author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-11-09 21:13:03 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-11-09 21:13:03 +0300 |
commit | 519f46346b22c1b7c1f4c2a4ce902e829354cb62 (patch) | |
tree | 568e97ac17a509445e9e6cf926ebaf47beeba9fb /spec/policies/group_policy_spec.rb | |
parent | 07f3c9525c1df3ae1da995ea4fe6dd66bb61b9fd (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'spec/policies/group_policy_spec.rb')
-rw-r--r-- | spec/policies/group_policy_spec.rb | 107 |
1 files changed, 34 insertions, 73 deletions
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb
index 042dbb09436..cb7884b141e 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -1110,103 +1110,53 @@ RSpec.describe GroupPolicy, feature_category: :system_access do
 it { is_expected.to be_allowed(:admin_dependency_proxy) }
 end
 
- shared_examples 'disallows all dependency proxy access' do
- it { is_expected.to be_disallowed(:read_dependency_proxy) }
- it { is_expected.to be_disallowed(:admin_dependency_proxy) }
- end
-
- shared_examples 'allows dependency proxy read access but not admin' do
- it { is_expected.to be_allowed(:read_dependency_proxy) }
- it { is_expected.to be_disallowed(:admin_dependency_proxy) }
- end
-
 context 'feature disabled' do
 let(:current_user) { owner }
 
- before do
- stub_config(dependency_proxy: { enabled: false })
- end
-
- it_behaves_like 'disallows all dependency proxy access'
+ it { is_expected.to be_disallowed(:read_dependency_proxy) }
+ it { is_expected.to be_disallowed(:admin_dependency_proxy) }
 end
 
 context 'feature enabled' do
 before do
- stub_config(dependency_proxy: { enabled: true }, registry: { enabled: true })
+ stub_config(dependency_proxy: { enabled: true })
 end
 
- context 'human user' do
- context 'reporter' do
- let(:current_user) { reporter }
-
- it_behaves_like 'allows dependency proxy read access but not admin'
- end
-
- context 'developer' do
- let(:current_user) { developer }
-
- it_behaves_like 'allows dependency proxy read access but not admin'
- end
-
- context 'maintainer' do
- let(:current_user) { maintainer }
-
- it_behaves_like 'allows dependency proxy read access but not admin'
- it_behaves_like 'disabling admin_package feature flag'
- end
-
- context 'owner' do
- let(:current_user) { owner }
-
- it { is_expected.to be_allowed(:read_dependency_proxy) }
- it { is_expected.to be_allowed(:admin_dependency_proxy) }
+ context 'reporter' do
+ let(:current_user) { reporter }
 
- it_behaves_like 'disabling admin_package feature flag'
- end
+ it { is_expected.to be_allowed(:read_dependency_proxy) }
+ it { is_expected.to be_disallowed(:admin_dependency_proxy) }
 end
 
- context 'deploy token user' do
- let!(:group_deploy_token) do
- create(:group_deploy_token, group: group, deploy_token: deploy_token)
- end
-
- subject { described_class.new(deploy_token, group) }
+ context 'developer' do
+ let(:current_user) { developer }
 
- context 'with insufficient scopes' do
- let_it_be(:deploy_token) { create(:deploy_token, :group) }
+ it { is_expected.to be_allowed(:read_dependency_proxy) }
+ it { is_expected.to be_disallowed(:admin_dependency_proxy) }
+ end
 
- it_behaves_like 'disallows all dependency proxy access'
- end
+ context 'maintainer' do
+ let(:current_user) { maintainer }
 
- context 'with sufficient scopes' do
- let_it_be(:deploy_token) { create(:deploy_token, :group, :dependency_proxy_scopes) }
+ it { is_expected.to be_allowed(:read_dependency_proxy) }
+ it { is_expected.to be_disallowed(:admin_dependency_proxy) }
 
- it_behaves_like 'allows dependency proxy read access but not admin'
- end
+ it_behaves_like 'disabling admin_package feature flag'
 end
 
- context 'group access token user' do
- let_it_be(:bot_user) { create(:user, :project_bot) }
- let_it_be(:token) { create(:personal_access_token, user: bot_user, scopes: [Gitlab::Auth::READ_API_SCOPE]) }
-
- subject { described_class.new(bot_user, group) }
-
- context 'not a member of the group' do
- it_behaves_like 'disallows all dependency proxy access'
- end
+ context 'owner' do
+ let(:current_user) { owner }
 
- context 'a member of the group' do
- before do
- group.add_guest(bot_user)
- end
+ it { is_expected.to be_allowed(:read_dependency_proxy) }
+ it { is_expected.to be_allowed(:admin_dependency_proxy) }
 
- it_behaves_like 'allows dependency proxy read access but not admin'
- end
+ it_behaves_like 'disabling admin_package feature flag'
 end
 end
 end
 
- context 'deploy token user' do
+ context 'deploy token access' do
 let!(:group_deploy_token) do
 create(:group_deploy_token, group: group, deploy_token: deploy_token)
 end
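Review bot: The `context 'feature disabled'` block on the new side no longer stubs any configuration, so its two `be_disallowed` expectations hold only if the dependency proxy is already off in the default test config; nothing visible in the hunk establishes that state. Because this is the deny path of an access-control policy, I would pin the precondition explicitly with `before { stub_config(dependency_proxy: { enabled: false }) }`, or at least document it with `# relies on dependency_proxy being disabled in the default test config` above the `let`. Otherwise a change in that default makes these examples fail for a reason unrelated to GroupPolicy. The enclosing `describe` block starts before the hunk, so an outer `before` may already cover this.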
@@ -1229,6 +1179,17 @@ RSpec.describe GroupPolicy, feature_category: :system_access do
 it { is_expected.to be_allowed(:read_group) }
 it { is_expected.to be_disallowed(:destroy_package) }
 end
+
+ context 'a deploy token with dependency proxy scopes' do
+ let_it_be(:deploy_token) { create(:deploy_token, :group, :dependency_proxy_scopes) }
+
+ before do
+ stub_config(dependency_proxy: { enabled: true })
+ end
+
+ it { is_expected.to be_allowed(:read_dependency_proxy) }
+ it { is_expected.to be_disallowed(:admin_dependency_proxy) }
+ end
 end
 
 it_behaves_like 'Self-managed Core resource access tokens' |
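Review bot: The added `'a deploy token with dependency proxy scopes'` context asserts only the allow path for `:read_dependency_proxy`; no example in this hunk checks that a group deploy token created without `:dependency_proxy_scopes` is denied it while the feature is enabled. The earlier contexts of `'deploy token access'` lie outside the hunk, so this may already be covered there. If it is not, I would add a sibling context with `let_it_be(:deploy_token) { create(:deploy_token, :group) }`, the same `stub_config(dependency_proxy: { enabled: true })`, and `it { is_expected.to be_disallowed(:read_dependency_proxy) }`. Without that deny-path example, a policy rule that stopped checking token scopes would still pass this spec.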