From 8c7f4e9d5f36cff46365a7f8c4b9c21578c1e781 Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Thu, 18 Jun 2020 11:18:50 +0000 Subject: Add latest changes from gitlab-org/gitlab@13-1-stable-ee --- spec/policies/ci/build_policy_spec.rb | 125 ++++++++++++++++++ spec/policies/group_policy_spec.rb | 2 +- spec/policies/project_policy_spec.rb | 181 +++++++++++++++++++-------- spec/policies/releases/source_policy_spec.rb | 88 +++++++++++++ 4 files changed, 342 insertions(+), 54 deletions(-) create mode 100644 spec/policies/releases/source_policy_spec.rb (limited to 'spec/policies') diff --git a/spec/policies/ci/build_policy_spec.rb b/spec/policies/ci/build_policy_spec.rb index f29ed26f2aa..5857369a550 100644 --- a/spec/policies/ci/build_policy_spec.rb +++ b/spec/policies/ci/build_policy_spec.rb @@ -249,4 +249,129 @@ describe Ci::BuildPolicy do end end end + + describe 'manage a web ide terminal' do + let(:build_permissions) { %i[read_web_ide_terminal create_build_terminal update_web_ide_terminal create_build_service_proxy] } + let_it_be(:maintainer) { create(:user) } + let(:owner) { create(:owner) } + let(:admin) { create(:admin) } + let(:maintainer) { create(:user) } + let(:developer) { create(:user) } + let(:reporter) { create(:user) } + let(:guest) { create(:user) } + let(:project) { create(:project, :public, namespace: owner.namespace) } + let(:pipeline) { create(:ci_empty_pipeline, project: project, source: :webide) } + let(:build) { create(:ci_build, pipeline: pipeline) } + + before do + allow(build).to receive(:has_terminal?).and_return(true) + + project.add_maintainer(maintainer) + project.add_developer(developer) + project.add_reporter(reporter) + project.add_guest(guest) + end + + subject { described_class.new(current_user, build) } + + context 'when create_web_ide_terminal access enabled' do + context 'with admin' do + let(:current_user) { admin } + + context 'when admin mode enabled', :enable_admin_mode do + it { expect_allowed(*build_permissions) } + end + + context 'when admin mode disabled' do + it { expect_disallowed(*build_permissions) } + end + + context 'when build is not from a webide pipeline' do + let(:pipeline) { create(:ci_empty_pipeline, project: project, source: :chat) } + + it { expect_disallowed(:read_web_ide_terminal, :update_web_ide_terminal, :create_build_service_proxy) } + end + + context 'when build has no runner terminal' do + before do + allow(build).to receive(:has_terminal?).and_return(false) + end + + context 'when admin mode enabled', :enable_admin_mode do + it { expect_allowed(:read_web_ide_terminal, :update_web_ide_terminal) } + it { expect_disallowed(:create_build_terminal, :create_build_service_proxy) } + end + + context 'when admin mode disabled' do + it { expect_disallowed(:read_web_ide_terminal, :update_web_ide_terminal) } + it { expect_disallowed(:create_build_terminal, :create_build_service_proxy) } + end + end + + context 'feature flag "build_service_proxy" is disabled' do + before do + stub_feature_flags(build_service_proxy: false) + end + + it { expect_disallowed(:create_build_service_proxy) } + end + end + + shared_examples 'allowed build owner access' do + it { expect_disallowed(*build_permissions) } + + context 'when user is the owner of the job' do + let(:build) { create(:ci_build, pipeline: pipeline, user: current_user) } + + it { expect_allowed(*build_permissions) } + end + end + + shared_examples 'forbidden access' do + it { expect_disallowed(*build_permissions) } + + context 'when user is the owner of the job' do + let(:build) { create(:ci_build, pipeline: pipeline, user: current_user) } + + it { expect_disallowed(*build_permissions) } + end + end + + context 'with owner' do + let(:current_user) { owner } + + it_behaves_like 'allowed build owner access' + end + + context 'with maintainer' do + let(:current_user) { maintainer } + + it_behaves_like 'allowed build owner access' + end + + context 'with developer' do + let(:current_user) { developer } + + it_behaves_like 'forbidden access' + end + + context 'with reporter' do + let(:current_user) { reporter } + + it_behaves_like 'forbidden access' + end + + context 'with guest' do + let(:current_user) { guest } + + it_behaves_like 'forbidden access' + end + + context 'with non member' do + let(:current_user) { create(:user) } + + it_behaves_like 'forbidden access' + end + end + end end diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb index 9faddfd00e5..6b17a8285a2 100644 --- a/spec/policies/group_policy_spec.rb +++ b/spec/policies/group_policy_spec.rb @@ -175,7 +175,7 @@ describe GroupPolicy do nested_group.add_guest(developer) nested_group.add_guest(maintainer) - group.owners.destroy_all # rubocop: disable DestroyAll + group.owners.destroy_all # rubocop: disable Cop/DestroyAll group.add_guest(owner) nested_group.add_owner(owner) diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index f91d5658626..6ec63ba61ca 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -219,41 +219,16 @@ describe ProjectPolicy do project.project_feature.update!(builds_access_level: ProjectFeature::DISABLED) end - context 'without metrics_dashboard_allowed' do - before do - project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::DISABLED) - end - - it 'disallows all permissions except pipeline when the feature is disabled' do - builds_permissions = [ - :create_build, :read_build, :update_build, :admin_build, :destroy_build, - :create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule, - :create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment, - :create_cluster, :read_cluster, :update_cluster, :admin_cluster, :destroy_cluster, - :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment - ] - - expect_disallowed(*builds_permissions) - end - end - - context 'with metrics_dashboard_allowed' do - before do - project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::ENABLED) - end + it 'disallows all permissions except pipeline when the feature is disabled' do + builds_permissions = [ + :create_build, :read_build, :update_build, :admin_build, :destroy_build, + :create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule, + :create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment, + :create_cluster, :read_cluster, :update_cluster, :admin_cluster, :destroy_cluster, + :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment + ] - it 'disallows all permissions except pipeline and read_environment when the feature is disabled' do - builds_permissions = [ - :create_build, :read_build, :update_build, :admin_build, :destroy_build, - :create_pipeline_schedule, :read_pipeline_schedule, :update_pipeline_schedule, :admin_pipeline_schedule, :destroy_pipeline_schedule, - :create_environment, :update_environment, :admin_environment, :destroy_environment, - :create_cluster, :read_cluster, :update_cluster, :admin_cluster, :destroy_cluster, - :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment - ] - - expect_disallowed(*builds_permissions) - expect_allowed(:read_environment) - end + expect_disallowed(*builds_permissions) end end @@ -301,25 +276,8 @@ describe ProjectPolicy do ) end - context 'without metrics_dashboard_allowed' do - before do - project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::DISABLED) - end - - it 'disallows all permissions when the feature is disabled' do - expect_disallowed(*repository_permissions) - end - end - - context 'with metrics_dashboard_allowed' do - before do - project.project_feature.update(metrics_dashboard_access_level: ProjectFeature::ENABLED) - end - - it 'disallows all permissions but read_environment when the feature is disabled' do - expect_disallowed(*(repository_permissions - [:read_environment])) - expect_allowed(:read_environment) - end + it 'disallows all permissions' do + expect_disallowed(*repository_permissions) end end end @@ -817,4 +775,121 @@ describe ProjectPolicy do it { is_expected.to be_disallowed(:destroy_package) } end end + + describe 'create_web_ide_terminal' do + subject { described_class.new(current_user, project) } + + context 'with admin' do + let(:current_user) { admin } + + context 'when admin mode enabled', :enable_admin_mode do + it { is_expected.to be_allowed(:create_web_ide_terminal) } + end + + context 'when admin mode disabled' do + it { is_expected.to be_disallowed(:create_web_ide_terminal) } + end + end + + context 'with owner' do + let(:current_user) { owner } + + it { is_expected.to be_allowed(:create_web_ide_terminal) } + end + + context 'with maintainer' do + let(:current_user) { maintainer } + + it { is_expected.to be_allowed(:create_web_ide_terminal) } + end + + context 'with developer' do + let(:current_user) { developer } + + it { is_expected.to be_disallowed(:create_web_ide_terminal) } + end + + context 'with reporter' do + let(:current_user) { reporter } + + it { is_expected.to be_disallowed(:create_web_ide_terminal) } + end + + context 'with guest' do + let(:current_user) { guest } + + it { is_expected.to be_disallowed(:create_web_ide_terminal) } + end + + context 'with non member' do + let(:current_user) { create(:user) } + + it { is_expected.to be_disallowed(:create_web_ide_terminal) } + end + + context 'with anonymous' do + let(:current_user) { nil } + + it { is_expected.to be_disallowed(:create_web_ide_terminal) } + end + end + + describe 'read_repository_graphs' do + subject { described_class.new(guest, project) } + + before do + allow(subject).to receive(:allowed?).with(:read_repository_graphs).and_call_original + allow(subject).to receive(:allowed?).with(:download_code).and_return(can_download_code) + end + + context 'when user can download_code' do + let(:can_download_code) { true } + + it { is_expected.to be_allowed(:read_repository_graphs) } + end + + context 'when user cannot download_code' do + let(:can_download_code) { false } + + it { is_expected.to be_disallowed(:read_repository_graphs) } + end + end + + describe 'read_build_report_results' do + subject { described_class.new(guest, project) } + + before do + allow(subject).to receive(:allowed?).with(:read_build_report_results).and_call_original + allow(subject).to receive(:allowed?).with(:read_build).and_return(can_read_build) + allow(subject).to receive(:allowed?).with(:read_pipeline).and_return(can_read_pipeline) + end + + context 'when user can read_build and read_pipeline' do + let(:can_read_build) { true } + let(:can_read_pipeline) { true } + + it { is_expected.to be_allowed(:read_build_report_results) } + end + + context 'when user can read_build but cannot read_pipeline' do + let(:can_read_build) { true } + let(:can_read_pipeline) { false } + + it { is_expected.to be_disallowed(:read_build_report_results) } + end + + context 'when user cannot read_build but can read_pipeline' do + let(:can_read_build) { false } + let(:can_read_pipeline) { true } + + it { is_expected.to be_disallowed(:read_build_report_results) } + end + + context 'when user cannot read_build and cannot read_pipeline' do + let(:can_read_build) { false } + let(:can_read_pipeline) { false } + + it { is_expected.to be_disallowed(:read_build_report_results) } + end + end end diff --git a/spec/policies/releases/source_policy_spec.rb b/spec/policies/releases/source_policy_spec.rb new file mode 100644 index 00000000000..1bc6d5415d3 --- /dev/null +++ b/spec/policies/releases/source_policy_spec.rb @@ -0,0 +1,88 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe Releases::SourcePolicy do + using RSpec::Parameterized::TableSyntax + + let(:policy) { described_class.new(user, source) } + + let_it_be(:public_user) { create(:user) } + let_it_be(:guest) { create(:user) } + let_it_be(:reporter) { create(:user) } + + let(:release) { create(:release, project: project) } + let(:source) { release.sources.first } + + shared_examples 'source code access' do + it "allows access a release's source code" do + expect(policy).to be_allowed(:read_release_sources) + end + end + + shared_examples 'no source code access' do + it "does not allow access a release's source code" do + expect(policy).to be_disallowed(:read_release_sources) + end + end + + context 'a private project' do + let_it_be(:project) { create(:project, :private) } + + context 'accessed by a public user' do + let(:user) { public_user } + + it_behaves_like 'no source code access' + end + + context 'accessed by a user with Guest permissions' do + let(:user) { guest } + + before do + project.add_guest(user) + end + + it_behaves_like 'no source code access' + end + + context 'accessed by a user with Reporter permissions' do + let(:user) { reporter } + + before do + project.add_reporter(user) + end + + it_behaves_like 'source code access' + end + end + + context 'a public project' do + let_it_be(:project) { create(:project, :public) } + + context 'accessed by a public user' do + let(:user) { public_user } + + it_behaves_like 'source code access' + end + + context 'accessed by a user with Guest permissions' do + let(:user) { guest } + + before do + project.add_guest(user) + end + + it_behaves_like 'source code access' + end + + context 'accessed by a user with Reporter permissions' do + let(:user) { reporter } + + before do + project.add_reporter(user) + end + + it_behaves_like 'source code access' + end + end +end -- cgit v1.2.3