Add latest changes from gitlab-org/gitlab@master

2 files changed, 176 insertions, 0 deletions

diff --git a/spec/services/clusters/create_service_spec.rb b/spec/services/clusters/create_service_spec.rb
index ecf0a9c9dce..3dd25be2a3d 100644
--- a/spec/services/clusters/create_service_spec.rb
+++ b/spec/services/clusters/create_service_spec.rb
@@ -59,4 +59,92 @@ describe Clusters::CreateService do
       end
     end
   end
+
+  context 'when params includes :management_project_id' do
+    subject(:cluster) { described_class.new(user, params).execute(access_token: access_token) }
+
+    let(:params) do
+      {
+        name: 'test-cluster',
+        provider_type: :gcp,
+        provider_gcp_attributes: {
+          gcp_project_id: 'gcp-project',
+          zone: 'us-central1-a',
+          num_nodes: 1,
+          machine_type: 'machine_type-a',
+          legacy_abac: 'true'
+        },
+        clusterable: clusterable,
+        management_project_id: management_project_id
+      }
+    end
+
+    let(:clusterable) { project }
+    let(:management_project_id) { management_project.id }
+    let(:management_project_namespace) { project.namespace }
+    let(:management_project) { create(:project, namespace: management_project_namespace) }
+
+    shared_examples 'invalid project or cluster permissions' do
+      it 'does not persist the cluster and adds errors' do
+        expect(cluster).not_to be_persisted
+
+        expect(cluster.errors[:management_project_id]).to include('Project does not exist or you don\'t have permission to perform this action')
+      end
+    end
+
+    shared_examples 'setting a management project' do
+      context 'when user is authorized to adminster manangement_project' do
+        before do
+          management_project.add_maintainer(user)
+        end
+
+        it 'persists the cluster' do
+          expect(cluster).to be_persisted
+
+          expect(cluster.management_project).to eq(management_project)
+        end
+      end
+
+      context 'when user is not authorized to adminster manangement_project' do
+        include_examples 'invalid project or cluster permissions'
+      end
+    end
+
+    shared_examples 'setting a management project outside of scope' do
+      context 'when manangement_project is outside of the namespace scope' do
+        let(:management_project_namespace) { create(:group) }
+
+        it 'does not persist the cluster' do
+          expect(cluster).not_to be_persisted
+
+          expect(cluster.errors[:management_project_id]).to include('Project does not exist or you don\'t have permission to perform this action')
+        end
+      end
+    end
+
+    context 'management_project is non-existent' do
+      let(:management_project_id) { 0 }
+
+      include_examples 'invalid project or cluster permissions'
+    end
+
+    context 'project cluster' do
+      include_examples 'setting a management project'
+      include_examples 'setting a management project outside of scope'
+    end
+
+    context 'group cluster' do
+      let(:management_project_namespace) { create(:group) }
+      let(:clusterable) { management_project_namespace }
+
+      include_examples 'setting a management project'
+      include_examples 'setting a management project outside of scope'
+    end
+
+    context 'instance cluster' do
+      let(:clusterable) { Clusters::Instance.new }
+
+      include_examples 'setting a management project'
+    end
+  end
 end
diff --git a/spec/services/clusters/management/validate_management_project_permissions_service_spec.rb b/spec/services/clusters/management/validate_management_project_permissions_service_spec.rb
new file mode 100644
index 00000000000..1bcebe2e2ac
--- /dev/null
+++ b/spec/services/clusters/management/validate_management_project_permissions_service_spec.rb
@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Clusters::Management::ValidateManagementProjectPermissionsService do
+  describe '#execute' do
+    subject { described_class.new(user).execute(cluster, management_project_id) }
+
+    let(:cluster) { build(:cluster, :project, projects: [create(:project)]) }
+    let(:user) { create(:user) }
+
+    context 'when management_project_id is nil' do
+      let(:management_project_id) { nil }
+
+      it { is_expected.to be true }
+    end
+
+    context 'when management_project_id is not nil' do
+      let(:management_project_id) { management_project.id }
+      let(:management_project_namespace) { create(:group) }
+      let(:management_project) { create(:project, namespace: management_project_namespace) }
+
+      context 'when management_project does not exist' do
+        let(:management_project_id) { 0 }
+
+        it 'adds errors to the cluster and returns false' do
+          is_expected.to eq false
+
+          expect(cluster.errors[:management_project_id]).to include('Project does not exist or you don\'t have permission to perform this action')
+        end
+      end
+
+      shared_examples 'management project is in scope' do
+        context 'when user is authorized to administer manangement_project' do
+          before do
+            management_project.add_maintainer(user)
+          end
+
+          it 'adds no error and returns true' do
+            is_expected.to eq true
+
+            expect(cluster.errors).to be_empty
+          end
+        end
+
+        context 'when user is not authorized to adminster manangement_project' do
+          it 'adds an error and returns false' do
+            is_expected.to eq false
+
+            expect(cluster.errors[:management_project_id]).to include('Project does not exist or you don\'t have permission to perform this action')
+          end
+        end
+      end
+
+      shared_examples 'management project is out of scope' do
+        context 'when manangement_project is outside of the namespace scope' do
+          let(:management_project_namespace) { create(:group) }
+
+          it 'adds an error and returns false' do
+            is_expected.to eq false
+
+            expect(cluster.errors[:management_project_id]).to include('Project does not exist or you don\'t have permission to perform this action')
+          end
+        end
+      end
+
+      context 'project cluster' do
+        let(:cluster) { build(:cluster, :project, projects: [create(:project, namespace: management_project_namespace)]) }
+
+        include_examples 'management project is in scope'
+        include_examples 'management project is out of scope'
+      end
+
+      context 'group cluster' do
+        let(:cluster) { build(:cluster, :group, groups: [management_project_namespace]) }
+
+        include_examples 'management project is in scope'
+        include_examples 'management project is out of scope'
+      end
+
+      context 'instance cluster' do
+        let(:cluster) { build(:cluster, :instance) }
+
+        include_examples 'management project is in scope'
+      end
+    end
+  end
+end