Diffstat (limited to 'spec/policies/group_policy_spec.rb')
-rw-r--r-- | spec/policies/group_policy_spec.rb | 107 |
1 files changed, 73 insertions, 34 deletions
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb
index cb7884b141e..042dbb09436 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -1110,53 +1110,103 @@ RSpec.describe GroupPolicy, feature_category: :system_access do
 it { is_expected.to be_allowed(:admin_dependency_proxy) }
 end
+ shared_examples 'disallows all dependency proxy access' do
+ it { is_expected.to be_disallowed(:read_dependency_proxy) }
+ it { is_expected.to be_disallowed(:admin_dependency_proxy) }
+ end
+
+ shared_examples 'allows dependency proxy read access but not admin' do
+ it { is_expected.to be_allowed(:read_dependency_proxy) }
+ it { is_expected.to be_disallowed(:admin_dependency_proxy) }
+ end
+
 context 'feature disabled' do
 let(:current_user) { owner }
- it { is_expected.to be_disallowed(:read_dependency_proxy) }
- it { is_expected.to be_disallowed(:admin_dependency_proxy) }
+ before do
+ stub_config(dependency_proxy: { enabled: false })
+ end
+
+ it_behaves_like 'disallows all dependency proxy access'
 end
 context 'feature enabled' do
 before do
- stub_config(dependency_proxy: { enabled: true })
+ stub_config(dependency_proxy: { enabled: true }, registry: { enabled: true })
 end
- context 'reporter' do
- let(:current_user) { reporter }
+ context 'human user' do
+ context 'reporter' do
+ let(:current_user) { reporter }
- it { is_expected.to be_allowed(:read_dependency_proxy) }
- it { is_expected.to be_disallowed(:admin_dependency_proxy) }
- end
+ it_behaves_like 'allows dependency proxy read access but not admin'
+ end
- context 'developer' do
- let(:current_user) { developer }
+ context 'developer' do
+ let(:current_user) { developer }
+
+ it_behaves_like 'allows dependency proxy read access but not admin'
+ end
+
+ context 'maintainer' do
+ let(:current_user) { maintainer }
+
+ it_behaves_like 'allows dependency proxy read access but not admin'
+ it_behaves_like 'disabling admin_package feature flag'
+ end
+
+ context 'owner' do
+ let(:current_user) { owner }
- it { is_expected.to be_allowed(:read_dependency_proxy) }
- it { is_expected.to be_disallowed(:admin_dependency_proxy) }
+ it { is_expected.to be_allowed(:read_dependency_proxy) }
+ it { is_expected.to be_allowed(:admin_dependency_proxy) }
+
+ it_behaves_like 'disabling admin_package feature flag'
+ end
 end
- context 'maintainer' do
- let(:current_user) { maintainer }
+ context 'deploy token user' do
+ let!(:group_deploy_token) do
+ create(:group_deploy_token, group: group, deploy_token: deploy_token)
+ end
+
+ subject { described_class.new(deploy_token, group) }
- it { is_expected.to be_allowed(:read_dependency_proxy) }
- it { is_expected.to be_disallowed(:admin_dependency_proxy) }
+ context 'with insufficient scopes' do
+ let_it_be(:deploy_token) { create(:deploy_token, :group) }
- it_behaves_like 'disabling admin_package feature flag'
+ it_behaves_like 'disallows all dependency proxy access'
+ end
+
+ context 'with sufficient scopes' do
+ let_it_be(:deploy_token) { create(:deploy_token, :group, :dependency_proxy_scopes) }
+
+ it_behaves_like 'allows dependency proxy read access but not admin'
+ end
 end
- context 'owner' do
- let(:current_user) { owner }
+ context 'group access token user' do
+ let_it_be(:bot_user) { create(:user, :project_bot) }
+ let_it_be(:token) { create(:personal_access_token, user: bot_user, scopes: [Gitlab::Auth::READ_API_SCOPE]) }
+
+ subject { described_class.new(bot_user, group) }
- it { is_expected.to be_allowed(:read_dependency_proxy) }
- it { is_expected.to be_allowed(:admin_dependency_proxy) }
+ context 'not a member of the group' do
+ it_behaves_like 'disallows all dependency proxy access'
+ end
+
+ context 'a member of the group' do
+ before do
+ group.add_guest(bot_user)
+ end
- it_behaves_like 'disabling admin_package feature flag'
+ it_behaves_like 'allows dependency proxy read access but not admin'
+ end
 end
 end
 end
- context 'deploy token access' do
+ context 'deploy token user' do
 let!(:group_deploy_token) do
 create(:group_deploy_token, group: group, deploy_token: deploy_token)
 end
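Review bot: The 'feature enabled' setup now also stubs `registry: { enabled: true }`, which suggests the dependency-proxy rules in the policy depend on the container registry being enabled, yet no example asserts the deny path when the registry is off while the dependency proxy is on. Authorization specs should pin the negative side of each gating condition, so a sibling context like the one below would close that gap (if the registry stub turns out to be incidental, the point still stands for whatever condition made it necessary). Separately, in 'group access token user' the `let_it_be(:token)` personal access token is never referenced by the subject `described_class.new(bot_user, group)`, so its `READ_API_SCOPE` cannot influence the outcome; either drop it or add a comment such as `# token scopes are enforced at the auth layer, not by GroupPolicy` so a reader does not take these examples as scope-enforcement coverage. The enclosing describe block starts before this hunk.
```ruby
# … unchanged: 'feature disabled' context …
context 'registry disabled' do
  let(:current_user) { owner }

  before do
    stub_config(dependency_proxy: { enabled: true }, registry: { enabled: false })
  end

  it_behaves_like 'disallows all dependency proxy access'
end
# … unchanged: 'feature enabled' context …
```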
@@ -1179,17 +1229,6 @@ RSpec.describe GroupPolicy, feature_category: :system_access do
 it { is_expected.to be_allowed(:read_group) }
 it { is_expected.to be_disallowed(:destroy_package) }
 end
-
- context 'a deploy token with dependency proxy scopes' do
- let_it_be(:deploy_token) { create(:deploy_token, :group, :dependency_proxy_scopes) }
-
- before do
- stub_config(dependency_proxy: { enabled: true })
- end
-
- it { is_expected.to be_allowed(:read_dependency_proxy) }
- it { is_expected.to be_disallowed(:admin_dependency_proxy) }
- end
 end
 it_behaves_like 'Self-managed Core resource access tokens' |