From fda6fdd392a3c7169217b1e53bfb75a13e6930f9 Mon Sep 17 00:00:00 2001
From: Thong Kuah <tkuah@gitlab.com>
Date: Mon, 15 Oct 2018 13:42:02 +1300
Subject: Add policy for clusters on group level

- maintainer for group can read, create, update, and admin cluster
- project user, at any level, cannot do anything with group cluster
---
 app/policies/clusters/cluster_policy.rb       |  6 +---
 app/policies/group_policy.rb                  |  4 +++
 app/policies/project_policy.rb                |  2 ++
 spec/policies/clusters/cluster_policy_spec.rb | 42 +++++++++++++++++++++++++++
 spec/policies/group_policy_spec.rb            |  6 +++-
 spec/policies/project_policy_spec.rb          |  4 +--
 6 files changed, 56 insertions(+), 8 deletions(-)

diff --git a/app/policies/clusters/cluster_policy.rb b/app/policies/clusters/cluster_policy.rb
index 147943a3d6c..d6d590687e2 100644
--- a/app/policies/clusters/cluster_policy.rb
+++ b/app/policies/clusters/cluster_policy.rb
@@ -4,11 +4,7 @@ module Clusters
   class ClusterPolicy < BasePolicy
     alias_method :cluster, :subject
 
+    delegate { cluster.group }
     delegate { cluster.project }
-
-    rule { can?(:maintainer_access) }.policy do
-      enable :update_cluster
-      enable :admin_cluster
-    end
   end
 end
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 73c93b22c95..6b4e56ef5e4 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -65,6 +65,10 @@ class GroupPolicy < BasePolicy
     enable :create_projects
     enable :admin_pipeline
     enable :admin_build
+    enable :read_cluster
+    enable :create_cluster
+    enable :update_cluster
+    enable :admin_cluster
   end
 
   rule { owner }.policy do
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index a76a083bceb..1c082945299 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -258,6 +258,8 @@ class ProjectPolicy < BasePolicy
     enable :update_pages
     enable :read_cluster
     enable :create_cluster
+    enable :update_cluster
+    enable :admin_cluster
     enable :create_environment_terminal
   end
 
diff --git a/spec/policies/clusters/cluster_policy_spec.rb b/spec/policies/clusters/cluster_policy_spec.rb
index ced969830d8..b2f0ca1bc30 100644
--- a/spec/policies/clusters/cluster_policy_spec.rb
+++ b/spec/policies/clusters/cluster_policy_spec.rb
@@ -24,5 +24,47 @@ describe Clusters::ClusterPolicy, :models do
       it { expect(policy).to be_allowed :update_cluster }
       it { expect(policy).to be_allowed :admin_cluster }
     end
+
+    context 'group cluster' do
+      let(:cluster) { create(:cluster, :group) }
+      let(:group) { cluster.group }
+      let(:project) { create(:project, namespace: group) }
+
+      context 'when group developer' do
+        before do
+          group.add_developer(user)
+        end
+
+        it { expect(policy).to be_disallowed :update_cluster }
+        it { expect(policy).to be_disallowed :admin_cluster }
+      end
+
+      context 'when group maintainer' do
+        before do
+          group.add_maintainer(user)
+        end
+
+        it { expect(policy).to be_allowed :update_cluster }
+        it { expect(policy).to be_allowed :admin_cluster }
+      end
+
+      context 'when project maintainer' do
+        before do
+          project.add_maintainer(user)
+        end
+
+        it { expect(policy).to be_disallowed :update_cluster }
+        it { expect(policy).to be_disallowed :admin_cluster }
+      end
+
+      context 'when project developer' do
+        before do
+          project.add_developer(user)
+        end
+
+        it { expect(policy).to be_disallowed :update_cluster }
+        it { expect(policy).to be_disallowed :admin_cluster }
+      end
+    end
   end
 end
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb
index 5e583be457e..9d0093e8159 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -21,7 +21,11 @@ describe GroupPolicy do
 
   let(:maintainer_permissions) do
     [
-      :create_projects
+      :create_projects,
+      :read_cluster,
+      :create_cluster,
+      :update_cluster,
+      :admin_cluster
     ]
   end
 
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index b7ec35d6ec5..d6bc67a9d70 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -163,7 +163,7 @@ describe ProjectPolicy do
         :create_build, :read_build, :update_build, :admin_build, :destroy_build,
         :create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule,
         :create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment,
-        :create_cluster, :read_cluster, :update_cluster, :admin_cluster, :destroy_cluster,
+        :create_cluster, :read_cluster, :update_cluster, :admin_cluster,
         :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment
       ]
 
@@ -182,7 +182,7 @@ describe ProjectPolicy do
         :create_build, :read_build, :update_build, :admin_build, :destroy_build,
         :create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule,
         :create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment,
-        :create_cluster, :read_cluster, :update_cluster, :admin_cluster, :destroy_cluster,
+        :create_cluster, :read_cluster, :update_cluster, :admin_cluster,
         :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment
       ]
 
-- 
cgit v1.2.1