351 lines
11 KiB
Ruby
351 lines
11 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
require 'spec_helper'
|
|
|
|
RSpec.describe Clusters::Agent, feature_category: :deployment_management do
|
|
subject { create(:cluster_agent) }
|
|
|
|
it { is_expected.to belong_to(:created_by_user).class_name('User').optional }
|
|
it { is_expected.to belong_to(:project).class_name('::Project') }
|
|
it { is_expected.to have_many(:agent_tokens).class_name('Clusters::AgentToken').order(Clusters::AgentToken.arel_table[:last_used_at].desc.nulls_last) }
|
|
it { is_expected.to have_many(:active_agent_tokens).class_name('Clusters::AgentToken').conditions(status: 0).order(Clusters::AgentToken.arel_table[:last_used_at].desc.nulls_last) }
|
|
it { is_expected.to have_many(:ci_access_group_authorizations).class_name('Clusters::Agents::Authorizations::CiAccess::GroupAuthorization') }
|
|
it { is_expected.to have_many(:ci_access_authorized_groups).through(:ci_access_group_authorizations) }
|
|
it { is_expected.to have_many(:ci_access_project_authorizations).class_name('Clusters::Agents::Authorizations::CiAccess::ProjectAuthorization') }
|
|
it { is_expected.to have_many(:ci_access_authorized_projects).through(:ci_access_project_authorizations).class_name('::Project') }
|
|
|
|
it { is_expected.to validate_presence_of(:name) }
|
|
it { is_expected.to validate_length_of(:name).is_at_most(63) }
|
|
it { is_expected.to validate_uniqueness_of(:name).scoped_to(:project_id) }
|
|
|
|
describe 'scopes' do
|
|
describe '.ordered_by_name' do
|
|
let(:names) { %w(agent-d agent-b agent-a agent-c) }
|
|
|
|
subject { described_class.ordered_by_name }
|
|
|
|
before do
|
|
names.each do |name|
|
|
create(:cluster_agent, name: name)
|
|
end
|
|
end
|
|
|
|
it { expect(subject.map(&:name)).to eq(names.sort) }
|
|
end
|
|
|
|
describe '.with_name' do
|
|
let!(:matching_name) { create(:cluster_agent, name: 'matching-name') }
|
|
let!(:other_name) { create(:cluster_agent, name: 'other-name') }
|
|
|
|
subject { described_class.with_name(matching_name.name) }
|
|
|
|
it { is_expected.to contain_exactly(matching_name) }
|
|
end
|
|
|
|
describe '.has_vulnerabilities' do
|
|
let_it_be(:without_vulnerabilities) { create(:cluster_agent, has_vulnerabilities: false) }
|
|
let_it_be(:with_vulnerabilities) { create(:cluster_agent, has_vulnerabilities: true) }
|
|
|
|
context 'when value is not provided' do
|
|
subject { described_class.has_vulnerabilities }
|
|
|
|
it 'returns agents which have vulnerabilities' do
|
|
is_expected.to contain_exactly(with_vulnerabilities)
|
|
end
|
|
end
|
|
|
|
context 'when value is provided' do
|
|
subject { described_class.has_vulnerabilities(value) }
|
|
|
|
context 'as true' do
|
|
let(:value) { true }
|
|
|
|
it 'returns agents which have vulnerabilities' do
|
|
is_expected.to contain_exactly(with_vulnerabilities)
|
|
end
|
|
end
|
|
|
|
context 'as false' do
|
|
let(:value) { false }
|
|
|
|
it 'returns agents which do not have vulnerabilities' do
|
|
is_expected.to contain_exactly(without_vulnerabilities)
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
describe 'validation' do
|
|
describe 'name validation' do
|
|
it 'rejects names that do not conform to RFC 1123', :aggregate_failures do
|
|
%w[Agent agentA agentAagain gent- -agent agent.a agent/a agent>a].each do |name|
|
|
agent = build(:cluster_agent, name: name)
|
|
|
|
expect(agent).not_to be_valid
|
|
expect(agent.errors[:name]).to eq(["can contain only lowercase letters, digits, and '-', but cannot start or end with '-'"])
|
|
end
|
|
end
|
|
|
|
it 'accepts valid names', :aggregate_failures do
|
|
%w[agent agent123 agent-123].each do |name|
|
|
agent = build(:cluster_agent, name: name)
|
|
|
|
expect(agent).to be_valid
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#has_access_to?' do
|
|
let(:agent) { build(:cluster_agent) }
|
|
|
|
it 'has access to own project' do
|
|
expect(agent.has_access_to?(agent.project)).to be_truthy
|
|
end
|
|
|
|
it 'does not have access to other projects' do
|
|
expect(agent.has_access_to?(create(:project))).to be_falsey
|
|
end
|
|
end
|
|
|
|
describe '#connected?' do
|
|
let_it_be(:agent) { create(:cluster_agent) }
|
|
|
|
let!(:token) { create(:cluster_agent_token, agent: agent, last_used_at: last_used_at) }
|
|
|
|
subject { agent.connected? }
|
|
|
|
context 'agent has never connected' do
|
|
let(:last_used_at) { nil }
|
|
|
|
it { is_expected.to be_falsey }
|
|
end
|
|
|
|
context 'agent has connected, but not recently' do
|
|
let(:last_used_at) { 2.hours.ago }
|
|
|
|
it { is_expected.to be_falsey }
|
|
end
|
|
|
|
context 'agent has connected recently' do
|
|
let(:last_used_at) { 2.minutes.ago }
|
|
|
|
it { is_expected.to be_truthy }
|
|
|
|
context 'agent token has been revoked' do
|
|
before do
|
|
token.revoked!
|
|
end
|
|
|
|
it { is_expected.to be_falsey }
|
|
end
|
|
end
|
|
|
|
context 'agent has multiple tokens' do
|
|
let!(:inactive_token) { create(:cluster_agent_token, agent: agent, last_used_at: 2.hours.ago) }
|
|
let(:last_used_at) { 2.minutes.ago }
|
|
|
|
it { is_expected.to be_truthy }
|
|
end
|
|
end
|
|
|
|
describe '#activity_event_deletion_cutoff' do
|
|
let_it_be(:agent) { create(:cluster_agent) }
|
|
let_it_be(:event1) { create(:agent_activity_event, agent: agent, recorded_at: 1.hour.ago) }
|
|
let_it_be(:event2) { create(:agent_activity_event, agent: agent, recorded_at: 2.hours.ago) }
|
|
let_it_be(:event3) { create(:agent_activity_event, agent: agent, recorded_at: 3.hours.ago) }
|
|
|
|
subject { agent.activity_event_deletion_cutoff }
|
|
|
|
before do
|
|
stub_const("#{described_class}::ACTIVITY_EVENT_LIMIT", 2)
|
|
end
|
|
|
|
it { is_expected.to be_like_time(event2.recorded_at) }
|
|
end
|
|
|
|
describe '#ci_access_authorized_for?' do
|
|
using RSpec::Parameterized::TableSyntax
|
|
|
|
let_it_be(:organization) { create(:group) }
|
|
let_it_be(:agent_management_project) { create(:project, group: organization) }
|
|
let_it_be(:agent) { create(:cluster_agent, project: agent_management_project) }
|
|
let_it_be(:deployment_project) { create(:project, group: organization) }
|
|
|
|
let(:user) { create(:user) }
|
|
|
|
subject { agent.ci_access_authorized_for?(user) }
|
|
|
|
it { is_expected.to eq(false) }
|
|
|
|
context 'with project-level authorization' do
|
|
let!(:authorization) { create(:agent_ci_access_project_authorization, agent: agent, project: deployment_project) }
|
|
|
|
where(:user_role, :allowed) do
|
|
:guest | false
|
|
:reporter | false
|
|
:developer | true
|
|
:maintainer | true
|
|
:owner | true
|
|
end
|
|
|
|
with_them do
|
|
before do
|
|
deployment_project.add_member(user, user_role)
|
|
end
|
|
|
|
it { is_expected.to eq(allowed) }
|
|
end
|
|
|
|
context 'when expose_authorized_cluster_agents feature flag is disabled' do
|
|
before do
|
|
stub_feature_flags(expose_authorized_cluster_agents: false)
|
|
end
|
|
|
|
it { is_expected.to eq(false) }
|
|
end
|
|
end
|
|
|
|
context 'with group-level authorization' do
|
|
let!(:authorization) { create(:agent_ci_access_group_authorization, agent: agent, group: organization) }
|
|
|
|
where(:user_role, :allowed) do
|
|
:guest | false
|
|
:reporter | false
|
|
:developer | true
|
|
:maintainer | true
|
|
:owner | true
|
|
end
|
|
|
|
with_them do
|
|
before do
|
|
organization.add_member(user, user_role)
|
|
end
|
|
|
|
it { is_expected.to eq(allowed) }
|
|
end
|
|
|
|
context 'when expose_authorized_cluster_agents feature flag is disabled' do
|
|
before do
|
|
stub_feature_flags(expose_authorized_cluster_agents: false)
|
|
end
|
|
|
|
it { is_expected.to eq(false) }
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#user_access_authorized_for?' do
|
|
using RSpec::Parameterized::TableSyntax
|
|
|
|
let_it_be(:organization) { create(:group) }
|
|
let_it_be(:agent_management_project) { create(:project, group: organization) }
|
|
let_it_be(:agent) { create(:cluster_agent, project: agent_management_project) }
|
|
let_it_be(:deployment_project) { create(:project, group: organization) }
|
|
|
|
let(:user) { create(:user) }
|
|
|
|
subject { agent.user_access_authorized_for?(user) }
|
|
|
|
it { is_expected.to eq(false) }
|
|
|
|
context 'with project-level authorization' do
|
|
let!(:authorization) { create(:agent_user_access_project_authorization, agent: agent, project: deployment_project) }
|
|
|
|
where(:user_role, :allowed) do
|
|
:guest | false
|
|
:reporter | false
|
|
:developer | true
|
|
:maintainer | true
|
|
:owner | true
|
|
end
|
|
|
|
with_them do
|
|
before do
|
|
deployment_project.add_member(user, user_role)
|
|
end
|
|
|
|
it { is_expected.to eq(allowed) }
|
|
end
|
|
|
|
context 'when expose_authorized_cluster_agents feature flag is disabled' do
|
|
before do
|
|
stub_feature_flags(expose_authorized_cluster_agents: false)
|
|
end
|
|
|
|
it { is_expected.to eq(false) }
|
|
end
|
|
end
|
|
|
|
context 'with group-level authorization' do
|
|
let!(:authorization) { create(:agent_user_access_group_authorization, agent: agent, group: organization) }
|
|
|
|
where(:user_role, :allowed) do
|
|
:guest | false
|
|
:reporter | false
|
|
:developer | true
|
|
:maintainer | true
|
|
:owner | true
|
|
end
|
|
|
|
with_them do
|
|
before do
|
|
organization.add_member(user, user_role)
|
|
end
|
|
|
|
it { is_expected.to eq(allowed) }
|
|
end
|
|
|
|
context 'when expose_authorized_cluster_agents feature flag is disabled' do
|
|
before do
|
|
stub_feature_flags(expose_authorized_cluster_agents: false)
|
|
end
|
|
|
|
it { is_expected.to eq(false) }
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#user_access_config' do
|
|
let_it_be(:group) { create(:group) }
|
|
let_it_be(:project) { create(:project) }
|
|
let_it_be_with_refind(:agent) { create(:cluster_agent, project: project) }
|
|
|
|
subject { agent.user_access_config }
|
|
|
|
it { is_expected.to be_nil }
|
|
|
|
context 'with user_access project authorizations' do
|
|
before do
|
|
create(:agent_user_access_project_authorization, agent: agent, project: project, config: config)
|
|
end
|
|
|
|
let(:config) { {} }
|
|
|
|
it { is_expected.to eq(config) }
|
|
|
|
context 'when access_as keyword exists' do
|
|
let(:config) { { 'access_as' => { 'agent' => {} } } }
|
|
|
|
it { is_expected.to eq(config) }
|
|
end
|
|
end
|
|
|
|
context 'with user_access group authorizations' do
|
|
before do
|
|
create(:agent_user_access_group_authorization, agent: agent, group: group, config: config)
|
|
end
|
|
|
|
let(:config) { {} }
|
|
|
|
it { is_expected.to eq(config) }
|
|
|
|
context 'when access_as keyword exists' do
|
|
let(:config) { { 'access_as' => { 'agent' => {} } } }
|
|
|
|
it { is_expected.to eq(config) }
|
|
end
|
|
end
|
|
end
|
|
end
|