129 lines
4.8 KiB
Ruby
129 lines
4.8 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
require 'spec_helper'
|
|
|
|
RSpec.describe Namespaces::ProjectNamespacePolicy, feature_category: :groups_and_projects do
|
|
include ExternalAuthorizationServiceHelpers
|
|
include AdminModeHelper
|
|
|
|
let_it_be(:public_project) { create(:project, :public) }
|
|
let_it_be(:private_project) { create(:project, :private) }
|
|
|
|
subject { described_class.new(current_user, namespace) }
|
|
|
|
it_behaves_like 'checks timelog categories permissions' do
|
|
let(:project) { create(:project) }
|
|
let(:namespace) { project.project_namespace }
|
|
let(:users_container) { project }
|
|
end
|
|
|
|
context 'with read_namespace permissions' do
|
|
let(:project) { public_project }
|
|
let(:owner) { project.creator }
|
|
let(:developer) { create(:user) }
|
|
let(:admin) { create(:admin) }
|
|
let(:namespace) { project.project_namespace }
|
|
|
|
before do
|
|
project.add_developer(developer)
|
|
end
|
|
|
|
it 'allows access when a user has read access to the project' do
|
|
expect(described_class.new(owner, project.project_namespace)).to be_allowed(:read_project, :read_namespace)
|
|
expect(described_class.new(developer, project.project_namespace)).to be_allowed(:read_project, :read_namespace)
|
|
expect(described_class.new(admin, project.project_namespace)).to be_allowed(:read_project, :read_namespace)
|
|
end
|
|
|
|
it 'never checks the external service' do
|
|
expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?)
|
|
|
|
expect(described_class.new(owner, namespace)).to be_allowed(:read_project, :read_namespace)
|
|
end
|
|
|
|
context 'with an external authorization service' do
|
|
before do
|
|
enable_external_authorization_service_check
|
|
end
|
|
|
|
it 'allows access when the external service allows it' do
|
|
external_service_allow_access(owner, project)
|
|
external_service_allow_access(developer, project)
|
|
|
|
expect(described_class.new(owner, namespace)).to be_allowed(:read_project, :read_namespace)
|
|
expect(described_class.new(developer, namespace)).to be_allowed(:read_project, :read_namespace)
|
|
end
|
|
|
|
context 'with an admin' do
|
|
context 'when admin mode is enabled', :enable_admin_mode do
|
|
it 'does not check the external service and allows access' do
|
|
expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?)
|
|
|
|
expect(described_class.new(admin, namespace)).to be_allowed(:read_project, :read_namespace)
|
|
end
|
|
end
|
|
|
|
context 'when admin mode is disabled' do
|
|
it 'checks the external service and allows access' do
|
|
external_service_allow_access(admin, project)
|
|
|
|
expect(::Gitlab::ExternalAuthorization).to receive(:access_allowed?)
|
|
|
|
expect(described_class.new(admin, namespace)).to be_allowed(:read_project, :read_namespace)
|
|
end
|
|
end
|
|
end
|
|
|
|
it 'prevents all but seeing a public project in a list when access is denied' do
|
|
[developer, owner, build(:user), nil].each do |user|
|
|
external_service_deny_access(user, project)
|
|
policy = described_class.new(user, namespace)
|
|
|
|
expect(policy).not_to be_allowed(:read_project, :read_namespace)
|
|
end
|
|
end
|
|
|
|
it 'passes the full path to external authorization for logging purposes' do
|
|
expect(::Gitlab::ExternalAuthorization)
|
|
.to receive(:access_allowed?).with(owner, 'default_label', project.full_path).and_call_original
|
|
|
|
described_class.new(owner, namespace).allowed?(:read_project, :read_namespace)
|
|
end
|
|
end
|
|
|
|
context 'with support bot user' do
|
|
let(:current_user) { Users::Internal.support_bot }
|
|
|
|
context 'with service desk disabled' do
|
|
it { expect(described_class.new(current_user, namespace)).not_to be_allowed(:read_project, :read_namespace) }
|
|
end
|
|
end
|
|
|
|
context 'with deploy key access actor' do
|
|
context 'when project is private' do
|
|
let(:project) { private_project }
|
|
let!(:deploy_key) { create(:deploy_key, user: owner) }
|
|
|
|
subject { described_class.new(deploy_key, project.project_namespace) }
|
|
|
|
context 'when a read deploy key is enabled in the project' do
|
|
let!(:deploy_keys_project) { create(:deploy_keys_project, project: project, deploy_key: deploy_key) }
|
|
|
|
it { is_expected.to be_disallowed(:read_project, :read_namespace) }
|
|
end
|
|
|
|
context 'when a write deploy key is enabled in the project' do
|
|
let!(:deploy_keys_project) do
|
|
create(:deploy_keys_project, :write_access, project: project, deploy_key: deploy_key)
|
|
end
|
|
|
|
it { is_expected.to be_disallowed(:read_project, :read_namespace) }
|
|
end
|
|
|
|
context 'when the deploy key is not enabled in the project' do
|
|
it { is_expected.to be_disallowed(:read_project, :read_namespace) }
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|