diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-09-15 21:10:36 +0300 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-09-15 21:10:36 +0300 |
| commit | 99aa31992d4398d35c9df4854f5fb494984a9e0b (patch) | |
| tree | c2ca79f7ea8e5daaf8e62b5d523a986331d97647 /spec/policies | |
| parent | 229395d3af51cd46a9179f2eba142c027d08b208 (diff) | |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'spec/policies')
| -rw-r--r-- | spec/policies/ci/runner_policy_spec.rb | 160 |
1 files changed, 160 insertions, 0 deletions
diff --git a/spec/policies/ci/runner_policy_spec.rb b/spec/policies/ci/runner_policy_spec.rb new file mode 100644 index 00000000000..880ff0722fa --- /dev/null +++ b/spec/policies/ci/runner_policy_spec.rb @@ -0,0 +1,160 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe Ci::RunnerPolicy do + describe 'ability :read_runner' do + let_it_be(:guest) { create(:user) } + let_it_be(:developer) { create(:user) } + let_it_be(:owner) { create(:user) } + + let_it_be(:group1) { create(:group, name: 'top-level', path: 'top-level') } + let_it_be(:subgroup1) { create(:group, name: 'subgroup1', path: 'subgroup1', parent: group1) } + let_it_be(:project1) { create(:project, group: subgroup1) } + let_it_be(:instance_runner) { create(:ci_runner, :instance) } + let_it_be(:group1_runner) { create(:ci_runner, :group, groups: [group1]) } + let_it_be(:project1_runner) { create(:ci_runner, :project, projects: [project1]) } + + subject(:policy) { described_class.new(user, runner) } + + before do + group1.add_guest(guest) + group1.add_developer(developer) + group1.add_owner(owner) + end + + shared_context 'on hierarchy with shared runners disabled' do + around do |example| + group1.update!(shared_runners_enabled: false) + project1.update!(shared_runners_enabled: false) + + example.run + ensure + project1.update!(shared_runners_enabled: true) + group1.update!(shared_runners_enabled: true) + end + end + + shared_context 'on hierarchy with group runners disabled' do + around do |example| + project1.update!(group_runners_enabled: false) + + example.run + ensure + project1.update!(group_runners_enabled: true) + end + end + + shared_examples 'does not allow reading runners on any scope' do + context 'with instance runner' do + let(:runner) { instance_runner } + + it { expect_disallowed :read_runner } + + context 'with shared runners disabled' do + include_context 'on hierarchy with shared runners disabled' do + it { expect_disallowed :read_runner } + end + end + end + + context 'with group runner' do + let(:runner) { group1_runner } + + it { expect_disallowed :read_runner } + + context 'with group runner disabled' do + include_context 'on hierarchy with group runners disabled' do + it { expect_disallowed :read_runner } + end + end + end + + context 'with project runner' do + let(:runner) { project1_runner } + + it { expect_disallowed :read_runner } + end + end + + context 'without access' do + let_it_be(:user) { create(:user) } + + it_behaves_like 'does not allow reading runners on any scope' + end + + context 'with guest access' do + let(:user) { guest } + + it_behaves_like 'does not allow reading runners on any scope' + end + + context 'with developer access' do + let(:user) { developer } + + context 'with instance runner' do + let(:runner) { instance_runner } + + it { expect_allowed :read_runner } + + context 'with shared runners disabled' do + include_context 'on hierarchy with shared runners disabled' do + it { expect_disallowed :read_runner } + end + end + end + + context 'with group runner' do + let(:runner) { group1_runner } + + it { expect_allowed :read_runner } + + context 'with group runner disabled' do + include_context 'on hierarchy with group runners disabled' do + it { expect_disallowed :read_runner } + end + end + end + + context 'with project runner' do + let(:runner) { project1_runner } + + it { expect_disallowed :read_runner } + end + end + + context 'with owner access' do + let(:user) { owner } + + context 'with instance runner' do + let(:runner) { instance_runner } + + context 'with shared runners disabled' do + include_context 'on hierarchy with shared runners disabled' do + it { expect_disallowed :read_runner } + end + end + + it { expect_allowed :read_runner } + end + + context 'with group runner' do + let(:runner) { group1_runner } + + context 'with group runners disabled' do + include_context 'on hierarchy with group runners disabled' do + it { expect_allowed :read_runner } + end + end + + it { expect_allowed :read_runner } + end + + context 'with project runner' do + let(:runner) { project1_runner } + + it { expect_allowed :read_runner } + end + end + end +end |