authorGitLab Bot <gitlab-bot@gitlab.com>2023-02-20 13:49:51 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2023-02-20 13:49:51 +0000
commit71786ddc8e28fbd3cb3fcc4b3ff15e5962a1c82e (patch)
tree6a2d93ef3fb2d353bb7739e4b57e6541f51cdd71 /spec/policies
parenta7253423e3403b8c08f8a161e5937e1488f5f407 (diff)
Add latest changes from gitlab-org/gitlab@15-9-stable-eev15.9.0-rc42
Diffstat (limited to 'spec/policies')
-rw-r--r--spec/policies/ci/runner_policy_spec.rb23
-rw-r--r--spec/policies/global_policy_spec.rb100
-rw-r--r--spec/policies/group_policy_spec.rb174
-rw-r--r--spec/policies/issue_policy_spec.rb16
-rw-r--r--spec/policies/note_policy_spec.rb4
-rw-r--r--spec/policies/packages/policies/project_policy_spec.rb33
-rw-r--r--spec/policies/project_policy_spec.rb151
-rw-r--r--spec/policies/todo_policy_spec.rb2
8 files changed, 452 insertions, 51 deletions
diff --git a/spec/policies/ci/runner_policy_spec.rb b/spec/policies/ci/runner_policy_spec.rb
index 6039d60ec2f..e0a9e3c2870 100644
--- a/spec/policies/ci/runner_policy_spec.rb
+++ b/spec/policies/ci/runner_policy_spec.rb
@@ -3,11 +3,12 @@
require 'spec_helper'
RSpec.describe Ci::RunnerPolicy, feature_category: :runner do
+ let_it_be(:owner) { create(:user) }
+
describe 'ability :read_runner' do
let_it_be(:guest) { create(:user) }
let_it_be(:developer) { create(:user) }
let_it_be(:maintainer) { create(:user) }
- let_it_be(:owner) { create(:user) }
let_it_be_with_reload(:group) { create(:group, name: 'top-level', path: 'top-level') }
let_it_be_with_reload(:subgroup) { create(:group, name: 'subgroup', path: 'subgroup', parent: group) }
@@ -170,4 +171,24 @@ RSpec.describe Ci::RunnerPolicy, feature_category: :runner do
end
end
end
+
+ describe 'ability :read_ephemeral_token' do
+ subject(:policy) { described_class.new(user, runner) }
+
+ let_it_be(:runner) { create(:ci_runner, creator: owner) }
+
+ let(:creator) { owner }
+
+ context 'with request made by creator' do
+ let(:user) { creator }
+
+ it { expect_allowed :read_ephemeral_token }
+ end
+
+ context 'with request made by another user' do
+ let(:user) { create(:admin) }
+
+ it { expect_disallowed :read_ephemeral_token }
+ end
+ end
end
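Review bot: The negative case in `context 'with request made by another user'` uses `create(:admin)` without `:enable_admin_mode`, so it only shows that an admin outside admin mode is denied `:read_ephemeral_token`; it pins neither the ordinary non-creator user nor an admin in admin mode, the actor most likely to be granted the token by a later rule change. Because this token is what authorises runner registration, I would add `context 'with request made by a non-creator user' do let(:user) { create(:user) }` asserting `expect_disallowed :read_ephemeral_token`, plus a separate `:enable_admin_mode` context stating the intended outcome for admins. `let(:creator) { owner }` is a single-use alias and could be inlined as `let(:user) { owner }`.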
diff --git a/spec/policies/global_policy_spec.rb b/spec/policies/global_policy_spec.rb
index 1538f8a70c8..0575ba3237b 100644
--- a/spec/policies/global_policy_spec.rb
+++ b/spec/policies/global_policy_spec.rb
@@ -2,7 +2,7 @@
require 'spec_helper'
-RSpec.describe GlobalPolicy, feature_category: :security_policies do
+RSpec.describe GlobalPolicy, feature_category: :shared do
include TermsHelper
let_it_be(:admin_user) { create(:admin) }
@@ -591,4 +591,102 @@ RSpec.describe GlobalPolicy, feature_category: :security_policies do
it { is_expected.to be_disallowed(:log_in) }
end
end
+
+ describe 'create_instance_runners' do
+ context 'create_runner_workflow flag enabled' do
+ before do
+ stub_feature_flags(create_runner_workflow: true)
+ end
+
+ context 'admin' do
+ let(:current_user) { admin_user }
+
+ context 'when admin mode is enabled', :enable_admin_mode do
+ it { is_expected.to be_allowed(:create_instance_runners) }
+ end
+
+ context 'when admin mode is disabled' do
+ it { is_expected.to be_disallowed(:create_instance_runners) }
+ end
+ end
+
+ context 'with project_bot' do
+ let(:current_user) { project_bot }
+
+ it { is_expected.to be_disallowed(:create_instance_runners) }
+ end
+
+ context 'with migration_bot' do
+ let(:current_user) { migration_bot }
+
+ it { is_expected.to be_disallowed(:create_instance_runners) }
+ end
+
+ context 'with security_bot' do
+ let(:current_user) { security_bot }
+
+ it { is_expected.to be_disallowed(:create_instance_runners) }
+ end
+
+ context 'with regular user' do
+ let(:current_user) { user }
+
+ it { is_expected.to be_disallowed(:create_instance_runners) }
+ end
+
+ context 'with anonymous' do
+ let(:current_user) { nil }
+
+ it { is_expected.to be_disallowed(:create_instance_runners) }
+ end
+ end
+
+ context 'create_runner_workflow flag disabled' do
+ before do
+ stub_feature_flags(create_runner_workflow: false)
+ end
+
+ context 'admin' do
+ let(:current_user) { admin_user }
+
+ context 'when admin mode is enabled', :enable_admin_mode do
+ it { is_expected.to be_disallowed(:create_instance_runners) }
+ end
+
+ context 'when admin mode is disabled' do
+ it { is_expected.to be_disallowed(:create_instance_runners) }
+ end
+ end
+
+ context 'with project_bot' do
+ let(:current_user) { project_bot }
+
+ it { is_expected.to be_disallowed(:create_instance_runners) }
+ end
+
+ context 'with migration_bot' do
+ let(:current_user) { migration_bot }
+
+ it { is_expected.to be_disallowed(:create_instance_runners) }
+ end
+
+ context 'with security_bot' do
+ let(:current_user) { security_bot }
+
+ it { is_expected.to be_disallowed(:create_instance_runners) }
+ end
+
+ context 'with regular user' do
+ let(:current_user) { user }
+
+ it { is_expected.to be_disallowed(:create_instance_runners) }
+ end
+
+ context 'with anonymous' do
+ let(:current_user) { nil }
+
+ it { is_expected.to be_disallowed(:create_instance_runners) }
+ end
+ end
+ end
end
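Review bot: Context names in the new `create_instance_runners` block are inconsistent: `context 'admin'` and `context 'create_runner_workflow flag enabled'` carry no prefix while their siblings use `with …`; the same pattern appears in the `create_group_runners` block of group_policy_spec.rb and the `create_project_runners` block of project_policy_spec.rb in this commit. I would rename them `context 'with admin'` and `context 'when create_runner_workflow flag is enabled'` (and `… is disabled`), which also satisfies RSpec/ContextWording if that cop is enabled for this tree. The flag-disabled branch repeats seven contexts that all assert `be_disallowed(:create_instance_runners)`; a `where(:current_user)` table or a shared example over the actor list would make the all-denied expectation visible at a glance and keep the two branches from drifting apart.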
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb
index 2d4c86845c9..451db9eaf9c 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -2,7 +2,7 @@
require 'spec_helper'
-RSpec.describe GroupPolicy do
+RSpec.describe GroupPolicy, feature_category: :authentication_and_authorization do
include AdminModeHelper
include_context 'GroupPolicy context'
@@ -1274,6 +1274,178 @@ RSpec.describe GroupPolicy do
end
end
+ describe 'create_group_runners' do
+ shared_examples 'disallowed when group runner registration disabled' do
+ context 'with group runner registration disabled' do
+ before do
+ stub_application_setting(valid_runner_registrars: ['project'])
+ group.runner_registration_enabled = runner_registration_enabled
+ end
+
+ context 'with specific group runner registration enabled' do
+ let(:runner_registration_enabled) { true }
+
+ it { is_expected.to be_disallowed(:create_group_runners) }
+ end
+
+ context 'with specific group runner registration disabled' do
+ let(:runner_registration_enabled) { false }
+
+ it { is_expected.to be_disallowed(:create_group_runners) }
+ end
+ end
+ end
+
+ context 'create_runner_workflow flag enabled' do
+ before do
+ stub_feature_flags(create_runner_workflow: true)
+ end
+
+ context 'admin' do
+ let(:current_user) { admin }
+
+ context 'when admin mode is enabled', :enable_admin_mode do
+ it { is_expected.to be_allowed(:create_group_runners) }
+
+ context 'with specific group runner registration disabled' do
+ before do
+ group.runner_registration_enabled = false
+ end
+
+ it { is_expected.to be_allowed(:create_group_runners) }
+ end
+
+ context 'with group runner registration disabled' do
+ before do
+ stub_application_setting(valid_runner_registrars: ['project'])
+ group.runner_registration_enabled = runner_registration_enabled
+ end
+
+ context 'with specific group runner registration enabled' do
+ let(:runner_registration_enabled) { true }
+
+ it { is_expected.to be_allowed(:create_group_runners) }
+ end
+
+ context 'with specific group runner registration disabled' do
+ let(:runner_registration_enabled) { false }
+
+ it { is_expected.to be_allowed(:create_group_runners) }
+ end
+ end
+ end
+
+ context 'when admin mode is disabled' do
+ it { is_expected.to be_disallowed(:create_group_runners) }
+ end
+ end
+
+ context 'with owner' do
+ let(:current_user) { owner }
+
+ it { is_expected.to be_allowed(:create_group_runners) }
+
+ it_behaves_like 'disallowed when group runner registration disabled'
+ end
+
+ context 'with maintainer' do
+ let(:current_user) { maintainer }
+
+ it { is_expected.to be_disallowed(:create_group_runners) }
+ end
+
+ context 'with reporter' do
+ let(:current_user) { reporter }
+
+ it { is_expected.to be_disallowed(:create_group_runners) }
+ end
+
+ context 'with guest' do
+ let(:current_user) { guest }
+
+ it { is_expected.to be_disallowed(:create_group_runners) }
+ end
+
+ context 'with developer' do
+ let(:current_user) { developer }
+
+ it { is_expected.to be_disallowed(:create_group_runners) }
+ end
+
+ context 'with anonymous' do
+ let(:current_user) { nil }
+
+ it { is_expected.to be_disallowed(:create_group_runners) }
+ end
+ end
+
+ context 'with create_runner_workflow flag disabled' do
+ before do
+ stub_feature_flags(create_runner_workflow: false)
+ end
+
+ context 'admin' do
+ let(:current_user) { admin }
+
+ context 'when admin mode is enabled', :enable_admin_mode do
+ it { is_expected.to be_disallowed(:create_group_runners) }
+
+ context 'with specific group runner registration disabled' do
+ before do
+ group.runner_registration_enabled = false
+ end
+
+ it { is_expected.to be_disallowed(:create_group_runners) }
+ end
+
+ it_behaves_like 'disallowed when group runner registration disabled'
+ end
+
+ context 'when admin mode is disabled' do
+ it { is_expected.to be_disallowed(:create_group_runners) }
+ end
+ end
+
+ context 'with owner' do
+ let(:current_user) { owner }
+
+ it { is_expected.to be_disallowed(:create_group_runners) }
+
+ it_behaves_like 'disallowed when group runner registration disabled'
+ end
+
+ context 'with maintainer' do
+ let(:current_user) { maintainer }
+
+ it { is_expected.to be_disallowed(:create_group_runners) }
+ end
+
+ context 'with reporter' do
+ let(:current_user) { reporter }
+
+ it { is_expected.to be_disallowed(:create_group_runners) }
+ end
+
+ context 'with guest' do
+ let(:current_user) { guest }
+
+ it { is_expected.to be_disallowed(:create_group_runners) }
+ end
+
+ context 'with developer' do
+ let(:current_user) { developer }
+
+ it { is_expected.to be_disallowed(:create_group_runners) }
+ end
+
+ context 'with anonymous' do
+ let(:current_user) { nil }
+
+ it { is_expected.to be_disallowed(:create_group_runners) }
+ end
+ end
+ end
+
describe 'read_group_all_available_runners' do
context 'admin' do
let(:current_user) { admin }
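Review bot: The `context 'with owner'` branch only exercises registration disabled at instance level, because the shared example always stubs `valid_runner_registrars: ['project']`; the case where the instance still permits group registrars but only `group.runner_registration_enabled = false` is set is tested for admins (the `with specific group runner registration disabled` context under admin mode) but not for the owner, who is the non-admin actor this policy grants. I would add that context under owner with whichever outcome the policy intends, e.g. `context 'with specific group runner registration disabled' do before { group.runner_registration_enabled = false } … end`. Note also that `group.runner_registration_enabled = …` changes the in-memory object without persisting it; this only reaches the policy if the subject is this same `group` instance, which appears to be the case via the shared context but deserves a one-line comment. The enclosing `RSpec.describe` block starts and ends outside the hunk.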
diff --git a/spec/policies/issue_policy_spec.rb b/spec/policies/issue_policy_spec.rb
index 0040d9dff7e..17558787966 100644
--- a/spec/policies/issue_policy_spec.rb
+++ b/spec/policies/issue_policy_spec.rb
@@ -425,19 +425,15 @@ RSpec.describe IssuePolicy, feature_category: :team_planning do
context 'when accounting for notes widget' do
let(:policy) { described_class.new(reporter, note) }
- before do
- widgets_per_type = WorkItems::Type::WIDGETS_FOR_TYPE.dup
- widgets_per_type[:task] = [::WorkItems::Widgets::Description]
- stub_const('WorkItems::Type::WIDGETS_FOR_TYPE', widgets_per_type)
- end
-
- context 'and notes widget is disabled for task' do
- let(:task) { create(:work_item, :task, project: project) }
+ context 'and notes widget is disabled for issue' do
+ before do
+ WorkItems::Type.default_by_type(:issue).widget_definitions.find_by_widget_type(:notes).update!(disabled: true)
+ end
it 'does not allow accessing notes' do
# if notes widget is disabled not even maintainer can access notes
- expect(permissions(maintainer, task)).to be_disallowed(:create_note, :read_note, :mark_note_as_internal, :read_internal_note)
- expect(permissions(admin, task)).to be_disallowed(:create_note, :read_note, :read_internal_note, :mark_note_as_internal, :set_note_created_at)
+ expect(permissions(maintainer, issue)).to be_disallowed(:create_note, :read_note, :mark_note_as_internal, :read_internal_note)
+ expect(permissions(admin, issue)).to be_disallowed(:create_note, :read_note, :read_internal_note, :mark_note_as_internal, :set_note_created_at)
end
end
diff --git a/spec/policies/note_policy_spec.rb b/spec/policies/note_policy_spec.rb
index f4abe3a223c..b2191e6925d 100644
--- a/spec/policies/note_policy_spec.rb
+++ b/spec/policies/note_policy_spec.rb
@@ -260,9 +260,7 @@ RSpec.describe NotePolicy, feature_category: :team_planning do
let(:policy) { described_class.new(developer, note) }
before do
- widgets_per_type = WorkItems::Type::WIDGETS_FOR_TYPE.dup
- widgets_per_type[:task] = [::WorkItems::Widgets::Description]
- stub_const('WorkItems::Type::WIDGETS_FOR_TYPE', widgets_per_type)
+ WorkItems::Type.default_by_type(:task).widget_definitions.find_by_widget_type(:notes).update!(disabled: true)
end
context 'when noteable is task' do
diff --git a/spec/policies/packages/policies/project_policy_spec.rb b/spec/policies/packages/policies/project_policy_spec.rb
index 5d54ee54572..5c267ff5ac5 100644
--- a/spec/policies/packages/policies/project_policy_spec.rb
+++ b/spec/policies/packages/policies/project_policy_spec.rb
@@ -122,39 +122,6 @@ RSpec.describe Packages::Policies::ProjectPolicy do
end
end
- context 'with feature flag disabled' do
- before do
- stub_feature_flags(package_registry_access_level: false)
- end
-
- where(:project, :current_user, :expect_to_be_allowed) do
- ref(:private_project) | ref(:anonymous) | false
- ref(:private_project) | ref(:non_member) | false
- ref(:private_project) | ref(:guest) | false
- ref(:internal_project) | ref(:anonymous) | false
- ref(:public_project) | ref(:admin) | true
- ref(:public_project) | ref(:owner) | true
- ref(:public_project) | ref(:maintainer) | true
- ref(:public_project) | ref(:developer) | true
- ref(:public_project) | ref(:reporter) | true
- ref(:public_project) | ref(:guest) | true
- ref(:public_project) | ref(:non_member) | true
- ref(:public_project) | ref(:anonymous) | true
- end
-
- with_them do
- it do
- project.project_feature.update!(package_registry_access_level: ProjectFeature::PUBLIC)
-
- if expect_to_be_allowed
- is_expected.to be_allowed(:read_package)
- else
- is_expected.to be_disallowed(:read_package)
- end
- end
- end
- end
-
context 'with admin' do
let(:current_user) { admin }
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index a98f091b9fc..b2fb310aca3 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -2478,7 +2478,14 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
before do
current_user.set_ci_job_token_scope!(job)
current_user.external = external_user
- scope_project.update!(ci_outbound_job_token_scope_enabled: token_scope_enabled)
+ project.update!(
+ ci_outbound_job_token_scope_enabled: token_scope_enabled,
+ ci_inbound_job_token_scope_enabled: token_scope_enabled
+ )
+ scope_project.update!(
+ ci_outbound_job_token_scope_enabled: token_scope_enabled,
+ ci_inbound_job_token_scope_enabled: token_scope_enabled
+ )
end
it "enforces the expected permissions" do
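Review bot: The `before` block now sets `ci_outbound_job_token_scope_enabled` and `ci_inbound_job_token_scope_enabled` to the same `token_scope_enabled` value on both `project` and `scope_project`, so the parameter table can no longer distinguish an inbound-only from an outbound-only enforcement failure; a regression that stops checking one direction while the other still denies would pass unnoticed. If the intent is to cover the new inbound scope, I would drive it from its own column, `scope_project.update!(ci_outbound_job_token_scope_enabled: outbound_enabled, ci_inbound_job_token_scope_enabled: inbound_enabled)`, with rows that enable only one of the two. The `where` table and the `it` body lie outside the hunk, so I cannot see whether such rows already exist.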
@@ -2732,6 +2739,148 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio
end
end
+ describe 'create_project_runners' do
+ context 'create_runner_workflow flag enabled' do
+ before do
+ stub_feature_flags(create_runner_workflow: true)
+ end
+
+ context 'admin' do
+ let(:current_user) { admin }
+
+ context 'when admin mode is enabled', :enable_admin_mode do
+ it { is_expected.to be_allowed(:create_project_runners) }
+
+ context 'with project runner registration disabled' do
+ before do
+ stub_application_setting(valid_runner_registrars: ['group'])
+ end
+
+ it { is_expected.to be_allowed(:create_project_runners) }
+ end
+ end
+
+ context 'when admin mode is disabled' do
+ it { is_expected.to be_disallowed(:create_project_runners) }
+ end
+ end
+
+ context 'with owner' do
+ let(:current_user) { owner }
+
+ it { is_expected.to be_allowed(:create_project_runners) }
+
+ context 'with project runner registration disabled' do
+ before do
+ stub_application_setting(valid_runner_registrars: ['group'])
+ end
+
+ it { is_expected.to be_disallowed(:create_project_runners) }
+ end
+ end
+
+ context 'with maintainer' do
+ let(:current_user) { maintainer }
+
+ it { is_expected.to be_allowed(:create_project_runners) }
+ end
+
+ context 'with reporter' do
+ let(:current_user) { reporter }
+
+ it { is_expected.to be_disallowed(:create_project_runners) }
+ end
+
+ context 'with guest' do
+ let(:current_user) { guest }
+
+ it { is_expected.to be_disallowed(:create_project_runners) }
+ end
+
+ context 'with developer' do
+ let(:current_user) { developer }
+
+ it { is_expected.to be_disallowed(:create_project_runners) }
+ end
+
+ context 'with anonymous' do
+ let(:current_user) { nil }
+
+ it { is_expected.to be_disallowed(:create_project_runners) }
+ end
+ end
+
+ context 'create_runner_workflow flag disabled' do
+ before do
+ stub_feature_flags(create_runner_workflow: false)
+ end
+
+ context 'admin' do
+ let(:current_user) { admin }
+
+ context 'when admin mode is enabled', :enable_admin_mode do
+ it { is_expected.to be_disallowed(:create_project_runners) }
+
+ context 'with project runner registration disabled' do
+ before do
+ stub_application_setting(valid_runner_registrars: ['group'])
+ end
+
+ it { is_expected.to be_disallowed(:create_project_runners) }
+ end
+ end
+
+ context 'when admin mode is disabled' do
+ it { is_expected.to be_disallowed(:create_project_runners) }
+ end
+ end
+
+ context 'with owner' do
+ let(:current_user) { owner }
+
+ it { is_expected.to be_disallowed(:create_project_runners) }
+
+ context 'with project runner registration disabled' do
+ before do
+ stub_application_setting(valid_runner_registrars: ['group'])
+ end
+
+ it { is_expected.to be_disallowed(:create_project_runners) }
+ end
+ end
+
+ context 'with maintainer' do
+ let(:current_user) { maintainer }
+
+ it { is_expected.to be_disallowed(:create_project_runners) }
+ end
+
+ context 'with reporter' do
+ let(:current_user) { reporter }
+
+ it { is_expected.to be_disallowed(:create_project_runners) }
+ end
+
+ context 'with guest' do
+ let(:current_user) { guest }
+
+ it { is_expected.to be_disallowed(:create_project_runners) }
+ end
+
+ context 'with developer' do
+ let(:current_user) { developer }
+
+ it { is_expected.to be_disallowed(:create_project_runners) }
+ end
+
+ context 'with anonymous' do
+ let(:current_user) { nil }
+
+ it { is_expected.to be_disallowed(:create_project_runners) }
+ end
+ end
+ end
+
describe 'update_sentry_issue' do
using RSpec::Parameterized::TableSyntax
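Review bot: `context 'with maintainer'` is the only non-admin actor besides owner that is allowed `:create_project_runners` when the flag is on, yet it has no `'with project runner registration disabled'` sub-context while owner does; a policy change that dropped the registrar check for maintainers alone would go unnoticed. I would mirror the owner block under maintainer: `context 'with project runner registration disabled' do before { stub_application_setting(valid_runner_registrars: ['group']) } … it { is_expected.to be_disallowed(:create_project_runners) } end`. The context-naming and duplication points raised on global_policy_spec.rb apply to this block as well.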
diff --git a/spec/policies/todo_policy_spec.rb b/spec/policies/todo_policy_spec.rb
index fa62f53c628..0230f106f0f 100644
--- a/spec/policies/todo_policy_spec.rb
+++ b/spec/policies/todo_policy_spec.rb
@@ -2,7 +2,7 @@
require 'spec_helper'
-RSpec.describe TodoPolicy, feature_category: :project_management do
+RSpec.describe TodoPolicy, feature_category: :team_planning do
using RSpec::Parameterized::TableSyntax
let_it_be(:project) { create(:project) }