2022-10-11 01:57:18 +05:30
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
|
|
require 'spec_helper'
|
|
|
|
|
2023-03-04 22:38:38 +05:30
|
|
|
RSpec.describe Ci::RunnerPolicy, feature_category: :runner do
|
2023-04-23 21:23:45 +05:30
|
|
|
let_it_be(:owner) { create(:user) }
|
|
|
|
|
2022-10-11 01:57:18 +05:30
|
|
|
describe 'ability :read_runner' do
|
|
|
|
let_it_be(:guest) { create(:user) }
|
|
|
|
let_it_be(:developer) { create(:user) }
|
2022-11-25 23:54:43 +05:30
|
|
|
let_it_be(:maintainer) { create(:user) }
|
2022-10-11 01:57:18 +05:30
|
|
|
|
2022-11-25 23:54:43 +05:30
|
|
|
let_it_be_with_reload(:group) { create(:group, name: 'top-level', path: 'top-level') }
|
|
|
|
let_it_be_with_reload(:subgroup) { create(:group, name: 'subgroup', path: 'subgroup', parent: group) }
|
|
|
|
let_it_be_with_reload(:project) { create(:project, group: subgroup) }
|
|
|
|
|
2022-10-11 01:57:18 +05:30
|
|
|
let_it_be(:instance_runner) { create(:ci_runner, :instance) }
|
2022-11-25 23:54:43 +05:30
|
|
|
let_it_be(:group_runner) { create(:ci_runner, :group, groups: [group]) }
|
|
|
|
let_it_be(:project_runner) { create(:ci_runner, :project, projects: [project]) }
|
2022-10-11 01:57:18 +05:30
|
|
|
|
|
|
|
subject(:policy) { described_class.new(user, runner) }
|
|
|
|
|
2022-11-25 23:54:43 +05:30
|
|
|
before_all do
|
|
|
|
group.add_guest(guest)
|
|
|
|
group.add_developer(developer)
|
|
|
|
group.add_maintainer(maintainer)
|
|
|
|
group.add_owner(owner)
|
2022-10-11 01:57:18 +05:30
|
|
|
end
|
|
|
|
|
2022-11-25 23:54:43 +05:30
|
|
|
shared_examples 'a policy allowing reading instance runner depending on runner sharing' do
|
|
|
|
context 'with instance runner' do
|
|
|
|
let(:runner) { instance_runner }
|
|
|
|
|
|
|
|
it { expect_allowed :read_runner }
|
|
|
|
|
|
|
|
context 'with shared runners disabled on projects' do
|
|
|
|
before do
|
|
|
|
project.update!(shared_runners_enabled: false)
|
|
|
|
end
|
|
|
|
|
|
|
|
it { expect_allowed :read_runner }
|
|
|
|
end
|
2022-10-11 01:57:18 +05:30
|
|
|
|
2022-11-25 23:54:43 +05:30
|
|
|
context 'with shared runners disabled for groups and projects' do
|
|
|
|
before do
|
|
|
|
group.update!(shared_runners_enabled: false)
|
|
|
|
project.update!(shared_runners_enabled: false)
|
|
|
|
end
|
|
|
|
|
|
|
|
it { expect_disallowed :read_runner }
|
|
|
|
end
|
2022-10-11 01:57:18 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2022-11-25 23:54:43 +05:30
|
|
|
shared_examples 'a policy allowing reading group runner depending on runner sharing' do
|
|
|
|
context 'with group runner' do
|
|
|
|
let(:runner) { group_runner }
|
|
|
|
|
|
|
|
it { expect_allowed :read_runner }
|
2022-10-11 01:57:18 +05:30
|
|
|
|
2022-11-25 23:54:43 +05:30
|
|
|
context 'with sharing of group runners disabled' do
|
|
|
|
before do
|
|
|
|
project.update!(group_runners_enabled: false)
|
|
|
|
end
|
|
|
|
|
|
|
|
it { expect_disallowed :read_runner }
|
|
|
|
end
|
2022-10-11 01:57:18 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
shared_examples 'does not allow reading runners on any scope' do
|
|
|
|
context 'with instance runner' do
|
|
|
|
let(:runner) { instance_runner }
|
|
|
|
|
|
|
|
it { expect_disallowed :read_runner }
|
|
|
|
|
2022-11-25 23:54:43 +05:30
|
|
|
context 'with shared runners disabled for groups and projects' do
|
|
|
|
before do
|
|
|
|
group.update!(shared_runners_enabled: false)
|
|
|
|
project.update!(shared_runners_enabled: false)
|
2022-10-11 01:57:18 +05:30
|
|
|
end
|
2022-11-25 23:54:43 +05:30
|
|
|
|
|
|
|
it { expect_disallowed :read_runner }
|
2022-10-11 01:57:18 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with group runner' do
|
2022-11-25 23:54:43 +05:30
|
|
|
let(:runner) { group_runner }
|
2022-10-11 01:57:18 +05:30
|
|
|
|
|
|
|
it { expect_disallowed :read_runner }
|
|
|
|
|
2022-11-25 23:54:43 +05:30
|
|
|
context 'with sharing of group runners disabled' do
|
|
|
|
before do
|
|
|
|
project.update!(group_runners_enabled: false)
|
2022-10-11 01:57:18 +05:30
|
|
|
end
|
2022-11-25 23:54:43 +05:30
|
|
|
|
|
|
|
it { expect_disallowed :read_runner }
|
2022-10-11 01:57:18 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with project runner' do
|
2022-11-25 23:54:43 +05:30
|
|
|
let(:runner) { project_runner }
|
2022-10-11 01:57:18 +05:30
|
|
|
|
|
|
|
it { expect_disallowed :read_runner }
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'without access' do
|
|
|
|
let_it_be(:user) { create(:user) }
|
|
|
|
|
|
|
|
it_behaves_like 'does not allow reading runners on any scope'
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with guest access' do
|
|
|
|
let(:user) { guest }
|
|
|
|
|
|
|
|
it_behaves_like 'does not allow reading runners on any scope'
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with developer access' do
|
|
|
|
let(:user) { developer }
|
|
|
|
|
2022-11-25 23:54:43 +05:30
|
|
|
it_behaves_like 'a policy allowing reading instance runner depending on runner sharing'
|
2022-10-11 01:57:18 +05:30
|
|
|
|
2022-11-25 23:54:43 +05:30
|
|
|
it_behaves_like 'a policy allowing reading group runner depending on runner sharing'
|
2022-10-11 01:57:18 +05:30
|
|
|
|
2022-11-25 23:54:43 +05:30
|
|
|
context 'with project runner' do
|
|
|
|
let(:runner) { project_runner }
|
|
|
|
|
|
|
|
it { expect_disallowed :read_runner }
|
2022-10-11 01:57:18 +05:30
|
|
|
end
|
2022-11-25 23:54:43 +05:30
|
|
|
end
|
2022-10-11 01:57:18 +05:30
|
|
|
|
2022-11-25 23:54:43 +05:30
|
|
|
context 'with maintainer access' do
|
|
|
|
let(:user) { maintainer }
|
2022-10-11 01:57:18 +05:30
|
|
|
|
2022-11-25 23:54:43 +05:30
|
|
|
it_behaves_like 'a policy allowing reading instance runner depending on runner sharing'
|
2022-10-11 01:57:18 +05:30
|
|
|
|
2022-11-25 23:54:43 +05:30
|
|
|
it_behaves_like 'a policy allowing reading group runner depending on runner sharing'
|
2022-10-11 01:57:18 +05:30
|
|
|
|
|
|
|
context 'with project runner' do
|
2022-11-25 23:54:43 +05:30
|
|
|
let(:runner) { project_runner }
|
2022-10-11 01:57:18 +05:30
|
|
|
|
2022-11-25 23:54:43 +05:30
|
|
|
it { expect_allowed :read_runner }
|
2022-10-11 01:57:18 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with owner access' do
|
|
|
|
let(:user) { owner }
|
|
|
|
|
2022-11-25 23:54:43 +05:30
|
|
|
it_behaves_like 'a policy allowing reading instance runner depending on runner sharing'
|
2022-10-11 01:57:18 +05:30
|
|
|
|
2022-11-25 23:54:43 +05:30
|
|
|
context 'with group runner' do
|
|
|
|
let(:runner) { group_runner }
|
2022-10-11 01:57:18 +05:30
|
|
|
|
|
|
|
it { expect_allowed :read_runner }
|
|
|
|
|
2022-11-25 23:54:43 +05:30
|
|
|
context 'with sharing of group runners disabled' do
|
|
|
|
before do
|
|
|
|
project.update!(group_runners_enabled: false)
|
2022-10-11 01:57:18 +05:30
|
|
|
end
|
|
|
|
|
2022-11-25 23:54:43 +05:30
|
|
|
it { expect_allowed :read_runner }
|
|
|
|
end
|
2022-10-11 01:57:18 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
context 'with project runner' do
|
2022-11-25 23:54:43 +05:30
|
|
|
let(:runner) { project_runner }
|
2022-10-11 01:57:18 +05:30
|
|
|
|
|
|
|
it { expect_allowed :read_runner }
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2023-04-23 21:23:45 +05:30
|
|
|
|
|
|
|
describe 'ability :read_ephemeral_token' do
|
|
|
|
subject(:policy) { described_class.new(user, runner) }
|
|
|
|
|
|
|
|
let_it_be(:runner) { create(:ci_runner, creator: owner) }
|
|
|
|
|
|
|
|
let(:creator) { owner }
|
|
|
|
|
|
|
|
context 'with request made by creator' do
|
|
|
|
let(:user) { creator }
|
|
|
|
|
|
|
|
it { expect_allowed :read_ephemeral_token }
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with request made by another user' do
|
|
|
|
let(:user) { create(:admin) }
|
|
|
|
|
|
|
|
it { expect_disallowed :read_ephemeral_token }
|
|
|
|
end
|
|
|
|
end
|
2022-10-11 01:57:18 +05:30
|
|
|
end
|