diff options
Diffstat (limited to 'spec/policies/project_policy_spec.rb')
| -rw-r--r-- | spec/policies/project_policy_spec.rb | 369 |
1 files changed, 340 insertions, 29 deletions
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index db643e3a31f..09d54eb9df6 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -29,6 +29,7 @@ describe ProjectPolicy do admin_issue admin_label admin_list read_commit_status read_build read_container_image read_pipeline read_environment read_deployment read_merge_request download_wiki_code read_sentry_issue read_metrics_dashboard_annotation + metrics_dashboard ] end @@ -41,7 +42,7 @@ describe ProjectPolicy do admin_tag admin_milestone admin_merge_request update_merge_request create_commit_status update_commit_status create_build update_build create_pipeline update_pipeline create_merge_request_from create_wiki push_code - resolve_note create_container_image update_container_image destroy_container_image + resolve_note create_container_image update_container_image destroy_container_image daily_statistics create_environment update_environment create_deployment update_deployment create_release update_release create_metrics_dashboard_annotation delete_metrics_dashboard_annotation update_metrics_dashboard_annotation ] @@ -53,7 +54,7 @@ describe ProjectPolicy do admin_snippet admin_project_member admin_note admin_wiki admin_project admin_commit_status admin_build admin_container_image admin_pipeline admin_environment admin_deployment destroy_release add_cluster - daily_statistics read_deploy_token create_deploy_token destroy_deploy_token + read_deploy_token create_deploy_token destroy_deploy_token admin_terraform_state ] end @@ -123,6 +124,7 @@ describe ProjectPolicy do it_behaves_like 'model with wiki policies' do let(:container) { project } + let_it_be(:user) { owner } def set_access_level(access_level) project.project_feature.update_attribute(:wiki_access_level, access_level) @@ -216,16 +218,41 @@ describe ProjectPolicy do project.project_feature.update(builds_access_level: ProjectFeature::DISABLED) end - it 'disallows all permissions except pipeline when the feature is disabled' do - builds_permissions = [ - :create_build, :read_build, :update_build, :admin_build, :destroy_build, - :create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule, - :create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment, - :create_cluster, :read_cluster, :update_cluster, :admin_cluster, :destroy_cluster, - :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment - ] + context 'without metrics_dashboard_allowed' do + before do + project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::DISABLED) + end - expect_disallowed(*builds_permissions) + it 'disallows all permissions except pipeline when the feature is disabled' do + builds_permissions = [ + :create_build, :read_build, :update_build, :admin_build, :destroy_build, + :create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule, + :create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment, + :create_cluster, :read_cluster, :update_cluster, :admin_cluster, :destroy_cluster, + :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment + ] + + expect_disallowed(*builds_permissions) + end + end + + context 'with metrics_dashboard_allowed' do + before do + project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::ENABLED) + end + + it 'disallows all permissions except pipeline and read_environment when the feature is disabled' do + builds_permissions = [ + :create_build, :read_build, :update_build, :admin_build, :destroy_build, + :create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule, + :create_environment, :update_environment, :admin_environment, :destroy_environment, + :create_cluster, :read_cluster, :update_cluster, :admin_cluster, :destroy_cluster, + :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment + ] + + expect_disallowed(*builds_permissions) + expect_allowed(:read_environment) + end end end @@ -250,20 +277,49 @@ describe ProjectPolicy do context 'repository feature' do subject { described_class.new(owner, project) } - it 'disallows all permissions when the feature is disabled' do + before do project.project_feature.update(repository_access_level: ProjectFeature::DISABLED) + end - repository_permissions = [ - :create_pipeline, :update_pipeline, :admin_pipeline, :destroy_pipeline, - :create_build, :read_build, :update_build, :admin_build, :destroy_build, - :create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule, - :create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment, - :create_cluster, :read_cluster, :update_cluster, :admin_cluster, - :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment, - :destroy_release - ] + context 'without metrics_dashboard_allowed' do + before do + project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::DISABLED) + end - expect_disallowed(*repository_permissions) + it 'disallows all permissions when the feature is disabled' do + repository_permissions = [ + :create_pipeline, :update_pipeline, :admin_pipeline, :destroy_pipeline, + :create_build, :read_build, :update_build, :admin_build, :destroy_build, + :create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule, + :create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment, + :create_cluster, :read_cluster, :update_cluster, :admin_cluster, + :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment, + :destroy_release + ] + + expect_disallowed(*repository_permissions) + end + end + + context 'with metrics_dashboard_allowed' do + before do + project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::ENABLED) + end + + it 'disallows all permissions when the feature is disabled' do + repository_permissions = [ + :create_pipeline, :update_pipeline, :admin_pipeline, :destroy_pipeline, + :create_build, :read_build, :update_build, :admin_build, :destroy_build, + :create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule, + :create_environment, :update_environment, :admin_environment, :destroy_environment, + :create_cluster, :read_cluster, :update_cluster, :admin_cluster, + :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment, + :destroy_release + ] + + expect_disallowed(*repository_permissions) + expect_allowed(:read_environment) + end end end @@ -273,7 +329,8 @@ describe ProjectPolicy do it_behaves_like 'project policies as developer' it_behaves_like 'project policies as maintainer' it_behaves_like 'project policies as owner' - it_behaves_like 'project policies as admin' + it_behaves_like 'project policies as admin with admin mode' + it_behaves_like 'project policies as admin without admin mode' context 'when a public project has merge requests allowing access' do include ProjectForksHelper @@ -304,7 +361,7 @@ describe ProjectPolicy do expect_allowed(*maintainer_abilities) end - it 'dissallows abilities to a maintainer if the merge request was closed' do + it 'disallows abilities to a maintainer if the merge request was closed' do target_project.add_developer(user) merge_request.close! @@ -348,10 +405,24 @@ describe ProjectPolicy do expect(described_class.new(developer, project)).to be_allowed(:read_project) end - it 'does not check the external service for admins and allows access' do - expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?) + context 'with an admin' do + context 'when admin mode is enabled', :enable_admin_mode do + it 'does not check the external service and allows access' do + expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?) - expect(described_class.new(admin, project)).to be_allowed(:read_project) + expect(described_class.new(admin, project)).to be_allowed(:read_project) + end + end + + context 'when admin mode is disabled' do + it 'checks the external service and allows access' do + external_service_allow_access(admin, project) + + expect(::Gitlab::ExternalAuthorization).to receive(:access_allowed?) + + expect(described_class.new(admin, project)).to be_allowed(:read_project) + end + end end it 'prevents all but seeing a public project in a list when access is denied' do @@ -414,7 +485,13 @@ describe ProjectPolicy do context 'admin' do let(:current_user) { admin } - it { expect_allowed(:update_max_artifacts_size) } + context 'when admin mode is enabled', :enable_admin_mode do + it { expect_allowed(:update_max_artifacts_size) } + end + + context 'when admin mode is disabled' do + it { expect_disallowed(:update_max_artifacts_size) } + end end %w(guest reporter developer maintainer owner).each do |role| @@ -446,7 +523,13 @@ describe ProjectPolicy do context 'with admin' do let(:current_user) { admin } - it { is_expected.to be_allowed(:read_prometheus_alerts) } + context 'when admin mode is enabled', :enable_admin_mode do + it { is_expected.to be_allowed(:read_prometheus_alerts) } + end + + context 'when admin mode is disabled' do + it { is_expected.to be_disallowed(:read_prometheus_alerts) } + end end context 'with owner' do @@ -485,4 +568,232 @@ describe ProjectPolicy do it { is_expected.to be_disallowed(:read_prometheus_alerts) } end end + + describe 'metrics_dashboard feature' do + subject { described_class.new(current_user, project) } + + context 'public project' do + let(:project) { create(:project, :public) } + + context 'feature private' do + context 'with reporter' do + let(:current_user) { reporter } + + it { is_expected.to be_allowed(:metrics_dashboard) } + it { is_expected.to be_allowed(:read_prometheus) } + it { is_expected.to be_allowed(:read_deployment) } + it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) } + it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) } + end + + context 'with guest' do + let(:current_user) { guest } + + it { is_expected.to be_disallowed(:metrics_dashboard) } + end + + context 'with anonymous' do + let(:current_user) { nil } + + it { is_expected.to be_disallowed(:metrics_dashboard) } + end + end + + context 'feature enabled' do + before do + project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::ENABLED) + end + + context 'with reporter' do + let(:current_user) { reporter } + + it { is_expected.to be_allowed(:metrics_dashboard) } + it { is_expected.to be_allowed(:read_prometheus) } + it { is_expected.to be_allowed(:read_deployment) } + it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) } + it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) } + end + + context 'with guest' do + let(:current_user) { guest } + + it { is_expected.to be_allowed(:metrics_dashboard) } + it { is_expected.to be_allowed(:read_prometheus) } + it { is_expected.to be_allowed(:read_deployment) } + it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) } + it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) } + end + + context 'with anonymous' do + let(:current_user) { nil } + + it { is_expected.to be_allowed(:metrics_dashboard) } + it { is_expected.to be_allowed(:read_prometheus) } + it { is_expected.to be_allowed(:read_deployment) } + it { is_expected.to be_disallowed(:read_metrics_user_starred_dashboard) } + it { is_expected.to be_disallowed(:create_metrics_user_starred_dashboard) } + end + end + end + + context 'internal project' do + let(:project) { create(:project, :internal) } + + context 'feature private' do + context 'with reporter' do + let(:current_user) { reporter } + + it { is_expected.to be_allowed(:metrics_dashboard) } + it { is_expected.to be_allowed(:read_prometheus) } + it { is_expected.to be_allowed(:read_deployment) } + it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) } + it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) } + end + + context 'with guest' do + let(:current_user) { guest } + + it { is_expected.to be_disallowed(:metrics_dashboard) } + end + + context 'with anonymous' do + let(:current_user) { nil } + + it { is_expected.to be_disallowed(:metrics_dashboard)} + end + end + + context 'feature enabled' do + before do + project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::ENABLED) + end + + context 'with reporter' do + let(:current_user) { reporter } + + it { is_expected.to be_allowed(:metrics_dashboard) } + it { is_expected.to be_allowed(:read_prometheus) } + it { is_expected.to be_allowed(:read_deployment) } + it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) } + it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) } + end + + context 'with guest' do + let(:current_user) { guest } + + it { is_expected.to be_allowed(:metrics_dashboard) } + it { is_expected.to be_allowed(:read_prometheus) } + it { is_expected.to be_allowed(:read_deployment) } + it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) } + it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) } + end + + context 'with anonymous' do + let(:current_user) { nil } + + it { is_expected.to be_disallowed(:metrics_dashboard) } + end + end + end + + context 'private project' do + let(:project) { create(:project, :private) } + + context 'feature private' do + context 'with reporter' do + let(:current_user) { reporter } + + it { is_expected.to be_allowed(:metrics_dashboard) } + it { is_expected.to be_allowed(:read_prometheus) } + it { is_expected.to be_allowed(:read_deployment) } + it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) } + it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) } + end + + context 'with guest' do + let(:current_user) { guest } + + it { is_expected.to be_disallowed(:metrics_dashboard) } + end + + context 'with anonymous' do + let(:current_user) { nil } + + it { is_expected.to be_disallowed(:metrics_dashboard) } + end + end + + context 'feature enabled' do + context 'with reporter' do + let(:current_user) { reporter } + + it { is_expected.to be_allowed(:metrics_dashboard) } + it { is_expected.to be_allowed(:read_prometheus) } + it { is_expected.to be_allowed(:read_deployment) } + it { is_expected.to be_allowed(:read_metrics_user_starred_dashboard) } + it { is_expected.to be_allowed(:create_metrics_user_starred_dashboard) } + end + + context 'with guest' do + let(:current_user) { guest } + + it { is_expected.to be_disallowed(:metrics_dashboard) } + end + + context 'with anonymous' do + let(:current_user) { nil } + + it { is_expected.to be_disallowed(:metrics_dashboard) } + end + end + end + + context 'feature disabled' do + before do + project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::DISABLED) + end + + context 'with reporter' do + let(:current_user) { reporter } + + it { is_expected.to be_disallowed(:metrics_dashboard) } + end + + context 'with guest' do + let(:current_user) { guest } + + it { is_expected.to be_disallowed(:metrics_dashboard) } + end + + context 'with anonymous' do + let(:current_user) { nil } + + it { is_expected.to be_disallowed(:metrics_dashboard) } + end + end + end + + context 'deploy token access' do + let!(:project_deploy_token) do + create(:project_deploy_token, project: project, deploy_token: deploy_token) + end + + subject { described_class.new(deploy_token, project) } + + context 'a deploy token with read_package_registry scope' do + let(:deploy_token) { create(:deploy_token, read_package_registry: true) } + + it { is_expected.to be_allowed(:read_package) } + it { is_expected.to be_allowed(:read_project) } + it { is_expected.to be_disallowed(:create_package) } + end + + context 'a deploy token with write_package_registry scope' do + let(:deploy_token) { create(:deploy_token, write_package_registry: true) } + + it { is_expected.to be_allowed(:create_package) } + it { is_expected.to be_allowed(:read_project) } + it { is_expected.to be_disallowed(:destroy_package) } + end + end end |