diff options
Diffstat (limited to 'spec/policies/project_policy_spec.rb')
-rw-r--r-- | spec/policies/project_policy_spec.rb | 142 |
1 files changed, 69 insertions, 73 deletions
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index f3c92751d06..59123c3695a 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -4,6 +4,7 @@ require 'spec_helper' RSpec.describe ProjectPolicy do include ExternalAuthorizationServiceHelpers + include AdminModeHelper include_context 'ProjectPolicy context' let(:project) { public_project } @@ -70,7 +71,7 @@ RSpec.describe ProjectPolicy do context 'when external tracker configured' do it 'does not include the issues permissions' do - create(:jira_service, project: project) + create(:jira_integration, project: project) expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue, :create_incident end @@ -1423,6 +1424,7 @@ RSpec.describe ProjectPolicy do before do current_user.set_ci_job_token_scope!(job) + scope_project.update!(ci_job_token_scope_enabled: true) end context 'when accessing a private project' do @@ -1442,6 +1444,14 @@ RSpec.describe ProjectPolicy do end it { is_expected.to be_disallowed(:guest_access) } + + context 'when job token scope is disabled' do + before do + scope_project.update!(ci_job_token_scope_enabled: false) + end + + it { is_expected.to be_allowed(:guest_access) } + end end end @@ -1462,6 +1472,14 @@ RSpec.describe ProjectPolicy do end it { is_expected.to be_disallowed(:public_access) } + + context 'when job token scope is disabled' do + before do + scope_project.update!(ci_job_token_scope_enabled: false) + end + + it { is_expected.to be_allowed(:public_access) } + end end end end @@ -1469,7 +1487,12 @@ RSpec.describe ProjectPolicy do describe 'container_image policies' do using RSpec::Parameterized::TableSyntax - let(:guest_operations_permissions) { [:read_container_image] } + # These are permissions that admins should not have when the project is private + # or the container registry is private. + let(:admin_excluded_permissions) { [:build_read_container_image] } + + let(:anonymous_operations_permissions) { [:read_container_image] } + let(:guest_operations_permissions) { anonymous_operations_permissions + [:build_read_container_image] } let(:developer_operations_permissions) do guest_operations_permissions + [ @@ -1483,47 +1506,67 @@ RSpec.describe ProjectPolicy do ] end + let(:all_permissions) { maintainer_operations_permissions } + where(:project_visibility, :access_level, :role, :allowed) do + :public | ProjectFeature::ENABLED | :admin | true + :public | ProjectFeature::ENABLED | :owner | true :public | ProjectFeature::ENABLED | :maintainer | true :public | ProjectFeature::ENABLED | :developer | true :public | ProjectFeature::ENABLED | :reporter | true :public | ProjectFeature::ENABLED | :guest | true :public | ProjectFeature::ENABLED | :anonymous | true + :public | ProjectFeature::PRIVATE | :admin | true + :public | ProjectFeature::PRIVATE | :owner | true :public | ProjectFeature::PRIVATE | :maintainer | true :public | ProjectFeature::PRIVATE | :developer | true :public | ProjectFeature::PRIVATE | :reporter | true :public | ProjectFeature::PRIVATE | :guest | false :public | ProjectFeature::PRIVATE | :anonymous | false + :public | ProjectFeature::DISABLED | :admin | false + :public | ProjectFeature::DISABLED | :owner | false :public | ProjectFeature::DISABLED | :maintainer | false :public | ProjectFeature::DISABLED | :developer | false :public | ProjectFeature::DISABLED | :reporter | false :public | ProjectFeature::DISABLED | :guest | false :public | ProjectFeature::DISABLED | :anonymous | false + :internal | ProjectFeature::ENABLED | :admin | true + :internal | ProjectFeature::ENABLED | :owner | true :internal | ProjectFeature::ENABLED | :maintainer | true :internal | ProjectFeature::ENABLED | :developer | true :internal | ProjectFeature::ENABLED | :reporter | true :internal | ProjectFeature::ENABLED | :guest | true :internal | ProjectFeature::ENABLED | :anonymous | false + :internal | ProjectFeature::PRIVATE | :admin | true + :internal | ProjectFeature::PRIVATE | :owner | true :internal | ProjectFeature::PRIVATE | :maintainer | true :internal | ProjectFeature::PRIVATE | :developer | true :internal | ProjectFeature::PRIVATE | :reporter | true :internal | ProjectFeature::PRIVATE | :guest | false :internal | ProjectFeature::PRIVATE | :anonymous | false + :internal | ProjectFeature::DISABLED | :admin | false + :internal | ProjectFeature::DISABLED | :owner | false :internal | ProjectFeature::DISABLED | :maintainer | false :internal | ProjectFeature::DISABLED | :developer | false :internal | ProjectFeature::DISABLED | :reporter | false :internal | ProjectFeature::DISABLED | :guest | false :internal | ProjectFeature::DISABLED | :anonymous | false + :private | ProjectFeature::ENABLED | :admin | true + :private | ProjectFeature::ENABLED | :owner | true :private | ProjectFeature::ENABLED | :maintainer | true :private | ProjectFeature::ENABLED | :developer | true :private | ProjectFeature::ENABLED | :reporter | true :private | ProjectFeature::ENABLED | :guest | false :private | ProjectFeature::ENABLED | :anonymous | false + :private | ProjectFeature::PRIVATE | :admin | true + :private | ProjectFeature::PRIVATE | :owner | true :private | ProjectFeature::PRIVATE | :maintainer | true :private | ProjectFeature::PRIVATE | :developer | true :private | ProjectFeature::PRIVATE | :reporter | true :private | ProjectFeature::PRIVATE | :guest | false :private | ProjectFeature::PRIVATE | :anonymous | false + :private | ProjectFeature::DISABLED | :admin | false + :private | ProjectFeature::DISABLED | :owner | false :private | ProjectFeature::DISABLED | :maintainer | false :private | ProjectFeature::DISABLED | :developer | false :private | ProjectFeature::DISABLED | :reporter | false @@ -1535,96 +1578,49 @@ RSpec.describe ProjectPolicy do let(:current_user) { send(role) } let(:project) { send("#{project_visibility}_project") } - it 'allows/disallows the abilities based on the container_registry feature access level' do + before do + enable_admin_mode!(admin) if role == :admin project.project_feature.update!(container_registry_access_level: access_level) + end + it 'allows/disallows the abilities based on the container_registry feature access level' do if allowed expect_allowed(*permissions_abilities(role)) + expect_disallowed(*(all_permissions - permissions_abilities(role))) else - expect_disallowed(*permissions_abilities(role)) + expect_disallowed(*all_permissions) + end + end + + it 'allows build_read_container_image to admins who are also team members' do + if allowed && role == :admin + project.add_reporter(current_user) + + expect_allowed(:build_read_container_image) end end def permissions_abilities(role) case role - when :maintainer + when :admin + if project_visibility == :private || access_level == ProjectFeature::PRIVATE + maintainer_operations_permissions - admin_excluded_permissions + else + maintainer_operations_permissions + end + when :maintainer, :owner maintainer_operations_permissions when :developer developer_operations_permissions - when :reporter, :guest, :anonymous + when :reporter, :guest guest_operations_permissions + when :anonymous + anonymous_operations_permissions else raise "Unknown role #{role}" end end end - - context 'with read_container_registry_access_level disabled' do - before do - stub_feature_flags(read_container_registry_access_level: false) - end - - where(:project_visibility, :container_registry_enabled, :role, :allowed) do - :public | true | :maintainer | true - :public | true | :developer | true - :public | true | :reporter | true - :public | true | :guest | true - :public | true | :anonymous | true - :public | false | :maintainer | false - :public | false | :developer | false - :public | false | :reporter | false - :public | false | :guest | false - :public | false | :anonymous | false - :internal | true | :maintainer | true - :internal | true | :developer | true - :internal | true | :reporter | true - :internal | true | :guest | true - :internal | true | :anonymous | false - :internal | false | :maintainer | false - :internal | false | :developer | false - :internal | false | :reporter | false - :internal | false | :guest | false - :internal | false | :anonymous | false - :private | true | :maintainer | true - :private | true | :developer | true - :private | true | :reporter | true - :private | true | :guest | false - :private | true | :anonymous | false - :private | false | :maintainer | false - :private | false | :developer | false - :private | false | :reporter | false - :private | false | :guest | false - :private | false | :anonymous | false - end - - with_them do - let(:current_user) { send(role) } - let(:project) { send("#{project_visibility}_project") } - - it 'allows/disallows the abilities based on container_registry_enabled' do - project.update_column(:container_registry_enabled, container_registry_enabled) - - if allowed - expect_allowed(*permissions_abilities(role)) - else - expect_disallowed(*permissions_abilities(role)) - end - end - - def permissions_abilities(role) - case role - when :maintainer - maintainer_operations_permissions - when :developer - developer_operations_permissions - when :reporter, :guest, :anonymous - guest_operations_permissions - else - raise "Unknown role #{role}" - end - end - end - end end describe 'update_runners_registration_token' do |