Diffstat (limited to 'spec/services')
-rw-r--r--spec/services/application_settings/update_service_spec.rb35
-rw-r--r--spec/services/notification_service_spec.rb41
-rw-r--r--spec/services/projects/create_service_spec.rb37
-rw-r--r--spec/services/projects/update_service_spec.rb41
4 files changed, 154 insertions, 0 deletions
diff --git a/spec/services/application_settings/update_service_spec.rb b/spec/services/application_settings/update_service_spec.rb
index a4a733eff77..258e5635113 100644
--- a/spec/services/application_settings/update_service_spec.rb
+++ b/spec/services/application_settings/update_service_spec.rb
@@ -1,6 +1,8 @@
require 'spec_helper'
describe ApplicationSettings::UpdateService do
+ include ExternalAuthorizationServiceHelpers
+
let(:application_settings) { create(:application_setting) }
let(:admin) { create(:user, :admin) }
let(:params) { {} }
@@ -143,4 +145,37 @@ describe ApplicationSettings::UpdateService do
end
end
end
+
+ context 'when external authorization is enabled' do
+ before do
+ enable_external_authorization_service_check
+ end
+
+ it 'does not save the settings with an error if the service denies access' do
+ expect(::Gitlab::ExternalAuthorization)
+ .to receive(:access_allowed?).with(admin, 'new-label') { false }
+
+ described_class.new(application_settings, admin, { external_authorization_service_default_label: 'new-label' }).execute
+
+ expect(application_settings.errors[:external_authorization_service_default_label]).to be_present
+ end
+
+ it 'saves the setting when the user has access to the label' do
+ expect(::Gitlab::ExternalAuthorization)
+ .to receive(:access_allowed?).with(admin, 'new-label') { true }
+
+ described_class.new(application_settings, admin, { external_authorization_service_default_label: 'new-label' }).execute
+
+ # Read the attribute directly to avoid the stub from
+ # `enable_external_authorization_service_check`
+ expect(application_settings[:external_authorization_service_default_label]).to eq('new-label')
+ end
+
+ it 'does not validate the label if it was not passed' do
+ expect(::Gitlab::ExternalAuthorization)
+ .not_to receive(:access_allowed?)
+
+ described_class.new(application_settings, admin, { home_page_url: 'http://foo.bar' }).execute
+ end
+ end
end
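Review bot: The denial example `'does not save the settings with an error if the service denies access'` asserts only that an error is present, so it would still pass if the rejected label were written to the database. Add a persistence check after the existing expectation, reading the attribute directly as the allow example does: `expect(application_settings.reload[:external_authorization_service_default_label]).not_to eq('new-label')`. The denial example in spec/services/projects/update_service_spec.rb has the same gap, since it checks only `result[:status]` and `result[:message]`, and could add `expect(project.reload.external_authorization_classification_label).not_to eq('new-label')`. The enclosing `describe` block starts outside this hunk.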
diff --git a/spec/services/notification_service_spec.rb b/spec/services/notification_service_spec.rb
index 9ba4a11104a..794a4b4ccd3 100644
--- a/spec/services/notification_service_spec.rb
+++ b/spec/services/notification_service_spec.rb
@@ -2,6 +2,7 @@ require 'spec_helper'
describe NotificationService, :mailer do
include EmailSpec::Matchers
+ include ExternalAuthorizationServiceHelpers
include NotificationHelpers
let(:notification) { described_class.new }
@@ -2217,6 +2218,46 @@ describe NotificationService, :mailer do
end
end
+ context 'with external authorization service' do
+ let(:issue) { create(:issue) }
+ let(:project) { issue.project }
+ let(:note) { create(:note, noteable: issue, project: project) }
+ let(:member) { create(:user) }
+
+ subject { NotificationService.new }
+
+ before do
+ project.add_maintainer(member)
+ member.global_notification_setting.update!(level: :watch)
+ end
+
+ it 'sends email when the service is not enabled' do
+ expect(Notify).to receive(:new_issue_email).at_least(:once).with(member.id, issue.id, nil).and_call_original
+
+ subject.new_issue(issue, member)
+ end
+
+ context 'when the service is enabled' do
+ before do
+ enable_external_authorization_service_check
+ end
+
+ it 'does not send an email' do
+ expect(Notify).not_to receive(:new_issue_email)
+
+ subject.new_issue(issue, member)
+ end
+
+ it 'still delivers email to admins' do
+ member.update!(admin: true)
+
+ expect(Notify).to receive(:new_issue_email).at_least(:once).with(member.id, issue.id, nil).and_call_original
+
+ subject.new_issue(issue, member)
+ end
+ end
+ end
+
def build_team(project)
@u_watcher = create_global_setting_for(create(:user), :watch)
@u_participating = create_global_setting_for(create(:user), :participating)
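Review bot: `let(:note)` is declared in the new context but no example in it references `note`, so suppression is exercised only for `new_issue`. Either drop the unused `let` or add an example under `'when the service is enabled'` that calls `subject.new_note(note)` and expects no delivery, so that note notifications are covered by the same restriction. The examples also do not show which rule suppresses the mail, because that depends on `enable_external_authorization_service_check`, which is not visible here. If the intended rule is the one the admin example implies, a comment such as `# non-admin recipients get no mail while the external service is enabled` above the `before` block would make it explicit.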
diff --git a/spec/services/projects/create_service_spec.rb b/spec/services/projects/create_service_spec.rb
index e8418b09dc2..e1ec932918e 100644
--- a/spec/services/projects/create_service_spec.rb
+++ b/spec/services/projects/create_service_spec.rb
@@ -1,6 +1,7 @@
require 'spec_helper'
describe Projects::CreateService, '#execute' do
+ include ExternalAuthorizationServiceHelpers
include GitHelpers
let(:gitlab_shell) { Gitlab::Shell.new }
@@ -344,6 +345,42 @@ describe Projects::CreateService, '#execute' do
expect(rugged.config['gitlab.fullpath']).to eq project.full_path
end
+ context 'with external authorization enabled' do
+ before do
+ enable_external_authorization_service_check
+ end
+
+ it 'does not save the project with an error if the service denies access' do
+ expect(::Gitlab::ExternalAuthorization)
+ .to receive(:access_allowed?).with(user, 'new-label', any_args) { false }
+
+ project = create_project(user, opts.merge({ external_authorization_classification_label: 'new-label' }))
+
+ expect(project.errors[:external_authorization_classification_label]).to be_present
+ expect(project).not_to be_persisted
+ end
+
+ it 'saves the project when the user has access to the label' do
+ expect(::Gitlab::ExternalAuthorization)
+ .to receive(:access_allowed?).with(user, 'new-label', any_args) { true }
+
+ project = create_project(user, opts.merge({ external_authorization_classification_label: 'new-label' }))
+
+ expect(project).to be_persisted
+ expect(project.external_authorization_classification_label).to eq('new-label')
+ end
+
+ it 'does not save the project when the user has no access to the default label and no label is provided' do
+ expect(::Gitlab::ExternalAuthorization)
+ .to receive(:access_allowed?).with(user, 'default_label', any_args) { false }
+
+ project = create_project(user, opts)
+
+ expect(project.errors[:external_authorization_classification_label]).to be_present
+ expect(project).not_to be_persisted
+ end
+ end
+
def create_project(user, opts)
Projects::CreateService.new(user, opts).execute
end
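Review bot: The literal `'default_label'` in the last example is not defined anywhere in this spec; it presumably matches a value stubbed by `enable_external_authorization_service_check`, which lives outside this hunk. If the helper's value changes, the `with(user, 'default_label', any_args)` expectation will fail for a reason unrelated to the authorization check. A comment above the expectation, for example `# 'default_label' is the default configured by enable_external_authorization_service_check`, would make the dependency explicit. The same literal appears in the cleared-label example in spec/services/projects/update_service_spec.rb.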
diff --git a/spec/services/projects/update_service_spec.rb b/spec/services/projects/update_service_spec.rb
index 90eaea9c872..95eb17b5e3a 100644
--- a/spec/services/projects/update_service_spec.rb
+++ b/spec/services/projects/update_service_spec.rb
@@ -1,6 +1,7 @@
require 'spec_helper'
describe Projects::UpdateService do
+ include ExternalAuthorizationServiceHelpers
include ProjectForksHelper
let(:user) { create(:user) }
@@ -361,6 +362,46 @@ describe Projects::UpdateService do
call_service
end
end
+
+ context 'with external authorization enabled' do
+ before do
+ enable_external_authorization_service_check
+ end
+
+ it 'does not save the project with an error if the service denies access' do
+ expect(::Gitlab::ExternalAuthorization)
+ .to receive(:access_allowed?).with(user, 'new-label') { false }
+
+ result = update_project(project, user, { external_authorization_classification_label: 'new-label' })
+
+ expect(result[:message]).to be_present
+ expect(result[:status]).to eq(:error)
+ end
+
+ it 'saves the new label if the service allows access' do
+ expect(::Gitlab::ExternalAuthorization)
+ .to receive(:access_allowed?).with(user, 'new-label') { true }
+
+ result = update_project(project, user, { external_authorization_classification_label: 'new-label' })
+
+ expect(result[:status]).to eq(:success)
+ expect(project.reload.external_authorization_classification_label).to eq('new-label')
+ end
+
+ it 'checks the default label when the classification label was cleared' do
+ expect(::Gitlab::ExternalAuthorization)
+ .to receive(:access_allowed?).with(user, 'default_label') { true }
+
+ update_project(project, user, { external_authorization_classification_label: '' })
+ end
+
+ it 'does not check the label when it does not change' do
+ expect(::Gitlab::ExternalAuthorization)
+ .not_to receive(:access_allowed?)
+
+ update_project(project, user, { name: 'New name' })
+ end
+ end
end
describe '#run_auto_devops_pipeline?' do
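Review bot: The example `'checks the default label when the classification label was cleared'` covers only the allow outcome and asserts nothing about the result. The case that matters for access control is untested: a user who clears the label so the project falls back to a default label they are not allowed to use. A sibling denial example should pin that the update is rejected, presumably with the same `:error` status the explicit-label denial returns. The enclosing `describe` block starts outside this hunk.

```ruby
it 'does not clear the label when the user has no access to the default label' do
  expect(::Gitlab::ExternalAuthorization)
    .to receive(:access_allowed?).with(user, 'default_label') { false }

  result = update_project(project, user, { external_authorization_classification_label: '' })

  expect(result[:status]).to eq(:error)
end
```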