Move Contribution Analytics related spec in spec/features/groups/group_page_with_external_authorization_service_spec to EE

4 files changed, 114 insertions, 0 deletions

diff --git a/spec/policies/base_policy_spec.rb b/spec/policies/base_policy_spec.rb
index c03d95b34db..09be831dcd5 100644
--- a/spec/policies/base_policy_spec.rb
+++ b/spec/policies/base_policy_spec.rb
@@ -1,6 +1,8 @@
 require 'spec_helper'
 
 describe BasePolicy do
+  include ExternalAuthorizationServiceHelpers
+
   describe '.class_for' do
     it 'detects policy class based on the subject ancestors' do
       expect(DeclarativePolicy.class_for(GenericCommitStatus.new)).to eq(CommitStatusPolicy)
@@ -16,4 +18,25 @@ describe BasePolicy do
       expect(DeclarativePolicy.class_for(:global)).to eq(GlobalPolicy)
     end
   end
+
+  describe 'read cross project' do
+    let(:current_user) { create(:user) }
+    let(:user) { create(:user) }
+
+    subject { described_class.new(current_user, [user]) }
+
+    it { is_expected.to be_allowed(:read_cross_project) }
+
+    context 'when an external authorization service is enabled' do
+      before do
+        enable_external_authorization_service_check
+      end
+
+      it { is_expected.not_to be_allowed(:read_cross_project) }
+
+      it 'allows admins' do
+        expect(described_class.new(build(:admin), nil)).to be_allowed(:read_cross_project)
+      end
+    end
+  end
 end
diff --git a/spec/policies/issue_policy_spec.rb b/spec/policies/issue_policy_spec.rb
index 008d118b557..b149dbcf871 100644
--- a/spec/policies/issue_policy_spec.rb
+++ b/spec/policies/issue_policy_spec.rb
@@ -1,6 +1,8 @@
 require 'spec_helper'
 
 describe IssuePolicy do
+  include ExternalAuthorizationServiceHelpers
+
   let(:guest) { create(:user) }
   let(:author) { create(:user) }
   let(:assignee) { create(:user) }
@@ -204,4 +206,21 @@ describe IssuePolicy do
       end
     end
   end
+
+  context 'with external authorization enabled' do
+    let(:user) { create(:user) }
+    let(:project) { create(:project, :public) }
+    let(:issue) { create(:issue, project: project) }
+    let(:policies) { described_class.new(user, issue) }
+
+    before do
+      enable_external_authorization_service_check
+    end
+
+    it 'can read the issue iid without accessing the external service' do
+      expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?)
+
+      expect(policies).to be_allowed(:read_issue_iid)
+    end
+  end
 end
diff --git a/spec/policies/merge_request_policy_spec.rb b/spec/policies/merge_request_policy_spec.rb
index 1efa70addc2..81279225d61 100644
--- a/spec/policies/merge_request_policy_spec.rb
+++ b/spec/policies/merge_request_policy_spec.rb
@@ -1,6 +1,8 @@
 require 'spec_helper'
 
 describe MergeRequestPolicy do
+  include ExternalAuthorizationServiceHelpers
+
   let(:guest) { create(:user) }
   let(:author) { create(:user) }
   let(:developer) { create(:user) }
@@ -47,4 +49,21 @@ describe MergeRequestPolicy do
       expect(permissions(guest, merge_request_locked)).to be_disallowed(:reopen_merge_request)
     end
   end
+
+  context 'with external authorization enabled' do
+    let(:user) { create(:user) }
+    let(:project) { create(:project, :public) }
+    let(:merge_request) { create(:merge_request, source_project: project) }
+    let(:policies) { described_class.new(user, merge_request) }
+
+    before do
+      enable_external_authorization_service_check
+    end
+
+    it 'can read the issue iid without accessing the external service' do
+      expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?)
+
+      expect(policies).to be_allowed(:read_merge_request_iid)
+    end
+  end
 end
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index 125ed818bc6..42f8bf3137b 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -1,6 +1,7 @@
 require 'spec_helper'
 
 describe ProjectPolicy do
+  include ExternalAuthorizationServiceHelpers
   include_context 'ProjectPolicy context'
   set(:guest) { create(:user) }
   set(:reporter) { create(:user) }
@@ -292,4 +293,56 @@ describe ProjectPolicy do
              projects: [clusterable])
     end
   end
+
+  context 'reading a project' do
+    it 'allows access when a user has read access to the repo' do
+      expect(described_class.new(owner, project)).to be_allowed(:read_project)
+      expect(described_class.new(developer, project)).to be_allowed(:read_project)
+      expect(described_class.new(admin, project)).to be_allowed(:read_project)
+    end
+
+    it 'never checks the external service' do
+      expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?)
+
+      expect(described_class.new(owner, project)).to be_allowed(:read_project)
+    end
+
+    context 'with an external authorization service' do
+      before do
+        enable_external_authorization_service_check
+      end
+
+      it 'allows access when the external service allows it' do
+        external_service_allow_access(owner, project)
+        external_service_allow_access(developer, project)
+
+        expect(described_class.new(owner, project)).to be_allowed(:read_project)
+        expect(described_class.new(developer, project)).to be_allowed(:read_project)
+      end
+
+      it 'does not check the external service for admins and allows access' do
+        expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?)
+
+        expect(described_class.new(admin, project)).to be_allowed(:read_project)
+      end
+
+      it 'prevents all but seeing a public project in a list when access is denied' do
+        [developer, owner, build(:user), nil].each do |user|
+          external_service_deny_access(user, project)
+          policy = described_class.new(user, project)
+
+          expect(policy).not_to be_allowed(:read_project)
+          expect(policy).not_to be_allowed(:owner_access)
+          expect(policy).not_to be_allowed(:change_namespace)
+        end
+      end
+
+      it 'passes the full path to external authorization for logging purposes' do
+        expect(::Gitlab::ExternalAuthorization)
+          .to receive(:access_allowed?).with(owner, 'default_label', project.full_path).and_call_original
+
+        described_class.new(owner, project).allowed?(:read_project)
+      end
+    end
+  end
 end