authorGitLab Bot <gitlab-bot@gitlab.com>2020-06-18 14:18:50 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2020-06-18 14:18:50 +0300
commit8c7f4e9d5f36cff46365a7f8c4b9c21578c1e781 (patch)
treea77e7fe7a93de11213032ed4ab1f33a3db51b738 /spec/policies
parent00b35af3db1abfe813a778f643dad221aad51fca (diff)
Add latest changes from gitlab-org/gitlab@13-1-stable-ee
Diffstat (limited to 'spec/policies')
-rw-r--r--spec/policies/ci/build_policy_spec.rb125
-rw-r--r--spec/policies/group_policy_spec.rb2
-rw-r--r--spec/policies/project_policy_spec.rb181
-rw-r--r--spec/policies/releases/source_policy_spec.rb88
4 files changed, 342 insertions, 54 deletions
diff --git a/spec/policies/ci/build_policy_spec.rb b/spec/policies/ci/build_policy_spec.rb
index f29ed26f2aa..5857369a550 100644
--- a/spec/policies/ci/build_policy_spec.rb
+++ b/spec/policies/ci/build_policy_spec.rb
@@ -249,4 +249,129 @@ describe Ci::BuildPolicy do
end
end
end
+
+ describe 'manage a web ide terminal' do
+ let(:build_permissions) { %i[read_web_ide_terminal create_build_terminal update_web_ide_terminal create_build_service_proxy] }
+ let_it_be(:maintainer) { create(:user) }
+ let(:owner) { create(:owner) }
+ let(:admin) { create(:admin) }
+ let(:maintainer) { create(:user) }
+ let(:developer) { create(:user) }
+ let(:reporter) { create(:user) }
+ let(:guest) { create(:user) }
+ let(:project) { create(:project, :public, namespace: owner.namespace) }
+ let(:pipeline) { create(:ci_empty_pipeline, project: project, source: :webide) }
+ let(:build) { create(:ci_build, pipeline: pipeline) }
+
+ before do
+ allow(build).to receive(:has_terminal?).and_return(true)
+
+ project.add_maintainer(maintainer)
+ project.add_developer(developer)
+ project.add_reporter(reporter)
+ project.add_guest(guest)
+ end
+
+ subject { described_class.new(current_user, build) }
+
+ context 'when create_web_ide_terminal access enabled' do
+ context 'with admin' do
+ let(:current_user) { admin }
+
+ context 'when admin mode enabled', :enable_admin_mode do
+ it { expect_allowed(*build_permissions) }
+ end
+
+ context 'when admin mode disabled' do
+ it { expect_disallowed(*build_permissions) }
+ end
+
+ context 'when build is not from a webide pipeline' do
+ let(:pipeline) { create(:ci_empty_pipeline, project: project, source: :chat) }
+
+ it { expect_disallowed(:read_web_ide_terminal, :update_web_ide_terminal, :create_build_service_proxy) }
+ end
+
+ context 'when build has no runner terminal' do
+ before do
+ allow(build).to receive(:has_terminal?).and_return(false)
+ end
+
+ context 'when admin mode enabled', :enable_admin_mode do
+ it { expect_allowed(:read_web_ide_terminal, :update_web_ide_terminal) }
+ it { expect_disallowed(:create_build_terminal, :create_build_service_proxy) }
+ end
+
+ context 'when admin mode disabled' do
+ it { expect_disallowed(:read_web_ide_terminal, :update_web_ide_terminal) }
+ it { expect_disallowed(:create_build_terminal, :create_build_service_proxy) }
+ end
+ end
+
+ context 'feature flag "build_service_proxy" is disabled' do
+ before do
+ stub_feature_flags(build_service_proxy: false)
+ end
+
+ it { expect_disallowed(:create_build_service_proxy) }
+ end
+ end
+
+ shared_examples 'allowed build owner access' do
+ it { expect_disallowed(*build_permissions) }
+
+ context 'when user is the owner of the job' do
+ let(:build) { create(:ci_build, pipeline: pipeline, user: current_user) }
+
+ it { expect_allowed(*build_permissions) }
+ end
+ end
+
+ shared_examples 'forbidden access' do
+ it { expect_disallowed(*build_permissions) }
+
+ context 'when user is the owner of the job' do
+ let(:build) { create(:ci_build, pipeline: pipeline, user: current_user) }
+
+ it { expect_disallowed(*build_permissions) }
+ end
+ end
+
+ context 'with owner' do
+ let(:current_user) { owner }
+
+ it_behaves_like 'allowed build owner access'
+ end
+
+ context 'with maintainer' do
+ let(:current_user) { maintainer }
+
+ it_behaves_like 'allowed build owner access'
+ end
+
+ context 'with developer' do
+ let(:current_user) { developer }
+
+ it_behaves_like 'forbidden access'
+ end
+
+ context 'with reporter' do
+ let(:current_user) { reporter }
+
+ it_behaves_like 'forbidden access'
+ end
+
+ context 'with guest' do
+ let(:current_user) { guest }
+
+ it_behaves_like 'forbidden access'
+ end
+
+ context 'with non member' do
+ let(:current_user) { create(:user) }
+
+ it_behaves_like 'forbidden access'
+ end
+ end
+ end
end
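Review bot: The `when build is not from a webide pipeline` and `feature flag "build_service_proxy" is disabled` contexts under `with admin` carry no `:enable_admin_mode` tag, so their denials prove little. The sibling `when admin mode disabled` context already shows every one of these permissions is denied in that state, so both `expect_disallowed` assertions appear to pass even if the pipeline-source check or the feature flag had no effect. Tagging them, e.g. `context 'when build is not from a webide pipeline', :enable_admin_mode do`, would make the denial attributable to the condition under test. Separately, `let_it_be(:maintainer)` is redefined three lines later by `let(:maintainer) { create(:user) }`, so one of the two definitions should be dropped. The outer context title `when create_web_ide_terminal access enabled` also has no visible setup that enables anything, so the name may mislead readers of a failure report.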
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb
index 9faddfd00e5..6b17a8285a2 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -175,7 +175,7 @@ describe GroupPolicy do
nested_group.add_guest(developer)
nested_group.add_guest(maintainer)
- group.owners.destroy_all # rubocop: disable DestroyAll
+ group.owners.destroy_all # rubocop: disable Cop/DestroyAll
group.add_guest(owner)
nested_group.add_owner(owner)
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index f91d5658626..6ec63ba61ca 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -219,41 +219,16 @@ describe ProjectPolicy do
project.project_feature.update!(builds_access_level: ProjectFeature::DISABLED)
end
- context 'without metrics_dashboard_allowed' do
- before do
- project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::DISABLED)
- end
-
- it 'disallows all permissions except pipeline when the feature is disabled' do
- builds_permissions = [
- :create_build, :read_build, :update_build, :admin_build, :destroy_build,
- :create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule,
- :create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment,
- :create_cluster, :read_cluster, :update_cluster, :admin_cluster, :destroy_cluster,
- :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment
- ]
-
- expect_disallowed(*builds_permissions)
- end
- end
-
- context 'with metrics_dashboard_allowed' do
- before do
- project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::ENABLED)
- end
+ it 'disallows all permissions except pipeline when the feature is disabled' do
+ builds_permissions = [
+ :create_build, :read_build, :update_build, :admin_build, :destroy_build,
+ :create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule,
+ :create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment,
+ :create_cluster, :read_cluster, :update_cluster, :admin_cluster, :destroy_cluster,
+ :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment
+ ]
- it 'disallows all permissions except pipeline and read_environment when the feature is disabled' do
- builds_permissions = [
- :create_build, :read_build, :update_build, :admin_build, :destroy_build,
- :create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule,
- :create_environment, :update_environment, :admin_environment, :destroy_environment,
- :create_cluster, :read_cluster, :update_cluster, :admin_cluster, :destroy_cluster,
- :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment
- ]
-
- expect_disallowed(*builds_permissions)
- expect_allowed(:read_environment)
- end
+ expect_disallowed(*builds_permissions)
end
end
@@ -301,25 +276,8 @@ describe ProjectPolicy do
)
end
- context 'without metrics_dashboard_allowed' do
- before do
- project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::DISABLED)
- end
-
- it 'disallows all permissions when the feature is disabled' do
- expect_disallowed(*repository_permissions)
- end
- end
-
- context 'with metrics_dashboard_allowed' do
- before do
- project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::ENABLED)
- end
-
- it 'disallows all permissions but read_environment when the feature is disabled' do
- expect_disallowed(*(repository_permissions - [:read_environment]))
- expect_allowed(:read_environment)
- end
+ it 'disallows all permissions' do
+ expect_disallowed(*repository_permissions)
end
end
end
@@ -817,4 +775,121 @@ describe ProjectPolicy do
it { is_expected.to be_disallowed(:destroy_package) }
end
end
+
+ describe 'create_web_ide_terminal' do
+ subject { described_class.new(current_user, project) }
+
+ context 'with admin' do
+ let(:current_user) { admin }
+
+ context 'when admin mode enabled', :enable_admin_mode do
+ it { is_expected.to be_allowed(:create_web_ide_terminal) }
+ end
+
+ context 'when admin mode disabled' do
+ it { is_expected.to be_disallowed(:create_web_ide_terminal) }
+ end
+ end
+
+ context 'with owner' do
+ let(:current_user) { owner }
+
+ it { is_expected.to be_allowed(:create_web_ide_terminal) }
+ end
+
+ context 'with maintainer' do
+ let(:current_user) { maintainer }
+
+ it { is_expected.to be_allowed(:create_web_ide_terminal) }
+ end
+
+ context 'with developer' do
+ let(:current_user) { developer }
+
+ it { is_expected.to be_disallowed(:create_web_ide_terminal) }
+ end
+
+ context 'with reporter' do
+ let(:current_user) { reporter }
+
+ it { is_expected.to be_disallowed(:create_web_ide_terminal) }
+ end
+
+ context 'with guest' do
+ let(:current_user) { guest }
+
+ it { is_expected.to be_disallowed(:create_web_ide_terminal) }
+ end
+
+ context 'with non member' do
+ let(:current_user) { create(:user) }
+
+ it { is_expected.to be_disallowed(:create_web_ide_terminal) }
+ end
+
+ context 'with anonymous' do
+ let(:current_user) { nil }
+
+ it { is_expected.to be_disallowed(:create_web_ide_terminal) }
+ end
+ end
+
+ describe 'read_repository_graphs' do
+ subject { described_class.new(guest, project) }
+
+ before do
+ allow(subject).to receive(:allowed?).with(:read_repository_graphs).and_call_original
+ allow(subject).to receive(:allowed?).with(:download_code).and_return(can_download_code)
+ end
+
+ context 'when user can download_code' do
+ let(:can_download_code) { true }
+
+ it { is_expected.to be_allowed(:read_repository_graphs) }
+ end
+
+ context 'when user cannot download_code' do
+ let(:can_download_code) { false }
+
+ it { is_expected.to be_disallowed(:read_repository_graphs) }
+ end
+ end
+
+ describe 'read_build_report_results' do
+ subject { described_class.new(guest, project) }
+
+ before do
+ allow(subject).to receive(:allowed?).with(:read_build_report_results).and_call_original
+ allow(subject).to receive(:allowed?).with(:read_build).and_return(can_read_build)
+ allow(subject).to receive(:allowed?).with(:read_pipeline).and_return(can_read_pipeline)
+ end
+
+ context 'when user can read_build and read_pipeline' do
+ let(:can_read_build) { true }
+ let(:can_read_pipeline) { true }
+
+ it { is_expected.to be_allowed(:read_build_report_results) }
+ end
+
+ context 'when user can read_build but cannot read_pipeline' do
+ let(:can_read_build) { true }
+ let(:can_read_pipeline) { false }
+
+ it { is_expected.to be_disallowed(:read_build_report_results) }
+ end
+
+ context 'when user cannot read_build but can read_pipeline' do
+ let(:can_read_build) { false }
+ let(:can_read_pipeline) { true }
+
+ it { is_expected.to be_disallowed(:read_build_report_results) }
+ end
+
+ context 'when user cannot read_build and cannot read_pipeline' do
+ let(:can_read_build) { false }
+ let(:can_read_pipeline) { false }
+
+ it { is_expected.to be_disallowed(:read_build_report_results) }
+ end
+ end
end
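Review bot: The `read_repository_graphs` and `read_build_report_results` examples stub `allowed?` on the policy object under test, so they only pin how the rule is wired to `download_code`, `read_build` and `read_pipeline`. They would keep passing if those underlying abilities changed for a real guest, so at least one unstubbed example per ability, using actual membership and project visibility, would cover the effective authorization decision. The stubs are also constrained with `.with(...)` and have no catch-all, so any other ability evaluated through `allowed?` would raise on unexpected arguments; declaring `allow(subject).to receive(:allowed?).and_call_original` first in each `before` avoids that. `guest`, `project` and the role users in the `create_web_ide_terminal` block are defined outside this hunk, so their setup cannot be checked here.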
diff --git a/spec/policies/releases/source_policy_spec.rb b/spec/policies/releases/source_policy_spec.rb
new file mode 100644
index 00000000000..1bc6d5415d3
--- /dev/null
+++ b/spec/policies/releases/source_policy_spec.rb
@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Releases::SourcePolicy do
+ using RSpec::Parameterized::TableSyntax
+
+ let(:policy) { described_class.new(user, source) }
+
+ let_it_be(:public_user) { create(:user) }
+ let_it_be(:guest) { create(:user) }
+ let_it_be(:reporter) { create(:user) }
+
+ let(:release) { create(:release, project: project) }
+ let(:source) { release.sources.first }
+
+ shared_examples 'source code access' do
+ it "allows access a release's source code" do
+ expect(policy).to be_allowed(:read_release_sources)
+ end
+ end
+
+ shared_examples 'no source code access' do
+ it "does not allow access a release's source code" do
+ expect(policy).to be_disallowed(:read_release_sources)
+ end
+ end
+
+ context 'a private project' do
+ let_it_be(:project) { create(:project, :private) }
+
+ context 'accessed by a public user' do
+ let(:user) { public_user }
+
+ it_behaves_like 'no source code access'
+ end
+
+ context 'accessed by a user with Guest permissions' do
+ let(:user) { guest }
+
+ before do
+ project.add_guest(user)
+ end
+
+ it_behaves_like 'no source code access'
+ end
+
+ context 'accessed by a user with Reporter permissions' do
+ let(:user) { reporter }
+
+ before do
+ project.add_reporter(user)
+ end
+
+ it_behaves_like 'source code access'
+ end
+ end
+
+ context 'a public project' do
+ let_it_be(:project) { create(:project, :public) }
+
+ context 'accessed by a public user' do
+ let(:user) { public_user }
+
+ it_behaves_like 'source code access'
+ end
+
+ context 'accessed by a user with Guest permissions' do
+ let(:user) { guest }
+
+ before do
+ project.add_guest(user)
+ end
+
+ it_behaves_like 'source code access'
+ end
+
+ context 'accessed by a user with Reporter permissions' do
+ let(:user) { reporter }
+
+ before do
+ project.add_reporter(user)
+ end
+
+ it_behaves_like 'source code access'
+ end
+ end
+end
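Review bot: `using RSpec::Parameterized::TableSyntax` at the top of the describe block is never used, since the file has no `where` table. Either drop the line or use a table to collapse the six near-identical role/visibility contexts. Coverage also stops at signed-in users: there is no example with `user` set to `nil`, so anonymous access to `read_release_sources` on public and private projects is untested. The example titles read better as `"allows access to a release's source code"` and `"does not allow access to a release's source code"`.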