debian-mirror-gitlab/spec/models/ci/job_token/scope_spec.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

167 lines
5.1 KiB
Ruby
Raw Permalink Normal View History

2021-09-04 01:27:46 +05:30
# frozen_string_literal: true
require 'spec_helper'
2023-04-23 21:23:45 +05:30
RSpec.describe Ci::JobToken::Scope, feature_category: :continuous_integration, factory_default: :keep do
include Ci::JobTokenScopeHelpers
using RSpec::Parameterized::TableSyntax
let_it_be(:project) { create_default(:project) }
let_it_be(:user) { create_default(:user) }
let_it_be(:namespace) { create_default(:namespace) }
let_it_be(:source_project) do
create(:project,
ci_outbound_job_token_scope_enabled: true,
ci_inbound_job_token_scope_enabled: true
)
end
let(:current_project) { source_project }
2021-09-04 01:27:46 +05:30
2023-04-23 21:23:45 +05:30
let(:scope) { described_class.new(current_project) }
2021-09-04 01:27:46 +05:30
2023-04-23 21:23:45 +05:30
describe '#outbound_projects' do
subject { scope.outbound_projects }
2021-09-04 01:27:46 +05:30
context 'when no projects are added to the scope' do
it 'returns the project defining the scope' do
2023-04-23 21:23:45 +05:30
expect(subject).to contain_exactly(current_project)
2021-09-04 01:27:46 +05:30
end
end
2023-03-04 22:38:38 +05:30
context 'when projects are added to the scope' do
2023-04-23 21:23:45 +05:30
include_context 'with accessible and inaccessible projects'
2021-09-04 01:27:46 +05:30
it 'returns all projects that can be accessed from a given scope' do
2023-04-23 21:23:45 +05:30
expect(subject).to contain_exactly(current_project, outbound_allowlist_project, fully_accessible_project)
2021-09-04 01:27:46 +05:30
end
end
end
2023-04-23 21:23:45 +05:30
describe '#inbound_projects' do
subject { scope.inbound_projects }
2021-09-04 01:27:46 +05:30
2023-04-23 21:23:45 +05:30
context 'when no projects are added to the scope' do
it 'returns the project defining the scope' do
expect(subject).to contain_exactly(current_project)
end
end
context 'when projects are added to the scope' do
include_context 'with accessible and inaccessible projects'
2021-09-04 01:27:46 +05:30
2023-04-23 21:23:45 +05:30
it 'returns all projects that can be accessed from a given scope' do
expect(subject).to contain_exactly(current_project, inbound_allowlist_project)
2023-03-04 22:38:38 +05:30
end
2021-09-04 01:27:46 +05:30
end
2023-04-23 21:23:45 +05:30
end
describe 'add!' do
let_it_be(:new_project) { create(:project) }
2021-09-04 01:27:46 +05:30
2023-04-23 21:23:45 +05:30
subject { scope.add!(new_project, direction: direction, user: user) }
2021-09-04 01:27:46 +05:30
2023-04-23 21:23:45 +05:30
[:inbound, :outbound].each do |d|
2023-06-20 00:43:36 +05:30
context "with #{d}" do
let(:direction) { d }
2021-09-04 01:27:46 +05:30
2023-06-20 00:43:36 +05:30
it 'adds the project' do
subject
2023-04-23 21:23:45 +05:30
2023-06-20 00:43:36 +05:30
expect(scope.send("#{direction}_projects")).to contain_exactly(current_project, new_project)
end
2023-03-04 22:38:38 +05:30
end
2023-04-23 21:23:45 +05:30
end
2023-03-04 22:38:38 +05:30
2023-04-23 21:23:45 +05:30
# Context and before block can go away leaving just the example in 16.0
context 'with inbound only enabled' do
before do
project.ci_cd_settings.update!(job_token_scope_enabled: false)
end
2023-03-04 22:38:38 +05:30
2023-04-23 21:23:45 +05:30
it 'provides access' do
expect do
scope.add!(new_project, direction: :inbound, user: user)
end.to change { described_class.new(new_project).accessible?(current_project) }.from(false).to(true)
2023-03-04 22:38:38 +05:30
end
2023-04-23 21:23:45 +05:30
end
end
RSpec.shared_examples 'enforces outbound scope only' do
include_context 'with accessible and inaccessible projects'
where(:accessed_project, :result) do
ref(:current_project) | true
ref(:inbound_allowlist_project) | false
ref(:unscoped_project1) | false
ref(:unscoped_project2) | false
ref(:outbound_allowlist_project) | true
ref(:inbound_accessible_project) | false
ref(:fully_accessible_project) | true
end
2021-09-04 01:27:46 +05:30
2023-04-23 21:23:45 +05:30
with_them do
it { is_expected.to eq(result) }
end
end
describe 'accessible?' do
subject { scope.accessible?(accessed_project) }
context 'with inbound and outbound scopes enabled' do
context 'when inbound and outbound access setup' do
include_context 'with accessible and inaccessible projects'
where(:accessed_project, :result) do
ref(:current_project) | true
ref(:inbound_allowlist_project) | false
ref(:unscoped_project1) | false
ref(:unscoped_project2) | false
ref(:outbound_allowlist_project) | false
ref(:inbound_accessible_project) | false
ref(:fully_accessible_project) | true
end
with_them do
it 'allows self and projects allowed from both directions' do
is_expected.to eq(result)
end
end
end
end
2023-03-04 22:38:38 +05:30
2023-04-23 21:23:45 +05:30
context 'with inbound scope enabled and outbound scope disabled' do
before do
accessed_project.update!(ci_inbound_job_token_scope_enabled: true)
current_project.update!(ci_outbound_job_token_scope_enabled: false)
2023-03-04 22:38:38 +05:30
end
2023-04-23 21:23:45 +05:30
include_context 'with accessible and inaccessible projects'
2023-03-04 22:38:38 +05:30
2023-04-23 21:23:45 +05:30
where(:accessed_project, :result) do
ref(:current_project) | true
ref(:inbound_allowlist_project) | false
ref(:unscoped_project1) | false
ref(:unscoped_project2) | false
ref(:outbound_allowlist_project) | false
ref(:inbound_accessible_project) | true
ref(:fully_accessible_project) | true
2023-03-04 22:38:38 +05:30
end
2021-09-04 01:27:46 +05:30
2023-04-23 21:23:45 +05:30
with_them do
it { is_expected.to eq(result) }
end
end
2023-03-04 22:38:38 +05:30
2023-04-23 21:23:45 +05:30
context 'with inbound scope disabled and outbound scope enabled' do
before do
accessed_project.update!(ci_inbound_job_token_scope_enabled: false)
current_project.update!(ci_outbound_job_token_scope_enabled: true)
end
2021-09-04 01:27:46 +05:30
2023-04-23 21:23:45 +05:30
include_examples 'enforces outbound scope only'
end
2021-09-04 01:27:46 +05:30
end
end