diff options
| author | Andreas Brandl <abrandl@gitlab.com> | 2019-04-05 13:02:56 +0000 |
|---|---|---|
| committer | Andreas Brandl <abrandl@gitlab.com> | 2019-04-05 13:02:56 +0000 |
| commit | 46b1b9c1d61c269588bd3cd4203420608ddd7f0b (patch) | |
| tree | a877f5366d3367e1264e96f3f5e8a4b23bdbd62a /spec/policies | |
| parent | 7a48a06cf3b454021aa466464686fee8c82d6862 (diff) | |
| download | gitlab-ce-46b1b9c1d61c269588bd3cd4203420608ddd7f0b.tar.gz | |
Revert "Merge branch 'if-57131-external_auth_to_ce' into 'master'"
This reverts merge request !26823
Diffstat (limited to 'spec/policies')
| -rw-r--r-- | spec/policies/base_policy_spec.rb | 23 | ||||
| -rw-r--r-- | spec/policies/issue_policy_spec.rb | 19 | ||||
| -rw-r--r-- | spec/policies/merge_request_policy_spec.rb | 19 | ||||
| -rw-r--r-- | spec/policies/project_policy_spec.rb | 53 |
4 files changed, 0 insertions, 114 deletions
diff --git a/spec/policies/base_policy_spec.rb b/spec/policies/base_policy_spec.rb index 09be831dcd5..c03d95b34db 100644 --- a/spec/policies/base_policy_spec.rb +++ b/spec/policies/base_policy_spec.rb @@ -1,8 +1,6 @@ require 'spec_helper' describe BasePolicy do - include ExternalAuthorizationServiceHelpers - describe '.class_for' do it 'detects policy class based on the subject ancestors' do expect(DeclarativePolicy.class_for(GenericCommitStatus.new)).to eq(CommitStatusPolicy) @@ -18,25 +16,4 @@ describe BasePolicy do expect(DeclarativePolicy.class_for(:global)).to eq(GlobalPolicy) end end - - describe 'read cross project' do - let(:current_user) { create(:user) } - let(:user) { create(:user) } - - subject { described_class.new(current_user, [user]) } - - it { is_expected.to be_allowed(:read_cross_project) } - - context 'when an external authorization service is enabled' do - before do - enable_external_authorization_service_check - end - - it { is_expected.not_to be_allowed(:read_cross_project) } - - it 'allows admins' do - expect(described_class.new(build(:admin), nil)).to be_allowed(:read_cross_project) - end - end - end end diff --git a/spec/policies/issue_policy_spec.rb b/spec/policies/issue_policy_spec.rb index b149dbcf871..008d118b557 100644 --- a/spec/policies/issue_policy_spec.rb +++ b/spec/policies/issue_policy_spec.rb @@ -1,8 +1,6 @@ require 'spec_helper' describe IssuePolicy do - include ExternalAuthorizationServiceHelpers - let(:guest) { create(:user) } let(:author) { create(:user) } let(:assignee) { create(:user) } @@ -206,21 +204,4 @@ describe IssuePolicy do end end end - - context 'with external authorization enabled' do - let(:user) { create(:user) } - let(:project) { create(:project, :public) } - let(:issue) { create(:issue, project: project) } - let(:policies) { described_class.new(user, issue) } - - before do - enable_external_authorization_service_check - end - - it 'can read the issue iid without accessing the external service' do - expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?) - - expect(policies).to be_allowed(:read_issue_iid) - end - end end diff --git a/spec/policies/merge_request_policy_spec.rb b/spec/policies/merge_request_policy_spec.rb index 81279225d61..1efa70addc2 100644 --- a/spec/policies/merge_request_policy_spec.rb +++ b/spec/policies/merge_request_policy_spec.rb @@ -1,8 +1,6 @@ require 'spec_helper' describe MergeRequestPolicy do - include ExternalAuthorizationServiceHelpers - let(:guest) { create(:user) } let(:author) { create(:user) } let(:developer) { create(:user) } @@ -49,21 +47,4 @@ describe MergeRequestPolicy do expect(permissions(guest, merge_request_locked)).to be_disallowed(:reopen_merge_request) end end - - context 'with external authorization enabled' do - let(:user) { create(:user) } - let(:project) { create(:project, :public) } - let(:merge_request) { create(:merge_request, source_project: project) } - let(:policies) { described_class.new(user, merge_request) } - - before do - enable_external_authorization_service_check - end - - it 'can read the issue iid without accessing the external service' do - expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?) - - expect(policies).to be_allowed(:read_merge_request_iid) - end - end end diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index 42f8bf3137b..125ed818bc6 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -1,7 +1,6 @@ require 'spec_helper' describe ProjectPolicy do - include ExternalAuthorizationServiceHelpers include_context 'ProjectPolicy context' set(:guest) { create(:user) } set(:reporter) { create(:user) } @@ -293,56 +292,4 @@ describe ProjectPolicy do projects: [clusterable]) end end - - context 'reading a project' do - it 'allows access when a user has read access to the repo' do - expect(described_class.new(owner, project)).to be_allowed(:read_project) - expect(described_class.new(developer, project)).to be_allowed(:read_project) - expect(described_class.new(admin, project)).to be_allowed(:read_project) - end - - it 'never checks the external service' do - expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?) - - expect(described_class.new(owner, project)).to be_allowed(:read_project) - end - - context 'with an external authorization service' do - before do - enable_external_authorization_service_check - end - - it 'allows access when the external service allows it' do - external_service_allow_access(owner, project) - external_service_allow_access(developer, project) - - expect(described_class.new(owner, project)).to be_allowed(:read_project) - expect(described_class.new(developer, project)).to be_allowed(:read_project) - end - - it 'does not check the external service for admins and allows access' do - expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?) - - expect(described_class.new(admin, project)).to be_allowed(:read_project) - end - - it 'prevents all but seeing a public project in a list when access is denied' do - [developer, owner, build(:user), nil].each do |user| - external_service_deny_access(user, project) - policy = described_class.new(user, project) - - expect(policy).not_to be_allowed(:read_project) - expect(policy).not_to be_allowed(:owner_access) - expect(policy).not_to be_allowed(:change_namespace) - end - end - - it 'passes the full path to external authorization for logging purposes' do - expect(::Gitlab::ExternalAuthorization) - .to receive(:access_allowed?).with(owner, 'default_label', project.full_path).and_call_original - - described_class.new(owner, project).allowed?(:read_project) - end - end - end end |