javatests/com/google/gerrit/integration/git/GitProtocolV2IT.java
index acf9a506b3..5544238c15 100644
--- a/javatests/com/google/gerrit/integration/git/GitProtocolV2IT.java
+++ b/javatests/com/google/gerrit/integration/git/GitProtocolV2IT.java
@@ -16,7 +16,7 @@ package com.google.gerrit.integration.git;
import static com.google.common.truth.Truth.assertThat;
import static com.google.gerrit.acceptance.testsuite.project.TestProjectUpdate.allow;
-import static com.google.gerrit.acceptance.testsuite.project.TestProjectUpdate.deny;
+import static com.google.gerrit.acceptance.testsuite.project.TestProjectUpdate.allowCapability;
import static java.nio.charset.StandardCharsets.UTF_8;
import com.google.common.collect.ImmutableList;
@@ -27,7 +27,10 @@ import com.google.gerrit.acceptance.GitClientVersion;
import com.google.gerrit.acceptance.StandaloneSiteTest;
import com.google.gerrit.acceptance.TestAccount;
import com.google.gerrit.acceptance.UseSsh;
+import com.google.gerrit.acceptance.testsuite.group.GroupOperations;
import com.google.gerrit.acceptance.testsuite.project.ProjectOperations;
+import com.google.gerrit.common.data.GlobalCapability;
+import com.google.gerrit.entities.AccountGroup;
import com.google.gerrit.entities.Change;
import com.google.gerrit.entities.PatchSet;
import com.google.gerrit.entities.Permission;
@@ -62,6 +65,7 @@ public class GitProtocolV2IT extends StandaloneSiteTest {
@Inject private GerritApi gApi;
@Inject private AccountCreator accountCreator;
@Inject private ProjectOperations projectOperations;
+ @Inject private GroupOperations groupOperations;
@Inject private @TestSshServerAddress InetSocketAddress sshAddress;
@Inject private @GerritServerConfig Config config;
@Inject private AllProjectsName allProjectsName;
@@ -86,15 +90,20 @@ public class GitProtocolV2IT extends StandaloneSiteTest {
Project.NameKey project = Project.nameKey("foo");
gApi.projects().create(project.get());
- // Set up project permission
+ // Clear all permissions for anonymous users. Allow registered users to fetch/push.
+ AccountGroup.UUID admins = groupOperations.newGroup().addMember(admin.id()).create();
projectOperations
- .project(project)
+ .project(allProjectsName)
.forUpdate()
- .add(deny(Permission.READ).ref("refs/heads/*").group(SystemGroupBackend.ANONYMOUS_USERS))
+ .removeAllAccessSections()
.add(
allow(Permission.READ)
.ref("refs/heads/master")
.group(SystemGroupBackend.REGISTERED_USERS))
+ .add(allow(Permission.READ).ref("refs/*").group(admins))
+ .add(allow(Permission.CREATE).ref("refs/*").group(SystemGroupBackend.REGISTERED_USERS))
+ .add(allow(Permission.PUSH).ref("refs/*").group(SystemGroupBackend.REGISTERED_USERS))
+ .add(allowCapability(GlobalCapability.ADMINISTRATE_SERVER).group(admins))
.update();
// Retrieve HTTP url
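Review bot: The new comment `// Clear all permissions for anonymous users. Allow registered users to fetch/push.` understates what the chain does: `removeAllAccessSections()` on `allProjectsName` drops the access sections for every group, not only the anonymous grants, which is presumably why this hunk has to create an `admins` group and re-grant `ADMINISTRATE_SERVER` and `READ` on `refs/*`. I would say so in the comment, for example `// Wipe All-Projects so nothing is granted by default (anonymous users get no access); re-grant admin rights, then let registered users read master and create/push.` The same comment is reused in the `private-project` hunk, and neither that hunk nor the `all-refs-visible` one re-grants the admin capability after the wipe; a one-line comment there saying that no admin operation follows would make the difference read as intentional. The test method starts and ends outside the hunk, so whether admin calls follow the update cannot be confirmed from here.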
@@ -211,15 +220,17 @@ public class GitProtocolV2IT extends StandaloneSiteTest {
Project.NameKey allRefsVisibleProject = Project.nameKey("all-refs-visible");
gApi.projects().create(allRefsVisibleProject.get());
- // Set up project permission to allow reading all refs
+ // Allow registered users to fetch/push. Allow anonymous users to read refs/heads/* which also
+ // allows reading changes.
projectOperations
- .project(allRefsVisibleProject)
+ .project(allProjectsName)
.forUpdate()
+ .removeAllAccessSections()
.add(allow(Permission.READ).ref("refs/heads/*").group(SystemGroupBackend.ANONYMOUS_USERS))
.add(
- allow(Permission.READ)
- .ref("refs/changes/*")
- .group(SystemGroupBackend.ANONYMOUS_USERS))
+ allow(Permission.READ).ref("refs/heads/*").group(SystemGroupBackend.REGISTERED_USERS))
+ .add(allow(Permission.CREATE).ref("refs/*").group(SystemGroupBackend.REGISTERED_USERS))
+ .add(allow(Permission.PUSH).ref("refs/*").group(SystemGroupBackend.REGISTERED_USERS))
.update();
// Create new change and retrieve refs for the created patch set
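Review bot: The added `allow(Permission.READ).ref("refs/heads/*").group(SystemGroupBackend.REGISTERED_USERS)` looks redundant next to the identical grant for `ANONYMOUS_USERS` directly above it, since in Gerrit every user, signed in or not, is a member of Anonymous Users. Given that the commit is about removing superfluous grants, I would drop it, or keep it with a comment such as `// explicit for readability; already implied by the Anonymous Users grant`. Leaving only the anonymous grant also makes it clearer that this is the deliberately open fixture, in contrast to the private-project case where anonymous users get nothing. The test method continues outside the hunk.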
@@ -265,25 +276,15 @@ public class GitProtocolV2IT extends StandaloneSiteTest {
Project.NameKey privateProject = Project.nameKey("private-project");
gApi.projects().create(privateProject.get());
- // Disallow general read permissions for anonymous users
+ // Clear all permissions for anonymous users. Allow registered users to fetch/push.
projectOperations
.project(allProjectsName)
.forUpdate()
- .add(deny(Permission.READ).ref("refs/*").group(SystemGroupBackend.ANONYMOUS_USERS))
+ .removeAllAccessSections()
.add(
- allow(Permission.READ)
- .ref("refs/heads/master")
- .group(SystemGroupBackend.REGISTERED_USERS))
- .update();
-
- // Set up project permission to allow registered users fetching changes/*
- projectOperations
- .project(privateProject)
- .forUpdate()
- .add(
- allow(Permission.READ)
- .ref("refs/changes/*")
- .group(SystemGroupBackend.REGISTERED_USERS))
+ allow(Permission.READ).ref("refs/heads/*").group(SystemGroupBackend.REGISTERED_USERS))
+ .add(allow(Permission.CREATE).ref("refs/*").group(SystemGroupBackend.REGISTERED_USERS))
+ .add(allow(Permission.PUSH).ref("refs/*").group(SystemGroupBackend.REGISTERED_USERS))
.update();
// Create new change and retrieve refs for the created patch set