File: authorize_proxy_user_service_spec.rb

package info (click to toggle)
gitlab 17.6.5-19
  • links: PTS, VCS
  • area: main
  • in suites: sid
  • size: 629,368 kB
  • sloc: ruby: 1,915,304; javascript: 557,307; sql: 60,639; xml: 6,509; sh: 4,567; makefile: 1,239; python: 406
file content (81 lines) | stat: -rw-r--r-- 3,295 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
 
# frozen_string_literal: true

require 'spec_helper'

RSpec.describe Clusters::Agents::AuthorizeProxyUserService, feature_category: :deployment_management do
  subject(:service_response) { service.execute }

  let(:service) { described_class.new(user, agent) }
  let(:user) { create(:user) }

  let_it_be(:organization) { create(:group) }
  let_it_be(:configuration_project) { create(:project, group: organization) }
  let_it_be(:agent) { create(:cluster_agent, name: 'the-agent', project: configuration_project) }
  let_it_be(:deployment_project) { create(:project, group: organization) }
  let_it_be(:deployment_group) { create(:group, parent: organization) }

  let(:user_access_config) do
    {
      'user_access' => {
        'access_as' => { 'agent' => {} },
        'projects' => [{ 'id' => deployment_project.full_path }],
        'groups' => [{ 'id' => deployment_group.full_path }]
      }
    }
  end

  before do
    Clusters::Agents::Authorizations::UserAccess::RefreshService.new(agent, config: user_access_config).execute
  end

  it 'returns forbidden when user has no access to any project', :aggregate_failures do
    expect(service_response).to be_error
    expect(service_response.reason).to eq :forbidden
    expect(service_response.message)
      .to eq 'You must be a member of `projects` or `groups` under the `user_access` keyword.'
  end

  context 'when user is member of an authorized group' do
    it 'authorizes developers', :aggregate_failures do
      deployment_group.add_member(user, :developer)
      expect(service_response).to be_success
      expect(service_response.payload[:user]).to include(id: user.id, username: user.username)
      expect(service_response.payload[:agent]).to include(id: agent.id, config_project: { id: agent.project.id })
    end

    it 'does not authorize reporters', :aggregate_failures do
      deployment_group.add_member(user, :reporter)
      expect(service_response).to be_error
      expect(service_response.reason).to eq :forbidden
      expect(service_response.message)
        .to eq 'You must be a member of `projects` or `groups` under the `user_access` keyword.'
    end
  end

  context 'when user is member of an authorized project' do
    it 'authorizes developers', :aggregate_failures do
      deployment_project.add_member(user, :developer)
      expect(service_response).to be_success
      expect(service_response.payload[:user]).to include(id: user.id, username: user.username)
      expect(service_response.payload[:agent]).to include(id: agent.id, config_project: { id: agent.project.id })
    end

    it 'does not authorize reporters', :aggregate_failures do
      deployment_project.add_member(user, :reporter)
      expect(service_response).to be_error
      expect(service_response.reason).to eq :forbidden
      expect(service_response.message)
        .to eq 'You must be a member of `projects` or `groups` under the `user_access` keyword.'
    end
  end

  context 'when config is empty' do
    let(:user_access_config) { {} }

    it 'returns an error', :aggregate_failures do
      expect(service_response).to be_error
      expect(service_response.reason).to eq :forbidden
      expect(service_response.message).to eq '`user_access` keyword is not found in agent config file.'
    end
  end
end