summaryrefslogtreecommitdiff
path: root/spec/finders/clusters/agent_authorizations_finder_spec.rb
blob: 687906db0d729fdb81637b6c55b617f75109df84 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124

# frozen_string_literal: true

require 'spec_helper'

RSpec.describe Clusters::AgentAuthorizationsFinder do
  describe '#execute' do
    let_it_be(:top_level_group) { create(:group) }
    let_it_be(:subgroup1) { create(:group, parent: top_level_group) }
    let_it_be(:subgroup2) { create(:group, parent: subgroup1) }
    let_it_be(:bottom_level_group) { create(:group, parent: subgroup2) }

    let_it_be(:agent_configuration_project) { create(:project, namespace: subgroup1) }
    let_it_be(:requesting_project, reload: true) { create(:project, namespace: bottom_level_group) }

    let_it_be(:staging_agent) { create(:cluster_agent, project: agent_configuration_project) }
    let_it_be(:production_agent) { create(:cluster_agent, project: agent_configuration_project) }

    subject { described_class.new(requesting_project).execute }

    shared_examples_for 'access_as' do
      let(:config) { { access_as: { access_as => {} } } }

      context 'agent' do
        let(:access_as) { :agent }

        it { is_expected.to match_array [authorization] }
      end

      context 'impersonate' do
        let(:access_as) { :impersonate }

        it { is_expected.to be_empty }
      end

      context 'ci_user' do
        let(:access_as) { :ci_user }

        it { is_expected.to be_empty }
      end

      context 'ci_job' do
        let(:access_as) { :ci_job }

        it { is_expected.to be_empty }
      end
    end

    describe 'project authorizations' do
      context 'agent configuration project does not share a root namespace with the given project' do
        let(:unrelated_agent) { create(:cluster_agent) }

        before do
          create(:agent_project_authorization, agent: unrelated_agent, project: requesting_project)
        end

        it { is_expected.to be_empty }
      end

      context 'with project authorizations present' do
        let!(:authorization) { create(:agent_project_authorization, agent: production_agent, project: requesting_project) }

        it { is_expected.to match_array [authorization] }
      end

      context 'with overlapping authorizations' do
        let!(:agent) { create(:cluster_agent, project: requesting_project) }
        let!(:project_authorization) { create(:agent_project_authorization, agent: agent, project: requesting_project) }
        let!(:group_authorization) { create(:agent_group_authorization, agent: agent, group: bottom_level_group) }

        it { is_expected.to match_array [project_authorization] }
      end

      it_behaves_like 'access_as' do
        let!(:authorization) { create(:agent_project_authorization, agent: production_agent, project: requesting_project, config: config) }
      end
    end

    describe 'implicit authorizations' do
      let!(:associated_agent) { create(:cluster_agent, project: requesting_project) }

      it 'returns authorizations for agents directly associated with the project' do
        expect(subject.count).to eq(1)

        authorization = subject.first
        expect(authorization).to be_a(Clusters::Agents::ImplicitAuthorization)
        expect(authorization.agent).to eq(associated_agent)
      end
    end

    describe 'authorized groups' do
      context 'agent configuration project is outside the requesting project hierarchy' do
        let(:unrelated_agent) { create(:cluster_agent) }

        before do
          create(:agent_group_authorization, agent: unrelated_agent, group: top_level_group)
        end

        it { is_expected.to be_empty }
      end

      context 'multiple agents are authorized for the same group' do
        let!(:staging_auth) { create(:agent_group_authorization, agent: staging_agent, group: bottom_level_group) }
        let!(:production_auth) { create(:agent_group_authorization, agent: production_agent, group: bottom_level_group) }

        it 'returns authorizations for all agents' do
          expect(subject).to contain_exactly(staging_auth, production_auth)
        end
      end

      context 'a single agent is authorized to more than one matching group' do
        let!(:bottom_level_auth) { create(:agent_group_authorization, agent: production_agent, group: bottom_level_group) }
        let!(:top_level_auth) { create(:agent_group_authorization, agent: production_agent, group: top_level_group) }

        it 'picks the authorization for the closest group to the requesting project' do
          expect(subject).to contain_exactly(bottom_level_auth)
        end
      end

      it_behaves_like 'access_as' do
        let!(:authorization) { create(:agent_group_authorization, agent: production_agent, group: top_level_group, config: config) }
      end
    end
  end
end
View Lorry Controller Status