Merge branch 'stable-2.8'

* stable-2.8:
  ReceiveCommits: Fix PUSH permission check for draft changes
  Don't allow project owners to create branches if create is blocked
  Add acceptance test for branch creation
  Wrong button is passed to revert action handler

Conflicts:
	gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/git/BUCK
	gerrit-server/src/test/java/com/google/gerrit/server/project/RefControlTest.java

Change-Id: I11e4b0c846fa60b1bec67c4ca90de3d8fce6df8c

gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/git/BUCK

@@ -1,7 +1,7 @@
 include_defs('//gerrit-acceptance-tests/tests.defs')
 
 acceptance_tests(
-  srcs = ['SubmitOnPushIT.java'],
+  srcs = ['DraftChangeBlockedIT.java', 'SubmitOnPushIT.java'],
   deps = ['//gerrit-acceptance-tests:lib'],
 )
 

gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/git/DraftChangeBlockedIT.java

@@ -0,0 +1,114 @@
+// Copyright (C) 2014 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.gerrit.acceptance.git;
+
+import static com.google.gerrit.acceptance.GitUtil.cloneProject;
+import static com.google.gerrit.acceptance.GitUtil.createProject;
+import static com.google.gerrit.server.group.SystemGroupBackend.ANONYMOUS_USERS;
+import static com.google.gerrit.server.project.Util.grant;
+
+import com.google.gerrit.acceptance.AbstractDaemonTest;
+import com.google.gerrit.acceptance.AccountCreator;
+import com.google.gerrit.acceptance.PushOneCommit;
+import com.google.gerrit.acceptance.SshSession;
+import com.google.gerrit.common.data.Permission;
+import com.google.gerrit.reviewdb.client.Project;
+import com.google.gerrit.reviewdb.server.ReviewDb;
+import com.google.gerrit.server.config.AllProjectsName;
+import com.google.gerrit.server.git.MetaDataUpdate;
+import com.google.gerrit.server.git.ProjectConfig;
+import com.google.gerrit.server.project.ProjectCache;
+import com.google.gwtorm.server.OrmException;
+import com.google.gwtorm.server.SchemaFactory;
+import com.google.inject.Inject;
+
+import org.eclipse.jgit.api.Git;
+import org.eclipse.jgit.api.errors.GitAPIException;
+import org.junit.Before;
+import org.junit.Test;
+
+import java.io.IOException;
+
+public class DraftChangeBlockedIT extends AbstractDaemonTest {
+
+  @Inject
+  private AccountCreator accounts;
+
+  @Inject
+  private SchemaFactory<ReviewDb> reviewDbProvider;
+
+  @Inject
+  private ProjectCache projectCache;
+
+  @Inject
+  private AllProjectsName allProjects;
+
+  @Inject
+  private MetaDataUpdate.Server metaDataUpdateFactory;
+
+  @Inject
+  private PushOneCommit.Factory pushFactory;
+
+  private Project.NameKey project;
+  private Git git;
+  private ReviewDb db;
+
+  @Before
+  public void setUp() throws Exception {
+    ProjectConfig cfg = projectCache.checkedGet(allProjects).getConfig();
+    grant(cfg, Permission.PUSH, ANONYMOUS_USERS,
+        "refs/drafts/*").setBlock();
+    saveProjectConfig(cfg);
+
+    project = new Project.NameKey("p");
+    SshSession sshSession = new SshSession(server, admin);
+    createProject(sshSession, project.get());
+
+    db = reviewDbProvider.open();
+    git = cloneProject(sshSession.getUrl() + "/" + project.get());
+    sshSession.close();
+  }
+
+  @Test
+  public void testPushDraftChange_Blocked() throws GitAPIException,
+      OrmException, IOException {
+    // create draft by pushing to 'refs/drafts/'
+    PushOneCommit.Result r = pushTo("refs/drafts/master");
+    r.assertErrorStatus("cannot upload drafts");
+  }
+
+  @Test
+  public void testPushDraftChangeMagic_Blocked() throws GitAPIException,
+      OrmException, IOException {
+    // create draft by using 'draft' option
+    PushOneCommit.Result r = pushTo("refs/for/master%draft");
+    r.assertErrorStatus("cannot upload drafts");
+  }
+
+  private PushOneCommit.Result pushTo(String ref) throws GitAPIException,
+      IOException {
+    PushOneCommit push = pushFactory.create(db, admin.getIdent());
+    return push.to(git, ref);
+  }
+
+  private void saveProjectConfig(ProjectConfig cfg) throws IOException {
+    MetaDataUpdate md = metaDataUpdateFactory.create(allProjects);
+    try {
+      cfg.commit(md);
+    } finally {
+      md.close();
+    }
+  }
+}

gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/rest/project/CreateBranchIT.java

@@ -0,0 +1,181 @@
+// Copyright (C) 2014 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.gerrit.acceptance.rest.project;
+
+import static com.google.gerrit.acceptance.GitUtil.createProject;
+import static org.junit.Assert.assertEquals;
+
+import com.google.gerrit.acceptance.AbstractDaemonTest;
+import com.google.gerrit.acceptance.RestResponse;
+import com.google.gerrit.acceptance.RestSession;
+import com.google.gerrit.acceptance.SshSession;
+import com.google.gerrit.acceptance.TestAccount;
+import com.google.gerrit.common.data.AccessSection;
+import com.google.gerrit.common.data.Permission;
+import com.google.gerrit.common.data.PermissionRule;
+import com.google.gerrit.reviewdb.client.Branch;
+import com.google.gerrit.reviewdb.client.Project;
+import com.google.gerrit.server.account.GroupCache;
+import com.google.gerrit.server.config.AllProjectsNameProvider;
+import com.google.gerrit.server.git.MetaDataUpdate;
+import com.google.gerrit.server.git.ProjectConfig;
+import com.google.gerrit.server.group.SystemGroupBackend;
+import com.google.gerrit.server.project.ProjectCache;
+import com.google.inject.Inject;
+
+import org.apache.http.HttpStatus;
+import org.eclipse.jgit.errors.ConfigInvalidException;
+import org.junit.Before;
+import org.junit.Test;
+
+import java.io.IOException;
+
+public class CreateBranchIT extends AbstractDaemonTest {
+  @Inject
+  private MetaDataUpdate.Server metaDataUpdateFactory;
+
+  @Inject
+  private ProjectCache projectCache;
+
+  @Inject
+  private GroupCache groupCache;
+
+  @Inject
+  private AllProjectsNameProvider allProjects;
+
+  private RestSession userSession;
+
+  private Project.NameKey project;
+  private Branch.NameKey branch;
+
+  @Before
+  public void setUp() throws Exception {
+    TestAccount user = accounts.create("user", "user@example.com", "User");
+    userSession = new RestSession(server, user);
+
+    project = new Project.NameKey("p");
+    branch = new Branch.NameKey(project, "test");
+
+    SshSession sshSession = new SshSession(server, admin);
+    try {
+      createProject(sshSession, project.get(), null, true);
+    } finally {
+      sshSession.close();
+    }
+  }
+
+  @Test
+  public void createBranch_Forbidden() throws IOException {
+    RestResponse r =
+        userSession.put("/projects/" + project.get()
+            + "/branches/" + branch.getShortName());
+    assertEquals(HttpStatus.SC_FORBIDDEN, r.getStatusCode());
+  }
+
+  @Test
+  public void createBranchByAdmin() throws IOException {
+    RestResponse r =
+        adminSession.put("/projects/" + project.get()
+            + "/branches/" + branch.getShortName());
+    assertEquals(HttpStatus.SC_CREATED, r.getStatusCode());
+    r.consume();
+
+    r = adminSession.get("/projects/" + project.get()
+        + "/branches/" + branch.getShortName());
+    assertEquals(HttpStatus.SC_OK, r.getStatusCode());
+  }
+
+  @Test
+  public void branchAlreadyExists_Conflict() throws IOException {
+    RestResponse r =
+        adminSession.put("/projects/" + project.get()
+            + "/branches/" + branch.getShortName());
+    assertEquals(HttpStatus.SC_CREATED, r.getStatusCode());
+    r.consume();
+
+    r = adminSession.put("/projects/" + project.get()
+        + "/branches/" + branch.getShortName());
+    assertEquals(HttpStatus.SC_CONFLICT, r.getStatusCode());
+  }
+
+  @Test
+  public void createBranchByProjectOwner() throws IOException,
+      ConfigInvalidException {
+    grantOwner();
+
+    RestResponse r =
+        userSession.put("/projects/" + project.get()
+            + "/branches/" + branch.getShortName());
+    assertEquals(HttpStatus.SC_CREATED, r.getStatusCode());
+    r.consume();
+
+    r = adminSession.get("/projects/" + project.get()
+        + "/branches/" + branch.getShortName());
+    assertEquals(HttpStatus.SC_OK, r.getStatusCode());
+  }
+
+  @Test
+  public void createBranchByAdminCreateReferenceBlocked() throws IOException,
+      ConfigInvalidException {
+    blockCreateReference();
+    RestResponse r =
+        adminSession.put("/projects/" + project.get()
+            + "/branches/" + branch.getShortName());
+    assertEquals(HttpStatus.SC_CREATED, r.getStatusCode());
+    r.consume();
+
+    r = adminSession.get("/projects/" + project.get()
+        + "/branches/" + branch.getShortName());
+    assertEquals(HttpStatus.SC_OK, r.getStatusCode());
+  }
+
+  @Test
+  public void createBranchByProjectOwnerCreateReferenceBlocked_Forbidden()
+      throws IOException, ConfigInvalidException {
+    grantOwner();
+    blockCreateReference();
+    RestResponse r =
+        userSession.put("/projects/" + project.get()
+            + "/branches/" + branch.getShortName());
+    assertEquals(HttpStatus.SC_FORBIDDEN, r.getStatusCode());
+  }
+
+  private void blockCreateReference() throws IOException, ConfigInvalidException {
+    MetaDataUpdate md = metaDataUpdateFactory.create(allProjects.get());
+    md.setMessage(String.format("Block %s", Permission.CREATE));
+    ProjectConfig config = ProjectConfig.read(md);
+    AccessSection s = config.getAccessSection("refs/*", true);
+    Permission p = s.getPermission(Permission.CREATE, true);
+    PermissionRule rule = new PermissionRule(config.resolve(
+        SystemGroupBackend.getGroup(SystemGroupBackend.ANONYMOUS_USERS)));
+    rule.setBlock();
+    p.add(rule);
+    config.commit(md);
+    projectCache.evict(config.getProject());
+  }
+
+  private void grantOwner() throws IOException, ConfigInvalidException {
+    MetaDataUpdate md = metaDataUpdateFactory.create(project);
+    md.setMessage(String.format("Grant %s", Permission.OWNER));
+    ProjectConfig config = ProjectConfig.read(md);
+    AccessSection s = config.getAccessSection("refs/*", true);
+    Permission p = s.getPermission(Permission.OWNER, true);
+    PermissionRule rule = new PermissionRule(config.resolve(
+        SystemGroupBackend.getGroup(SystemGroupBackend.REGISTERED_USERS)));
+    p.add(rule);
+    config.commit(md);
+    projectCache.evict(config.getProject());
+  }
+}