Add latest changes from gitlab-org/gitlab@master

8 files changed, 387 insertions, 0 deletions

diff --git a/spec/features/groups/navbar_spec.rb b/spec/features/groups/navbar_spec.rb
index b140e680012..b3fb563a202 100644
--- a/spec/features/groups/navbar_spec.rb
+++ b/spec/features/groups/navbar_spec.rb
@@ -19,6 +19,7 @@ RSpec.describe 'Group navbar' do
     stub_config(dependency_proxy: { enabled: false })
     stub_config(registry: { enabled: false })
     stub_feature_flags(harbor_registry_integration: false)
+    stub_feature_flags(observability_group_tab: false)
     stub_group_wikis(false)
     group.add_maintainer(user)
     sign_in(user)
@@ -95,4 +96,16 @@ RSpec.describe 'Group navbar' do
 
     it_behaves_like 'verified navigation bar'
   end
+
+  context 'when observability tab is enabled' do
+    before do
+      stub_feature_flags(observability_group_tab: true)
+
+      insert_observability_nav
+
+      visit group_path(group)
+    end
+
+    it_behaves_like 'verified navigation bar'
+  end
 end
diff --git a/spec/lib/sidebars/groups/menus/observability_menu_spec.rb b/spec/lib/sidebars/groups/menus/observability_menu_spec.rb
new file mode 100644
index 00000000000..3a91b1aea2f
--- /dev/null
+++ b/spec/lib/sidebars/groups/menus/observability_menu_spec.rb
@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Sidebars::Groups::Menus::ObservabilityMenu do
+  let_it_be(:owner) { create(:user) }
+  let_it_be(:root_group) do
+    build(:group, :private).tap do |g|
+      g.add_owner(owner)
+    end
+  end
+
+  let(:group) { root_group }
+  let(:user) { owner }
+  let(:context) { Sidebars::Groups::Context.new(current_user: user, container: group) }
+  let(:menu) { described_class.new(context) }
+
+  describe '#render?' do
+    before do
+      allow(menu).to receive(:can?).and_call_original
+    end
+
+    context 'when user can :read_observability' do
+      before do
+        allow(menu).to receive(:can?).with(user, :read_observability, group).and_return(true)
+      end
+
+      it 'returns true' do
+        expect(menu.render?).to eq true
+      end
+    end
+
+    context 'when user cannot :read_observability' do
+      before do
+        allow(menu).to receive(:can?).with(user, :read_observability, group).and_return(false)
+      end
+
+      it 'returns false' do
+        expect(menu.render?).to eq false
+      end
+    end
+  end
+end
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb
index 8fb02dc0f68..da0270c15b9 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -916,6 +916,74 @@ RSpec.describe GroupPolicy do
     end
   end
 
+  describe 'observability' do
+    using RSpec::Parameterized::TableSyntax
+
+    let(:allowed) { be_allowed(:read_observability) }
+    let(:disallowed) { be_disallowed(:read_observability) }
+
+    # rubocop:disable Layout/LineLength
+    where(:feature_enabled, :admin_matcher, :owner_matcher, :maintainer_matcher, :developer_matcher, :reporter_matcher, :guest_matcher, :non_member_matcher, :anonymous_matcher) do
+      false | ref(:disallowed) | ref(:disallowed) | ref(:disallowed) | ref(:disallowed) | ref(:disallowed) | ref(:disallowed) | ref(:disallowed) | ref(:disallowed)
+      true | ref(:allowed) | ref(:allowed) | ref(:allowed) | ref(:allowed) | ref(:disallowed) | ref(:disallowed) | ref(:disallowed) | ref(:disallowed)
+    end
+    # rubocop:enable Layout/LineLength
+
+    with_them do
+      before do
+        stub_feature_flags(observability_group_tab: feature_enabled)
+      end
+
+      context 'admin', :enable_admin_mode do
+        let(:current_user) { admin }
+
+        it { is_expected.to admin_matcher }
+      end
+
+      context 'owner' do
+        let(:current_user) { owner }
+
+        it { is_expected.to owner_matcher }
+      end
+
+      context 'maintainer' do
+        let(:current_user) { maintainer }
+
+        it { is_expected.to maintainer_matcher }
+      end
+
+      context 'developer' do
+        let(:current_user) { developer }
+
+        it { is_expected.to developer_matcher }
+      end
+
+      context 'reporter' do
+        let(:current_user) { reporter }
+
+        it { is_expected.to reporter_matcher }
+      end
+
+      context 'with guest' do
+        let(:current_user) { guest }
+
+        it { is_expected.to guest_matcher }
+      end
+
+      context 'with non member' do
+        let(:current_user) { create(:user) }
+
+        it { is_expected.to non_member_matcher }
+      end
+
+      context 'with anonymous' do
+        let(:current_user) { nil }
+
+        it { is_expected.to anonymous_matcher }
+      end
+    end
+  end
+
   describe 'dependency proxy' do
     context 'feature disabled' do
       let(:current_user) { owner }
diff --git a/spec/requests/groups/observability_controller_spec.rb b/spec/requests/groups/observability_controller_spec.rb
new file mode 100644
index 00000000000..9be013d4385
--- /dev/null
+++ b/spec/requests/groups/observability_controller_spec.rb
@@ -0,0 +1,190 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Groups::ObservabilityController do
+  include ContentSecurityPolicyHelpers
+
+  let_it_be(:group) { create(:group) }
+  let_it_be(:user) { create(:user) }
+
+  subject do
+    get group_observability_index_path(group)
+    response
+  end
+
+  describe 'GET #index' do
+    context 'when user is not authenticated' do
+      it 'returns 404' do
+        expect(subject).to have_gitlab_http_status(:not_found)
+      end
+    end
+
+    context 'when observability url is missing' do
+      before do
+        allow(described_class).to receive(:observability_url).and_return("")
+      end
+
+      it 'returns 404' do
+        expect(subject).to have_gitlab_http_status(:not_found)
+      end
+    end
+
+    context 'when user is not a developer' do
+      before do
+        sign_in(user)
+      end
+
+      it 'returns 404' do
+        expect(subject).to have_gitlab_http_status(:not_found)
+      end
+    end
+
+    context 'when user is authenticated and a developer' do
+      before do
+        sign_in(user)
+        group.add_developer(user)
+      end
+
+      it 'returns 200' do
+        expect(subject).to have_gitlab_http_status(:ok)
+      end
+
+      it 'renders the proper layout' do
+        expect(subject).to render_template("layouts/group")
+        expect(subject).to render_template("layouts/fullscreen")
+        expect(subject).not_to render_template('layouts/nav/breadcrumbs')
+        expect(subject).to render_template("nav/sidebar/_group")
+      end
+
+      describe 'iframe' do
+        subject do
+          get group_observability_index_path(group)
+          Nokogiri::HTML.parse(response.body).at_css('iframe#observability-ui-iframe')
+        end
+
+        it 'sets the iframe src to the proper URL' do
+          expect(subject.attributes['src'].value).to eq("https://observe.gitlab.com/-/#{group.id}")
+        end
+
+        it 'when the env is staging, sets the iframe src to the proper URL' do
+          stub_config_setting(url: Gitlab::Saas.staging_com_url)
+          expect(subject.attributes['src'].value).to eq("https://staging.observe.gitlab.com/-/#{group.id}")
+        end
+
+        it 'overrides the iframe src url if specified by OVERRIDE_OBSERVABILITY_URL env' do
+          stub_env('OVERRIDE_OBSERVABILITY_URL', 'http://foo.test')
+
+          expect(subject.attributes['src'].value).to eq("http://foo.test/-/#{group.id}")
+        end
+      end
+
+      describe 'CSP' do
+        before do
+          setup_existing_csp_for_controller(described_class, csp)
+        end
+
+        subject do
+          get group_observability_index_path(group)
+          response.headers['Content-Security-Policy']
+        end
+
+        context 'when there is no CSP config' do
+          let(:csp) { ActionDispatch::ContentSecurityPolicy.new }
+
+          it 'does not add any csp header' do
+            expect(subject).to be_blank
+          end
+        end
+
+        context 'when frame-src exists in the CSP config' do
+          let(:csp) do
+            ActionDispatch::ContentSecurityPolicy.new do |p|
+              p.frame_src 'https://something.test'
+            end
+          end
+
+          it 'appends the proper url to frame-src CSP directives' do
+            expect(subject).to include(
+              "frame-src https://something.test https://observe.gitlab.com 'self'")
+          end
+
+          it 'appends the proper url to frame-src CSP directives when Gilab.staging?' do
+            stub_config_setting(url: Gitlab::Saas.staging_com_url)
+
+            expect(subject).to include(
+              "frame-src https://something.test https://staging.observe.gitlab.com 'self'")
+          end
+
+          it 'appends the proper url to frame-src CSP directives when OVERRIDE_OBSERVABILITY_URL is specified' do
+            stub_env('OVERRIDE_OBSERVABILITY_URL', 'http://foo.test')
+
+            expect(subject).to include(
+              "frame-src https://something.test http://foo.test 'self'")
+          end
+        end
+
+        context 'when self is already present in the policy' do
+          let(:csp) do
+            ActionDispatch::ContentSecurityPolicy.new do |p|
+              p.frame_src "'self'"
+            end
+          end
+
+          it 'does not append self again' do
+            expect(subject).to include(
+              "frame-src 'self' https://observe.gitlab.com;")
+          end
+        end
+
+        context 'when default-src exists in the CSP config' do
+          let(:csp) do
+            ActionDispatch::ContentSecurityPolicy.new do |p|
+              p.default_src 'https://something.test'
+            end
+          end
+
+          it 'does not change default-src' do
+            expect(subject).to include(
+              "default-src https://something.test;")
+          end
+
+          it 'appends the proper url to frame-src CSP directives' do
+            expect(subject).to include(
+              "frame-src https://something.test https://observe.gitlab.com 'self'")
+          end
+
+          it 'appends the proper url to frame-src CSP directives when Gilab.staging?' do
+            stub_config_setting(url: Gitlab::Saas.staging_com_url)
+
+            expect(subject).to include(
+              "frame-src https://something.test https://staging.observe.gitlab.com 'self'")
+          end
+
+          it 'appends the proper url to frame-src CSP directives when OVERRIDE_OBSERVABILITY_URL is specified' do
+            stub_env('OVERRIDE_OBSERVABILITY_URL', 'http://foo.test')
+
+            expect(subject).to include(
+              "frame-src https://something.test http://foo.test 'self'")
+          end
+        end
+
+        context 'when frame-src and default-src exist in the CSP config' do
+          let(:csp) do
+            ActionDispatch::ContentSecurityPolicy.new do |p|
+              p.default_src 'https://something_default.test'
+              p.frame_src 'https://something.test'
+            end
+          end
+
+          it 'appends to frame-src CSP directives' do
+            expect(subject).to include(
+              "frame-src https://something.test https://observe.gitlab.com 'self'")
+            expect(subject).to include(
+              "default-src https://something_default.test")
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/spec/routing/group_routing_spec.rb b/spec/routing/group_routing_spec.rb
index 9f5f821cc61..ae69b222280 100644
--- a/spec/routing/group_routing_spec.rb
+++ b/spec/routing/group_routing_spec.rb
@@ -71,6 +71,10 @@ RSpec.shared_examples 'groups routing' do
   it 'routes to the harbor tags controller' do
     expect(get("groups/#{group_path}/-/harbor/repositories/test/artifacts/test/tags")).to route_to('groups/harbor/tags#index', group_id: group_path, repository_id: 'test', artifact_id: 'test')
   end
+
+  it 'routes to the observability controller' do
+    expect(get("groups/#{group_path}/-/observability")).to route_to('groups/observability#index', group_id: group_path)
+  end
 end
 
 RSpec.describe "Groups", "routing" do
diff --git a/spec/support/helpers/navbar_structure_helper.rb b/spec/support/helpers/navbar_structure_helper.rb
index 3d51c022b39..b44552d6479 100644
--- a/spec/support/helpers/navbar_structure_helper.rb
+++ b/spec/support/helpers/navbar_structure_helper.rb
@@ -85,6 +85,16 @@ module NavbarStructureHelper
     )
   end
 
+  def insert_observability_nav
+    insert_after_nav_item(
+      _('Kubernetes'),
+      new_nav_item: {
+        nav_item: _('Observability'),
+        nav_sub_items: []
+      }
+    )
+  end
+
   def insert_infrastructure_google_cloud_nav
     insert_after_sub_nav_item(
       _('Terraform'),
diff --git a/spec/views/groups/observability.html.haml_spec.rb b/spec/views/groups/observability.html.haml_spec.rb
new file mode 100644
index 00000000000..db280d5a2ba
--- /dev/null
+++ b/spec/views/groups/observability.html.haml_spec.rb
@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'groups/observability/index' do
+  let_it_be(:iframe_url) { "foo.test" }
+
+  before do
+    assign(:observability_iframe_src, iframe_url)
+  end
+
+  it 'renders as expected' do
+    render
+    page = Capybara.string(rendered)
+    iframe = page.find('iframe#observability-ui-iframe')
+    expect(iframe['src']).to eq(iframe_url)
+  end
+end
diff --git a/spec/views/layouts/fullscreen.html.haml_spec.rb b/spec/views/layouts/fullscreen.html.haml_spec.rb
index 0ae2c76ebcb..14b382bc238 100644
--- a/spec/views/layouts/fullscreen.html.haml_spec.rb
+++ b/spec/views/layouts/fullscreen.html.haml_spec.rb
@@ -9,5 +9,46 @@ RSpec.describe 'layouts/fullscreen' do
     allow(view).to receive(:current_user_mode).and_return(Gitlab::Auth::CurrentUserMode.new(user))
   end
 
+  it 'renders a flex container' do
+    render
+
+    expect(rendered).to have_selector(".gl--flex-full.gl-h-full")
+    expect(rendered).to have_selector(".gl--flex-full.gl-w-full")
+  end
+
   it_behaves_like 'a layout which reflects the application theme setting'
+
+  describe 'sidebar' do
+    context 'when nav is set' do
+      before do
+        allow(view).to receive(:nav).and_return("admin")
+        render
+      end
+
+      it 'renders the sidebar' do
+        expect(rendered).to render_template("layouts/nav/sidebar/_admin")
+        expect(rendered).to have_selector("aside.nav-sidebar")
+      end
+
+      it 'adds the proper classes' do
+        expect(rendered).to have_selector(".layout-page.gl-mt-0\\!")
+      end
+    end
+
+    describe 'when nav is not set' do
+      before do
+        allow(view).to receive(:nav).and_return(nil)
+        render
+      end
+
+      it 'does not render the sidebar' do
+        expect(rendered).not_to render_template("layouts/nav/sidebar/_admin")
+        expect(rendered).not_to have_selector("aside.nav-sidebar")
+      end
+
+      it 'not add classes' do
+        expect(rendered).not_to have_selector(".layout-page.gl-mt-0\\!")
+      end
+    end
+  end
 end