PageRenderTime 26ms CodeModel.GetById 18ms RepoModel.GetById 1ms app.codeStats 0ms

/spec/lib/gitlab/project_authorizations_spec.rb

https://gitlab.com/klml/gitlab-ee
Ruby | 311 lines | 236 code | 74 blank | 1 comment | 0 complexity | 6cfa4c820f960400c424dc66d9b720db MD5 | raw file
    

  1. # frozen_string_literal: true
    2. 

  2. 

  3. require 'spec_helper'
    4. 

  4. 

  5. RSpec.describe Gitlab::ProjectAuthorizations do
    6. 

  6.   def map_access_levels(rows)
    7. 

  7.     rows.each_with_object({}) do |row, hash|
    8. 

  8.       hash[row.project_id] = row.access_level
    9. 

  9.     end
    10. 

  10.   end
    11. 

  11. 

  12.   subject(:authorizations) do
    13. 

  13.     described_class.new(user).calculate
    14. 

  14.   end
    15. 

  15. 

  16.   context 'user added to group and project' do
    17. 

  17.     let(:group) { create(:group) }
    18. 

  18.     let!(:other_project) { create(:project) }
    19. 

  19.     let!(:group_project) { create(:project, namespace: group) }
    20. 

  20.     let!(:owned_project) { create(:project) }
    21. 

  21.     let(:user) { owned_project.namespace.owner }
    22. 

  22. 

  23.     before do
    24. 

  24.       other_project.add_reporter(user)
    25. 

  25.       group.add_developer(user)
    26. 

  26.     end
    27. 

  27. 

  28.     it 'returns the correct number of authorizations' do
    29. 

  29.       expect(authorizations.length).to eq(3)
    30. 

  30.     end
    31. 

  31. 

  32.     it 'includes the correct projects' do
    33. 

  33.       expect(authorizations.pluck(:project_id))
    34. 

  34.         .to include(owned_project.id, other_project.id, group_project.id)
    35. 

  35.     end
    36. 

  36. 

  37.     it 'includes the correct access levels' do
    38. 

  38.       mapping = map_access_levels(authorizations)
    39. 

  39. 

  40.       expect(mapping[owned_project.id]).to eq(Gitlab::Access::MAINTAINER)
    41. 

  41.       expect(mapping[other_project.id]).to eq(Gitlab::Access::REPORTER)
    42. 

  42.       expect(mapping[group_project.id]).to eq(Gitlab::Access::DEVELOPER)
    43. 

  43.     end
    44. 

  44.   end
    45. 

  45. 

  46.   context 'unapproved access request' do
    47. 

  47.     let_it_be(:group) { create(:group) }
    48. 

  48.     let_it_be(:user) { create(:user) }
    49. 

  49. 

  50.     subject(:mapping) { map_access_levels(authorizations) }
    51. 

  51. 

  52.     context 'group membership' do
    53. 

  53.       let!(:group_project) { create(:project, namespace: group) }
    54. 

  54. 

  55.       before do
    56. 

  56.         create(:group_member, :developer, :access_request, user: user, group: group)
    57. 

  57.       end
    58. 

  58. 

  59.       it 'does not create authorization' do
    60. 

  60.         expect(mapping[group_project.id]).to be_nil
    61. 

  61.       end
    62. 

  62.     end
    63. 

  63. 

  64.     context 'inherited group membership' do
    65. 

  65.       let!(:sub_group) { create(:group, parent: group) }
    66. 

  66.       let!(:sub_group_project) { create(:project, namespace: sub_group) }
    67. 

  67. 

  68.       before do
    69. 

  69.         create(:group_member, :developer, :access_request, user: user, group: group)
    70. 

  70.       end
    71. 

  71. 

  72.       it 'does not create authorization' do
    73. 

  73.         expect(mapping[sub_group_project.id]).to be_nil
    74. 

  74.       end
    75. 

  75.     end
    76. 

  76. 

  77.     context 'project membership' do
    78. 

  78.       let!(:group_project) { create(:project, namespace: group) }
    79. 

  79. 

  80.       before do
    81. 

  81.         create(:project_member, :developer, :access_request, user: user, project: group_project)
    82. 

  82.       end
    83. 

  83. 

  84.       it 'does not create authorization' do
    85. 

  85.         expect(mapping[group_project.id]).to be_nil
    86. 

  86.       end
    87. 

  87.     end
    88. 

  88. 

  89.     context 'shared group' do
    90. 

  90.       let!(:shared_group) { create(:group) }
    91. 

  91.       let!(:shared_group_project) { create(:project, namespace: shared_group) }
    92. 

  92. 

  93.       before do
    94. 

  94.         create(:group_group_link, shared_group: shared_group, shared_with_group: group)
    95. 

  95.         create(:group_member, :developer, :access_request, user: user, group: group)
    96. 

  96.       end
    97. 

  97. 

  98.       it 'does not create authorization' do
    99. 

  99.         expect(mapping[shared_group_project.id]).to be_nil
    100. 

  100.       end
    101. 

  101.     end
    102. 

  102. 

  103.     context 'shared project' do
    104. 

  104.       let!(:another_group) { create(:group) }
    105. 

  105.       let!(:shared_project) { create(:project, namespace: another_group) }
    106. 

  106. 

  107.       before do
    108. 

  108.         create(:project_group_link, group: group, project: shared_project)
    109. 

  109.         create(:group_member, :developer, :access_request, user: user, group: group)
    110. 

  110.       end
    111. 

  111. 

  112.       it 'does not create authorization' do
    113. 

  113.         expect(mapping[shared_project.id]).to be_nil
    114. 

  114.       end
    115. 

  115.     end
    116. 

  116.   end
    117. 

  117. 

  118.   context 'user with minimal access to group' do
    119. 

  119.     let_it_be(:group) { create(:group) }
    120. 

  120.     let_it_be(:user) { create(:user) }
    121. 

  121. 

  122.     subject(:mapping) { map_access_levels(authorizations) }
    123. 

  123. 

  124.     context 'group membership' do
    125. 

  125.       let!(:group_project) { create(:project, namespace: group) }
    126. 

  126. 

  127.       before do
    128. 

  128.         create(:group_member, :minimal_access, user: user, source: group)
    129. 

  129.       end
    130. 

  130. 

  131.       it 'does not create authorization' do
    132. 

  132.         expect(mapping[group_project.id]).to be_nil
    133. 

  133.       end
    134. 

  134.     end
    135. 

  135. 

  136.     context 'inherited group membership' do
    137. 

  137.       let!(:sub_group) { create(:group, parent: group) }
    138. 

  138.       let!(:sub_group_project) { create(:project, namespace: sub_group) }
    139. 

  139. 

  140.       before do
    141. 

  141.         create(:group_member, :minimal_access, user: user, source: group)
    142. 

  142.       end
    143. 

  143. 

  144.       it 'does not create authorization' do
    145. 

  145.         expect(mapping[sub_group_project.id]).to be_nil
    146. 

  146.       end
    147. 

  147.     end
    148. 

  148. 

  149.     context 'shared group' do
    150. 

  150.       let!(:shared_group) { create(:group) }
    151. 

  151.       let!(:shared_group_project) { create(:project, namespace: shared_group) }
    152. 

  152. 

  153.       before do
    154. 

  154.         create(:group_group_link, shared_group: shared_group, shared_with_group: group)
    155. 

  155.         create(:group_member, :minimal_access, user: user, source: group)
    156. 

  156.       end
    157. 

  157. 

  158.       it 'does not create authorization' do
    159. 

  159.         expect(mapping[shared_group_project.id]).to be_nil
    160. 

  160.       end
    161. 

  161.     end
    162. 

  162. 

  163.     context 'shared project' do
    164. 

  164.       let!(:another_group) { create(:group) }
    165. 

  165.       let!(:shared_project) { create(:project, namespace: another_group) }
    166. 

  166. 

  167.       before do
    168. 

  168.         create(:project_group_link, group: group, project: shared_project)
    169. 

  169.         create(:group_member, :minimal_access, user: user, source: group)
    170. 

  170.       end
    171. 

  171. 

  172.       it 'does not create authorization' do
    173. 

  173.         expect(mapping[shared_project.id]).to be_nil
    174. 

  174.       end
    175. 

  175.     end
    176. 

  176.   end
    177. 

  177. 

  178.   context 'with nested groups' do
    179. 

  179.     let(:group) { create(:group) }
    180. 

  180.     let!(:nested_group) { create(:group, parent: group) }
    181. 

  181.     let!(:nested_project) { create(:project, namespace: nested_group) }
    182. 

  182.     let(:user) { create(:user) }
    183. 

  183. 

  184.     before do
    185. 

  185.       group.add_developer(user)
    186. 

  186.     end
    187. 

  187. 

  188.     it 'includes nested groups' do
    189. 

  189.       expect(authorizations.pluck(:project_id)).to include(nested_project.id)
    190. 

  190.     end
    191. 

  191. 

  192.     it 'inherits access levels when the user is not a member of a nested group' do
    193. 

  193.       mapping = map_access_levels(authorizations)
    194. 

  194. 

  195.       expect(mapping[nested_project.id]).to eq(Gitlab::Access::DEVELOPER)
    196. 

  196.     end
    197. 

  197. 

  198.     it 'uses the greatest access level when a user is a member of a nested group' do
    199. 

  199.       nested_group.add_maintainer(user)
    200. 

  200. 

  201.       mapping = map_access_levels(authorizations)
    202. 

  202. 

  203.       expect(mapping[nested_project.id]).to eq(Gitlab::Access::MAINTAINER)
    204. 

  204.     end
    205. 

  205.   end
    206. 

  206. 

  207.   context 'with shared groups' do
    208. 

  208.     let(:parent_group_user) { create(:user) }
    209. 

  209.     let(:group_user) { create(:user) }
    210. 

  210.     let(:child_group_user) { create(:user) }
    211. 

  211. 

  212.     let_it_be(:group_parent) { create(:group, :private) }
    213. 

  213.     let_it_be(:group) { create(:group, :private, parent: group_parent) }
    214. 

  214.     let_it_be(:group_child) { create(:group, :private, parent: group) }
    215. 

  215. 

  216.     let_it_be(:shared_group_parent) { create(:group, :private) }
    217. 

  217.     let_it_be(:shared_group) { create(:group, :private, parent: shared_group_parent) }
    218. 

  218.     let_it_be(:shared_group_child) { create(:group, :private, parent: shared_group) }
    219. 

  219. 

  220.     let_it_be(:project_parent) { create(:project, group: shared_group_parent) }
    221. 

  221.     let_it_be(:project) { create(:project, group: shared_group) }
    222. 

  222.     let_it_be(:project_child) { create(:project, group: shared_group_child) }
    223. 

  223. 

  224.     before do
    225. 

  225.       group_parent.add_owner(parent_group_user)
    226. 

  226.       group.add_owner(group_user)
    227. 

  227.       group_child.add_owner(child_group_user)
    228. 

  228. 

  229.       create(:group_group_link, shared_group: shared_group, shared_with_group: group)
    230. 

  230.     end
    231. 

  231. 

  232.     context 'group user' do
    233. 

  233.       let(:user) { group_user }
    234. 

  234. 

  235.       it 'creates proper authorizations' do
    236. 

  236.         mapping = map_access_levels(authorizations)
    237. 

  237. 

  238.         expect(mapping[project_parent.id]).to be_nil
    239. 

  239.         expect(mapping[project.id]).to eq(Gitlab::Access::DEVELOPER)
    240. 

  240.         expect(mapping[project_child.id]).to eq(Gitlab::Access::DEVELOPER)
    241. 

  241.       end
    242. 

  242.     end
    243. 

  243. 

  244.     context 'with lower group access level than max access level for share' do
    245. 

  245.       let(:user) { create(:user) }
    246. 

  246. 

  247.       it 'creates proper authorizations' do
    248. 

  248.         group.add_reporter(user)
    249. 

  249. 

  250.         mapping = map_access_levels(authorizations)
    251. 

  251. 

  252.         expect(mapping[project_parent.id]).to be_nil
    253. 

  253.         expect(mapping[project.id]).to eq(Gitlab::Access::REPORTER)
    254. 

  254.         expect(mapping[project_child.id]).to eq(Gitlab::Access::REPORTER)
    255. 

  255.       end
    256. 

  256.     end
    257. 

  257. 

  258.     context 'parent group user' do
    259. 

  259.       let(:user) { parent_group_user }
    260. 

  260. 

  261.       it 'creates proper authorizations' do
    262. 

  262.         mapping = map_access_levels(authorizations)
    263. 

  263. 

  264.         expect(mapping[project_parent.id]).to be_nil
    265. 

  265.         expect(mapping[project.id]).to be_nil
    266. 

  266.         expect(mapping[project_child.id]).to be_nil
    267. 

  267.       end
    268. 

  268.     end
    269. 

  269. 

  270.     context 'child group user' do
    271. 

  271.       let(:user) { child_group_user }
    272. 

  272. 

  273.       it 'creates proper authorizations' do
    274. 

  274.         mapping = map_access_levels(authorizations)
    275. 

  275. 

  276.         expect(mapping[project_parent.id]).to be_nil
    277. 

  277.         expect(mapping[project.id]).to be_nil
    278. 

  278.         expect(mapping[project_child.id]).to be_nil
    279. 

  279.       end
    280. 

  280.     end
    281. 

  281. 

  282.     context 'user without accepted access request' do
    283. 

  283.       let!(:user) { create(:user) }
    284. 

  284. 

  285.       it 'does not have access to group and its projects' do
    286. 

  286.         create(:group_member, :developer, :access_request, user: user, group: group)
    287. 

  287. 

  288.         mapping = map_access_levels(authorizations)
    289. 

  289. 

  290.         expect(mapping[project_parent.id]).to be_nil
    291. 

  291.         expect(mapping[project.id]).to be_nil
    292. 

  292.         expect(mapping[project_child.id]).to be_nil
    293. 

  293.       end
    294. 

  294.     end
    295. 

  295. 

  296.     context 'unrelated project owner' do
    297. 

  297.       let(:common_id) { non_existing_record_id }
    298. 

  298.       let!(:group) { create(:group, id: common_id) }
    299. 

  299.       let!(:unrelated_project) { create(:project, id: common_id) }
    300. 

  300.       let(:user) { unrelated_project.owner }
    301. 

  301. 

  302.       it 'does not have access to group and its projects' do
    303. 

  303.         mapping = map_access_levels(authorizations)
    304. 

  304. 

  305.         expect(mapping[project_parent.id]).to be_nil
    306. 

  306.         expect(mapping[project.id]).to be_nil
    307. 

  307.         expect(mapping[project_child.id]).to be_nil
    308. 

  308.       end
    309. 

  309.     end
    310. 

  310.   end
    311. 

  311. end
    312. 

  312.