Diffstat (limited to 'spec/models/clusters/agent_spec.rb')
-rw-r--r--spec/models/clusters/agent_spec.rb195
1 files changed, 190 insertions, 5 deletions
diff --git a/spec/models/clusters/agent_spec.rb b/spec/models/clusters/agent_spec.rb
index de67bdb32aa..10081b955f4 100644
--- a/spec/models/clusters/agent_spec.rb
+++ b/spec/models/clusters/agent_spec.rb
@@ -2,16 +2,17 @@
require 'spec_helper'
-RSpec.describe Clusters::Agent do
+RSpec.describe Clusters::Agent, feature_category: :deployment_management do
subject { create(:cluster_agent) }
it { is_expected.to belong_to(:created_by_user).class_name('User').optional }
it { is_expected.to belong_to(:project).class_name('::Project') }
it { is_expected.to have_many(:agent_tokens).class_name('Clusters::AgentToken').order(Clusters::AgentToken.arel_table[:last_used_at].desc.nulls_last) }
- it { is_expected.to have_many(:group_authorizations).class_name('Clusters::Agents::GroupAuthorization') }
- it { is_expected.to have_many(:authorized_groups).through(:group_authorizations) }
- it { is_expected.to have_many(:project_authorizations).class_name('Clusters::Agents::ProjectAuthorization') }
- it { is_expected.to have_many(:authorized_projects).through(:project_authorizations).class_name('::Project') }
+ it { is_expected.to have_many(:active_agent_tokens).class_name('Clusters::AgentToken').conditions(status: 0).order(Clusters::AgentToken.arel_table[:last_used_at].desc.nulls_last) }
+ it { is_expected.to have_many(:ci_access_group_authorizations).class_name('Clusters::Agents::Authorizations::CiAccess::GroupAuthorization') }
+ it { is_expected.to have_many(:ci_access_authorized_groups).through(:ci_access_group_authorizations) }
+ it { is_expected.to have_many(:ci_access_project_authorizations).class_name('Clusters::Agents::Authorizations::CiAccess::ProjectAuthorization') }
+ it { is_expected.to have_many(:ci_access_authorized_projects).through(:ci_access_project_authorizations).class_name('::Project') }
it { is_expected.to validate_presence_of(:name) }
it { is_expected.to validate_length_of(:name).is_at_most(63) }
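Review bot: The new `active_agent_tokens` expectation hard-codes `conditions(status: 0)`, so the spec does not say which token state the association is meant to keep. If `status` is a Rails enum on `Clusters::AgentToken` (not visible in this hunk), something like `conditions(status: Clusters::AgentToken.statuses[:active])` would state the intent; otherwise a short comment such as `# 0 == active; revoked tokens must be excluded` does the same job. The enclosing `RSpec.describe` block continues outside this hunk.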
@@ -163,4 +164,188 @@ RSpec.describe Clusters::Agent do
it { is_expected.to be_like_time(event2.recorded_at) }
end
+
+ describe '#ci_access_authorized_for?' do
+ using RSpec::Parameterized::TableSyntax
+
+ let_it_be(:organization) { create(:group) }
+ let_it_be(:agent_management_project) { create(:project, group: organization) }
+ let_it_be(:agent) { create(:cluster_agent, project: agent_management_project) }
+ let_it_be(:deployment_project) { create(:project, group: organization) }
+
+ let(:user) { create(:user) }
+
+ subject { agent.ci_access_authorized_for?(user) }
+
+ it { is_expected.to eq(false) }
+
+ context 'with project-level authorization' do
+ let!(:authorization) { create(:agent_ci_access_project_authorization, agent: agent, project: deployment_project) }
+
+ where(:user_role, :allowed) do
+ :guest | false
+ :reporter | false
+ :developer | true
+ :maintainer | true
+ :owner | true
+ end
+
+ with_them do
+ before do
+ deployment_project.add_member(user, user_role)
+ end
+
+ it { is_expected.to eq(allowed) }
+ end
+
+ context 'when expose_authorized_cluster_agents feature flag is disabled' do
+ before do
+ stub_feature_flags(expose_authorized_cluster_agents: false)
+ end
+
+ it { is_expected.to eq(false) }
+ end
+ end
+
+ context 'with group-level authorization' do
+ let!(:authorization) { create(:agent_ci_access_group_authorization, agent: agent, group: organization) }
+
+ where(:user_role, :allowed) do
+ :guest | false
+ :reporter | false
+ :developer | true
+ :maintainer | true
+ :owner | true
+ end
+
+ with_them do
+ before do
+ organization.add_member(user, user_role)
+ end
+
+ it { is_expected.to eq(allowed) }
+ end
+
+ context 'when expose_authorized_cluster_agents feature flag is disabled' do
+ before do
+ stub_feature_flags(expose_authorized_cluster_agents: false)
+ end
+
+ it { is_expected.to eq(false) }
+ end
+ end
+ end
+
+ describe '#user_access_authorized_for?' do
+ using RSpec::Parameterized::TableSyntax
+
+ let_it_be(:organization) { create(:group) }
+ let_it_be(:agent_management_project) { create(:project, group: organization) }
+ let_it_be(:agent) { create(:cluster_agent, project: agent_management_project) }
+ let_it_be(:deployment_project) { create(:project, group: organization) }
+
+ let(:user) { create(:user) }
+
+ subject { agent.user_access_authorized_for?(user) }
+
+ it { is_expected.to eq(false) }
+
+ context 'with project-level authorization' do
+ let!(:authorization) { create(:agent_user_access_project_authorization, agent: agent, project: deployment_project) }
+
+ where(:user_role, :allowed) do
+ :guest | false
+ :reporter | false
+ :developer | true
+ :maintainer | true
+ :owner | true
+ end
+
+ with_them do
+ before do
+ deployment_project.add_member(user, user_role)
+ end
+
+ it { is_expected.to eq(allowed) }
+ end
+
+ context 'when expose_authorized_cluster_agents feature flag is disabled' do
+ before do
+ stub_feature_flags(expose_authorized_cluster_agents: false)
+ end
+
+ it { is_expected.to eq(false) }
+ end
+ end
+
+ context 'with group-level authorization' do
+ let!(:authorization) { create(:agent_user_access_group_authorization, agent: agent, group: organization) }
+
+ where(:user_role, :allowed) do
+ :guest | false
+ :reporter | false
+ :developer | true
+ :maintainer | true
+ :owner | true
+ end
+
+ with_them do
+ before do
+ organization.add_member(user, user_role)
+ end
+
+ it { is_expected.to eq(allowed) }
+ end
+
+ context 'when expose_authorized_cluster_agents feature flag is disabled' do
+ before do
+ stub_feature_flags(expose_authorized_cluster_agents: false)
+ end
+
+ it { is_expected.to eq(false) }
+ end
+ end
+ end
+
+ describe '#user_access_config' do
+ let_it_be(:group) { create(:group) }
+ let_it_be(:project) { create(:project) }
+ let_it_be_with_refind(:agent) { create(:cluster_agent, project: project) }
+
+ subject { agent.user_access_config }
+
+ it { is_expected.to be_nil }
+
+ context 'with user_access project authorizations' do
+ before do
+ create(:agent_user_access_project_authorization, agent: agent, project: project, config: config)
+ end
+
+ let(:config) { {} }
+
+ it { is_expected.to eq(config) }
+
+ context 'when access_as keyword exists' do
+ let(:config) { { 'access_as' => { 'agent' => {} } } }
+
+ it { is_expected.to eq(config) }
+ end
+ end
+
+ context 'with user_access group authorizations' do
+ before do
+ create(:agent_user_access_group_authorization, agent: agent, group: group, config: config)
+ end
+
+ let(:config) { {} }
+
+ it { is_expected.to eq(config) }
+
+ context 'when access_as keyword exists' do
+ let(:config) { { 'access_as' => { 'agent' => {} } } }
+
+ it { is_expected.to eq(config) }
+ end
+ end
+ end
end
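Review bot: Neither `#ci_access_authorized_for?` nor `#user_access_authorized_for?` has an example where the user holds a qualifying role but no authorization row exists. The only no-authorization example, the bare `it { is_expected.to eq(false) }` under each `subject`, runs with a user who has no membership at all, so it would still pass if the method granted access on role alone. A developer-without-authorization context in both describes would pin that the authorization record is what grants access, assuming that is the intended contract. The role tables also only use members of the same `organization` that owns the agent's project, so a user whose role comes from an unrelated group or project is never exercised.

```ruby
subject { agent.ci_access_authorized_for?(user) }

# … unchanged: baseline example for a user with no membership …

context 'when the user is a developer but the agent has no authorizations' do
  before do
    deployment_project.add_member(user, :developer)
  end

  it { is_expected.to eq(false) }
end

# … unchanged: project-level and group-level authorization contexts …
```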