diff options
Diffstat (limited to 'spec/lib/gitlab/auth_spec.rb')
-rw-r--r-- | spec/lib/gitlab/auth_spec.rb | 118 |
1 files changed, 87 insertions, 31 deletions
diff --git a/spec/lib/gitlab/auth_spec.rb b/spec/lib/gitlab/auth_spec.rb index 11e9ecdb878..36c87fb4557 100644 --- a/spec/lib/gitlab/auth_spec.rb +++ b/spec/lib/gitlab/auth_spec.rb @@ -21,6 +21,10 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate expect(subject::REPOSITORY_SCOPES).to match_array %i[read_repository write_repository] end + it 'OBSERVABILITY_SCOPES contains all scopes for Observability access' do + expect(subject::OBSERVABILITY_SCOPES).to match_array %i[read_observability write_observability] + end + it 'OPENID_SCOPES contains all scopes for OpenID Connect' do expect(subject::OPENID_SCOPES).to match_array [:openid] end @@ -31,54 +35,103 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate end context 'available_scopes' do - it 'contains all non-default scopes' do + before do stub_container_registry_config(enabled: true) + end - expect(subject.all_available_scopes).to match_array %i[api read_user read_api read_repository write_repository read_registry write_registry sudo admin_mode] + it 'contains all non-default scopes' do + expect(subject.all_available_scopes).to match_array %i[api read_user read_api read_repository write_repository read_registry write_registry sudo admin_mode read_observability write_observability] end - it 'contains for non-admin user all non-default scopes without ADMIN access' do - stub_container_registry_config(enabled: true) - user = create(:user, admin: false) + it 'contains for non-admin user all non-default scopes without ADMIN access and without observability scopes' do + user = build_stubbed(:user, admin: false) expect(subject.available_scopes_for(user)).to match_array %i[api read_user read_api read_repository write_repository read_registry write_registry] end - it 'contains for admin user all non-default scopes with ADMIN access' do - stub_container_registry_config(enabled: true) - user = create(:user, admin: true) + it 'contains for admin user all non-default scopes with ADMIN access and without observability scopes' do + user = build_stubbed(:user, admin: true) expect(subject.available_scopes_for(user)).to match_array %i[api read_user read_api read_repository write_repository read_registry write_registry sudo admin_mode] end + it 'contains for project all resource bot scopes without observability scopes' do + expect(subject.available_scopes_for(project)).to match_array %i[api read_api read_repository write_repository read_registry write_registry] + end + + it 'contains for group all resource bot scopes' do + group = build_stubbed(:group) + + expect(subject.available_scopes_for(group)).to match_array %i[api read_api read_repository write_repository read_registry write_registry read_observability write_observability] + end + + it 'contains for unsupported type no scopes' do + expect(subject.available_scopes_for(:something)).to be_empty + end + it 'optional_scopes contains all non-default scopes' do - stub_container_registry_config(enabled: true) + expect(subject.optional_scopes).to match_array %i[read_user read_api read_repository write_repository read_registry write_registry sudo admin_mode openid profile email read_observability write_observability] + end + + context 'with observability_group_tab feature flag' do + context 'when disabled' do + before do + stub_feature_flags(observability_group_tab: false) + end + + it 'contains for group all resource bot scopes without observability scopes' do + group = build_stubbed(:group) - expect(subject.optional_scopes).to match_array %i[read_user read_api read_repository write_repository read_registry write_registry sudo admin_mode openid profile email] + expect(subject.available_scopes_for(group)).to match_array %i[api read_api read_repository write_repository read_registry write_registry] + end + end + + context 'when enabled for specific group' do + let(:group) { build_stubbed(:group) } + + before do + stub_feature_flags(observability_group_tab: group) + end + + it 'contains for other group all resource bot scopes including observability scopes' do + expect(subject.available_scopes_for(group)).to match_array %i[api read_api read_repository write_repository read_registry write_registry read_observability write_observability] + end + + it 'contains for admin user all non-default scopes with ADMIN access and without observability scopes' do + user = build_stubbed(:user, admin: true) + + expect(subject.available_scopes_for(user)).to match_array %i[api read_user read_api read_repository write_repository read_registry write_registry sudo admin_mode] + end + + it 'contains for project all resource bot scopes without observability scopes' do + expect(subject.available_scopes_for(project)).to match_array %i[api read_api read_repository write_repository read_registry write_registry] + end + + it 'contains for other group all resource bot scopes without observability scopes' do + other_group = build_stubbed(:group) + + expect(subject.available_scopes_for(other_group)).to match_array %i[api read_api read_repository write_repository read_registry write_registry] + end + end end - context 'with feature flag disabled' do + context 'with admin_mode_for_api feature flag disabled' do before do stub_feature_flags(admin_mode_for_api: false) end it 'contains all non-default scopes' do - stub_container_registry_config(enabled: true) - - expect(subject.all_available_scopes).to match_array %i[api read_user read_api read_repository write_repository read_registry write_registry sudo admin_mode] + expect(subject.all_available_scopes).to match_array %i[api read_user read_api read_repository write_repository read_registry write_registry sudo admin_mode read_observability write_observability] end - it 'contains for admin user all non-default scopes with ADMIN access' do - stub_container_registry_config(enabled: true) - user = create(:user, admin: true) + it 'contains for admin user all non-default scopes with ADMIN access and without observability scopes' do + user = build_stubbed(:user, admin: true) expect(subject.available_scopes_for(user)).to match_array %i[api read_user read_api read_repository write_repository read_registry write_registry sudo] end it 'optional_scopes contains all non-default scopes' do - stub_container_registry_config(enabled: true) - - expect(subject.optional_scopes).to match_array %i[read_user read_api read_repository write_repository read_registry write_registry sudo admin_mode openid profile email] + expect(subject.optional_scopes).to match_array %i[read_user read_api read_repository write_repository read_registry write_registry sudo admin_mode openid profile email read_observability write_observability] end end @@ -120,8 +173,8 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate end end - it 'raises an IpBlacklisted exception' do - expect { subject }.to raise_error(Gitlab::Auth::IpBlacklisted) + it 'raises an IpBlocked exception' do + expect { subject }.to raise_error(Gitlab::Auth::IpBlocked) end end @@ -314,15 +367,17 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate using RSpec::Parameterized::TableSyntax where(:scopes, :abilities) do - 'api' | described_class.full_authentication_abilities - 'read_api' | described_class.read_only_authentication_abilities - 'read_repository' | [:download_code] - 'write_repository' | [:download_code, :push_code] - 'read_user' | [] - 'sudo' | [] - 'openid' | [] - 'profile' | [] - 'email' | [] + 'api' | described_class.full_authentication_abilities + 'read_api' | described_class.read_only_authentication_abilities + 'read_repository' | [:download_code] + 'write_repository' | [:download_code, :push_code] + 'read_user' | [] + 'sudo' | [] + 'openid' | [] + 'profile' | [] + 'email' | [] + 'read_observability' | [] + 'write_observability' | [] end with_them do @@ -1024,6 +1079,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate it { is_expected.to include(*described_class::API_SCOPES - [:read_user]) } it { is_expected.to include(*described_class::REPOSITORY_SCOPES) } it { is_expected.to include(*described_class.registry_scopes) } + it { is_expected.to include(*described_class::OBSERVABILITY_SCOPES) } end private |