diff options
Diffstat (limited to 'spec/models/ci/job_token/scope_spec.rb')
-rw-r--r-- | spec/models/ci/job_token/scope_spec.rb | 165 |
1 files changed, 129 insertions, 36 deletions
diff --git a/spec/models/ci/job_token/scope_spec.rb b/spec/models/ci/job_token/scope_spec.rb index 37c56973506..9ae061a3702 100644 --- a/spec/models/ci/job_token/scope_spec.rb +++ b/spec/models/ci/job_token/scope_spec.rb @@ -2,78 +2,171 @@ require 'spec_helper' -RSpec.describe Ci::JobToken::Scope, feature_category: :continuous_integration do - let_it_be(:source_project) { create(:project, ci_outbound_job_token_scope_enabled: true) } +RSpec.describe Ci::JobToken::Scope, feature_category: :continuous_integration, factory_default: :keep do + include Ci::JobTokenScopeHelpers + using RSpec::Parameterized::TableSyntax + + let_it_be(:project) { create_default(:project) } + let_it_be(:user) { create_default(:user) } + let_it_be(:namespace) { create_default(:namespace) } + + let_it_be(:source_project) do + create(:project, + ci_outbound_job_token_scope_enabled: true, + ci_inbound_job_token_scope_enabled: true + ) + end + + let(:current_project) { source_project } - let(:scope) { described_class.new(source_project) } + let(:scope) { described_class.new(current_project) } - describe '#all_projects' do - subject(:all_projects) { scope.all_projects } + describe '#outbound_projects' do + subject { scope.outbound_projects } context 'when no projects are added to the scope' do it 'returns the project defining the scope' do - expect(all_projects).to contain_exactly(source_project) + expect(subject).to contain_exactly(current_project) end end context 'when projects are added to the scope' do - include_context 'with scoped projects' + include_context 'with accessible and inaccessible projects' it 'returns all projects that can be accessed from a given scope' do - expect(subject).to contain_exactly(source_project, outbound_scoped_project) + expect(subject).to contain_exactly(current_project, outbound_allowlist_project, fully_accessible_project) end end end - describe '#allows?' do - subject { scope.allows?(includes_project) } + describe '#inbound_projects' do + subject { scope.inbound_projects } - context 'without scoped projects' do - context 'when self referential' do - let(:includes_project) { source_project } + context 'when no projects are added to the scope' do + it 'returns the project defining the scope' do + expect(subject).to contain_exactly(current_project) + end + end + + context 'when projects are added to the scope' do + include_context 'with accessible and inaccessible projects' - it { is_expected.to be_truthy } + it 'returns all projects that can be accessed from a given scope' do + expect(subject).to contain_exactly(current_project, inbound_allowlist_project) end end + end + + describe 'add!' do + let_it_be(:new_project) { create(:project) } - context 'with scoped projects' do - include_context 'with scoped projects' + subject { scope.add!(new_project, direction: direction, user: user) } - context 'when project is in outbound scope' do - let(:includes_project) { outbound_scoped_project } + [:inbound, :outbound].each do |d| + let(:direction) { d } - it { is_expected.to be_truthy } + it 'adds the project' do + subject + + expect(scope.send("#{direction}_projects")).to contain_exactly(current_project, new_project) end + end - context 'when project is in inbound scope' do - let(:includes_project) { inbound_scoped_project } + # Context and before block can go away leaving just the example in 16.0 + context 'with inbound only enabled' do + before do + project.ci_cd_settings.update!(job_token_scope_enabled: false) + end - it { is_expected.to be_falsey } + it 'provides access' do + expect do + scope.add!(new_project, direction: :inbound, user: user) + end.to change { described_class.new(new_project).accessible?(current_project) }.from(false).to(true) end + end + end + + RSpec.shared_examples 'enforces outbound scope only' do + include_context 'with accessible and inaccessible projects' + + where(:accessed_project, :result) do + ref(:current_project) | true + ref(:inbound_allowlist_project) | false + ref(:unscoped_project1) | false + ref(:unscoped_project2) | false + ref(:outbound_allowlist_project) | true + ref(:inbound_accessible_project) | false + ref(:fully_accessible_project) | true + end - context 'when project is linked to a different project' do - let(:includes_project) { unscoped_project1 } + with_them do + it { is_expected.to eq(result) } + end + end + + describe 'accessible?' do + subject { scope.accessible?(accessed_project) } + + context 'with inbound and outbound scopes enabled' do + context 'when inbound and outbound access setup' do + include_context 'with accessible and inaccessible projects' + + where(:accessed_project, :result) do + ref(:current_project) | true + ref(:inbound_allowlist_project) | false + ref(:unscoped_project1) | false + ref(:unscoped_project2) | false + ref(:outbound_allowlist_project) | false + ref(:inbound_accessible_project) | false + ref(:fully_accessible_project) | true + end + + with_them do + it 'allows self and projects allowed from both directions' do + is_expected.to eq(result) + end + end + end + end - it { is_expected.to be_falsey } + context 'with inbound scope enabled and outbound scope disabled' do + before do + accessed_project.update!(ci_inbound_job_token_scope_enabled: true) + current_project.update!(ci_outbound_job_token_scope_enabled: false) end - context 'when project is unlinked to a project' do - let(:includes_project) { unscoped_project2 } + include_context 'with accessible and inaccessible projects' - it { is_expected.to be_falsey } + where(:accessed_project, :result) do + ref(:current_project) | true + ref(:inbound_allowlist_project) | false + ref(:unscoped_project1) | false + ref(:unscoped_project2) | false + ref(:outbound_allowlist_project) | false + ref(:inbound_accessible_project) | true + ref(:fully_accessible_project) | true end - context 'when project scope setting is disabled' do - let(:includes_project) { unscoped_project1 } + with_them do + it { is_expected.to eq(result) } + end + end - before do - source_project.ci_outbound_job_token_scope_enabled = false - end + context 'with inbound scope disabled and outbound scope enabled' do + before do + accessed_project.update!(ci_inbound_job_token_scope_enabled: false) + current_project.update!(ci_outbound_job_token_scope_enabled: true) + end - it 'considers any project to be part of the scope' do - expect(subject).to be_truthy - end + include_examples 'enforces outbound scope only' + end + + context 'when inbound scope flag disabled' do + before do + stub_feature_flags(ci_inbound_job_token_scope: false) end + + include_examples 'enforces outbound scope only' end end end |