172 lines
5.3 KiB
Ruby
172 lines
5.3 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
require 'spec_helper'
|
|
|
|
RSpec.describe Ci::JobToken::Scope, feature_category: :continuous_integration, factory_default: :keep do
|
|
include Ci::JobTokenScopeHelpers
|
|
using RSpec::Parameterized::TableSyntax
|
|
|
|
let_it_be(:project) { create_default(:project) }
|
|
let_it_be(:user) { create_default(:user) }
|
|
let_it_be(:namespace) { create_default(:namespace) }
|
|
|
|
let_it_be(:source_project) do
|
|
create(:project,
|
|
ci_outbound_job_token_scope_enabled: true,
|
|
ci_inbound_job_token_scope_enabled: true
|
|
)
|
|
end
|
|
|
|
let(:current_project) { source_project }
|
|
|
|
let(:scope) { described_class.new(current_project) }
|
|
|
|
describe '#outbound_projects' do
|
|
subject { scope.outbound_projects }
|
|
|
|
context 'when no projects are added to the scope' do
|
|
it 'returns the project defining the scope' do
|
|
expect(subject).to contain_exactly(current_project)
|
|
end
|
|
end
|
|
|
|
context 'when projects are added to the scope' do
|
|
include_context 'with accessible and inaccessible projects'
|
|
|
|
it 'returns all projects that can be accessed from a given scope' do
|
|
expect(subject).to contain_exactly(current_project, outbound_allowlist_project, fully_accessible_project)
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#inbound_projects' do
|
|
subject { scope.inbound_projects }
|
|
|
|
context 'when no projects are added to the scope' do
|
|
it 'returns the project defining the scope' do
|
|
expect(subject).to contain_exactly(current_project)
|
|
end
|
|
end
|
|
|
|
context 'when projects are added to the scope' do
|
|
include_context 'with accessible and inaccessible projects'
|
|
|
|
it 'returns all projects that can be accessed from a given scope' do
|
|
expect(subject).to contain_exactly(current_project, inbound_allowlist_project)
|
|
end
|
|
end
|
|
end
|
|
|
|
describe 'add!' do
|
|
let_it_be(:new_project) { create(:project) }
|
|
|
|
subject { scope.add!(new_project, direction: direction, user: user) }
|
|
|
|
[:inbound, :outbound].each do |d|
|
|
let(:direction) { d }
|
|
|
|
it 'adds the project' do
|
|
subject
|
|
|
|
expect(scope.send("#{direction}_projects")).to contain_exactly(current_project, new_project)
|
|
end
|
|
end
|
|
|
|
# Context and before block can go away leaving just the example in 16.0
|
|
context 'with inbound only enabled' do
|
|
before do
|
|
project.ci_cd_settings.update!(job_token_scope_enabled: false)
|
|
end
|
|
|
|
it 'provides access' do
|
|
expect do
|
|
scope.add!(new_project, direction: :inbound, user: user)
|
|
end.to change { described_class.new(new_project).accessible?(current_project) }.from(false).to(true)
|
|
end
|
|
end
|
|
end
|
|
|
|
RSpec.shared_examples 'enforces outbound scope only' do
|
|
include_context 'with accessible and inaccessible projects'
|
|
|
|
where(:accessed_project, :result) do
|
|
ref(:current_project) | true
|
|
ref(:inbound_allowlist_project) | false
|
|
ref(:unscoped_project1) | false
|
|
ref(:unscoped_project2) | false
|
|
ref(:outbound_allowlist_project) | true
|
|
ref(:inbound_accessible_project) | false
|
|
ref(:fully_accessible_project) | true
|
|
end
|
|
|
|
with_them do
|
|
it { is_expected.to eq(result) }
|
|
end
|
|
end
|
|
|
|
describe 'accessible?' do
|
|
subject { scope.accessible?(accessed_project) }
|
|
|
|
context 'with inbound and outbound scopes enabled' do
|
|
context 'when inbound and outbound access setup' do
|
|
include_context 'with accessible and inaccessible projects'
|
|
|
|
where(:accessed_project, :result) do
|
|
ref(:current_project) | true
|
|
ref(:inbound_allowlist_project) | false
|
|
ref(:unscoped_project1) | false
|
|
ref(:unscoped_project2) | false
|
|
ref(:outbound_allowlist_project) | false
|
|
ref(:inbound_accessible_project) | false
|
|
ref(:fully_accessible_project) | true
|
|
end
|
|
|
|
with_them do
|
|
it 'allows self and projects allowed from both directions' do
|
|
is_expected.to eq(result)
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
context 'with inbound scope enabled and outbound scope disabled' do
|
|
before do
|
|
accessed_project.update!(ci_inbound_job_token_scope_enabled: true)
|
|
current_project.update!(ci_outbound_job_token_scope_enabled: false)
|
|
end
|
|
|
|
include_context 'with accessible and inaccessible projects'
|
|
|
|
where(:accessed_project, :result) do
|
|
ref(:current_project) | true
|
|
ref(:inbound_allowlist_project) | false
|
|
ref(:unscoped_project1) | false
|
|
ref(:unscoped_project2) | false
|
|
ref(:outbound_allowlist_project) | false
|
|
ref(:inbound_accessible_project) | true
|
|
ref(:fully_accessible_project) | true
|
|
end
|
|
|
|
with_them do
|
|
it { is_expected.to eq(result) }
|
|
end
|
|
end
|
|
|
|
context 'with inbound scope disabled and outbound scope enabled' do
|
|
before do
|
|
accessed_project.update!(ci_inbound_job_token_scope_enabled: false)
|
|
current_project.update!(ci_outbound_job_token_scope_enabled: true)
|
|
end
|
|
|
|
include_examples 'enforces outbound scope only'
|
|
end
|
|
|
|
context 'when inbound scope flag disabled' do
|
|
before do
|
|
stub_feature_flags(ci_inbound_job_token_scope: false)
|
|
end
|
|
|
|
include_examples 'enforces outbound scope only'
|
|
end
|
|
end
|
|
end
|