Move Contribution Analytics related spec in spec/features/groups/group_page_with_external_authorization_service_spec to EE

3 files changed, 103 insertions, 0 deletions

diff --git a/spec/support/external_authorization_service_helpers.rb b/spec/support/external_authorization_service_helpers.rb
new file mode 100644
index 00000000000..79dd9a3d58e
--- /dev/null
+++ b/spec/support/external_authorization_service_helpers.rb
@@ -0,0 +1,33 @@
+module ExternalAuthorizationServiceHelpers
+  def enable_external_authorization_service_check
+    stub_application_setting(external_authorization_service_enabled: true)
+
+    stub_application_setting(external_authorization_service_url: 'https://authorize.me')
+    stub_application_setting(external_authorization_service_default_label: 'default_label')
+    stub_request(:post, "https://authorize.me").to_return(status: 200)
+  end
+
+  def external_service_set_access(allowed, user, project)
+    enable_external_authorization_service_check
+    classification_label = ::Gitlab::CurrentSettings.current_application_settings
+                             .external_authorization_service_default_label
+
+    # Reload the project so cached licensed features are reloaded
+    if project
+      classification_label = Project.find(project.id).external_authorization_classification_label
+    end
+
+    allow(::Gitlab::ExternalAuthorization)
+      .to receive(:access_allowed?)
+            .with(user, classification_label, any_args)
+            .and_return(allowed)
+  end
+
+  def external_service_allow_access(user, project = nil)
+    external_service_set_access(true, user, project)
+  end
+
+  def external_service_deny_access(user, project = nil)
+    external_service_set_access(false, user, project)
+  end
+end
diff --git a/spec/support/shared_examples/controllers/external_authorization_service_shared_examples.rb b/spec/support/shared_examples/controllers/external_authorization_service_shared_examples.rb
new file mode 100644
index 00000000000..8dd78fd0a25
--- /dev/null
+++ b/spec/support/shared_examples/controllers/external_authorization_service_shared_examples.rb
@@ -0,0 +1,40 @@
+require 'spec_helper'
+
+shared_examples 'disabled when using an external authorization service' do
+  include ExternalAuthorizationServiceHelpers
+
+  it 'works when the feature is not enabled' do
+    subject
+
+    expect(response).to be_success
+  end
+
+  it 'renders a 404 with a message when the feature is enabled' do
+    enable_external_authorization_service_check
+
+    subject
+
+    expect(response).to have_gitlab_http_status(403)
+  end
+end
+
+shared_examples 'unauthorized when external service denies access' do
+  include ExternalAuthorizationServiceHelpers
+
+  it 'allows access when the authorization service allows it' do
+    external_service_allow_access(user, project)
+
+    subject
+
+    # Account for redirects after updates
+    expect(response.status).to be_between(200, 302)
+  end
+
+  it 'allows access when the authorization service denies it' do
+    external_service_deny_access(user, project)
+
+    subject
+
+    expect(response).to have_gitlab_http_status(403)
+  end
+end
diff --git a/spec/support/shared_examples/finders/finder_with_external_authorization_enabled.rb b/spec/support/shared_examples/finders/finder_with_external_authorization_enabled.rb
new file mode 100644
index 00000000000..d7e17cc0b70
--- /dev/null
+++ b/spec/support/shared_examples/finders/finder_with_external_authorization_enabled.rb
@@ -0,0 +1,30 @@
+require 'spec_helper'
+
+shared_examples 'a finder with external authorization service' do
+  include ExternalAuthorizationServiceHelpers
+
+  let(:user) { create(:user) }
+  let(:project) { create(:project) }
+
+  before do
+    project.add_maintainer(user)
+  end
+
+  it 'finds the subject' do
+    expect(described_class.new(user).execute).to include(subject)
+  end
+
+  context 'with an external authorization service' do
+    before do
+      enable_external_authorization_service_check
+    end
+
+    it 'does not include the subject when no project was given' do
+      expect(described_class.new(user).execute).not_to include(subject)
+    end
+
+    it 'includes the subject when a project id was given' do
+      expect(described_class.new(user, project_params).execute).to include(subject)
+    end
+  end
+end