Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/spec/policies/ci/runner_manager_policy_spec.rb
diff options
context:
space:
mode:
Diffstat (limited to 'spec/policies/ci/runner_manager_policy_spec.rb')
-rw-r--r--spec/policies/ci/runner_manager_policy_spec.rb142
1 files changed, 123 insertions, 19 deletions
diff --git a/spec/policies/ci/runner_manager_policy_spec.rb b/spec/policies/ci/runner_manager_policy_spec.rb
index d7004033ceb..82894e729bf 100644
--- a/spec/policies/ci/runner_manager_policy_spec.rb
+++ b/spec/policies/ci/runner_manager_policy_spec.rb
@@ -2,7 +2,7 @@
require 'spec_helper'
-RSpec.describe Ci::RunnerManagerPolicy, feature_category: :runner_fleet do
+RSpec.describe Ci::RunnerManagerPolicy, feature_category: :fleet_visibility do
let_it_be(:owner) { create(:user) }
describe 'ability :read_runner_manager' do
@@ -13,10 +13,15 @@ RSpec.describe Ci::RunnerManagerPolicy, feature_category: :runner_fleet do
let_it_be_with_reload(:group) { create(:group, name: 'top-level', path: 'top-level') }
let_it_be_with_reload(:subgroup) { create(:group, name: 'subgroup', path: 'subgroup', parent: group) }
let_it_be_with_reload(:project) { create(:project, group: subgroup) }
+ let_it_be_with_reload(:group_without_project) { create(:group, name: 'top-level2', path: 'top-level2') }
let_it_be(:instance_runner) { create(:ci_runner, :instance, :with_runner_manager) }
let_it_be(:group_runner) { create(:ci_runner, :group, :with_runner_manager, groups: [group]) }
+ let_it_be(:subgroup_runner) { create(:ci_runner, :group, :with_runner_manager, groups: [subgroup]) }
let_it_be(:project_runner) { create(:ci_runner, :project, :with_runner_manager, projects: [project]) }
+ let_it_be(:runner_on_group_without_project) do
+ create(:ci_runner, :group, :with_runner_manager, groups: [group_without_project])
+ end
let(:runner_manager) { runner.runner_managers.first }
@@ -31,39 +36,116 @@ RSpec.describe Ci::RunnerManagerPolicy, feature_category: :runner_fleet do
shared_examples 'a policy allowing reading instance runner manager depending on runner sharing' do
context 'with instance runner' do
- let(:runner) { instance_runner }
+ using RSpec::Parameterized::TableSyntax
- it { expect_allowed :read_runner_manager }
+ where(:shared_runners_enabled_on_group, :shared_runners_enabled_on_project, :expect_can_read) do
+ false | false | false
+ false | true | true
+ true | false | true
+ true | true | true
+ end
+
+ with_them do
+ let(:runner) { instance_runner }
- context 'with shared runners disabled on projects' do
before do
- project.update!(shared_runners_enabled: false)
+ group.update!(shared_runners_enabled: shared_runners_enabled_on_group)
+ project.update!(shared_runners_enabled: shared_runners_enabled_on_project)
+ end
+
+ specify do
+ if expect_can_read
+ expect_allowed :read_runner_manager
+ else
+ expect_disallowed :read_runner_manager
+ end
end
+ end
+ end
+ end
+
+ shared_examples 'a policy allowing reading group runner manager depending on runner sharing' do |user_role|
+ let(:group_runners_enabled_on_project) { true }
+
+ before do
+ project.update!(group_runners_enabled: group_runners_enabled_on_project)
+ end
+
+ context 'with group runner' do
+ let(:runner) { group_runner }
+
+ # NOTE: The user is allowed to read the runner manager because:
+ # - the user is a developer+ in the runner's group
+ # - the user is a developer+ in `group/subgroup/project`, and the runner is shared to that project
+ it { expect_allowed :read_runner_manager }
+
+ context 'with sharing of group runners disabled' do
+ let(:group_runners_enabled_on_project) { false }
it { expect_allowed :read_runner_manager }
end
- context 'with shared runners disabled for groups and projects' do
- before do
- group.update!(shared_runners_enabled: false)
- project.update!(shared_runners_enabled: false)
+ context 'when user belongs to subgroup only' do
+ let_it_be(:subgroup_member) { create(:user) }
+
+ let(:user) { subgroup_member }
+
+ context 'with runner visible to group project' do
+ # NOTE: The user is allowed to read the runner manager because the user is a developer+
+ # in `group/subgroup/project`, and the runner is shared to that project
+ it { expect_allowed :read_runner_manager }
+
+ before_all do
+ subgroup.add_member(subgroup_member, user_role)
+ end
+
+ context 'with sharing of group runners disabled' do
+ let(:group_runners_enabled_on_project) { false }
+
+ it { expect_disallowed :read_runner_manager }
+ end
end
+ context 'without projects in group' do
+ let(:runner) { runner_on_group_without_project }
+
+ before_all do
+ subgroup.add_member(subgroup_member, user_role)
+ end
+
+ it { expect_disallowed :read_runner_manager }
+ end
+ end
+
+ context "when user is not #{user_role} in associated group" do
+ let_it_be(:user_with_role) { create(:user) }
+
+ let(:user) { user_with_role }
+
it { expect_disallowed :read_runner_manager }
+
+ context "when user is #{user_role} in a group invited to group as #{user_role}" do
+ let_it_be(:invited_group) { create(:group, name: "#{user_role}s", path: "#{user_role}s") }
+
+ before_all do
+ invited_group.add_developer(user_with_role)
+ create(:group_group_link, :developer, shared_group: group, shared_with_group: invited_group)
+ end
+
+ it { expect_allowed :read_runner_manager }
+ end
end
end
- end
- shared_examples 'a policy allowing reading group runner manager depending on runner sharing' do
- context 'with group runner' do
- let(:runner) { group_runner }
+ context 'when runner is in subgroup' do
+ let(:runner) { subgroup_runner }
+ # NOTE: The user is allowed to read the runner manager because the user is a developer+ in
+ # `group/subgroup/project`, and the runner is shared to that project
it { expect_allowed :read_runner_manager }
context 'with sharing of group runners disabled' do
- before do
- project.update!(group_runners_enabled: false)
- end
+ let(:group_runners_enabled_on_project) { false }
it { expect_disallowed :read_runner_manager }
end
@@ -124,12 +206,34 @@ RSpec.describe Ci::RunnerManagerPolicy, feature_category: :runner_fleet do
it_behaves_like 'a policy allowing reading instance runner manager depending on runner sharing'
- it_behaves_like 'a policy allowing reading group runner manager depending on runner sharing'
+ it_behaves_like 'a policy allowing reading group runner manager depending on runner sharing', :developer
context 'with project runner' do
let(:runner) { project_runner }
- it { expect_disallowed :read_runner_manager }
+ it { expect_allowed :read_runner_manager }
+
+ context 'when user is not developer in parent group' do
+ let_it_be(:developers_group_developer) { create(:user) }
+ let_it_be_with_reload(:developers_group) { create(:group, name: 'developers', path: 'developers') }
+
+ let(:user) { developers_group_developer }
+
+ before_all do
+ create(:project_group_link, :developer, group: developers_group, project: project)
+ developers_group.add_reporter(developers_group_developer)
+ end
+
+ it { expect_disallowed :read_runner_manager }
+
+ context 'when user is developer in a group invited to project as developer' do
+ before_all do
+ developers_group.add_developer(developers_group_developer)
+ end
+
+ it { expect_allowed :read_runner_manager }
+ end
+ end
end
end
@@ -138,7 +242,7 @@ RSpec.describe Ci::RunnerManagerPolicy, feature_category: :runner_fleet do
it_behaves_like 'a policy allowing reading instance runner manager depending on runner sharing'
- it_behaves_like 'a policy allowing reading group runner manager depending on runner sharing'
+ it_behaves_like 'a policy allowing reading group runner manager depending on runner sharing', :maintainer
context 'with project runner' do
let(:runner) { project_runner }
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-15 00:01:01 +0300