1 files changed, 144 insertions, 18 deletions

diff --git a/spec/policies/ci/runner_policy_spec.rb b/spec/policies/ci/runner_policy_spec.rb
index e0a9e3c2870..6259cf6d247 100644
--- a/spec/policies/ci/runner_policy_spec.rb
+++ b/spec/policies/ci/runner_policy_spec.rb
@@ -7,21 +7,26 @@ RSpec.describe Ci::RunnerPolicy, feature_category: :runner do
 
   describe 'ability :read_runner' do
     let_it_be(:guest) { create(:user) }
+    let_it_be(:reporter) { create(:user) }
     let_it_be(:developer) { create(:user) }
     let_it_be(:maintainer) { create(:user) }
 
     let_it_be_with_reload(:group) { create(:group, name: 'top-level', path: 'top-level') }
     let_it_be_with_reload(:subgroup) { create(:group, name: 'subgroup', path: 'subgroup', parent: group) }
     let_it_be_with_reload(:project) { create(:project, group: subgroup) }
+    let_it_be_with_reload(:group_without_project) { create(:group, name: 'top-level2', path: 'top-level2') }
 
     let_it_be(:instance_runner) { create(:ci_runner, :instance) }
     let_it_be(:group_runner) { create(:ci_runner, :group, groups: [group]) }
+    let_it_be(:subgroup_runner) { create(:ci_runner, :group, groups: [subgroup]) }
     let_it_be(:project_runner) { create(:ci_runner, :project, projects: [project]) }
+    let_it_be(:runner_on_group_without_project) { create(:ci_runner, :group, groups: [group_without_project]) }
 
     subject(:policy) { described_class.new(user, runner) }
 
     before_all do
       group.add_guest(guest)
+      group.add_reporter(reporter)
       group.add_developer(developer)
       group.add_maintainer(maintainer)
       group.add_owner(owner)
@@ -29,39 +34,121 @@ RSpec.describe Ci::RunnerPolicy, feature_category: :runner do
 
     shared_examples 'a policy allowing reading instance runner depending on runner sharing' do
       context 'with instance runner' do
-        let(:runner) { instance_runner }
+        using RSpec::Parameterized::TableSyntax
 
-        it { expect_allowed :read_runner }
+        where(:shared_runners_enabled_on_group, :shared_runners_enabled_on_project, :expect_can_read) do
+          false  | false  | false
+          false  | true   | true
+          true   | false  | true
+          true   | true   | true
+        end
+
+        with_them do
+          let(:runner) { instance_runner }
 
-        context 'with shared runners disabled on projects' do
           before do
-            project.update!(shared_runners_enabled: false)
+            group.update!(shared_runners_enabled: shared_runners_enabled_on_group)
+            project.update!(shared_runners_enabled: shared_runners_enabled_on_project)
           end
 
+          specify do
+            if expect_can_read
+              expect_allowed :read_runner
+            else
+              expect_disallowed :read_runner
+            end
+          end
+        end
+      end
+    end
+
+    shared_examples 'a policy allowing reading group runner depending on runner sharing' do |user_role|
+      let(:group_runners_enabled_on_project) { true }
+
+      before do
+        project.update!(group_runners_enabled: group_runners_enabled_on_project)
+      end
+
+      context 'with group runner' do
+        let(:runner) { group_runner }
+
+        # NOTE: The user is allowed to read the runner because:
+        # - the user is a developer+ in the runner's group
+        # - the user is a developer+ in `group/subgroup/project`, and the runner is shared to that project
+        it { expect_allowed :read_runner }
+
+        context 'with sharing of group runners disabled' do
+          let(:group_runners_enabled_on_project) { false }
+
           it { expect_allowed :read_runner }
         end
 
-        context 'with shared runners disabled for groups and projects' do
-          before do
-            group.update!(shared_runners_enabled: false)
-            project.update!(shared_runners_enabled: false)
+        context 'when user belongs to subgroup only' do
+          let_it_be(:subgroup_member) do
+            create(:user).tap { |subgroup_member| subgroup.add_member(subgroup_member, user_role) }
+          end
+
+          let(:user) { subgroup_member }
+
+          context 'with runner visible to group project' do
+            # NOTE: The user is allowed to read the runner because the user is a developer+ in `group/subgroup/project`,
+            # and the runner is shared to that project
+            it { expect_allowed :read_runner }
+
+            context 'with sharing of group runners disabled' do
+              let(:group_runners_enabled_on_project) { false }
+
+              it { expect_disallowed :read_runner }
+            end
           end
 
+          context 'without projects in group' do
+            let(:runner) { runner_on_group_without_project }
+
+            it { expect_disallowed :read_runner }
+          end
+        end
+
+        context "when user is not #{user_role} in associated group" do
+          let_it_be(:user_with_role) { create(:user) }
+
+          let(:user) { user_with_role }
+
           it { expect_disallowed :read_runner }
+
+          context "when user is #{user_role} in a group invited to group as #{user_role}" do
+            let_it_be(:invited_group) { create(:group, name: "#{user_role}s", path: "#{user_role}s") }
+
+            before_all do
+              invited_group.add_member(user_with_role, user_role)
+              create(:group_group_link, :developer, shared_group: group, shared_with_group: invited_group)
+            end
+
+            it { expect_allowed :read_runner }
+          end
+
+          context "when user is a reporter in a group invited to group as #{user_role}" do
+            let_it_be(:invited_group) { create(:group, name: "#{user_role}s", path: "#{user_role}s") }
+
+            before_all do
+              invited_group.add_reporter(user_with_role)
+              create(:group_group_link, user_role, shared_group: group, shared_with_group: invited_group)
+            end
+
+            it { expect_disallowed :read_runner }
+          end
         end
       end
-    end
 
-    shared_examples 'a policy allowing reading group runner depending on runner sharing' do
-      context 'with group runner' do
-        let(:runner) { group_runner }
+      context 'when runner is in subgroup' do
+        let(:runner) { subgroup_runner }
 
+        # NOTE: The user is allowed to read the runner because the user is a developer+ in `group/subgroup/project`,
+        # and the runner is shared to that project
         it { expect_allowed :read_runner }
 
         context 'with sharing of group runners disabled' do
-          before do
-            project.update!(group_runners_enabled: false)
-          end
+          let(:group_runners_enabled_on_project) { false }
 
           it { expect_disallowed :read_runner }
         end
@@ -89,6 +176,17 @@ RSpec.describe Ci::RunnerPolicy, feature_category: :runner do
 
         it { expect_disallowed :read_runner }
 
+        context 'with group invited as maintainer to group containing runner' do
+          let_it_be(:invited_group) { create(:group) }
+          let_it_be(:runner) { create(:ci_runner, :group, groups: [invited_group]) }
+
+          before_all do
+            create(:group_group_link, :maintainer, shared_group: group, shared_with_group: invited_group)
+          end
+
+          it { expect_disallowed :read_runner }
+        end
+
         context 'with sharing of group runners disabled' do
           before do
             project.update!(group_runners_enabled: false)
@@ -117,17 +215,45 @@ RSpec.describe Ci::RunnerPolicy, feature_category: :runner do
       it_behaves_like 'does not allow reading runners on any scope'
     end
 
+    context 'with reporter access' do
+      let(:user) { reporter }
+
+      it_behaves_like 'does not allow reading runners on any scope'
+    end
+
     context 'with developer access' do
       let(:user) { developer }
 
       it_behaves_like 'a policy allowing reading instance runner depending on runner sharing'
 
-      it_behaves_like 'a policy allowing reading group runner depending on runner sharing'
+      it_behaves_like 'a policy allowing reading group runner depending on runner sharing', :developer
 
       context 'with project runner' do
         let(:runner) { project_runner }
 
-        it { expect_disallowed :read_runner }
+        it { expect_allowed :read_runner }
+
+        context 'when user is not developer in parent group' do
+          let_it_be(:developers_group_developer) { create(:user) }
+          let_it_be_with_reload(:developers_group) { create(:group, name: 'developers', path: 'developers') }
+
+          let(:user) { developers_group_developer }
+
+          before_all do
+            create(:project_group_link, :developer, group: developers_group, project: project)
+            developers_group.add_reporter(developers_group_developer)
+          end
+
+          it { expect_disallowed :read_runner }
+
+          context 'when user is developer in a group invited to project as developer' do
+            before_all do
+              developers_group.add_developer(developers_group_developer)
+            end
+
+            it { expect_allowed :read_runner }
+          end
+        end
       end
     end
 
@@ -136,7 +262,7 @@ RSpec.describe Ci::RunnerPolicy, feature_category: :runner do
 
       it_behaves_like 'a policy allowing reading instance runner depending on runner sharing'
 
-      it_behaves_like 'a policy allowing reading group runner depending on runner sharing'
+      it_behaves_like 'a policy allowing reading group runner depending on runner sharing', :maintainer
 
       context 'with project runner' do
         let(:runner) { project_runner }