
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
Diffstat (limited to 'spec/controllers/groups')
-rw-r--r--spec/controllers/groups/clusters_controller_spec.rb188
-rw-r--r--spec/controllers/groups/dependency_proxy_auth_controller_spec.rb12
-rw-r--r--spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb26
-rw-r--r--spec/controllers/groups/releases_controller_spec.rb26
-rw-r--r--spec/controllers/groups/runners_controller_spec.rb201
-rw-r--r--spec/controllers/groups/settings/ci_cd_controller_spec.rb75
-rw-r--r--spec/controllers/groups/shared_projects_controller_spec.rb3
-rw-r--r--spec/controllers/groups/uploads_controller_spec.rb163
8 files changed, 166 insertions, 528 deletions
diff --git a/spec/controllers/groups/clusters_controller_spec.rb b/spec/controllers/groups/clusters_controller_spec.rb
index 4eeae64b760..4b82c5ceb1c 100644
--- a/spec/controllers/groups/clusters_controller_spec.rb
+++ b/spec/controllers/groups/clusters_controller_spec.rb
@@ -115,95 +115,6 @@ RSpec.describe Groups::ClustersController do
end
end
- describe 'GET new' do
- def go(provider: 'gcp')
- get :new, params: { group_id: group, provider: provider }
- end
-
- include_examples ':certificate_based_clusters feature flag controller responses' do
- let(:subject) { go }
- end
-
- describe 'functionality for new cluster' do
- context 'when omniauth has been configured' do
- let(:key) { 'secret-key' }
- let(:session_key_for_redirect_uri) do
- GoogleApi::CloudPlatform::Client.session_key_for_redirect_uri(key)
- end
-
- before do
- allow(SecureRandom).to receive(:hex).and_return(key)
- end
-
- it 'redirects to gcp authorize_url' do
- go
-
- expect(assigns(:authorize_url)).to include(key)
- expect(session[session_key_for_redirect_uri]).to eq(new_group_cluster_path(group, provider: :gcp))
- expect(response).to redirect_to(assigns(:authorize_url))
- end
- end
-
- context 'when omniauth has not configured' do
- before do
- stub_omniauth_setting(providers: [])
- end
-
- it 'does not have authorize_url' do
- go
-
- expect(assigns(:authorize_url)).to be_nil
- end
- end
-
- context 'when access token is valid' do
- before do
- stub_google_api_validate_token
- end
-
- it 'has new object' do
- go
-
- expect(assigns(:gcp_cluster)).to be_an_instance_of(Clusters::ClusterPresenter)
- end
- end
-
- context 'when access token is expired' do
- before do
- stub_google_api_expired_token
- end
-
- it { expect(@valid_gcp_token).to be_falsey }
- end
-
- context 'when access token is not stored in session' do
- it { expect(@valid_gcp_token).to be_falsey }
- end
- end
-
- describe 'functionality for existing cluster' do
- it 'has new object' do
- go
-
- expect(assigns(:user_cluster)).to be_an_instance_of(Clusters::ClusterPresenter)
- end
- end
-
- include_examples 'GET new cluster shared examples'
-
- describe 'security' do
- it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { expect { go }.to be_allowed_for(:admin) }
- it('is denied for admin when admin mode is disabled') { expect { go }.to be_denied_for(:admin) }
- it { expect { go }.to be_allowed_for(:owner).of(group) }
- it { expect { go }.to be_allowed_for(:maintainer).of(group) }
- it { expect { go }.to be_denied_for(:developer).of(group) }
- it { expect { go }.to be_denied_for(:reporter).of(group) }
- it { expect { go }.to be_denied_for(:guest).of(group) }
- it { expect { go }.to be_denied_for(:user) }
- it { expect { go }.to be_denied_for(:external) }
- end
- end
-
it_behaves_like 'GET #metrics_dashboard for dashboard', 'Cluster health' do
let(:cluster) { create(:cluster, :provided_by_gcp, cluster_type: :group_type, groups: [group]) }
@@ -244,105 +155,6 @@ RSpec.describe Groups::ClustersController do
end
end
- describe 'POST create for new cluster' do
- let(:legacy_abac_param) { 'true' }
- let(:params) do
- {
- cluster: {
- name: 'new-cluster',
- managed: '1',
- provider_gcp_attributes: {
- gcp_project_id: 'gcp-project-12345',
- legacy_abac: legacy_abac_param
- }
- }
- }
- end
-
- def go
- post :create_gcp, params: params.merge(group_id: group)
- end
-
- include_examples ':certificate_based_clusters feature flag controller responses' do
- let(:subject) { go }
- end
-
- describe 'functionality' do
- context 'when access token is valid' do
- before do
- stub_google_api_validate_token
- end
-
- it 'creates a new cluster' do
- expect(ClusterProvisionWorker).to receive(:perform_async)
- expect { go }.to change { Clusters::Cluster.count }
- .and change { Clusters::Providers::Gcp.count }
-
- cluster = group.clusters.first
-
- expect(response).to redirect_to(group_cluster_path(group, cluster))
- expect(cluster).to be_gcp
- expect(cluster).to be_kubernetes
- expect(cluster.provider_gcp).to be_legacy_abac
- expect(cluster).to be_managed
- expect(cluster).to be_namespace_per_environment
- end
-
- context 'when legacy_abac param is false' do
- let(:legacy_abac_param) { 'false' }
-
- it 'creates a new cluster with legacy_abac_disabled' do
- expect(ClusterProvisionWorker).to receive(:perform_async)
- expect { go }.to change { Clusters::Cluster.count }
- .and change { Clusters::Providers::Gcp.count }
- expect(group.clusters.first.provider_gcp).not_to be_legacy_abac
- end
- end
- end
-
- context 'when access token is expired' do
- before do
- stub_google_api_expired_token
- end
-
- it { expect(@valid_gcp_token).to be_falsey }
- end
-
- context 'when access token is not stored in session' do
- it { expect(@valid_gcp_token).to be_falsey }
- end
- end
-
- describe 'security' do
- before do
- allow_any_instance_of(described_class)
- .to receive(:token_in_session).and_return('token')
- allow_any_instance_of(described_class)
- .to receive(:expires_at_in_session).and_return(1.hour.since.to_i.to_s)
- allow_any_instance_of(GoogleApi::CloudPlatform::Client)
- .to receive(:projects_zones_clusters_create) do
- double(
- 'instance',
- self_link: 'projects/gcp-project-12345/zones/us-central1-a/operations/ope-123',
- status: 'RUNNING'
- )
- end
-
- allow(WaitForClusterCreationWorker).to receive(:perform_in).and_return(nil)
- end
-
- it('is allowed for admin when admin mode is enabled', :enable_admin_mode) { expect { go }.to be_allowed_for(:admin) }
- it('is denied for admin when admin mode is disabled') { expect { go }.to be_denied_for(:admin) }
- it { expect { go }.to be_allowed_for(:owner).of(group) }
- it { expect { go }.to be_allowed_for(:maintainer).of(group) }
- it { expect { go }.to be_denied_for(:developer).of(group) }
- it { expect { go }.to be_denied_for(:reporter).of(group) }
- it { expect { go }.to be_denied_for(:guest).of(group) }
- it { expect { go }.to be_denied_for(:user) }
- it { expect { go }.to be_denied_for(:external) }
- end
- end
-
describe 'POST create for existing cluster' do
let(:params) do
{
diff --git a/spec/controllers/groups/dependency_proxy_auth_controller_spec.rb b/spec/controllers/groups/dependency_proxy_auth_controller_spec.rb
index 50e19d5b482..ed79712f828 100644
--- a/spec/controllers/groups/dependency_proxy_auth_controller_spec.rb
+++ b/spec/controllers/groups/dependency_proxy_auth_controller_spec.rb
@@ -8,18 +8,6 @@ RSpec.describe Groups::DependencyProxyAuthController do
describe 'GET #authenticate' do
subject { get :authenticate }
- context 'feature flag disabled' do
- before do
- stub_feature_flags(dependency_proxy_for_private_groups: false)
- end
-
- it 'returns successfully', :aggregate_failures do
- subject
-
- expect(response).to have_gitlab_http_status(:success)
- end
- end
-
context 'without JWT' do
it 'returns unauthorized with oauth realm', :aggregate_failures do
subject
diff --git a/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb b/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb
index 61445603a2d..5b4b00106cb 100644
--- a/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb
+++ b/spec/controllers/groups/dependency_proxy_for_containers_controller_spec.rb
@@ -20,33 +20,9 @@ RSpec.describe Groups::DependencyProxyForContainersController do
request.headers['HTTP_AUTHORIZATION'] = nil
end
- context 'feature flag disabled' do
- let_it_be(:group) { create(:group) }
-
- before do
- stub_feature_flags(dependency_proxy_for_private_groups: false)
- end
-
- it { is_expected.to have_gitlab_http_status(:ok) }
- end
-
it { is_expected.to have_gitlab_http_status(:unauthorized) }
end
- shared_examples 'feature flag disabled with private group' do
- before do
- stub_feature_flags(dependency_proxy_for_private_groups: false)
- end
-
- it 'returns not found' do
- group.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE)
-
- subject
-
- expect(response).to have_gitlab_http_status(:not_found)
- end
- end
-
shared_examples 'with invalid path' do
context 'with invalid image' do
let(:image) { '../path_traversal' }
@@ -208,7 +184,6 @@ RSpec.describe Groups::DependencyProxyForContainersController do
context 'feature enabled' do
it_behaves_like 'without a token'
it_behaves_like 'without permission'
- it_behaves_like 'feature flag disabled with private group'
context 'remote token request fails' do
let(:token_response) do
@@ -321,7 +296,6 @@ RSpec.describe Groups::DependencyProxyForContainersController do
context 'feature enabled' do
it_behaves_like 'without a token'
it_behaves_like 'without permission'
- it_behaves_like 'feature flag disabled with private group'
context 'a valid user' do
before do
diff --git a/spec/controllers/groups/releases_controller_spec.rb b/spec/controllers/groups/releases_controller_spec.rb
index 8b08f913e10..9d372114d62 100644
--- a/spec/controllers/groups/releases_controller_spec.rb
+++ b/spec/controllers/groups/releases_controller_spec.rb
@@ -60,32 +60,6 @@ RSpec.describe Groups::ReleasesController do
end
end
- context 'group_releases_finder_inoperator feature flag' do
- before do
- sign_in(guest)
- end
-
- it 'calls old code when disabled' do
- stub_feature_flags(group_releases_finder_inoperator: false)
-
- allow(ReleasesFinder).to receive(:new).and_call_original
-
- index
-
- expect(ReleasesFinder).to have_received(:new)
- end
-
- it 'calls new code when enabled' do
- stub_feature_flags(group_releases_finder_inoperator: true)
-
- allow(Releases::GroupReleasesFinder).to receive(:new).and_call_original
-
- index
-
- expect(Releases::GroupReleasesFinder).to have_received(:new)
- end
- end
-
context 'N+1 queries' do
it 'avoids N+1 database queries' do
control_count = ActiveRecord::QueryRecorder.new { subject }.count
diff --git a/spec/controllers/groups/runners_controller_spec.rb b/spec/controllers/groups/runners_controller_spec.rb
index a53f09e2afc..77c62c0d930 100644
--- a/spec/controllers/groups/runners_controller_spec.rb
+++ b/spec/controllers/groups/runners_controller_spec.rb
@@ -194,205 +194,4 @@ RSpec.describe Groups::RunnersController do
end
end
end
-
- describe '#destroy' do
- context 'when user is an owner' do
- before do
- group.add_owner(user)
- end
-
- it 'destroys the runner and redirects' do
- expect_next_instance_of(Ci::Runners::UnregisterRunnerService, runner, user) do |service|
- expect(service).to receive(:execute).once.and_call_original
- end
-
- delete :destroy, params: params
-
- expect(response).to have_gitlab_http_status(:found)
- expect(Ci::Runner.find_by(id: runner.id)).to be_nil
- end
-
- it 'destroys the project runner and redirects' do
- delete :destroy, params: params_runner_project
-
- expect(response).to have_gitlab_http_status(:found)
- expect(Ci::Runner.find_by(id: runner_project.id)).to be_nil
- end
- end
-
- context 'with runner associated with multiple projects' do
- let_it_be(:project_2) { create(:project, group: group) }
-
- let(:runner_project_2) { create(:ci_runner, :project, projects: [project, project_2]) }
- let(:params_runner_project_2) { { group_id: group, id: runner_project_2 } }
-
- context 'when user is an admin', :enable_admin_mode do
- let(:user) { create(:user, :admin) }
-
- before do
- sign_in(user)
- end
-
- it 'destroys the project runner and redirects' do
- delete :destroy, params: params_runner_project_2
-
- expect(response).to have_gitlab_http_status(:found)
- expect(Ci::Runner.find_by(id: runner_project_2.id)).to be_nil
- end
- end
-
- context 'when user is an owner' do
- before do
- group.add_owner(user)
- end
-
- it 'does not destroy the project runner' do
- delete :destroy, params: params_runner_project_2
-
- expect(response).to have_gitlab_http_status(:found)
- expect(flash[:alert]).to eq('Runner cannot be deleted, please contact your administrator.')
- expect(Ci::Runner.find_by(id: runner_project_2.id)).to be_present
- end
- end
- end
-
- context 'when user is not an owner' do
- before do
- group.add_maintainer(user)
- end
-
- it 'responds 404 and does not destroy the runner' do
- delete :destroy, params: params
-
- expect(response).to have_gitlab_http_status(:not_found)
- expect(Ci::Runner.find_by(id: runner.id)).to be_present
- end
-
- it 'responds 404 and does not destroy the project runner' do
- delete :destroy, params: params_runner_project
-
- expect(response).to have_gitlab_http_status(:not_found)
- expect(Ci::Runner.find_by(id: runner_project.id)).to be_present
- end
- end
- end
-
- describe '#resume' do
- context 'when user is an owner' do
- before do
- group.add_owner(user)
- end
-
- it 'marks the runner as active, ticks the queue, and redirects' do
- runner.update!(active: false)
-
- expect do
- post :resume, params: params
- end.to change { runner.ensure_runner_queue_value }
-
- expect(response).to have_gitlab_http_status(:found)
- expect(runner.reload.active).to eq(true)
- end
-
- it 'marks the project runner as active, ticks the queue, and redirects' do
- runner_project.update!(active: false)
-
- expect do
- post :resume, params: params_runner_project
- end.to change { runner_project.ensure_runner_queue_value }
-
- expect(response).to have_gitlab_http_status(:found)
- expect(runner_project.reload.active).to eq(true)
- end
- end
-
- context 'when user is not an owner' do
- before do
- group.add_maintainer(user)
- end
-
- it 'responds 404 and does not activate the runner' do
- runner.update!(active: false)
-
- expect do
- post :resume, params: params
- end.not_to change { runner.ensure_runner_queue_value }
-
- expect(response).to have_gitlab_http_status(:not_found)
- expect(runner.reload.active).to eq(false)
- end
-
- it 'responds 404 and does not activate the project runner' do
- runner_project.update!(active: false)
-
- expect do
- post :resume, params: params_runner_project
- end.not_to change { runner_project.ensure_runner_queue_value }
-
- expect(response).to have_gitlab_http_status(:not_found)
- expect(runner_project.reload.active).to eq(false)
- end
- end
- end
-
- describe '#pause' do
- context 'when user is an owner' do
- before do
- group.add_owner(user)
- end
-
- it 'marks the runner as inactive, ticks the queue, and redirects' do
- runner.update!(active: true)
-
- expect do
- post :pause, params: params
- end.to change { runner.ensure_runner_queue_value }
-
- expect(response).to have_gitlab_http_status(:found)
- expect(runner.reload.active).to eq(false)
- end
-
- it 'marks the project runner as inactive, ticks the queue, and redirects' do
- runner_project.update!(active: true)
-
- expect do
- post :pause, params: params_runner_project
- end.to change { runner_project.ensure_runner_queue_value }
-
- expect(response).to have_gitlab_http_status(:found)
- expect(runner_project.reload.active).to eq(false)
- end
- end
-
- context 'when user is not an owner' do
- before do
- # Disable limit checking
- allow(runner).to receive(:runner_scope).and_return(nil)
-
- group.add_maintainer(user)
- end
-
- it 'responds 404 and does not update the runner or queue' do
- runner.update!(active: true)
-
- expect do
- post :pause, params: params
- end.not_to change { runner.ensure_runner_queue_value }
-
- expect(response).to have_gitlab_http_status(:not_found)
- expect(runner.reload.active).to eq(true)
- end
-
- it 'responds 404 and does not update the project runner or queue' do
- runner_project.update!(active: true)
-
- expect do
- post :pause, params: params
- end.not_to change { runner_project.ensure_runner_queue_value }
-
- expect(response).to have_gitlab_http_status(:not_found)
- expect(runner_project.reload.active).to eq(true)
- end
- end
- end
end
diff --git a/spec/controllers/groups/settings/ci_cd_controller_spec.rb b/spec/controllers/groups/settings/ci_cd_controller_spec.rb
index f225d798886..9aa97c37add 100644
--- a/spec/controllers/groups/settings/ci_cd_controller_spec.rb
+++ b/spec/controllers/groups/settings/ci_cd_controller_spec.rb
@@ -6,14 +6,7 @@ RSpec.describe Groups::Settings::CiCdController do
include ExternalAuthorizationServiceHelpers
let_it_be(:group) { create(:group) }
- let_it_be(:sub_group) { create(:group, parent: group) }
let_it_be(:user) { create(:user) }
- let_it_be(:project) { create(:project, group: group) }
- let_it_be(:project_2) { create(:project, group: sub_group) }
- let_it_be(:runner_group) { create(:ci_runner, :group, groups: [group]) }
- let_it_be(:runner_project_1) { create(:ci_runner, :project, projects: [project])}
- let_it_be(:runner_project_2) { create(:ci_runner, :project, projects: [project_2])}
- let_it_be(:runner_project_3) { create(:ci_runner, :project, projects: [project, project_2])}
before do
sign_in(user)
@@ -25,23 +18,11 @@ RSpec.describe Groups::Settings::CiCdController do
group.add_owner(user)
end
- it 'renders show with 200 status code and correct runners' do
+ it 'renders show with 200 status code' do
get :show, params: { group_id: group }
expect(response).to have_gitlab_http_status(:ok)
expect(response).to render_template(:show)
- expect(assigns(:group_runners)).to match_array([runner_group, runner_project_1, runner_project_2, runner_project_3])
- end
-
- it 'paginates runners' do
- stub_const("Groups::Settings::CiCdController::NUMBER_OF_RUNNERS_PER_PAGE", 1)
-
- create(:ci_runner)
-
- get :show, params: { group_id: group }
-
- expect(response).to have_gitlab_http_status(:ok)
- expect(assigns(:group_runners).count).to be(1)
end
end
@@ -54,7 +35,6 @@ RSpec.describe Groups::Settings::CiCdController do
get :show, params: { group_id: group }
expect(response).to have_gitlab_http_status(:not_found)
- expect(assigns(:group_runners)).to be_nil
end
end
@@ -72,38 +52,6 @@ RSpec.describe Groups::Settings::CiCdController do
end
end
- describe 'PUT #reset_registration_token' do
- subject { put :reset_registration_token, params: { group_id: group } }
-
- context 'when user is owner' do
- before do
- group.add_owner(user)
- end
-
- it 'resets runner registration token' do
- expect { subject }.to change { group.reload.runners_token }
- end
-
- it 'redirects the user to admin runners page' do
- subject
-
- expect(response).to redirect_to(group_settings_ci_cd_path)
- end
- end
-
- context 'when user is not owner' do
- before do
- group.add_maintainer(user)
- end
-
- it 'renders a 404' do
- subject
-
- expect(response).to have_gitlab_http_status(:not_found)
- end
- end
- end
-
describe 'PATCH #update_auto_devops' do
let(:auto_devops_param) { '1' }
@@ -236,25 +184,4 @@ RSpec.describe Groups::Settings::CiCdController do
end
end
end
-
- describe 'GET #runner_setup_scripts' do
- before do
- group.add_owner(user)
- end
-
- it 'renders the setup scripts' do
- get :runner_setup_scripts, params: { os: 'linux', arch: 'amd64', group_id: group }
-
- expect(response).to have_gitlab_http_status(:ok)
- expect(json_response).to have_key("install")
- expect(json_response).to have_key("register")
- end
-
- it 'renders errors if they occur' do
- get :runner_setup_scripts, params: { os: 'foo', arch: 'bar', group_id: group }
-
- expect(response).to have_gitlab_http_status(:bad_request)
- expect(json_response).to have_key("errors")
- end
- end
end
diff --git a/spec/controllers/groups/shared_projects_controller_spec.rb b/spec/controllers/groups/shared_projects_controller_spec.rb
index 528d5c073b7..0c5a3b9df08 100644
--- a/spec/controllers/groups/shared_projects_controller_spec.rb
+++ b/spec/controllers/groups/shared_projects_controller_spec.rb
@@ -12,9 +12,10 @@ RSpec.describe Groups::SharedProjectsController do
Projects::GroupLinks::CreateService.new(
project,
+ group,
user,
link_group_access: Gitlab::Access::DEVELOPER
- ).execute(group)
+ ).execute
end
let!(:group) { create(:group) }
diff --git a/spec/controllers/groups/uploads_controller_spec.rb b/spec/controllers/groups/uploads_controller_spec.rb
index 7dafb813545..8fcc3a7fccf 100644
--- a/spec/controllers/groups/uploads_controller_spec.rb
+++ b/spec/controllers/groups/uploads_controller_spec.rb
@@ -35,6 +35,169 @@ RSpec.describe Groups::UploadsController do
end
end
+ describe "GET #show" do
+ let(:filename) { "rails_sample.jpg" }
+ let(:user) { create(:user) }
+ let(:jpg) { fixture_file_upload('spec/fixtures/rails_sample.jpg', 'image/jpg') }
+ let(:txt) { fixture_file_upload('spec/fixtures/doc_sample.txt', 'text/plain') }
+ let(:secret) { FileUploader.generate_secret }
+ let(:uploader_class) { FileUploader }
+
+ let(:upload_service) do
+ UploadService.new(model, jpg, uploader_class).execute
+ end
+
+ let(:show_upload) do
+ get :show, params: params.merge(secret: secret, filename: filename)
+ end
+
+ before do
+ allow(FileUploader).to receive(:generate_secret).and_return(secret)
+
+ allow_next_instance_of(FileUploader) do |instance|
+ allow(instance).to receive(:image?).and_return(true)
+ end
+
+ upload_service
+ end
+
+ context 'when the group is public' do
+ before do
+ model.update_attribute(:visibility_level, Gitlab::VisibilityLevel::PUBLIC)
+ end
+
+ context "when not signed in" do
+ context "enforce_auth_checks_on_uploads feature flag" do
+ context "with flag enabled" do
+ before do
+ stub_feature_flags(enforce_auth_checks_on_uploads: true)
+ end
+
+ it "responds with appropriate status" do
+ show_upload
+
+ expect(response).to have_gitlab_http_status(:ok)
+ end
+ end
+
+ context "with flag disabled" do
+ before do
+ stub_feature_flags(enforce_auth_checks_on_uploads: false)
+ end
+
+ it "responds with status 200" do
+ show_upload
+
+ expect(response).to have_gitlab_http_status(:ok)
+ end
+ end
+ end
+ end
+
+ context "when signed in" do
+ before do
+ sign_in(user)
+ end
+
+ context "when the user doesn't have access to the model" do
+ context "enforce_auth_checks_on_uploads feature flag" do
+ context "with flag enabled" do
+ before do
+ stub_feature_flags(enforce_auth_checks_on_uploads: true)
+ end
+
+ it "responds with status 200" do
+ show_upload
+
+ expect(response).to have_gitlab_http_status(:ok)
+ end
+ end
+ end
+
+ context "with flag disabled" do
+ before do
+ stub_feature_flags(enforce_auth_checks_on_uploads: false)
+ end
+
+ it "responds with status 200" do
+ show_upload
+
+ expect(response).to have_gitlab_http_status(:ok)
+ end
+ end
+ end
+ end
+ end
+
+ context 'when the group is private' do
+ before do
+ model.update_attribute(:visibility_level, Gitlab::VisibilityLevel::PRIVATE)
+ end
+
+ context "when not signed in" do
+ context "enforce_auth_checks_on_uploads feature flag" do
+ context "with flag enabled" do
+ before do
+ stub_feature_flags(enforce_auth_checks_on_uploads: true)
+ end
+
+ it "responds with appropriate status" do
+ show_upload
+
+ expect(response).to have_gitlab_http_status(:ok)
+ end
+ end
+
+ context "with flag disabled" do
+ before do
+ stub_feature_flags(enforce_auth_checks_on_uploads: false)
+ end
+
+ it "responds with status 200" do
+ show_upload
+
+ expect(response).to have_gitlab_http_status(:ok)
+ end
+ end
+ end
+ end
+
+ context "when signed in" do
+ before do
+ sign_in(user)
+ end
+
+ context "when the user doesn't have access to the model" do
+ context "enforce_auth_checks_on_uploads feature flag" do
+ context "with flag enabled" do
+ before do
+ stub_feature_flags(enforce_auth_checks_on_uploads: true)
+ end
+
+ it "responds with status 200" do
+ show_upload
+
+ expect(response).to have_gitlab_http_status(:ok)
+ end
+ end
+ end
+
+ context "with flag disabled" do
+ before do
+ stub_feature_flags(enforce_auth_checks_on_uploads: false)
+ end
+
+ it "responds with status 200" do
+ show_upload
+
+ expect(response).to have_gitlab_http_status(:ok)
+ end
+ end
+ end
+ end
+ end
+ end
+
def post_authorize(verified: true)
request.headers.merge!(workhorse_internal_api_request_header) if verified
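Review bot: Under 'when the group is private', the examples for an anonymous request and for a signed-in user without access both expect `:ok` with `enforce_auth_checks_on_uploads` enabled, so the spec pins that the flag changes nothing for group uploads and that the secret in the path is the only barrier. The controller is not visible here, so this may be intended; if it is, say so above the private-group context, e.g. `# Group uploads are intentionally served to any holder of the secret; enforce_auth_checks_on_uploads is not expected to change this`, and rename "responds with appropriate status" to `it "responds with status 200"` like its siblings. If it is not intended, these examples should assert the denial status instead, because as written they would lock the permissive behaviour in. In both "when signed in" branches the "with flag disabled" context sits outside the "enforce_auth_checks_on_uploads feature flag" context, unlike the "when not signed in" branches, and `let(:txt)` is not used anywhere in the added lines. `model` and `params` are defined outside this hunk.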