3469 lines
121 KiB
Ruby
3469 lines
121 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
require 'spec_helper'
|
|
|
|
RSpec.describe Group do
|
|
include ReloadHelpers
|
|
include StubGitlabCalls
|
|
|
|
let!(:group) { create(:group) }
|
|
|
|
describe 'associations' do
|
|
it { is_expected.to have_many :projects }
|
|
it { is_expected.to have_many(:group_members).dependent(:destroy) }
|
|
it { is_expected.to have_many(:users).through(:group_members) }
|
|
it { is_expected.to have_many(:owners).through(:group_members) }
|
|
it { is_expected.to have_many(:requesters).dependent(:destroy) }
|
|
it { is_expected.to have_many(:members_and_requesters) }
|
|
it { is_expected.to have_many(:project_group_links).dependent(:destroy) }
|
|
it { is_expected.to have_many(:shared_projects).through(:project_group_links) }
|
|
it { is_expected.to have_many(:notification_settings).dependent(:destroy) }
|
|
it { is_expected.to have_many(:labels).class_name('GroupLabel') }
|
|
it { is_expected.to have_many(:variables).class_name('Ci::GroupVariable') }
|
|
it { is_expected.to have_many(:uploads) }
|
|
it { is_expected.to have_one(:chat_team) }
|
|
it { is_expected.to have_many(:custom_attributes).class_name('GroupCustomAttribute') }
|
|
it { is_expected.to have_many(:badges).class_name('GroupBadge') }
|
|
it { is_expected.to have_many(:cluster_groups).class_name('Clusters::Group') }
|
|
it { is_expected.to have_many(:clusters).class_name('Clusters::Cluster') }
|
|
it { is_expected.to have_many(:container_repositories) }
|
|
it { is_expected.to have_many(:milestones) }
|
|
it { is_expected.to have_many(:group_deploy_keys) }
|
|
it { is_expected.to have_many(:integrations) }
|
|
it { is_expected.to have_one(:dependency_proxy_setting) }
|
|
it { is_expected.to have_one(:dependency_proxy_image_ttl_policy) }
|
|
it { is_expected.to have_many(:dependency_proxy_blobs) }
|
|
it { is_expected.to have_many(:dependency_proxy_manifests) }
|
|
it { is_expected.to have_many(:debian_distributions).class_name('Packages::Debian::GroupDistribution').dependent(:destroy) }
|
|
it { is_expected.to have_many(:daily_build_group_report_results).class_name('Ci::DailyBuildGroupReportResult') }
|
|
it { is_expected.to have_many(:group_callouts).class_name('Users::GroupCallout').with_foreign_key(:group_id) }
|
|
it { is_expected.to have_many(:bulk_import_exports).class_name('BulkImports::Export') }
|
|
it { is_expected.to have_many(:contacts).class_name('CustomerRelations::Contact') }
|
|
it { is_expected.to have_many(:organizations).class_name('CustomerRelations::Organization') }
|
|
it { is_expected.to have_one(:crm_settings) }
|
|
it { is_expected.to have_one(:group_feature) }
|
|
it { is_expected.to have_one(:harbor_integration) }
|
|
|
|
describe '#members & #requesters' do
|
|
let(:requester) { create(:user) }
|
|
let(:developer) { create(:user) }
|
|
|
|
before do
|
|
group.request_access(requester)
|
|
group.add_developer(developer)
|
|
end
|
|
|
|
it_behaves_like 'members and requesters associations' do
|
|
let(:namespace) { group }
|
|
end
|
|
end
|
|
end
|
|
|
|
describe 'modules' do
|
|
subject { described_class }
|
|
|
|
it { is_expected.to include_module(Referable) }
|
|
end
|
|
|
|
describe 'validations' do
|
|
it { is_expected.to validate_presence_of :name }
|
|
it { is_expected.not_to allow_value('colon:in:path').for(:path) } # This is to validate that a specially crafted name cannot bypass a pattern match. See !72555
|
|
it { is_expected.to allow_value('group test_4').for(:name) }
|
|
it { is_expected.not_to allow_value('test/../foo').for(:name) }
|
|
it { is_expected.not_to allow_value('<script>alert("Attack!")</script>').for(:name) }
|
|
it { is_expected.to validate_presence_of :path }
|
|
it { is_expected.not_to validate_presence_of :owner }
|
|
it { is_expected.to validate_presence_of :two_factor_grace_period }
|
|
it { is_expected.to validate_numericality_of(:two_factor_grace_period).is_greater_than_or_equal_to(0) }
|
|
|
|
context 'validating the parent of a group' do
|
|
context 'when the group has no parent' do
|
|
it 'allows a group to have no parent associated with it' do
|
|
group = build(:group)
|
|
|
|
expect(group).to be_valid
|
|
end
|
|
end
|
|
|
|
context 'when the group has a parent' do
|
|
it 'does not allow a group to have a namespace as its parent' do
|
|
group = build(:group, parent: build(:namespace))
|
|
|
|
expect(group).not_to be_valid
|
|
expect(group.errors[:parent_id].first).to eq('user namespace cannot be the parent of another namespace')
|
|
end
|
|
|
|
it 'allows a group to have another group as its parent' do
|
|
group = build(:group, parent: build(:group))
|
|
|
|
expect(group).to be_valid
|
|
end
|
|
end
|
|
end
|
|
|
|
describe 'path validation' do
|
|
it 'rejects paths reserved on the root namespace when the group has no parent' do
|
|
group = build(:group, path: 'api')
|
|
|
|
expect(group).not_to be_valid
|
|
end
|
|
|
|
it 'allows root paths when the group has a parent' do
|
|
group = build(:group, path: 'api', parent: create(:group))
|
|
|
|
expect(group).to be_valid
|
|
end
|
|
|
|
it 'rejects any wildcard paths when not a top level group' do
|
|
group = build(:group, path: 'tree', parent: create(:group))
|
|
|
|
expect(group).not_to be_valid
|
|
end
|
|
end
|
|
|
|
describe '#notification_settings' do
|
|
let(:user) { create(:user) }
|
|
let(:group) { create(:group) }
|
|
let(:sub_group) { create(:group, parent_id: group.id) }
|
|
|
|
before do
|
|
group.add_developer(user)
|
|
sub_group.add_maintainer(user)
|
|
end
|
|
|
|
it 'also gets notification settings from parent groups' do
|
|
expect(sub_group.notification_settings.size).to eq(2)
|
|
expect(sub_group.notification_settings).to include(group.notification_settings.first)
|
|
end
|
|
|
|
context 'when sub group is deleted' do
|
|
it 'does not delete parent notification settings' do
|
|
expect do
|
|
sub_group.destroy!
|
|
end.to change { NotificationSetting.count }.by(-1)
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#notification_email_for' do
|
|
let(:user) { create(:user) }
|
|
let(:group) { create(:group) }
|
|
let(:subgroup) { create(:group, parent: group) }
|
|
|
|
let(:group_notification_email) { 'user+group@example.com' }
|
|
let(:subgroup_notification_email) { 'user+subgroup@example.com' }
|
|
|
|
before do
|
|
create(:email, :confirmed, user: user, email: group_notification_email)
|
|
create(:email, :confirmed, user: user, email: subgroup_notification_email)
|
|
end
|
|
|
|
subject { subgroup.notification_email_for(user) }
|
|
|
|
context 'when both group notification emails are set' do
|
|
it 'returns subgroup notification email' do
|
|
create(:notification_setting, user: user, source: group, notification_email: group_notification_email)
|
|
create(:notification_setting, user: user, source: subgroup, notification_email: subgroup_notification_email)
|
|
|
|
is_expected.to eq(subgroup_notification_email)
|
|
end
|
|
end
|
|
|
|
context 'when subgroup notification email is blank' do
|
|
it 'returns parent group notification email' do
|
|
create(:notification_setting, user: user, source: group, notification_email: group_notification_email)
|
|
create(:notification_setting, user: user, source: subgroup, notification_email: '')
|
|
|
|
is_expected.to eq(group_notification_email)
|
|
end
|
|
end
|
|
|
|
context 'when only the parent group notification email is set' do
|
|
it 'returns parent group notification email' do
|
|
create(:notification_setting, user: user, source: group, notification_email: group_notification_email)
|
|
|
|
is_expected.to eq(group_notification_email)
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#visibility_level_allowed_by_parent' do
|
|
let(:parent) { create(:group, :internal) }
|
|
let(:sub_group) { build(:group, parent_id: parent.id) }
|
|
|
|
context 'without a parent' do
|
|
it 'is valid' do
|
|
sub_group.parent_id = nil
|
|
|
|
expect(sub_group).to be_valid
|
|
end
|
|
end
|
|
|
|
context 'with a parent' do
|
|
context 'when visibility of sub group is greater than the parent' do
|
|
it 'is invalid' do
|
|
sub_group.visibility_level = Gitlab::VisibilityLevel::PUBLIC
|
|
|
|
expect(sub_group).to be_invalid
|
|
end
|
|
end
|
|
|
|
context 'when visibility of sub group is lower or equal to the parent' do
|
|
[Gitlab::VisibilityLevel::INTERNAL, Gitlab::VisibilityLevel::PRIVATE].each do |level|
|
|
it 'is valid' do
|
|
sub_group.visibility_level = level
|
|
|
|
expect(sub_group).to be_valid
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#visibility_level_allowed_by_projects' do
|
|
let!(:internal_group) { create(:group, :internal) }
|
|
let!(:internal_project) { create(:project, :internal, group: internal_group) }
|
|
|
|
context 'when group has a lower visibility' do
|
|
it 'is invalid' do
|
|
internal_group.visibility_level = Gitlab::VisibilityLevel::PRIVATE
|
|
|
|
expect(internal_group).to be_invalid
|
|
expect(internal_group.errors[:visibility_level]).to include('private is not allowed since this group contains projects with higher visibility.')
|
|
end
|
|
end
|
|
|
|
context 'when group has a higher visibility' do
|
|
it 'is valid' do
|
|
internal_group.visibility_level = Gitlab::VisibilityLevel::PUBLIC
|
|
|
|
expect(internal_group).to be_valid
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#visibility_level_allowed_by_sub_groups' do
|
|
let!(:internal_group) { create(:group, :internal) }
|
|
let!(:internal_sub_group) { create(:group, :internal, parent: internal_group) }
|
|
|
|
context 'when parent group has a lower visibility' do
|
|
it 'is invalid' do
|
|
internal_group.visibility_level = Gitlab::VisibilityLevel::PRIVATE
|
|
|
|
expect(internal_group).to be_invalid
|
|
expect(internal_group.errors[:visibility_level]).to include('private is not allowed since there are sub-groups with higher visibility.')
|
|
end
|
|
end
|
|
|
|
context 'when parent group has a higher visibility' do
|
|
it 'is valid' do
|
|
internal_group.visibility_level = Gitlab::VisibilityLevel::PUBLIC
|
|
|
|
expect(internal_group).to be_valid
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#two_factor_authentication_allowed' do
|
|
let_it_be_with_reload(:group) { create(:group) }
|
|
|
|
context 'for a parent group' do
|
|
it 'is valid' do
|
|
group.require_two_factor_authentication = true
|
|
|
|
expect(group).to be_valid
|
|
end
|
|
end
|
|
|
|
context 'for a child group' do
|
|
let(:sub_group) { create(:group, parent: group) }
|
|
|
|
it 'is valid when parent group allows' do
|
|
sub_group.require_two_factor_authentication = true
|
|
|
|
expect(sub_group).to be_valid
|
|
end
|
|
|
|
it 'is invalid when parent group blocks' do
|
|
group.namespace_settings.update!(allow_mfa_for_subgroups: false)
|
|
sub_group.require_two_factor_authentication = true
|
|
|
|
expect(sub_group).to be_invalid
|
|
expect(sub_group.errors[:require_two_factor_authentication]).to include('is forbidden by a top-level group')
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
it_behaves_like 'a BulkUsersByEmailLoad model'
|
|
|
|
context 'after initialized' do
|
|
it 'has a group_feature' do
|
|
expect(described_class.new.group_feature).to be_present
|
|
end
|
|
end
|
|
|
|
context 'when creating a new project' do
|
|
let_it_be(:group) { create(:group) }
|
|
|
|
it 'automatically creates the groups feature for the group' do
|
|
expect(group.group_feature).to be_an_instance_of(Groups::FeatureSetting)
|
|
expect(group.group_feature).to be_persisted
|
|
end
|
|
end
|
|
|
|
context 'traversal_ids on create' do
|
|
context 'default traversal_ids' do
|
|
let(:group) { build(:group) }
|
|
|
|
before do
|
|
group.save!
|
|
group.reload
|
|
end
|
|
|
|
it { expect(group.traversal_ids).to eq [group.id] }
|
|
end
|
|
|
|
context 'has a parent' do
|
|
let(:parent) { create(:group) }
|
|
let(:group) { build(:group, parent: parent) }
|
|
|
|
before do
|
|
group.save!
|
|
reload_models(parent, group)
|
|
end
|
|
|
|
it { expect(parent.traversal_ids).to eq [parent.id] }
|
|
it { expect(group.traversal_ids).to eq [parent.id, group.id] }
|
|
end
|
|
|
|
context 'has a parent update before save' do
|
|
let(:parent) { create(:group) }
|
|
let(:group) { build(:group, parent: parent) }
|
|
let!(:new_grandparent) { create(:group) }
|
|
|
|
before do
|
|
parent.update!(parent: new_grandparent)
|
|
group.save!
|
|
reload_models(parent, group)
|
|
end
|
|
|
|
it 'avoid traversal_ids race condition' do
|
|
expect(parent.traversal_ids).to eq [new_grandparent.id, parent.id]
|
|
expect(group.traversal_ids).to eq [new_grandparent.id, parent.id, group.id]
|
|
end
|
|
end
|
|
end
|
|
|
|
context 'traversal_ids on update' do
|
|
context 'parent is updated' do
|
|
let(:new_parent) { create(:group) }
|
|
|
|
subject {group.update!(parent: new_parent, name: 'new name') }
|
|
|
|
it_behaves_like 'update on column', :traversal_ids
|
|
end
|
|
|
|
context 'parent is not updated' do
|
|
subject { group.update!(name: 'new name') }
|
|
|
|
it_behaves_like 'no update on column', :traversal_ids
|
|
end
|
|
end
|
|
|
|
context 'traversal_ids on ancestral update' do
|
|
context 'update multiple ancestors before save' do
|
|
let(:parent) { create(:group) }
|
|
let(:group) { create(:group, parent: parent) }
|
|
let!(:new_grandparent) { create(:group) }
|
|
let!(:new_parent) { create(:group) }
|
|
|
|
before do
|
|
group.parent = new_parent
|
|
new_parent.update!(parent: new_grandparent)
|
|
|
|
group.save!
|
|
reload_models(parent, group, new_grandparent, new_parent)
|
|
end
|
|
|
|
it 'avoids traversal_ids race condition' do
|
|
expect(parent.traversal_ids).to eq [parent.id]
|
|
expect(group.traversal_ids).to eq [new_grandparent.id, new_parent.id, group.id]
|
|
expect(new_grandparent.traversal_ids).to eq [new_grandparent.id]
|
|
expect(new_parent.traversal_ids).to eq [new_grandparent.id, new_parent.id]
|
|
end
|
|
end
|
|
|
|
context 'assign a new parent' do
|
|
let!(:group) { create(:group, parent: old_parent) }
|
|
let(:recorded_queries) { ActiveRecord::QueryRecorder.new }
|
|
|
|
subject do
|
|
recorded_queries.record do
|
|
group.update!(parent: new_parent)
|
|
end
|
|
end
|
|
|
|
context 'within the same hierarchy' do
|
|
let!(:root) { create(:group).reload }
|
|
let!(:old_parent) { create(:group, parent: root) }
|
|
let!(:new_parent) { create(:group, parent: root) }
|
|
|
|
context 'with FOR NO KEY UPDATE lock' do
|
|
before do
|
|
subject
|
|
reload_models(old_parent, new_parent, group)
|
|
end
|
|
|
|
it 'updates traversal_ids' do
|
|
expect(group.traversal_ids).to eq [root.id, new_parent.id, group.id]
|
|
end
|
|
|
|
it_behaves_like 'hierarchy with traversal_ids'
|
|
it_behaves_like 'locked row' do
|
|
let(:row) { root }
|
|
end
|
|
end
|
|
end
|
|
|
|
context 'to another hierarchy' do
|
|
let!(:old_parent) { create(:group) }
|
|
let!(:new_parent) { create(:group) }
|
|
let!(:group) { create(:group, parent: old_parent) }
|
|
|
|
before do
|
|
subject
|
|
reload_models(old_parent, new_parent, group)
|
|
end
|
|
|
|
it 'updates traversal_ids' do
|
|
expect(group.traversal_ids).to eq [new_parent.id, group.id]
|
|
end
|
|
|
|
it_behaves_like 'locked rows' do
|
|
let(:rows) { [old_parent, new_parent] }
|
|
end
|
|
|
|
context 'old hierarchy' do
|
|
let(:root) { old_parent.root_ancestor }
|
|
|
|
it_behaves_like 'hierarchy with traversal_ids'
|
|
end
|
|
|
|
context 'new hierarchy' do
|
|
let(:root) { new_parent.root_ancestor }
|
|
|
|
it_behaves_like 'hierarchy with traversal_ids'
|
|
end
|
|
end
|
|
|
|
context 'from being a root ancestor' do
|
|
let!(:old_parent) { nil }
|
|
let!(:new_parent) { create(:group) }
|
|
|
|
before do
|
|
subject
|
|
reload_models(old_parent, new_parent, group)
|
|
end
|
|
|
|
it 'updates traversal_ids' do
|
|
expect(group.traversal_ids).to eq [new_parent.id, group.id]
|
|
end
|
|
|
|
it_behaves_like 'locked rows' do
|
|
let(:rows) { [group, new_parent] }
|
|
end
|
|
|
|
it_behaves_like 'hierarchy with traversal_ids' do
|
|
let(:root) { new_parent }
|
|
end
|
|
end
|
|
|
|
context 'to being a root ancestor' do
|
|
let!(:old_parent) { create(:group) }
|
|
let!(:new_parent) { nil }
|
|
|
|
before do
|
|
subject
|
|
reload_models(old_parent, new_parent, group)
|
|
end
|
|
|
|
it 'updates traversal_ids' do
|
|
expect(group.traversal_ids).to eq [group.id]
|
|
end
|
|
|
|
it_behaves_like 'locked rows' do
|
|
let(:rows) { [old_parent, group] }
|
|
end
|
|
|
|
it_behaves_like 'hierarchy with traversal_ids' do
|
|
let(:root) { group }
|
|
end
|
|
end
|
|
end
|
|
|
|
context 'assigning a new grandparent' do
|
|
let!(:old_grandparent) { create(:group) }
|
|
let!(:new_grandparent) { create(:group) }
|
|
let!(:parent_group) { create(:group, parent: old_grandparent) }
|
|
let!(:group) { create(:group, parent: parent_group) }
|
|
|
|
before do
|
|
parent_group.update!(parent: new_grandparent)
|
|
end
|
|
|
|
it 'updates traversal_ids for all descendants' do
|
|
expect(parent_group.reload.traversal_ids).to eq [new_grandparent.id, parent_group.id]
|
|
expect(group.reload.traversal_ids).to eq [new_grandparent.id, parent_group.id, group.id]
|
|
end
|
|
end
|
|
end
|
|
|
|
context 'traversal queries' do
|
|
let_it_be(:group, reload: true) { create(:group, :nested) }
|
|
|
|
context 'recursive' do
|
|
before do
|
|
stub_feature_flags(use_traversal_ids: false)
|
|
end
|
|
|
|
it_behaves_like 'namespace traversal'
|
|
|
|
describe '#self_and_descendants' do
|
|
it { expect(group.self_and_descendants.to_sql).not_to include 'traversal_ids @>' }
|
|
end
|
|
|
|
describe '#self_and_descendant_ids' do
|
|
it { expect(group.self_and_descendant_ids.to_sql).not_to include 'traversal_ids @>' }
|
|
end
|
|
|
|
describe '#descendants' do
|
|
it { expect(group.descendants.to_sql).not_to include 'traversal_ids @>' }
|
|
end
|
|
|
|
describe '#self_and_hierarchy' do
|
|
it { expect(group.self_and_hierarchy.to_sql).not_to include 'traversal_ids @>' }
|
|
end
|
|
|
|
describe '#ancestors' do
|
|
it { expect(group.ancestors.to_sql).not_to include 'traversal_ids <@' }
|
|
end
|
|
|
|
describe '#ancestors_upto' do
|
|
it { expect(group.ancestors_upto.to_sql).not_to include "WITH ORDINALITY" }
|
|
end
|
|
|
|
describe '.shortest_traversal_ids_prefixes' do
|
|
it { expect { described_class.shortest_traversal_ids_prefixes }.to raise_error /Feature not supported since the `:use_traversal_ids` is disabled/ }
|
|
end
|
|
end
|
|
|
|
context 'linear' do
|
|
it_behaves_like 'namespace traversal'
|
|
|
|
describe '#self_and_descendants' do
|
|
it { expect(group.self_and_descendants.to_sql).to include 'traversal_ids @>' }
|
|
end
|
|
|
|
describe '#self_and_descendant_ids' do
|
|
it { expect(group.self_and_descendant_ids.to_sql).to include 'traversal_ids @>' }
|
|
end
|
|
|
|
describe '#descendants' do
|
|
it { expect(group.descendants.to_sql).to include 'traversal_ids @>' }
|
|
end
|
|
|
|
describe '#self_and_hierarchy' do
|
|
it { expect(group.self_and_hierarchy.to_sql).to include 'traversal_ids @>' }
|
|
end
|
|
|
|
describe '#ancestors' do
|
|
it { expect(group.ancestors.to_sql).to include "\"namespaces\".\"id\" = #{group.parent_id}" }
|
|
|
|
it 'hierarchy order' do
|
|
expect(group.ancestors(hierarchy_order: :asc).to_sql).to include 'ORDER BY "depth" ASC'
|
|
end
|
|
|
|
context 'ancestor linear queries feature flag disabled' do
|
|
before do
|
|
stub_feature_flags(use_traversal_ids_for_ancestors: false)
|
|
end
|
|
|
|
it { expect(group.ancestors.to_sql).not_to include 'traversal_ids <@' }
|
|
end
|
|
end
|
|
|
|
describe '#ancestors_upto' do
|
|
it { expect(group.ancestors_upto.to_sql).to include "WITH ORDINALITY" }
|
|
end
|
|
|
|
describe '.shortest_traversal_ids_prefixes' do
|
|
subject { filter.shortest_traversal_ids_prefixes }
|
|
|
|
context 'for many top-level namespaces' do
|
|
let!(:top_level_groups) { create_list(:group, 4) }
|
|
|
|
context 'when querying all groups' do
|
|
let(:filter) { described_class.id_in(top_level_groups) }
|
|
|
|
it "returns all traversal_ids" do
|
|
is_expected.to contain_exactly(
|
|
*top_level_groups.map { |group| [group.id] }
|
|
)
|
|
end
|
|
end
|
|
|
|
context 'when querying selected groups' do
|
|
let(:filter) { described_class.id_in(top_level_groups.first) }
|
|
|
|
it "returns only a selected traversal_ids" do
|
|
is_expected.to contain_exactly([top_level_groups.first.id])
|
|
end
|
|
end
|
|
end
|
|
|
|
context 'for namespace hierarchy' do
|
|
let!(:group_a) { create(:group) }
|
|
let!(:group_a_sub_1) { create(:group, parent: group_a) }
|
|
let!(:group_a_sub_2) { create(:group, parent: group_a) }
|
|
let!(:group_b) { create(:group) }
|
|
let!(:group_b_sub_1) { create(:group, parent: group_b) }
|
|
let!(:group_c) { create(:group) }
|
|
|
|
context 'when querying all groups' do
|
|
let(:filter) { described_class.id_in([group_a, group_a_sub_1, group_a_sub_2, group_b, group_b_sub_1, group_c]) }
|
|
|
|
it 'returns only shortest prefixes of top-level groups' do
|
|
is_expected.to contain_exactly(
|
|
[group_a.id],
|
|
[group_b.id],
|
|
[group_c.id]
|
|
)
|
|
end
|
|
end
|
|
|
|
context 'when sub-group is reparented' do
|
|
let(:filter) { described_class.id_in([group_b_sub_1, group_c]) }
|
|
|
|
before do
|
|
group_b_sub_1.update!(parent: group_c)
|
|
end
|
|
|
|
it 'returns a proper shortest prefix of a new group' do
|
|
is_expected.to contain_exactly(
|
|
[group_c.id]
|
|
)
|
|
end
|
|
end
|
|
|
|
context 'when querying sub-groups' do
|
|
let(:filter) { described_class.id_in([group_a_sub_1, group_b_sub_1, group_c]) }
|
|
|
|
it 'returns sub-groups as they are shortest prefixes' do
|
|
is_expected.to contain_exactly(
|
|
[group_a.id, group_a_sub_1.id],
|
|
[group_b.id, group_b_sub_1.id],
|
|
[group_c.id]
|
|
)
|
|
end
|
|
end
|
|
|
|
context 'when querying group and sub-group of this group' do
|
|
let(:filter) { described_class.id_in([group_a, group_a_sub_1, group_c]) }
|
|
|
|
it 'returns parent groups as this contains all sub-groups' do
|
|
is_expected.to contain_exactly(
|
|
[group_a.id],
|
|
[group_c.id]
|
|
)
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
context 'when project namespace exists in the group' do
|
|
let!(:project) { create(:project, group: group) }
|
|
let!(:project_namespace) { project.project_namespace }
|
|
|
|
it 'filters out project namespace' do
|
|
expect(group.descendants.find_by_id(project_namespace.id)).to be_nil
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '.without_integration' do
|
|
let(:another_group) { create(:group) }
|
|
let(:instance_integration) { build(:jira_integration, :instance) }
|
|
|
|
before do
|
|
create(:jira_integration, :group, group: group)
|
|
create(:integrations_slack, :group, group: another_group)
|
|
end
|
|
|
|
it 'returns groups without integration' do
|
|
expect(Group.without_integration(instance_integration)).to contain_exactly(another_group)
|
|
end
|
|
end
|
|
|
|
describe '.public_or_visible_to_user' do
|
|
let!(:private_group) { create(:group, :private) }
|
|
let!(:internal_group) { create(:group, :internal) }
|
|
|
|
subject { described_class.public_or_visible_to_user(user) }
|
|
|
|
context 'when user is nil' do
|
|
let!(:user) { nil }
|
|
|
|
it { is_expected.to match_array([group]) }
|
|
end
|
|
|
|
context 'when user' do
|
|
let!(:user) { create(:user) }
|
|
|
|
context 'when user does not have access to any private group' do
|
|
it { is_expected.to match_array([internal_group, group]) }
|
|
end
|
|
|
|
context 'when user is a member of private group' do
|
|
before do
|
|
private_group.add_member(user, Gitlab::Access::DEVELOPER)
|
|
end
|
|
|
|
it { is_expected.to match_array([private_group, internal_group, group]) }
|
|
end
|
|
|
|
context 'when user is a member of private subgroup' do
|
|
let!(:private_subgroup) { create(:group, :private, parent: private_group) }
|
|
|
|
before do
|
|
private_subgroup.add_member(user, Gitlab::Access::DEVELOPER)
|
|
end
|
|
|
|
it { is_expected.to match_array([private_subgroup, internal_group, group]) }
|
|
end
|
|
end
|
|
end
|
|
|
|
describe 'scopes' do
|
|
let_it_be(:private_group) { create(:group, :private) }
|
|
let_it_be(:internal_group) { create(:group, :internal) }
|
|
let_it_be(:user1) { create(:user) }
|
|
let_it_be(:user2) { create(:user) }
|
|
|
|
describe 'public_only' do
|
|
subject { described_class.public_only.to_a }
|
|
|
|
it { is_expected.to eq([group]) }
|
|
end
|
|
|
|
describe 'public_and_internal_only' do
|
|
subject { described_class.public_and_internal_only.to_a }
|
|
|
|
it { is_expected.to match_array([group, internal_group]) }
|
|
end
|
|
|
|
describe 'non_public_only' do
|
|
subject { described_class.non_public_only.to_a }
|
|
|
|
it { is_expected.to match_array([private_group, internal_group]) }
|
|
end
|
|
|
|
describe 'private_only' do
|
|
subject { described_class.private_only.to_a }
|
|
|
|
it { is_expected.to match_array([private_group]) }
|
|
end
|
|
|
|
describe 'with_onboarding_progress' do
|
|
subject { described_class.with_onboarding_progress }
|
|
|
|
it 'joins onboarding_progress' do
|
|
create(:onboarding_progress, namespace: group)
|
|
|
|
expect(subject).to eq([group])
|
|
end
|
|
end
|
|
|
|
describe 'for_authorized_group_members' do
|
|
let_it_be(:group_member1) { create(:group_member, source: private_group, user_id: user1.id, access_level: Gitlab::Access::OWNER) }
|
|
|
|
it do
|
|
result = described_class.for_authorized_group_members([user1.id, user2.id])
|
|
|
|
expect(result).to match_array([private_group])
|
|
end
|
|
end
|
|
|
|
describe 'for_authorized_project_members' do
|
|
let_it_be(:project) { create(:project, group: internal_group) }
|
|
let_it_be(:project_member1) { create(:project_member, source: project, user_id: user1.id, access_level: Gitlab::Access::DEVELOPER) }
|
|
|
|
it do
|
|
result = described_class.for_authorized_project_members([user1.id, user2.id])
|
|
|
|
expect(result).to match_array([internal_group])
|
|
end
|
|
end
|
|
|
|
describe 'by_ids_or_paths' do
|
|
let(:group_path) { 'group_path' }
|
|
let!(:group) { create(:group, path: group_path) }
|
|
let(:group_id) { group.id }
|
|
|
|
it 'returns matching records based on paths' do
|
|
expect(described_class.by_ids_or_paths(nil, [group_path])).to match_array([group])
|
|
end
|
|
|
|
it 'returns matching records based on ids' do
|
|
expect(described_class.by_ids_or_paths([group_id], nil)).to match_array([group])
|
|
end
|
|
|
|
it 'returns matching records based on both paths and ids' do
|
|
new_group = create(:group)
|
|
|
|
expect(described_class.by_ids_or_paths([new_group.id], [group_path])).to match_array([group, new_group])
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#to_reference' do
|
|
it 'returns a String reference to the object' do
|
|
expect(group.to_reference).to eq "@#{group.name}"
|
|
end
|
|
end
|
|
|
|
describe '#users' do
|
|
it { expect(group.users).to eq(group.owners) }
|
|
end
|
|
|
|
describe '#human_name' do
|
|
it { expect(group.human_name).to eq(group.name) }
|
|
end
|
|
|
|
describe '#add_user' do
|
|
let(:user) { create(:user) }
|
|
|
|
it 'adds the user with a blocking refresh by default' do
|
|
expect_next_instance_of(GroupMember) do |member|
|
|
expect(member).to receive(:refresh_member_authorized_projects).with(blocking: true)
|
|
end
|
|
|
|
group.add_member(user, GroupMember::MAINTAINER)
|
|
|
|
expect(group.group_members.maintainers.map(&:user)).to include(user)
|
|
end
|
|
|
|
it 'passes the blocking refresh value to member' do
|
|
expect_next_instance_of(GroupMember) do |member|
|
|
expect(member).to receive(:refresh_member_authorized_projects).with(blocking: false)
|
|
end
|
|
|
|
group.add_member(user, GroupMember::MAINTAINER, blocking_refresh: false)
|
|
end
|
|
end
|
|
|
|
describe '#add_users' do
|
|
let(:user) { create(:user) }
|
|
|
|
before do
|
|
group.add_members([user.id], GroupMember::GUEST)
|
|
end
|
|
|
|
it "updates the group permission" do
|
|
expect(group.group_members.guests.map(&:user)).to include(user)
|
|
group.add_members([user.id], GroupMember::DEVELOPER)
|
|
expect(group.group_members.developers.map(&:user)).to include(user)
|
|
expect(group.group_members.guests.map(&:user)).not_to include(user)
|
|
end
|
|
|
|
context 'when `tasks_to_be_done` and `tasks_project_id` are passed' do
|
|
let!(:project) { create(:project, group: group) }
|
|
|
|
before do
|
|
group.add_members([create(:user)], :developer, tasks_to_be_done: %w(ci code), tasks_project_id: project.id)
|
|
end
|
|
|
|
it 'creates a member_task with the correct attributes', :aggregate_failures do
|
|
member = group.group_members.last
|
|
|
|
expect(member.tasks_to_be_done).to match_array([:ci, :code])
|
|
expect(member.member_task.project).to eq(project)
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#avatar_type' do
|
|
let(:user) { create(:user) }
|
|
|
|
before do
|
|
group.add_member(user, GroupMember::MAINTAINER)
|
|
end
|
|
|
|
it "is true if avatar is image" do
|
|
group.update_attribute(:avatar, 'uploads/avatar.png')
|
|
expect(group.avatar_type).to be_truthy
|
|
end
|
|
|
|
it "is false if avatar is html page" do
|
|
group.update_attribute(:avatar, 'uploads/avatar.html')
|
|
group.avatar_type
|
|
|
|
expect(group.errors.added?(:avatar, "file format is not supported. Please try one of the following supported formats: png, jpg, jpeg, gif, bmp, tiff, ico, webp")).to be true
|
|
end
|
|
end
|
|
|
|
describe '#avatar_url' do
|
|
let!(:group) { create(:group, :with_avatar) }
|
|
let(:user) { create(:user) }
|
|
|
|
context 'when avatar file is uploaded' do
|
|
before do
|
|
group.add_maintainer(user)
|
|
end
|
|
|
|
it 'shows correct avatar url' do
|
|
expect(group.avatar_url).to eq(group.avatar.url)
|
|
expect(group.avatar_url(only_path: false)).to eq([Gitlab.config.gitlab.url, group.avatar.url].join)
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '.search' do
|
|
it 'returns groups with a matching name' do
|
|
expect(described_class.search(group.name)).to eq([group])
|
|
end
|
|
|
|
it 'returns groups with a partially matching name' do
|
|
expect(described_class.search(group.name[0..2])).to eq([group])
|
|
end
|
|
|
|
it 'returns groups with a matching name regardless of the casing' do
|
|
expect(described_class.search(group.name.upcase)).to eq([group])
|
|
end
|
|
|
|
it 'returns groups with a matching path' do
|
|
expect(described_class.search(group.path)).to eq([group])
|
|
end
|
|
|
|
it 'returns groups with a partially matching path' do
|
|
expect(described_class.search(group.path[0..2])).to eq([group])
|
|
end
|
|
|
|
it 'returns groups with a matching path regardless of the casing' do
|
|
expect(described_class.search(group.path.upcase)).to eq([group])
|
|
end
|
|
end
|
|
|
|
describe '#has_owner?' do
|
|
before do
|
|
@members = setup_group_members(group)
|
|
create(:group_member, :invited, :owner, group: group)
|
|
end
|
|
|
|
it { expect(group.has_owner?(@members[:owner])).to be_truthy }
|
|
it { expect(group.has_owner?(@members[:maintainer])).to be_falsey }
|
|
it { expect(group.has_owner?(@members[:developer])).to be_falsey }
|
|
it { expect(group.has_owner?(@members[:reporter])).to be_falsey }
|
|
it { expect(group.has_owner?(@members[:guest])).to be_falsey }
|
|
it { expect(group.has_owner?(@members[:requester])).to be_falsey }
|
|
it { expect(group.has_owner?(nil)).to be_falsey }
|
|
end
|
|
|
|
describe '#has_maintainer?' do
|
|
before do
|
|
@members = setup_group_members(group)
|
|
create(:group_member, :invited, :maintainer, group: group)
|
|
end
|
|
|
|
it { expect(group.has_maintainer?(@members[:owner])).to be_falsey }
|
|
it { expect(group.has_maintainer?(@members[:maintainer])).to be_truthy }
|
|
it { expect(group.has_maintainer?(@members[:developer])).to be_falsey }
|
|
it { expect(group.has_maintainer?(@members[:reporter])).to be_falsey }
|
|
it { expect(group.has_maintainer?(@members[:guest])).to be_falsey }
|
|
it { expect(group.has_maintainer?(@members[:requester])).to be_falsey }
|
|
it { expect(group.has_maintainer?(nil)).to be_falsey }
|
|
end
|
|
|
|
describe '#last_owner?' do
|
|
before do
|
|
@members = setup_group_members(group)
|
|
end
|
|
|
|
it { expect(group.last_owner?(@members[:owner])).to be_truthy }
|
|
|
|
context 'there is also a project_bot owner' do
|
|
before do
|
|
group.add_member(create(:user, :project_bot), GroupMember::OWNER)
|
|
end
|
|
|
|
it { expect(group.last_owner?(@members[:owner])).to be_truthy }
|
|
end
|
|
|
|
context 'with two owners' do
|
|
before do
|
|
create(:group_member, :owner, group: group)
|
|
end
|
|
|
|
it { expect(group.last_owner?(@members[:owner])).to be_falsy }
|
|
end
|
|
|
|
context 'with owners from a parent' do
|
|
before do
|
|
parent_group = create(:group)
|
|
create(:group_member, :owner, group: parent_group)
|
|
group.update!(parent: parent_group)
|
|
end
|
|
|
|
it { expect(group.last_owner?(@members[:owner])).to be_falsy }
|
|
end
|
|
end
|
|
|
|
describe '#member_last_blocked_owner?' do
|
|
let_it_be(:blocked_user) { create(:user, :blocked) }
|
|
|
|
let(:member) { blocked_user.group_members.last }
|
|
|
|
before do
|
|
group.add_member(blocked_user, GroupMember::OWNER)
|
|
end
|
|
|
|
context 'when last_blocked_owner is set' do
|
|
before do
|
|
expect(group).not_to receive(:members_with_parents)
|
|
end
|
|
|
|
it 'returns true' do
|
|
member.last_blocked_owner = true
|
|
|
|
expect(group.member_last_blocked_owner?(member)).to be(true)
|
|
end
|
|
|
|
it 'returns false' do
|
|
member.last_blocked_owner = false
|
|
|
|
expect(group.member_last_blocked_owner?(member)).to be(false)
|
|
end
|
|
end
|
|
|
|
context 'when last_blocked_owner is not set' do
|
|
it { expect(group.member_last_blocked_owner?(member)).to be(true) }
|
|
|
|
context 'with another active owner' do
|
|
before do
|
|
group.add_member(create(:user), GroupMember::OWNER)
|
|
end
|
|
|
|
it { expect(group.member_last_blocked_owner?(member)).to be(false) }
|
|
end
|
|
|
|
context 'with 2 blocked owners' do
|
|
before do
|
|
group.add_member(create(:user, :blocked), GroupMember::OWNER)
|
|
end
|
|
|
|
it { expect(group.member_last_blocked_owner?(member)).to be(false) }
|
|
end
|
|
|
|
context 'with owners from a parent' do
|
|
before do
|
|
parent_group = create(:group)
|
|
create(:group_member, :owner, group: parent_group)
|
|
group.update!(parent: parent_group)
|
|
end
|
|
|
|
it { expect(group.member_last_blocked_owner?(member)).to be(false) }
|
|
end
|
|
end
|
|
end
|
|
|
|
context 'when analyzing blocked owners' do
|
|
let_it_be(:blocked_user) { create(:user, :blocked) }
|
|
|
|
describe '#single_blocked_owner?' do
|
|
context 'when there is only one blocked owner' do
|
|
before do
|
|
group.add_member(blocked_user, GroupMember::OWNER)
|
|
end
|
|
|
|
it 'returns true' do
|
|
expect(group.single_blocked_owner?).to eq(true)
|
|
end
|
|
end
|
|
|
|
context 'when there are multiple blocked owners' do
|
|
let_it_be(:blocked_user_2) { create(:user, :blocked) }
|
|
|
|
before do
|
|
group.add_member(blocked_user, GroupMember::OWNER)
|
|
group.add_member(blocked_user_2, GroupMember::OWNER)
|
|
end
|
|
|
|
it 'returns true' do
|
|
expect(group.single_blocked_owner?).to eq(false)
|
|
end
|
|
end
|
|
|
|
context 'when there are no blocked owners' do
|
|
it 'returns false' do
|
|
expect(group.single_blocked_owner?).to eq(false)
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#blocked_owners' do
|
|
let_it_be(:user) { create(:user) }
|
|
|
|
before do
|
|
group.add_member(blocked_user, GroupMember::OWNER)
|
|
group.add_member(user, GroupMember::OWNER)
|
|
end
|
|
|
|
it 'has only blocked owners' do
|
|
expect(group.blocked_owners.map(&:user)).to match([blocked_user])
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#all_owners_excluding_project_bots' do
|
|
let_it_be(:user) { create(:user) }
|
|
|
|
context 'when there is only one owner' do
|
|
let!(:owner) do
|
|
group.add_member(user, GroupMember::OWNER)
|
|
end
|
|
|
|
it 'returns the owner' do
|
|
expect(group.all_owners_excluding_project_bots).to contain_exactly(owner)
|
|
end
|
|
|
|
context 'and there is also a project_bot owner' do
|
|
before do
|
|
group.add_member(create(:user, :project_bot), GroupMember::OWNER)
|
|
end
|
|
|
|
it 'returns only the human owner' do
|
|
expect(group.all_owners_excluding_project_bots).to contain_exactly(owner)
|
|
end
|
|
end
|
|
end
|
|
|
|
context 'when there are multiple owners' do
|
|
let_it_be(:user_2) { create(:user) }
|
|
|
|
let!(:owner) do
|
|
group.add_member(user, GroupMember::OWNER)
|
|
end
|
|
|
|
let!(:owner2) do
|
|
group.add_member(user_2, GroupMember::OWNER)
|
|
end
|
|
|
|
it 'returns both owners' do
|
|
expect(group.all_owners_excluding_project_bots).to contain_exactly(owner, owner2)
|
|
end
|
|
|
|
context 'and there is also a project_bot owner' do
|
|
before do
|
|
group.add_member(create(:user, :project_bot), GroupMember::OWNER)
|
|
end
|
|
|
|
it 'returns only the human owners' do
|
|
expect(group.all_owners_excluding_project_bots).to contain_exactly(owner, owner2)
|
|
end
|
|
end
|
|
end
|
|
|
|
context 'when there are no owners' do
|
|
it 'returns false' do
|
|
expect(group.all_owners_excluding_project_bots).to be_empty
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#member_last_owner?' do
|
|
let_it_be(:user) { create(:user) }
|
|
|
|
let(:member) { group.members.last }
|
|
|
|
before do
|
|
group.add_member(user, GroupMember::OWNER)
|
|
end
|
|
|
|
context 'when last_owner is set' do
|
|
before do
|
|
expect(group).not_to receive(:last_owner?)
|
|
end
|
|
|
|
it 'returns true' do
|
|
member.last_owner = true
|
|
|
|
expect(group.member_last_owner?(member)).to be(true)
|
|
end
|
|
|
|
it 'returns false' do
|
|
member.last_owner = false
|
|
|
|
expect(group.member_last_owner?(member)).to be(false)
|
|
end
|
|
end
|
|
|
|
context 'when last_owner is not set' do
|
|
it 'returns true' do
|
|
expect(group).to receive(:last_owner?).and_call_original
|
|
|
|
expect(group.member_last_owner?(member)).to be(true)
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#lfs_enabled?' do
|
|
context 'LFS enabled globally' do
|
|
before do
|
|
allow(Gitlab.config.lfs).to receive(:enabled).and_return(true)
|
|
end
|
|
|
|
it 'returns true when nothing is set' do
|
|
expect(group.lfs_enabled?).to be_truthy
|
|
end
|
|
|
|
it 'returns false when set to false' do
|
|
group.update_attribute(:lfs_enabled, false)
|
|
|
|
expect(group.lfs_enabled?).to be_falsey
|
|
end
|
|
|
|
it 'returns true when set to true' do
|
|
group.update_attribute(:lfs_enabled, true)
|
|
|
|
expect(group.lfs_enabled?).to be_truthy
|
|
end
|
|
end
|
|
|
|
context 'LFS disabled globally' do
|
|
before do
|
|
allow(Gitlab.config.lfs).to receive(:enabled).and_return(false)
|
|
end
|
|
|
|
it 'returns false when nothing is set' do
|
|
expect(group.lfs_enabled?).to be_falsey
|
|
end
|
|
|
|
it 'returns false when set to false' do
|
|
group.update_attribute(:lfs_enabled, false)
|
|
|
|
expect(group.lfs_enabled?).to be_falsey
|
|
end
|
|
|
|
it 'returns false when set to true' do
|
|
group.update_attribute(:lfs_enabled, true)
|
|
|
|
expect(group.lfs_enabled?).to be_falsey
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#owners' do
|
|
let(:owner) { create(:user) }
|
|
let(:developer) { create(:user) }
|
|
|
|
it 'returns the owners of a Group' do
|
|
group.add_owner(owner)
|
|
group.add_developer(developer)
|
|
|
|
expect(group.owners).to eq([owner])
|
|
end
|
|
end
|
|
|
|
def setup_group_members(group)
|
|
members = {
|
|
owner: create(:user),
|
|
maintainer: create(:user),
|
|
developer: create(:user),
|
|
reporter: create(:user),
|
|
guest: create(:user),
|
|
requester: create(:user)
|
|
}
|
|
|
|
group.add_member(members[:owner], GroupMember::OWNER)
|
|
group.add_member(members[:maintainer], GroupMember::MAINTAINER)
|
|
group.add_member(members[:developer], GroupMember::DEVELOPER)
|
|
group.add_member(members[:reporter], GroupMember::REPORTER)
|
|
group.add_member(members[:guest], GroupMember::GUEST)
|
|
group.request_access(members[:requester])
|
|
|
|
members
|
|
end
|
|
|
|
describe '#web_url' do
|
|
it 'returns the canonical URL' do
|
|
expect(group.web_url).to include("groups/#{group.name}")
|
|
end
|
|
|
|
context 'nested group' do
|
|
let(:nested_group) { create(:group, :nested) }
|
|
|
|
it { expect(nested_group.web_url).to include("groups/#{nested_group.full_path}") }
|
|
end
|
|
end
|
|
|
|
describe 'nested group' do
|
|
subject { build(:group, :nested) }
|
|
|
|
it { is_expected.to be_valid }
|
|
it { expect(subject.parent).to be_kind_of(described_class) }
|
|
end
|
|
|
|
describe '#max_member_access_for_user' do
|
|
let_it_be(:group_user) { create(:user) }
|
|
|
|
context 'with user in the group' do
|
|
before do
|
|
group.add_owner(group_user)
|
|
end
|
|
|
|
it 'returns correct access level' do
|
|
expect(group.max_member_access_for_user(group_user)).to eq(Gitlab::Access::OWNER)
|
|
end
|
|
end
|
|
|
|
context 'when user is nil' do
|
|
it 'returns NO_ACCESS' do
|
|
expect(group.max_member_access_for_user(nil)).to eq(Gitlab::Access::NO_ACCESS)
|
|
end
|
|
end
|
|
|
|
context 'evaluating admin access level' do
|
|
let_it_be(:admin) { create(:admin) }
|
|
|
|
context 'when admin mode is enabled', :enable_admin_mode do
|
|
it 'returns OWNER by default' do
|
|
expect(group.max_member_access_for_user(admin)).to eq(Gitlab::Access::OWNER)
|
|
end
|
|
end
|
|
|
|
context 'when admin mode is disabled' do
|
|
it 'returns NO_ACCESS' do
|
|
expect(group.max_member_access_for_user(admin)).to eq(Gitlab::Access::NO_ACCESS)
|
|
end
|
|
end
|
|
|
|
it 'returns NO_ACCESS when only concrete membership should be considered' do
|
|
expect(group.max_member_access_for_user(admin, only_concrete_membership: true))
|
|
.to eq(Gitlab::Access::NO_ACCESS)
|
|
end
|
|
end
|
|
|
|
context 'group shared with another group' do
|
|
let_it_be(:parent_group_user) { create(:user) }
|
|
let_it_be(:child_group_user) { create(:user) }
|
|
|
|
let_it_be(:group_parent) { create(:group, :private) }
|
|
let_it_be(:group) { create(:group, :private, parent: group_parent) }
|
|
let_it_be(:group_child) { create(:group, :private, parent: group) }
|
|
|
|
let_it_be(:shared_group_parent) { create(:group, :private) }
|
|
let_it_be(:shared_group) { create(:group, :private, parent: shared_group_parent) }
|
|
let_it_be(:shared_group_child) { create(:group, :private, parent: shared_group) }
|
|
|
|
before do
|
|
group_parent.add_owner(parent_group_user)
|
|
group.add_owner(group_user)
|
|
group_child.add_owner(child_group_user)
|
|
|
|
create(:group_group_link, { shared_with_group: group,
|
|
shared_group: shared_group,
|
|
group_access: GroupMember::DEVELOPER })
|
|
end
|
|
|
|
context 'with user in the group' do
|
|
it 'returns correct access level' do
|
|
expect(shared_group_parent.max_member_access_for_user(group_user)).to eq(Gitlab::Access::NO_ACCESS)
|
|
expect(shared_group.max_member_access_for_user(group_user)).to eq(Gitlab::Access::DEVELOPER)
|
|
expect(shared_group_child.max_member_access_for_user(group_user)).to eq(Gitlab::Access::DEVELOPER)
|
|
end
|
|
|
|
context 'with lower group access level than max access level for share' do
|
|
let(:user) { create(:user) }
|
|
|
|
it 'returns correct access level' do
|
|
group.add_reporter(user)
|
|
|
|
expect(shared_group_parent.max_member_access_for_user(user)).to eq(Gitlab::Access::NO_ACCESS)
|
|
expect(shared_group.max_member_access_for_user(user)).to eq(Gitlab::Access::REPORTER)
|
|
expect(shared_group_child.max_member_access_for_user(user)).to eq(Gitlab::Access::REPORTER)
|
|
end
|
|
end
|
|
end
|
|
|
|
context 'with user in the parent group' do
|
|
it 'returns correct access level' do
|
|
expect(shared_group_parent.max_member_access_for_user(parent_group_user)).to eq(Gitlab::Access::NO_ACCESS)
|
|
expect(shared_group.max_member_access_for_user(parent_group_user)).to eq(Gitlab::Access::NO_ACCESS)
|
|
expect(shared_group_child.max_member_access_for_user(parent_group_user)).to eq(Gitlab::Access::NO_ACCESS)
|
|
end
|
|
end
|
|
|
|
context 'with user in the child group' do
|
|
it 'returns correct access level' do
|
|
expect(shared_group_parent.max_member_access_for_user(child_group_user)).to eq(Gitlab::Access::NO_ACCESS)
|
|
expect(shared_group.max_member_access_for_user(child_group_user)).to eq(Gitlab::Access::NO_ACCESS)
|
|
expect(shared_group_child.max_member_access_for_user(child_group_user)).to eq(Gitlab::Access::NO_ACCESS)
|
|
end
|
|
end
|
|
|
|
context 'unrelated project owner' do
|
|
let(:common_id) { [Project.maximum(:id).to_i, Namespace.maximum(:id).to_i].max + 999 }
|
|
let!(:group) { create(:group, id: common_id) }
|
|
let!(:unrelated_project) { create(:project, id: common_id) }
|
|
let(:user) { unrelated_project.first_owner }
|
|
|
|
it 'returns correct access level' do
|
|
expect(shared_group_parent.max_member_access_for_user(user)).to eq(Gitlab::Access::NO_ACCESS)
|
|
expect(shared_group.max_member_access_for_user(user)).to eq(Gitlab::Access::NO_ACCESS)
|
|
expect(shared_group_child.max_member_access_for_user(user)).to eq(Gitlab::Access::NO_ACCESS)
|
|
end
|
|
end
|
|
|
|
context 'user without accepted access request' do
|
|
let!(:user) { create(:user) }
|
|
|
|
before do
|
|
create(:group_member, :developer, :access_request, user: user, group: group)
|
|
end
|
|
|
|
it 'returns correct access level' do
|
|
expect(shared_group_parent.max_member_access_for_user(user)).to eq(Gitlab::Access::NO_ACCESS)
|
|
expect(shared_group.max_member_access_for_user(user)).to eq(Gitlab::Access::NO_ACCESS)
|
|
expect(shared_group_child.max_member_access_for_user(user)).to eq(Gitlab::Access::NO_ACCESS)
|
|
end
|
|
end
|
|
end
|
|
|
|
context 'multiple groups shared with group' do
|
|
let(:user) { create(:user) }
|
|
let(:group) { create(:group, :private) }
|
|
let(:shared_group_parent) { create(:group, :private) }
|
|
let(:shared_group) { create(:group, :private, parent: shared_group_parent) }
|
|
|
|
before do
|
|
group.add_owner(user)
|
|
|
|
create(:group_group_link, { shared_with_group: group,
|
|
shared_group: shared_group,
|
|
group_access: GroupMember::DEVELOPER })
|
|
create(:group_group_link, { shared_with_group: group,
|
|
shared_group: shared_group_parent,
|
|
group_access: GroupMember::MAINTAINER })
|
|
end
|
|
|
|
it 'returns correct access level' do
|
|
expect(shared_group.max_member_access_for_user(user)).to eq(Gitlab::Access::MAINTAINER)
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#direct_members' do
|
|
let_it_be(:group) { create(:group, :nested) }
|
|
let_it_be(:maintainer) { group.parent.add_member(create(:user), GroupMember::MAINTAINER) }
|
|
let_it_be(:developer) { group.add_member(create(:user), GroupMember::DEVELOPER) }
|
|
|
|
it 'does not return members of the parent' do
|
|
expect(group.direct_members).not_to include(maintainer)
|
|
end
|
|
|
|
it 'returns the direct member of the group' do
|
|
expect(group.direct_members).to include(developer)
|
|
end
|
|
|
|
context 'group sharing' do
|
|
let!(:shared_group) { create(:group) }
|
|
|
|
before do
|
|
create(:group_group_link, shared_group: shared_group, shared_with_group: group)
|
|
end
|
|
|
|
it 'does not return members of the shared_with group' do
|
|
expect(shared_group.direct_members).not_to(
|
|
include(developer))
|
|
end
|
|
end
|
|
end
|
|
|
|
shared_examples_for 'members_with_parents' do
|
|
let!(:group) { create(:group, :nested) }
|
|
let!(:maintainer) { group.parent.add_member(create(:user), GroupMember::MAINTAINER) }
|
|
let!(:developer) { group.add_member(create(:user), GroupMember::DEVELOPER) }
|
|
let!(:pending_maintainer) { create(:group_member, :awaiting, :maintainer, group: group.parent) }
|
|
let!(:pending_developer) { create(:group_member, :awaiting, :developer, group: group) }
|
|
|
|
it 'returns parents active members' do
|
|
expect(group.members_with_parents).to include(developer)
|
|
expect(group.members_with_parents).to include(maintainer)
|
|
expect(group.members_with_parents).not_to include(pending_developer)
|
|
expect(group.members_with_parents).not_to include(pending_maintainer)
|
|
end
|
|
|
|
context 'group sharing' do
|
|
let!(:shared_group) { create(:group) }
|
|
|
|
before do
|
|
create(:group_group_link, shared_group: shared_group, shared_with_group: group)
|
|
end
|
|
|
|
it 'returns shared with group active members' do
|
|
expect(shared_group.members_with_parents).to(
|
|
include(developer))
|
|
expect(shared_group.members_with_parents).not_to(
|
|
include(pending_developer))
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#members_with_parents' do
|
|
it_behaves_like 'members_with_parents'
|
|
end
|
|
|
|
describe '#authorizable_members_with_parents' do
|
|
let(:group) { create(:group) }
|
|
|
|
it_behaves_like 'members_with_parents'
|
|
|
|
context 'members with associated user but also having invite_token' do
|
|
let!(:member) { create(:group_member, :developer, :invited, user: create(:user), group: group) }
|
|
|
|
it 'includes such members in the result' do
|
|
expect(group.authorizable_members_with_parents).to include(member)
|
|
end
|
|
end
|
|
|
|
context 'invited members' do
|
|
let!(:member) { create(:group_member, :developer, :invited, group: group) }
|
|
|
|
it 'does not include such members in the result' do
|
|
expect(group.authorizable_members_with_parents).not_to include(member)
|
|
end
|
|
end
|
|
|
|
context 'members from group shares' do
|
|
let(:shared_group) { group }
|
|
let(:shared_with_group) { create(:group) }
|
|
|
|
before do
|
|
create(:group_group_link, shared_group: shared_group, shared_with_group: shared_with_group)
|
|
end
|
|
|
|
context 'an invited member that is part of the shared_with_group' do
|
|
let!(:member) { create(:group_member, :developer, :invited, group: shared_with_group) }
|
|
|
|
it 'does not include such members in the result' do
|
|
expect(shared_group.authorizable_members_with_parents).not_to(
|
|
include(member))
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#members_from_self_and_ancestors_with_effective_access_level' do
|
|
let!(:group_parent) { create(:group, :private) }
|
|
let!(:group) { create(:group, :private, parent: group_parent) }
|
|
let!(:group_child) { create(:group, :private, parent: group) }
|
|
|
|
let!(:user) { create(:user) }
|
|
|
|
let(:parent_group_access_level) { Gitlab::Access::REPORTER }
|
|
let(:group_access_level) { Gitlab::Access::DEVELOPER }
|
|
let(:child_group_access_level) { Gitlab::Access::MAINTAINER }
|
|
|
|
before do
|
|
create(:group_member, user: user, group: group_parent, access_level: parent_group_access_level)
|
|
create(:group_member, user: user, group: group, access_level: group_access_level)
|
|
create(:group_member, :minimal_access, user: create(:user), source: group)
|
|
create(:group_member, user: user, group: group_child, access_level: child_group_access_level)
|
|
end
|
|
|
|
it 'returns effective access level for user' do
|
|
expect(group_parent.members_from_self_and_ancestors_with_effective_access_level.as_json).to(
|
|
contain_exactly(
|
|
hash_including('user_id' => user.id, 'access_level' => parent_group_access_level)
|
|
)
|
|
)
|
|
expect(group.members_from_self_and_ancestors_with_effective_access_level.as_json).to(
|
|
contain_exactly(
|
|
hash_including('user_id' => user.id, 'access_level' => group_access_level)
|
|
)
|
|
)
|
|
expect(group_child.members_from_self_and_ancestors_with_effective_access_level.as_json).to(
|
|
contain_exactly(
|
|
hash_including('user_id' => user.id, 'access_level' => child_group_access_level)
|
|
)
|
|
)
|
|
end
|
|
end
|
|
|
|
context 'members-related methods' do
|
|
let!(:group) { create(:group, :nested) }
|
|
let!(:sub_group) { create(:group, parent: group) }
|
|
let!(:maintainer) { group.parent.add_member(create(:user), GroupMember::MAINTAINER) }
|
|
let!(:developer) { group.add_member(create(:user), GroupMember::DEVELOPER) }
|
|
let!(:other_developer) { group.add_member(create(:user), GroupMember::DEVELOPER) }
|
|
|
|
describe '#direct_and_indirect_members' do
|
|
it 'returns parents members' do
|
|
expect(group.direct_and_indirect_members).to include(developer)
|
|
expect(group.direct_and_indirect_members).to include(maintainer)
|
|
end
|
|
|
|
it 'returns descendant members' do
|
|
expect(group.direct_and_indirect_members).to include(other_developer)
|
|
end
|
|
end
|
|
|
|
describe '#direct_and_indirect_members_with_inactive' do
|
|
let!(:maintainer_blocked) { group.parent.add_member(create(:user, :blocked), GroupMember::MAINTAINER) }
|
|
|
|
it 'returns parents members' do
|
|
expect(group.direct_and_indirect_members_with_inactive).to include(developer)
|
|
expect(group.direct_and_indirect_members_with_inactive).to include(maintainer)
|
|
expect(group.direct_and_indirect_members_with_inactive).to include(maintainer_blocked)
|
|
end
|
|
|
|
it 'returns descendant members' do
|
|
expect(group.direct_and_indirect_members_with_inactive).to include(other_developer)
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#users_with_descendants' do
|
|
let(:user_a) { create(:user) }
|
|
let(:user_b) { create(:user) }
|
|
|
|
let(:group) { create(:group) }
|
|
let(:nested_group) { create(:group, parent: group) }
|
|
let(:deep_nested_group) { create(:group, parent: nested_group) }
|
|
|
|
it 'returns member users on every nest level without duplication' do
|
|
group.add_developer(user_a)
|
|
nested_group.add_developer(user_b)
|
|
deep_nested_group.add_maintainer(user_a)
|
|
|
|
expect(group.users_with_descendants).to contain_exactly(user_a, user_b)
|
|
expect(nested_group.users_with_descendants).to contain_exactly(user_a, user_b)
|
|
expect(deep_nested_group.users_with_descendants).to contain_exactly(user_a)
|
|
end
|
|
end
|
|
|
|
context 'user-related methods' do
|
|
let(:user_a) { create(:user) }
|
|
let(:user_b) { create(:user) }
|
|
let(:user_c) { create(:user) }
|
|
let(:user_d) { create(:user) }
|
|
|
|
let(:group) { create(:group) }
|
|
let(:nested_group) { create(:group, parent: group) }
|
|
let(:deep_nested_group) { create(:group, parent: nested_group) }
|
|
let(:project) { create(:project, namespace: group) }
|
|
|
|
before do
|
|
group.add_developer(user_a)
|
|
group.add_developer(user_c)
|
|
nested_group.add_developer(user_b)
|
|
deep_nested_group.add_developer(user_a)
|
|
project.add_developer(user_d)
|
|
end
|
|
|
|
describe '#direct_and_indirect_users' do
|
|
it 'returns member users on every nest level without duplication' do
|
|
expect(group.direct_and_indirect_users).to contain_exactly(user_a, user_b, user_c, user_d)
|
|
expect(nested_group.direct_and_indirect_users).to contain_exactly(user_a, user_b, user_c)
|
|
expect(deep_nested_group.direct_and_indirect_users).to contain_exactly(user_a, user_b, user_c)
|
|
end
|
|
|
|
it 'does not return members of projects belonging to ancestor groups' do
|
|
expect(nested_group.direct_and_indirect_users).not_to include(user_d)
|
|
end
|
|
end
|
|
|
|
describe '#direct_and_indirect_users_with_inactive' do
|
|
let(:user_blocked_1) { create(:user, :blocked) }
|
|
let(:user_blocked_2) { create(:user, :blocked) }
|
|
let(:user_blocked_3) { create(:user, :blocked) }
|
|
let(:project_in_group) { create(:project, namespace: nested_group) }
|
|
|
|
before do
|
|
group.add_developer(user_blocked_1)
|
|
nested_group.add_developer(user_blocked_1)
|
|
deep_nested_group.add_developer(user_blocked_2)
|
|
project_in_group.add_developer(user_blocked_3)
|
|
end
|
|
|
|
it 'returns member users on every nest level without duplication' do
|
|
expect(group.direct_and_indirect_users_with_inactive).to contain_exactly(user_a, user_b, user_c, user_d, user_blocked_1, user_blocked_2, user_blocked_3)
|
|
expect(nested_group.direct_and_indirect_users_with_inactive).to contain_exactly(user_a, user_b, user_c, user_blocked_1, user_blocked_2, user_blocked_3)
|
|
expect(deep_nested_group.direct_and_indirect_users_with_inactive).to contain_exactly(user_a, user_b, user_c, user_blocked_1, user_blocked_2)
|
|
end
|
|
|
|
it 'returns members of projects belonging to group' do
|
|
expect(nested_group.direct_and_indirect_users_with_inactive).to include(user_blocked_3)
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#project_users_with_descendants' do
|
|
let(:user_a) { create(:user) }
|
|
let(:user_b) { create(:user) }
|
|
let(:user_c) { create(:user) }
|
|
|
|
let(:group) { create(:group) }
|
|
let(:nested_group) { create(:group, parent: group) }
|
|
let(:deep_nested_group) { create(:group, parent: nested_group) }
|
|
let(:project_a) { create(:project, namespace: group) }
|
|
let(:project_b) { create(:project, namespace: nested_group) }
|
|
let(:project_c) { create(:project, namespace: deep_nested_group) }
|
|
|
|
it 'returns members of all projects in group and subgroups' do
|
|
project_a.add_developer(user_a)
|
|
project_b.add_developer(user_b)
|
|
project_c.add_developer(user_c)
|
|
|
|
expect(group.project_users_with_descendants).to contain_exactly(user_a, user_b, user_c)
|
|
expect(nested_group.project_users_with_descendants).to contain_exactly(user_b, user_c)
|
|
expect(deep_nested_group.project_users_with_descendants).to contain_exactly(user_c)
|
|
end
|
|
end
|
|
|
|
describe '#refresh_members_authorized_projects' do
|
|
let_it_be(:group) { create(:group, :nested) }
|
|
let_it_be(:parent_group_user) { create(:user) }
|
|
let_it_be(:group_user) { create(:user) }
|
|
|
|
before do
|
|
group.parent.add_maintainer(parent_group_user)
|
|
group.add_developer(group_user)
|
|
end
|
|
|
|
context 'users for which authorizations refresh is executed' do
|
|
it 'processes authorizations refresh for all members of the group' do
|
|
expect(UserProjectAccessChangedService).to receive(:new).with(contain_exactly(group_user.id, parent_group_user.id)).and_call_original
|
|
|
|
group.refresh_members_authorized_projects
|
|
end
|
|
|
|
context 'when explicitly specified to run only for direct members' do
|
|
it 'processes authorizations refresh only for direct members of the group' do
|
|
expect(UserProjectAccessChangedService).to receive(:new).with(contain_exactly(group_user.id)).and_call_original
|
|
|
|
group.refresh_members_authorized_projects(direct_members_only: true)
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#users_ids_of_direct_members' do
|
|
let_it_be(:group) { create(:group, :nested) }
|
|
let_it_be(:parent_group_user) { create(:user) }
|
|
let_it_be(:group_user) { create(:user) }
|
|
|
|
before do
|
|
group.parent.add_maintainer(parent_group_user)
|
|
group.add_developer(group_user)
|
|
end
|
|
|
|
it 'does not return user ids of the members of the parent' do
|
|
expect(group.users_ids_of_direct_members).not_to include(parent_group_user.id)
|
|
end
|
|
|
|
it 'returns the user ids of the direct member of the group' do
|
|
expect(group.users_ids_of_direct_members).to include(group_user.id)
|
|
end
|
|
|
|
context 'group sharing' do
|
|
let!(:shared_group) { create(:group) }
|
|
|
|
before do
|
|
create(:group_group_link, shared_group: shared_group, shared_with_group: group)
|
|
end
|
|
|
|
it 'does not return the user ids of members of the shared_with group' do
|
|
expect(shared_group.users_ids_of_direct_members).not_to(
|
|
include(group_user.id))
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#user_ids_for_project_authorizations' do
|
|
it 'returns the user IDs for which to refresh authorizations' do
|
|
maintainer = create(:user)
|
|
developer = create(:user)
|
|
|
|
group.add_member(maintainer, GroupMember::MAINTAINER)
|
|
group.add_member(developer, GroupMember::DEVELOPER)
|
|
|
|
expect(group.user_ids_for_project_authorizations)
|
|
.to include(maintainer.id, developer.id)
|
|
end
|
|
|
|
context 'group sharing' do
|
|
let_it_be(:group) { create(:group) }
|
|
let_it_be(:group_user) { create(:user) }
|
|
let_it_be(:shared_group) { create(:group) }
|
|
|
|
before do
|
|
group.add_developer(group_user)
|
|
create(:group_group_link, shared_group: shared_group, shared_with_group: group)
|
|
end
|
|
|
|
it 'returns the user IDs for shared with group members' do
|
|
expect(shared_group.user_ids_for_project_authorizations).to(
|
|
include(group_user.id))
|
|
end
|
|
end
|
|
|
|
context 'distinct user ids' do
|
|
let_it_be(:subgroup) { create(:group, :nested) }
|
|
let_it_be(:user) { create(:user) }
|
|
let_it_be(:shared_with_group) { create(:group) }
|
|
let_it_be(:other_subgroup_user) { create(:user) }
|
|
|
|
before do
|
|
create(:group_group_link, shared_group: subgroup, shared_with_group: shared_with_group)
|
|
subgroup.add_maintainer(other_subgroup_user)
|
|
|
|
# `user` is added as a direct member of the parent group, the subgroup
|
|
# and another group shared with the subgroup.
|
|
subgroup.parent.add_maintainer(user)
|
|
subgroup.add_developer(user)
|
|
shared_with_group.add_guest(user)
|
|
end
|
|
|
|
it 'returns only distinct user ids of users for which to refresh authorizations' do
|
|
expect(subgroup.user_ids_for_project_authorizations).to(
|
|
contain_exactly(user.id, other_subgroup_user.id))
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#update_two_factor_requirement' do
|
|
let(:user) { create(:user) }
|
|
|
|
context 'group membership' do
|
|
before do
|
|
group.add_member(user, GroupMember::OWNER)
|
|
end
|
|
|
|
it 'is called when require_two_factor_authentication is changed' do
|
|
expect_any_instance_of(User).to receive(:update_two_factor_requirement)
|
|
|
|
group.update!(require_two_factor_authentication: true)
|
|
end
|
|
|
|
it 'is called when two_factor_grace_period is changed' do
|
|
expect_any_instance_of(User).to receive(:update_two_factor_requirement)
|
|
|
|
group.update!(two_factor_grace_period: 23)
|
|
end
|
|
|
|
it 'is not called when other attributes are changed' do
|
|
expect_any_instance_of(User).not_to receive(:update_two_factor_requirement)
|
|
|
|
group.update!(description: 'foobar')
|
|
end
|
|
|
|
it 'calls #update_two_factor_requirement on each group member' do
|
|
other_user = create(:user)
|
|
group.add_member(other_user, GroupMember::OWNER)
|
|
|
|
calls = 0
|
|
allow_any_instance_of(User).to receive(:update_two_factor_requirement) do
|
|
calls += 1
|
|
end
|
|
|
|
group.update!(require_two_factor_authentication: true, two_factor_grace_period: 23)
|
|
|
|
expect(calls).to eq 2
|
|
end
|
|
end
|
|
|
|
context 'sub groups and projects' do
|
|
it 'enables two_factor_requirement for group member' do
|
|
group.add_member(user, GroupMember::OWNER)
|
|
|
|
group.update!(require_two_factor_authentication: true)
|
|
|
|
expect(user.reload.require_two_factor_authentication_from_group).to be_truthy
|
|
end
|
|
|
|
context 'expanded group members' do
|
|
let(:indirect_user) { create(:user) }
|
|
|
|
context 'two_factor_requirement is enabled' do
|
|
context 'two_factor_requirement is also enabled for ancestor group' do
|
|
it 'enables two_factor_requirement for subgroup member' do
|
|
subgroup = create(:group, :nested, parent: group)
|
|
subgroup.add_member(indirect_user, GroupMember::OWNER)
|
|
|
|
group.update!(require_two_factor_authentication: true)
|
|
|
|
expect(indirect_user.reload.require_two_factor_authentication_from_group).to be_truthy
|
|
end
|
|
end
|
|
|
|
context 'two_factor_requirement is disabled for ancestor group' do
|
|
it 'enables two_factor_requirement for subgroup member' do
|
|
subgroup = create(:group, :nested, parent: group, require_two_factor_authentication: true)
|
|
subgroup.add_member(indirect_user, GroupMember::OWNER)
|
|
|
|
group.update!(require_two_factor_authentication: false)
|
|
|
|
expect(indirect_user.reload.require_two_factor_authentication_from_group).to be_truthy
|
|
end
|
|
|
|
it 'enable two_factor_requirement for ancestor group member' do
|
|
ancestor_group = create(:group)
|
|
ancestor_group.add_member(indirect_user, GroupMember::OWNER)
|
|
group.update!(parent: ancestor_group)
|
|
|
|
group.update!(require_two_factor_authentication: true)
|
|
|
|
expect(indirect_user.reload.require_two_factor_authentication_from_group).to be_truthy
|
|
end
|
|
end
|
|
end
|
|
|
|
context 'two_factor_requirement is disabled' do
|
|
context 'two_factor_requirement is enabled for ancestor group' do
|
|
it 'enables two_factor_requirement for subgroup member' do
|
|
subgroup = create(:group, :nested, parent: group)
|
|
subgroup.add_member(indirect_user, GroupMember::OWNER)
|
|
|
|
group.update!(require_two_factor_authentication: true)
|
|
|
|
expect(indirect_user.reload.require_two_factor_authentication_from_group).to be_truthy
|
|
end
|
|
end
|
|
|
|
context 'two_factor_requirement is also disabled for ancestor group' do
|
|
it 'disables two_factor_requirement for subgroup member' do
|
|
subgroup = create(:group, :nested, parent: group)
|
|
subgroup.add_member(indirect_user, GroupMember::OWNER)
|
|
|
|
group.update!(require_two_factor_authentication: false)
|
|
|
|
expect(indirect_user.reload.require_two_factor_authentication_from_group).to be_falsey
|
|
end
|
|
|
|
it 'disables two_factor_requirement for ancestor group member' do
|
|
ancestor_group = create(:group, require_two_factor_authentication: false)
|
|
indirect_user.update!(require_two_factor_authentication_from_group: true)
|
|
ancestor_group.add_member(indirect_user, GroupMember::OWNER)
|
|
|
|
group.update!(require_two_factor_authentication: false)
|
|
|
|
expect(indirect_user.reload.require_two_factor_authentication_from_group).to be_falsey
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
context 'project members' do
|
|
it 'does not enable two_factor_requirement for child project member' do
|
|
project = create(:project, group: group)
|
|
project.add_maintainer(user)
|
|
|
|
group.update!(require_two_factor_authentication: true)
|
|
|
|
expect(user.reload.require_two_factor_authentication_from_group).to be_falsey
|
|
end
|
|
|
|
it 'does not enable two_factor_requirement for subgroup child project member' do
|
|
subgroup = create(:group, :nested, parent: group)
|
|
project = create(:project, group: subgroup)
|
|
project.add_maintainer(user)
|
|
|
|
group.update!(require_two_factor_authentication: true)
|
|
|
|
expect(user.reload.require_two_factor_authentication_from_group).to be_falsey
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#path_changed_hook' do
|
|
let(:system_hook_service) { SystemHooksService.new }
|
|
|
|
context 'for a new group' do
|
|
let(:group) { build(:group) }
|
|
|
|
before do
|
|
expect(group).to receive(:system_hook_service).and_return(system_hook_service)
|
|
end
|
|
|
|
it 'does not trigger system hook' do
|
|
expect(system_hook_service).to receive(:execute_hooks_for).with(group, :create)
|
|
|
|
group.save!
|
|
end
|
|
end
|
|
|
|
context 'for an existing group' do
|
|
let(:group) { create(:group, path: 'old-path') }
|
|
|
|
context 'when the path is changed' do
|
|
let(:new_path) { 'very-new-path' }
|
|
|
|
it 'triggers the rename system hook' do
|
|
expect(group).to receive(:system_hook_service).and_return(system_hook_service)
|
|
expect(system_hook_service).to receive(:execute_hooks_for).with(group, :rename)
|
|
|
|
group.update!(path: new_path)
|
|
end
|
|
end
|
|
|
|
context 'when the path is not changed' do
|
|
it 'does not trigger system hook' do
|
|
expect(group).not_to receive(:system_hook_service)
|
|
|
|
group.update!(name: 'new name')
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#ci_variables_for' do
|
|
let(:project) { create(:project, group: group) }
|
|
let(:environment_scope) { '*' }
|
|
|
|
let!(:ci_variable) do
|
|
create(:ci_group_variable, value: 'secret', group: group, environment_scope: environment_scope)
|
|
end
|
|
|
|
let!(:protected_variable) do
|
|
create(:ci_group_variable, :protected, value: 'protected', group: group)
|
|
end
|
|
|
|
subject { group.ci_variables_for('ref', project) }
|
|
|
|
it 'memoizes the result by ref and environment', :request_store do
|
|
scoped_variable = create(:ci_group_variable, value: 'secret', group: group, environment_scope: 'scoped')
|
|
|
|
expect(project).to receive(:protected_for?).with('ref').once.and_return(true)
|
|
expect(project).to receive(:protected_for?).with('other').twice.and_return(false)
|
|
|
|
2.times do
|
|
expect(group.ci_variables_for('ref', project, environment: 'production')).to contain_exactly(ci_variable, protected_variable)
|
|
expect(group.ci_variables_for('other', project)).to contain_exactly(ci_variable)
|
|
expect(group.ci_variables_for('other', project, environment: 'scoped')).to contain_exactly(ci_variable, scoped_variable)
|
|
end
|
|
end
|
|
|
|
shared_examples 'ref is protected' do
|
|
it 'contains all the variables' do
|
|
is_expected.to contain_exactly(ci_variable, protected_variable)
|
|
end
|
|
end
|
|
|
|
context 'when the ref is not protected' do
|
|
before do
|
|
stub_application_setting(
|
|
default_branch_protection: Gitlab::Access::PROTECTION_NONE)
|
|
end
|
|
|
|
it 'contains only the CI variables' do
|
|
is_expected.to contain_exactly(ci_variable)
|
|
end
|
|
end
|
|
|
|
context 'when the ref is a protected branch' do
|
|
before do
|
|
allow(project).to receive(:protected_for?).with('ref').and_return(true)
|
|
end
|
|
|
|
it_behaves_like 'ref is protected'
|
|
end
|
|
|
|
context 'when the ref is a protected tag' do
|
|
before do
|
|
allow(project).to receive(:protected_for?).with('ref').and_return(true)
|
|
end
|
|
|
|
it_behaves_like 'ref is protected'
|
|
end
|
|
|
|
context 'when environment name is specified' do
|
|
let(:environment) { 'review/name' }
|
|
|
|
subject do
|
|
group.ci_variables_for('ref', project, environment: environment)
|
|
end
|
|
|
|
context 'when environment scope is exactly matched' do
|
|
let(:environment_scope) { 'review/name' }
|
|
|
|
it { is_expected.to contain_exactly(ci_variable) }
|
|
end
|
|
|
|
context 'when environment scope is matched by wildcard' do
|
|
let(:environment_scope) { 'review/*' }
|
|
|
|
it { is_expected.to contain_exactly(ci_variable) }
|
|
end
|
|
|
|
context 'when environment scope does not match' do
|
|
let(:environment_scope) { 'review/*/special' }
|
|
|
|
it { is_expected.not_to contain_exactly(ci_variable) }
|
|
end
|
|
|
|
context 'when environment scope has _' do
|
|
let(:environment_scope) { '*_*' }
|
|
|
|
it 'does not treat it as wildcard' do
|
|
is_expected.not_to contain_exactly(ci_variable)
|
|
end
|
|
|
|
context 'when environment name contains underscore' do
|
|
let(:environment) { 'foo_bar/test' }
|
|
let(:environment_scope) { 'foo_bar/*' }
|
|
|
|
it 'matches literally for _' do
|
|
is_expected.to contain_exactly(ci_variable)
|
|
end
|
|
end
|
|
end
|
|
|
|
# The environment name and scope cannot have % at the moment,
|
|
# but we're considering relaxing it and we should also make sure
|
|
# it doesn't break in case some data sneaked in somehow as we're
|
|
# not checking this integrity in database level.
|
|
context 'when environment scope has %' do
|
|
it 'does not treat it as wildcard' do
|
|
ci_variable.update_attribute(:environment_scope, '*%*')
|
|
|
|
is_expected.not_to contain_exactly(ci_variable)
|
|
end
|
|
|
|
context 'when environment name contains a percent' do
|
|
let(:environment) { 'foo%bar/test' }
|
|
|
|
it 'matches literally for %' do
|
|
ci_variable.update_attribute(:environment_scope, 'foo%bar/*')
|
|
|
|
is_expected.to contain_exactly(ci_variable)
|
|
end
|
|
end
|
|
end
|
|
|
|
context 'when variables with the same name have different environment scopes' do
|
|
let!(:partially_matched_variable) do
|
|
create(:ci_group_variable,
|
|
key: ci_variable.key,
|
|
value: 'partial',
|
|
environment_scope: 'review/*',
|
|
group: group)
|
|
end
|
|
|
|
let!(:perfectly_matched_variable) do
|
|
create(:ci_group_variable,
|
|
key: ci_variable.key,
|
|
value: 'prefect',
|
|
environment_scope: 'review/name',
|
|
group: group)
|
|
end
|
|
|
|
it 'puts variables matching environment scope more in the end' do
|
|
is_expected.to eq(
|
|
[ci_variable,
|
|
partially_matched_variable,
|
|
perfectly_matched_variable])
|
|
end
|
|
end
|
|
end
|
|
|
|
context 'when group has children' do
|
|
let(:group_child) { create(:group, parent: group) }
|
|
let(:group_child_2) { create(:group, parent: group_child) }
|
|
let(:group_child_3) { create(:group, parent: group_child_2) }
|
|
let(:variable_child) { create(:ci_group_variable, group: group_child) }
|
|
let(:variable_child_2) { create(:ci_group_variable, group: group_child_2) }
|
|
let(:variable_child_3) { create(:ci_group_variable, group: group_child_3) }
|
|
|
|
before do
|
|
allow(project).to receive(:protected_for?).with('ref').and_return(true)
|
|
end
|
|
|
|
context 'traversal queries' do
|
|
shared_examples 'correct ancestor order' do
|
|
it 'returns all variables belong to the group and parent groups' do
|
|
expected_array1 = [protected_variable, ci_variable]
|
|
expected_array2 = [variable_child, variable_child_2, variable_child_3]
|
|
got_array = group_child_3.ci_variables_for('ref', project).to_a
|
|
|
|
expect(got_array.shift(2)).to contain_exactly(*expected_array1)
|
|
expect(got_array).to eq(expected_array2)
|
|
end
|
|
end
|
|
|
|
context 'recursive' do
|
|
before do
|
|
stub_feature_flags(use_traversal_ids: false)
|
|
end
|
|
|
|
include_examples 'correct ancestor order'
|
|
end
|
|
|
|
context 'linear' do
|
|
before do
|
|
stub_feature_flags(use_traversal_ids: true)
|
|
|
|
group_child_3.reload # make sure traversal_ids are reloaded
|
|
end
|
|
|
|
include_examples 'correct ancestor order'
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#highest_group_member' do
|
|
let(:nested_group) { create(:group, parent: group) }
|
|
let(:nested_group_2) { create(:group, parent: nested_group) }
|
|
let(:user) { create(:user) }
|
|
|
|
subject(:highest_group_member) { nested_group_2.highest_group_member(user) }
|
|
|
|
context 'when the user is not a member of any group in the hierarchy' do
|
|
it 'returns nil' do
|
|
expect(highest_group_member).to be_nil
|
|
end
|
|
end
|
|
|
|
context 'when the user is only a member of one group in the hierarchy' do
|
|
before do
|
|
nested_group.add_developer(user)
|
|
end
|
|
|
|
it 'returns that group member' do
|
|
expect(highest_group_member.access_level).to eq(Gitlab::Access::DEVELOPER)
|
|
end
|
|
end
|
|
|
|
context 'when the user is a member of several groups in the hierarchy' do
|
|
before do
|
|
group.add_owner(user)
|
|
nested_group.add_developer(user)
|
|
nested_group_2.add_maintainer(user)
|
|
end
|
|
|
|
it 'returns the group member with the highest access level' do
|
|
expect(highest_group_member.access_level).to eq(Gitlab::Access::OWNER)
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#bots' do
|
|
subject { group.bots }
|
|
|
|
let_it_be(:group) { create(:group) }
|
|
let_it_be(:project_bot) { create(:user, :project_bot) }
|
|
let_it_be(:user) { create(:user) }
|
|
|
|
before_all do
|
|
[project_bot, user].each do |member|
|
|
group.add_maintainer(member)
|
|
end
|
|
end
|
|
|
|
it { is_expected.to contain_exactly(project_bot) }
|
|
it { is_expected.not_to include(user) }
|
|
end
|
|
|
|
describe '#related_group_ids' do
|
|
let(:nested_group) { create(:group, parent: group) }
|
|
let(:shared_with_group) { create(:group, parent: group) }
|
|
|
|
before do
|
|
create(:group_group_link, shared_group: nested_group,
|
|
shared_with_group: shared_with_group)
|
|
end
|
|
|
|
subject(:related_group_ids) { nested_group.related_group_ids }
|
|
|
|
it 'returns id' do
|
|
expect(related_group_ids).to include(nested_group.id)
|
|
end
|
|
|
|
it 'returns ancestor id' do
|
|
expect(related_group_ids).to include(group.id)
|
|
end
|
|
|
|
it 'returns shared with group id' do
|
|
expect(related_group_ids).to include(shared_with_group.id)
|
|
end
|
|
|
|
context 'with more than one ancestor group' do
|
|
let(:ancestor_group) { create(:group) }
|
|
|
|
before do
|
|
group.update!(parent: ancestor_group)
|
|
end
|
|
|
|
it 'returns all ancestor group ids' do
|
|
expect(related_group_ids).to(
|
|
include(group.id, ancestor_group.id))
|
|
end
|
|
end
|
|
|
|
context 'with more than one shared with group' do
|
|
let(:another_shared_with_group) { create(:group, parent: group) }
|
|
|
|
before do
|
|
create(:group_group_link, shared_group: nested_group,
|
|
shared_with_group: another_shared_with_group)
|
|
end
|
|
|
|
it 'returns all shared with group ids' do
|
|
expect(related_group_ids).to(
|
|
include(shared_with_group.id, another_shared_with_group.id))
|
|
end
|
|
end
|
|
end
|
|
|
|
context 'with uploads' do
|
|
it_behaves_like 'model with uploads', true do
|
|
let(:model_object) { create(:group, :with_avatar) }
|
|
let(:upload_attribute) { :avatar }
|
|
let(:uploader_class) { AttachmentUploader }
|
|
end
|
|
end
|
|
|
|
describe '#first_auto_devops_config' do
|
|
using RSpec::Parameterized::TableSyntax
|
|
|
|
let(:group) { create(:group) }
|
|
|
|
subject(:fetch_config) { group.first_auto_devops_config }
|
|
|
|
where(:instance_value, :group_value, :config) do
|
|
# Instance level enabled
|
|
true | nil | { status: true, scope: :instance }
|
|
true | true | { status: true, scope: :group }
|
|
true | false | { status: false, scope: :group }
|
|
|
|
# Instance level disabled
|
|
false | nil | { status: false, scope: :instance }
|
|
false | true | { status: true, scope: :group }
|
|
false | false | { status: false, scope: :group }
|
|
end
|
|
|
|
with_them do
|
|
before do
|
|
stub_application_setting(auto_devops_enabled: instance_value)
|
|
|
|
group.update_attribute(:auto_devops_enabled, group_value)
|
|
end
|
|
|
|
it { is_expected.to eq(config) }
|
|
end
|
|
|
|
context 'with parent groups' do
|
|
let(:parent) { create(:group) }
|
|
|
|
where(:instance_value, :parent_value, :group_value, :config) do
|
|
# Instance level enabled
|
|
true | nil | nil | { status: true, scope: :instance }
|
|
true | nil | true | { status: true, scope: :group }
|
|
true | nil | false | { status: false, scope: :group }
|
|
|
|
true | true | nil | { status: true, scope: :group }
|
|
true | true | true | { status: true, scope: :group }
|
|
true | true | false | { status: false, scope: :group }
|
|
|
|
true | false | nil | { status: false, scope: :group }
|
|
true | false | true | { status: true, scope: :group }
|
|
true | false | false | { status: false, scope: :group }
|
|
|
|
# Instance level disable
|
|
false | nil | nil | { status: false, scope: :instance }
|
|
false | nil | true | { status: true, scope: :group }
|
|
false | nil | false | { status: false, scope: :group }
|
|
|
|
false | true | nil | { status: true, scope: :group }
|
|
false | true | true | { status: true, scope: :group }
|
|
false | true | false | { status: false, scope: :group }
|
|
|
|
false | false | nil | { status: false, scope: :group }
|
|
false | false | true | { status: true, scope: :group }
|
|
false | false | false | { status: false, scope: :group }
|
|
end
|
|
|
|
with_them do
|
|
def define_cache_expectations(cache_key)
|
|
if group_value.nil?
|
|
expect(Rails.cache).to receive(:fetch).with(start_with(cache_key), expires_in: 1.day)
|
|
else
|
|
expect(Rails.cache).not_to receive(:fetch).with(start_with(cache_key), expires_in: 1.day)
|
|
end
|
|
end
|
|
|
|
before do
|
|
stub_application_setting(auto_devops_enabled: instance_value)
|
|
|
|
group.update!(
|
|
auto_devops_enabled: group_value,
|
|
parent: parent
|
|
)
|
|
parent.update!(auto_devops_enabled: parent_value)
|
|
|
|
group.reload # Reload so we get the populated traversal IDs
|
|
end
|
|
|
|
it { is_expected.to eq(config) }
|
|
|
|
it 'caches the parent config when group auto_devops_enabled is nil' do
|
|
cache_key = "namespaces:{#{group.traversal_ids.first}}:first_auto_devops_config:#{group.id}"
|
|
define_cache_expectations(cache_key)
|
|
|
|
fetch_config
|
|
end
|
|
end
|
|
|
|
context 'cache expiration' do
|
|
before do
|
|
group.update!(parent: parent)
|
|
|
|
reload_models(parent)
|
|
end
|
|
|
|
it 'clears both self and descendant cache when the parent value is updated' do
|
|
expect(Rails.cache).to receive(:delete_multi)
|
|
.with(
|
|
match_array([
|
|
start_with("namespaces:{#{parent.traversal_ids.first}}:first_auto_devops_config:#{parent.id}"),
|
|
start_with("namespaces:{#{parent.traversal_ids.first}}:first_auto_devops_config:#{group.id}")
|
|
])
|
|
)
|
|
|
|
parent.update!(auto_devops_enabled: true)
|
|
end
|
|
|
|
it 'only clears self cache when there are no dependents' do
|
|
expect(Rails.cache).to receive(:delete_multi)
|
|
.with([start_with("namespaces:{#{group.traversal_ids.first}}:first_auto_devops_config:#{group.id}")])
|
|
|
|
group.update!(auto_devops_enabled: true)
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#auto_devops_enabled?' do
|
|
subject { group.auto_devops_enabled? }
|
|
|
|
context 'when auto devops is explicitly enabled on group' do
|
|
let(:group) { create(:group, :auto_devops_enabled) }
|
|
|
|
it { is_expected.to be_truthy }
|
|
end
|
|
|
|
context 'when auto devops is explicitly disabled on group' do
|
|
let(:group) { create(:group, :auto_devops_disabled) }
|
|
|
|
it { is_expected.to be_falsy }
|
|
end
|
|
|
|
context 'when auto devops is implicitly enabled or disabled' do
|
|
before do
|
|
stub_application_setting(auto_devops_enabled: false)
|
|
|
|
group.update!(parent: parent_group)
|
|
end
|
|
|
|
context 'when auto devops is enabled on root group' do
|
|
let(:root_group) { create(:group, :auto_devops_enabled) }
|
|
let(:subgroup) { create(:group, parent: root_group) }
|
|
let(:parent_group) { create(:group, parent: subgroup) }
|
|
|
|
it { is_expected.to be_truthy }
|
|
end
|
|
|
|
context 'when auto devops is disabled on root group' do
|
|
let(:root_group) { create(:group, :auto_devops_disabled) }
|
|
let(:subgroup) { create(:group, parent: root_group) }
|
|
let(:parent_group) { create(:group, parent: subgroup) }
|
|
|
|
it { is_expected.to be_falsy }
|
|
end
|
|
|
|
context 'when auto devops is disabled on parent group and enabled on root group' do
|
|
let(:root_group) { create(:group, :auto_devops_enabled) }
|
|
let(:parent_group) { create(:group, :auto_devops_disabled, parent: root_group) }
|
|
|
|
it { is_expected.to be_falsy }
|
|
end
|
|
end
|
|
end
|
|
|
|
describe 'project_creation_level' do
|
|
it 'outputs the default one if it is nil' do
|
|
group = create(:group, project_creation_level: nil)
|
|
|
|
expect(group.project_creation_level).to eq(Gitlab::CurrentSettings.default_project_creation)
|
|
end
|
|
end
|
|
|
|
describe 'subgroup_creation_level' do
|
|
it 'defaults to maintainers' do
|
|
expect(group.subgroup_creation_level)
|
|
.to eq(Gitlab::Access::MAINTAINER_SUBGROUP_ACCESS)
|
|
end
|
|
end
|
|
|
|
describe '#access_request_approvers_to_be_notified' do
|
|
let_it_be(:group) { create(:group, :public) }
|
|
|
|
it 'returns a maximum of ten owners of the group in recent_sign_in descending order' do
|
|
limit = 2
|
|
stub_const("Member::ACCESS_REQUEST_APPROVERS_TO_BE_NOTIFIED_LIMIT", limit)
|
|
users = create_list(:user, limit + 1, :with_sign_ins)
|
|
active_owners = users.map do |user|
|
|
create(:group_member, :owner, group: group, user: user)
|
|
end
|
|
|
|
active_owners_in_recent_sign_in_desc_order = group.members_and_requesters
|
|
.id_in(active_owners)
|
|
.order_recent_sign_in.limit(limit)
|
|
|
|
expect(group.access_request_approvers_to_be_notified).to eq(active_owners_in_recent_sign_in_desc_order)
|
|
end
|
|
|
|
it 'returns active, non_invited, non_requested owners of the group' do
|
|
owner = create(:group_member, :owner, source: group)
|
|
|
|
create(:group_member, :maintainer, group: group)
|
|
create(:group_member, :owner, :invited, group: group)
|
|
create(:group_member, :owner, :access_request, group: group)
|
|
create(:group_member, :owner, :blocked, group: group)
|
|
|
|
expect(group.access_request_approvers_to_be_notified.to_a).to eq([owner])
|
|
end
|
|
end
|
|
|
|
describe '.groups_including_descendants_by' do
|
|
let_it_be(:parent_group1) { create(:group) }
|
|
let_it_be(:parent_group2) { create(:group) }
|
|
let_it_be(:extra_group) { create(:group) }
|
|
let_it_be(:child_group1) { create(:group, parent: parent_group1) }
|
|
let_it_be(:child_group2) { create(:group, parent: parent_group1) }
|
|
let_it_be(:child_group3) { create(:group, parent: parent_group2) }
|
|
|
|
subject { described_class.groups_including_descendants_by([parent_group2.id, parent_group1.id]) }
|
|
|
|
shared_examples 'returns the expected groups for a group and its descendants' do
|
|
specify { is_expected.to contain_exactly(parent_group1, parent_group2, child_group1, child_group2, child_group3) }
|
|
end
|
|
|
|
it_behaves_like 'returns the expected groups for a group and its descendants'
|
|
end
|
|
|
|
describe '.preset_root_ancestor_for' do
|
|
let_it_be(:rootgroup, reload: true) { create(:group) }
|
|
let_it_be(:subgroup, reload: true) { create(:group, parent: rootgroup) }
|
|
let_it_be(:subgroup2, reload: true) { create(:group, parent: subgroup) }
|
|
|
|
it 'does noting for single group' do
|
|
expect(subgroup).not_to receive(:self_and_ancestors)
|
|
|
|
described_class.preset_root_ancestor_for([subgroup])
|
|
end
|
|
|
|
it 'sets the same root_ancestor for multiple groups' do
|
|
expect(subgroup).not_to receive(:self_and_ancestors)
|
|
expect(subgroup2).not_to receive(:self_and_ancestors)
|
|
|
|
described_class.preset_root_ancestor_for([rootgroup, subgroup, subgroup2])
|
|
|
|
expect(subgroup.root_ancestor).to eq(rootgroup)
|
|
expect(subgroup2.root_ancestor).to eq(rootgroup)
|
|
end
|
|
end
|
|
|
|
describe '#update_shared_runners_setting!' do
|
|
context 'enabled' do
|
|
subject { group.update_shared_runners_setting!('enabled') }
|
|
|
|
context 'group that its ancestors have shared runners disabled' do
|
|
let_it_be(:parent, reload: true) { create(:group, :shared_runners_disabled) }
|
|
let_it_be(:group, reload: true) { create(:group, :shared_runners_disabled, parent: parent) }
|
|
let_it_be(:project, reload: true) { create(:project, shared_runners_enabled: false, group: group) }
|
|
|
|
it 'raises exception' do
|
|
expect { subject }
|
|
.to raise_error(ActiveRecord::RecordInvalid, 'Validation failed: Shared runners enabled cannot be enabled because parent group has shared Runners disabled')
|
|
end
|
|
|
|
it 'does not enable shared runners' do
|
|
expect do
|
|
subject rescue nil
|
|
|
|
parent.reload
|
|
group.reload
|
|
project.reload
|
|
end.to not_change { parent.shared_runners_enabled }
|
|
.and not_change { group.shared_runners_enabled }
|
|
.and not_change { project.shared_runners_enabled }
|
|
end
|
|
end
|
|
|
|
context 'root group with shared runners disabled' do
|
|
let_it_be(:group) { create(:group, :shared_runners_disabled) }
|
|
let_it_be(:sub_group) { create(:group, :shared_runners_disabled, parent: group) }
|
|
let_it_be(:project) { create(:project, shared_runners_enabled: false, group: sub_group) }
|
|
|
|
it 'enables shared Runners only for itself' do
|
|
expect { subject_and_reload(group, sub_group, project) }
|
|
.to change { group.shared_runners_enabled }.from(false).to(true)
|
|
.and not_change { sub_group.shared_runners_enabled }
|
|
.and not_change { project.shared_runners_enabled }
|
|
end
|
|
end
|
|
end
|
|
|
|
context 'disabled_and_unoverridable' do
|
|
let_it_be(:group) { create(:group) }
|
|
let_it_be(:sub_group) { create(:group, :shared_runners_disabled, :allow_descendants_override_disabled_shared_runners, parent: group) }
|
|
let_it_be(:sub_group_2) { create(:group, parent: group) }
|
|
let_it_be(:project) { create(:project, group: group, shared_runners_enabled: true) }
|
|
let_it_be(:project_2) { create(:project, group: sub_group_2, shared_runners_enabled: true) }
|
|
|
|
subject { group.update_shared_runners_setting!(Namespace::SR_DISABLED_AND_UNOVERRIDABLE) }
|
|
|
|
it 'disables shared Runners for all descendant groups and projects' do
|
|
expect { subject_and_reload(group, sub_group, sub_group_2, project, project_2) }
|
|
.to change { group.shared_runners_enabled }.from(true).to(false)
|
|
.and not_change { group.allow_descendants_override_disabled_shared_runners }
|
|
.and not_change { sub_group.shared_runners_enabled }
|
|
.and change { sub_group.allow_descendants_override_disabled_shared_runners }.from(true).to(false)
|
|
.and change { sub_group_2.shared_runners_enabled }.from(true).to(false)
|
|
.and not_change { sub_group_2.allow_descendants_override_disabled_shared_runners }
|
|
.and change { project.shared_runners_enabled }.from(true).to(false)
|
|
.and change { project_2.shared_runners_enabled }.from(true).to(false)
|
|
end
|
|
|
|
context 'with override on self' do
|
|
let_it_be(:group) { create(:group, :shared_runners_disabled, :allow_descendants_override_disabled_shared_runners) }
|
|
|
|
it 'disables it' do
|
|
expect { subject_and_reload(group) }
|
|
.to not_change { group.shared_runners_enabled }
|
|
.and change { group.allow_descendants_override_disabled_shared_runners }.from(true).to(false)
|
|
end
|
|
end
|
|
end
|
|
|
|
context 'disabled_with_override' do
|
|
subject { group.update_shared_runners_setting!(Namespace::SR_DISABLED_WITH_OVERRIDE) }
|
|
|
|
context 'top level group' do
|
|
let_it_be(:group) { create(:group, :shared_runners_disabled) }
|
|
let_it_be(:sub_group) { create(:group, :shared_runners_disabled, parent: group) }
|
|
let_it_be(:project) { create(:project, shared_runners_enabled: false, group: sub_group) }
|
|
|
|
it 'enables allow descendants to override only for itself' do
|
|
expect { subject_and_reload(group, sub_group, project) }
|
|
.to change { group.allow_descendants_override_disabled_shared_runners }.from(false).to(true)
|
|
.and not_change { group.shared_runners_enabled }
|
|
.and not_change { sub_group.allow_descendants_override_disabled_shared_runners }
|
|
.and not_change { sub_group.shared_runners_enabled }
|
|
.and not_change { project.shared_runners_enabled }
|
|
end
|
|
end
|
|
|
|
context 'group that its ancestors have shared Runners disabled but allows to override' do
|
|
let_it_be(:parent) { create(:group, :shared_runners_disabled, :allow_descendants_override_disabled_shared_runners) }
|
|
let_it_be(:group) { create(:group, :shared_runners_disabled, parent: parent) }
|
|
let_it_be(:project) { create(:project, shared_runners_enabled: false, group: group) }
|
|
|
|
it 'enables allow descendants to override' do
|
|
expect { subject_and_reload(parent, group, project) }
|
|
.to not_change { parent.allow_descendants_override_disabled_shared_runners }
|
|
.and not_change { parent.shared_runners_enabled }
|
|
.and change { group.allow_descendants_override_disabled_shared_runners }.from(false).to(true)
|
|
.and not_change { group.shared_runners_enabled }
|
|
.and not_change { project.shared_runners_enabled }
|
|
end
|
|
end
|
|
|
|
context 'when parent does not allow' do
|
|
let_it_be(:parent, reload: true) { create(:group, :shared_runners_disabled, allow_descendants_override_disabled_shared_runners: false ) }
|
|
let_it_be(:group, reload: true) { create(:group, :shared_runners_disabled, allow_descendants_override_disabled_shared_runners: false, parent: parent) }
|
|
|
|
it 'raises exception' do
|
|
expect { subject }
|
|
.to raise_error(ActiveRecord::RecordInvalid, 'Validation failed: Allow descendants override disabled shared runners cannot be enabled because parent group does not allow it')
|
|
end
|
|
|
|
it 'does not allow descendants to override' do
|
|
expect do
|
|
subject rescue nil
|
|
|
|
parent.reload
|
|
group.reload
|
|
end.to not_change { parent.allow_descendants_override_disabled_shared_runners }
|
|
.and not_change { parent.shared_runners_enabled }
|
|
.and not_change { group.allow_descendants_override_disabled_shared_runners }
|
|
.and not_change { group.shared_runners_enabled }
|
|
end
|
|
end
|
|
|
|
context 'top level group that has shared Runners enabled' do
|
|
let_it_be(:group) { create(:group, shared_runners_enabled: true) }
|
|
let_it_be(:sub_group) { create(:group, shared_runners_enabled: true, parent: group) }
|
|
let_it_be(:project) { create(:project, shared_runners_enabled: true, group: sub_group) }
|
|
|
|
it 'enables allow descendants to override & disables shared runners everywhere' do
|
|
expect { subject_and_reload(group, sub_group, project) }
|
|
.to change { group.shared_runners_enabled }.from(true).to(false)
|
|
.and change { group.allow_descendants_override_disabled_shared_runners }.from(false).to(true)
|
|
.and change { sub_group.shared_runners_enabled }.from(true).to(false)
|
|
.and change { project.shared_runners_enabled }.from(true).to(false)
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
describe "#default_branch_name" do
|
|
context "when group.namespace_settings does not have a default branch name" do
|
|
it "returns nil" do
|
|
expect(group.default_branch_name).to be_nil
|
|
end
|
|
end
|
|
|
|
context "when group.namespace_settings has a default branch name" do
|
|
let(:example_branch_name) { "example_branch_name" }
|
|
|
|
before do
|
|
allow(group.namespace_settings)
|
|
.to receive(:default_branch_name)
|
|
.and_return(example_branch_name)
|
|
end
|
|
|
|
it "returns the default branch name" do
|
|
expect(group.default_branch_name).to eq(example_branch_name)
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#membership_locked?' do
|
|
it 'returns false' do
|
|
expect(build(:group)).not_to be_membership_locked
|
|
end
|
|
end
|
|
|
|
describe '#first_owner' do
|
|
let(:group) { build(:group) }
|
|
|
|
context 'the group has owners' do
|
|
before do
|
|
group.add_owner(create(:user))
|
|
group.add_owner(create(:user))
|
|
end
|
|
|
|
it 'is the first owner' do
|
|
expect(group.first_owner)
|
|
.to eq(group.owners.first)
|
|
.and be_a(User)
|
|
end
|
|
end
|
|
|
|
context 'the group has a parent' do
|
|
let(:parent) { build(:group) }
|
|
|
|
before do
|
|
group.parent = parent
|
|
parent.add_owner(create(:user))
|
|
end
|
|
|
|
it 'is the first owner of the parent' do
|
|
expect(group.first_owner)
|
|
.to eq(parent.first_owner)
|
|
.and be_a(User)
|
|
end
|
|
end
|
|
|
|
context 'we fallback to group.owner' do
|
|
before do
|
|
group.owner = build(:user)
|
|
end
|
|
|
|
it 'is the group.owner' do
|
|
expect(group.first_owner)
|
|
.to eq(group.owner)
|
|
.and be_a(User)
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#parent_allows_two_factor_authentication?' do
|
|
it 'returns true for top-level group' do
|
|
expect(group.parent_allows_two_factor_authentication?).to eq(true)
|
|
end
|
|
|
|
context 'for subgroup' do
|
|
let(:subgroup) { create(:group, parent: group) }
|
|
|
|
it 'returns true if parent group allows two factor authentication for its descendants' do
|
|
expect(subgroup.parent_allows_two_factor_authentication?).to eq(true)
|
|
end
|
|
|
|
it 'returns true if parent group allows two factor authentication for its descendants' do
|
|
group.namespace_settings.update!(allow_mfa_for_subgroups: false)
|
|
|
|
expect(subgroup.parent_allows_two_factor_authentication?).to eq(false)
|
|
end
|
|
end
|
|
end
|
|
|
|
describe 'has_project_with_service_desk_enabled?' do
|
|
let_it_be(:group) { create(:group, :private) }
|
|
|
|
subject { group.has_project_with_service_desk_enabled? }
|
|
|
|
before do
|
|
allow(Gitlab::ServiceDesk).to receive(:supported?).and_return(true)
|
|
end
|
|
|
|
context 'when service desk is enabled' do
|
|
context 'for top level group' do
|
|
let_it_be(:project) { create(:project, group: group, service_desk_enabled: true) }
|
|
|
|
it { is_expected.to eq(true) }
|
|
|
|
context 'when service desk is not supported' do
|
|
before do
|
|
allow(Gitlab::ServiceDesk).to receive(:supported?).and_return(false)
|
|
end
|
|
|
|
it { is_expected.to eq(false) }
|
|
end
|
|
end
|
|
|
|
context 'for subgroup project' do
|
|
let_it_be(:subgroup) { create(:group, :private, parent: group)}
|
|
let_it_be(:project) { create(:project, group: subgroup, service_desk_enabled: true) }
|
|
|
|
it { is_expected.to eq(true) }
|
|
end
|
|
end
|
|
|
|
context 'when none of group child projects has service desk enabled' do
|
|
let_it_be(:project) { create(:project, group: group, service_desk_enabled: false) }
|
|
|
|
before do
|
|
project.update!(service_desk_enabled: false)
|
|
end
|
|
|
|
it { is_expected.to eq(false) }
|
|
end
|
|
end
|
|
|
|
describe 'with Debian Distributions' do
|
|
subject { create(:group) }
|
|
|
|
it_behaves_like 'model with Debian distributions'
|
|
end
|
|
|
|
describe '.ids_with_disabled_email' do
|
|
let_it_be(:parent_1) { create(:group, emails_disabled: true) }
|
|
let_it_be(:child_1) { create(:group, parent: parent_1) }
|
|
|
|
let_it_be(:parent_2) { create(:group, emails_disabled: false) }
|
|
let_it_be(:child_2) { create(:group, parent: parent_2) }
|
|
|
|
let_it_be(:other_group) { create(:group, emails_disabled: false) }
|
|
|
|
shared_examples 'returns namespaces with disabled email' do
|
|
subject(:group_ids_where_email_is_disabled) { described_class.ids_with_disabled_email([child_1, child_2, other_group]) }
|
|
|
|
it { is_expected.to eq(Set.new([child_1.id])) }
|
|
end
|
|
|
|
it_behaves_like 'returns namespaces with disabled email'
|
|
end
|
|
|
|
describe '.timelogs' do
|
|
let(:project) { create(:project, namespace: group) }
|
|
let(:issue) { create(:issue, project: project) }
|
|
let(:other_project) { create(:project, namespace: create(:group)) }
|
|
let(:other_issue) { create(:issue, project: other_project) }
|
|
|
|
let!(:timelog1) { create(:timelog, issue: issue) }
|
|
let!(:timelog2) { create(:timelog, issue: other_issue) }
|
|
let!(:timelog3) { create(:timelog, issue: issue) }
|
|
|
|
it 'returns timelogs belonging to the group' do
|
|
expect(group.timelogs).to contain_exactly(timelog1, timelog3)
|
|
end
|
|
end
|
|
|
|
describe '.organizations' do
|
|
it 'returns organizations belonging to the group' do
|
|
organization1 = create(:organization, group: group)
|
|
create(:organization)
|
|
organization3 = create(:organization, group: group)
|
|
|
|
expect(group.organizations).to contain_exactly(organization1, organization3)
|
|
end
|
|
end
|
|
|
|
describe '.contacts' do
|
|
it 'returns contacts belonging to the group' do
|
|
contact1 = create(:contact, group: group)
|
|
create(:contact)
|
|
contact3 = create(:contact, group: group)
|
|
|
|
expect(group.contacts).to contain_exactly(contact1, contact3)
|
|
end
|
|
end
|
|
|
|
describe '#to_ability_name' do
|
|
it 'returns group' do
|
|
group = build(:group)
|
|
|
|
expect(group.to_ability_name).to eq('group')
|
|
end
|
|
end
|
|
|
|
describe '#activity_path' do
|
|
it 'returns the group activity_path' do
|
|
expected_path = "/groups/#{group.name}/-/activity"
|
|
|
|
expect(group.activity_path).to eq(expected_path)
|
|
end
|
|
end
|
|
|
|
context 'with export' do
|
|
let(:group) { create(:group, :with_export) }
|
|
|
|
it '#export_file_exists? returns true' do
|
|
expect(group.export_file_exists?).to be true
|
|
end
|
|
|
|
it '#export_archive_exists? returns true' do
|
|
expect(group.export_archive_exists?).to be true
|
|
end
|
|
end
|
|
|
|
describe '#open_issues_count', :aggregate_failures do
|
|
let(:group) { build(:group) }
|
|
|
|
it 'provides the issue count' do
|
|
expect(group.open_issues_count).to eq 0
|
|
end
|
|
|
|
it 'invokes the count service with current_user' do
|
|
user = build(:user)
|
|
count_service = instance_double(Groups::OpenIssuesCountService)
|
|
expect(Groups::OpenIssuesCountService).to receive(:new).with(group, user).and_return(count_service)
|
|
expect(count_service).to receive(:count)
|
|
|
|
group.open_issues_count(user)
|
|
end
|
|
|
|
it 'invokes the count service with no current_user' do
|
|
count_service = instance_double(Groups::OpenIssuesCountService)
|
|
expect(Groups::OpenIssuesCountService).to receive(:new).with(group, nil).and_return(count_service)
|
|
expect(count_service).to receive(:count)
|
|
|
|
group.open_issues_count
|
|
end
|
|
end
|
|
|
|
describe '#open_merge_requests_count', :aggregate_failures do
|
|
let(:group) { build(:group) }
|
|
|
|
it 'provides the merge request count' do
|
|
expect(group.open_merge_requests_count).to eq 0
|
|
end
|
|
|
|
it 'invokes the count service with current_user' do
|
|
user = build(:user)
|
|
count_service = instance_double(Groups::MergeRequestsCountService)
|
|
expect(Groups::MergeRequestsCountService).to receive(:new).with(group, user).and_return(count_service)
|
|
expect(count_service).to receive(:count)
|
|
|
|
group.open_merge_requests_count(user)
|
|
end
|
|
|
|
it 'invokes the count service with no current_user' do
|
|
count_service = instance_double(Groups::MergeRequestsCountService)
|
|
expect(Groups::MergeRequestsCountService).to receive(:new).with(group, nil).and_return(count_service)
|
|
expect(count_service).to receive(:count)
|
|
|
|
group.open_merge_requests_count
|
|
end
|
|
end
|
|
|
|
describe '#dependency_proxy_image_prefix' do
|
|
let_it_be(:group) { build_stubbed(:group, path: 'GroupWithUPPERcaseLetters') }
|
|
|
|
it 'converts uppercase letters to lowercase' do
|
|
expect(group.dependency_proxy_image_prefix).to end_with("/groupwithuppercaseletters#{DependencyProxy::URL_SUFFIX}")
|
|
end
|
|
|
|
it 'removes the protocol' do
|
|
expect(group.dependency_proxy_image_prefix).not_to include('http')
|
|
end
|
|
|
|
it 'does not include /groups' do
|
|
expect(group.dependency_proxy_image_prefix).not_to include('/groups')
|
|
end
|
|
end
|
|
|
|
describe '#dependency_proxy_image_ttl_policy' do
|
|
subject(:ttl_policy) { group.dependency_proxy_image_ttl_policy }
|
|
|
|
it 'builds a new policy if one does not exist', :aggregate_failures do
|
|
expect(ttl_policy.ttl).to eq(90)
|
|
expect(ttl_policy.enabled).to eq(false)
|
|
expect(ttl_policy.created_at).to be_nil
|
|
expect(ttl_policy.updated_at).to be_nil
|
|
end
|
|
|
|
context 'with existing policy' do
|
|
before do
|
|
group.dependency_proxy_image_ttl_policy.update!(ttl: 30, enabled: true)
|
|
end
|
|
|
|
it 'returns the policy if it already exists', :aggregate_failures do
|
|
expect(ttl_policy.ttl).to eq(30)
|
|
expect(ttl_policy.enabled).to eq(true)
|
|
expect(ttl_policy.created_at).not_to be_nil
|
|
expect(ttl_policy.updated_at).not_to be_nil
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#dependency_proxy_setting' do
|
|
subject(:setting) { group.dependency_proxy_setting }
|
|
|
|
it 'builds a new policy if one does not exist', :aggregate_failures do
|
|
expect(setting.enabled).to eq(true)
|
|
expect(setting).not_to be_persisted
|
|
end
|
|
|
|
context 'with existing policy' do
|
|
before do
|
|
group.dependency_proxy_setting.update!(enabled: false)
|
|
end
|
|
|
|
it 'returns the policy if it already exists', :aggregate_failures do
|
|
expect(setting.enabled).to eq(false)
|
|
expect(setting).to be_persisted
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#crm_enabled?' do
|
|
it 'returns false where no crm_settings exist' do
|
|
expect(group.crm_enabled?).to be_falsey
|
|
end
|
|
|
|
it 'returns false where crm_settings.state is disabled' do
|
|
create(:crm_settings, enabled: false, group: group)
|
|
|
|
expect(group.crm_enabled?).to be_falsey
|
|
end
|
|
|
|
it 'returns true where crm_settings.state is enabled' do
|
|
create(:crm_settings, enabled: true, group: group)
|
|
|
|
expect(group.crm_enabled?).to be_truthy
|
|
end
|
|
|
|
it 'returns true where crm_settings.state is enabled for subgroup' do
|
|
subgroup = create(:group, :crm_enabled, parent: group)
|
|
|
|
expect(subgroup.crm_enabled?).to be_truthy
|
|
end
|
|
end
|
|
|
|
describe '.get_ids_by_ids_or_paths' do
|
|
let(:group_path) { 'group_path' }
|
|
let!(:group) { create(:group, path: group_path) }
|
|
let(:group_id) { group.id }
|
|
|
|
it 'returns ids matching records based on paths' do
|
|
expect(described_class.get_ids_by_ids_or_paths(nil, [group_path])).to match_array([group_id])
|
|
end
|
|
|
|
it 'returns ids matching records based on ids' do
|
|
expect(described_class.get_ids_by_ids_or_paths([group_id], nil)).to match_array([group_id])
|
|
end
|
|
|
|
it 'returns ids matching records based on both paths and ids' do
|
|
new_group_id = create(:group).id
|
|
|
|
expect(described_class.get_ids_by_ids_or_paths([new_group_id], [group_path])).to match_array([group_id, new_group_id])
|
|
end
|
|
end
|
|
|
|
describe '#shared_with_group_links_visible_to_user' do
|
|
let_it_be(:admin) { create :admin }
|
|
let_it_be(:normal_user) { create :user }
|
|
let_it_be(:user_with_access) { create :user }
|
|
let_it_be(:user_with_parent_access) { create :user }
|
|
let_it_be(:user_without_access) { create :user }
|
|
let_it_be(:shared_group) { create :group }
|
|
let_it_be(:parent_group) { create :group, :private }
|
|
let_it_be(:shared_with_private_group) { create :group, :private, parent: parent_group }
|
|
let_it_be(:shared_with_internal_group) { create :group, :internal }
|
|
let_it_be(:shared_with_public_group) { create :group, :public }
|
|
let_it_be(:private_group_group_link) { create(:group_group_link, shared_group: shared_group, shared_with_group: shared_with_private_group) }
|
|
let_it_be(:internal_group_group_link) { create(:group_group_link, shared_group: shared_group, shared_with_group: shared_with_internal_group) }
|
|
let_it_be(:public_group_group_link) { create(:group_group_link, shared_group: shared_group, shared_with_group: shared_with_public_group) }
|
|
|
|
before do
|
|
shared_with_private_group.add_developer(user_with_access)
|
|
parent_group.add_developer(user_with_parent_access)
|
|
end
|
|
|
|
context 'when user is admin', :enable_admin_mode do
|
|
it 'returns all existing shared group links' do
|
|
expect(shared_group.shared_with_group_links_visible_to_user(admin)).to contain_exactly(private_group_group_link, internal_group_group_link, public_group_group_link)
|
|
end
|
|
end
|
|
|
|
context 'when user is nil' do
|
|
it 'returns only link of public shared group' do
|
|
expect(shared_group.shared_with_group_links_visible_to_user(nil)).to contain_exactly(public_group_group_link)
|
|
end
|
|
end
|
|
|
|
context 'when user has no access to private shared group' do
|
|
it 'returns links of internal and public shared groups' do
|
|
expect(shared_group.shared_with_group_links_visible_to_user(normal_user)).to contain_exactly(internal_group_group_link, public_group_group_link)
|
|
end
|
|
end
|
|
|
|
context 'when user is member of private shared group' do
|
|
it 'returns links of private, internal and public shared groups' do
|
|
expect(shared_group.shared_with_group_links_visible_to_user(user_with_access)).to contain_exactly(private_group_group_link, internal_group_group_link, public_group_group_link)
|
|
end
|
|
end
|
|
|
|
context 'when user is inherited member of private shared group' do
|
|
it 'returns links of private, internal and public shared groups' do
|
|
expect(shared_group.shared_with_group_links_visible_to_user(user_with_parent_access)).to contain_exactly(private_group_group_link, internal_group_group_link, public_group_group_link)
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#enforced_runner_token_expiration_interval and #effective_runner_token_expiration_interval' do
|
|
shared_examples 'no enforced expiration interval' do
|
|
it { expect(subject.enforced_runner_token_expiration_interval).to be_nil }
|
|
end
|
|
|
|
shared_examples 'enforced expiration interval' do |enforced_interval:|
|
|
it { expect(subject.enforced_runner_token_expiration_interval).to eq(enforced_interval) }
|
|
end
|
|
|
|
shared_examples 'no effective expiration interval' do
|
|
it { expect(subject.effective_runner_token_expiration_interval).to be_nil }
|
|
end
|
|
|
|
shared_examples 'effective expiration interval' do |effective_interval:|
|
|
it { expect(subject.effective_runner_token_expiration_interval).to eq(effective_interval) }
|
|
end
|
|
|
|
context 'when there is no interval in group settings' do
|
|
let_it_be(:group) { create(:group) }
|
|
|
|
subject { group }
|
|
|
|
it_behaves_like 'no enforced expiration interval'
|
|
it_behaves_like 'no effective expiration interval'
|
|
end
|
|
|
|
context 'when there is a group interval' do
|
|
let(:group_settings) { create(:namespace_settings, runner_token_expiration_interval: 3.days.to_i) }
|
|
|
|
subject { create(:group, namespace_settings: group_settings) }
|
|
|
|
it_behaves_like 'no enforced expiration interval'
|
|
it_behaves_like 'effective expiration interval', effective_interval: 3.days
|
|
end
|
|
|
|
# runner_token_expiration_interval should not affect the expiration interval, only
|
|
# group_runner_token_expiration_interval should.
|
|
context 'when there is a site-wide enforced shared interval' do
|
|
before do
|
|
stub_application_setting(runner_token_expiration_interval: 5.days.to_i)
|
|
end
|
|
|
|
let_it_be(:group) { create(:group) }
|
|
|
|
subject { group }
|
|
|
|
it_behaves_like 'no enforced expiration interval'
|
|
it_behaves_like 'no effective expiration interval'
|
|
end
|
|
|
|
context 'when there is a site-wide enforced group interval' do
|
|
before do
|
|
stub_application_setting(group_runner_token_expiration_interval: 5.days.to_i)
|
|
end
|
|
|
|
let_it_be(:group) { create(:group) }
|
|
|
|
subject { group }
|
|
|
|
it_behaves_like 'enforced expiration interval', enforced_interval: 5.days
|
|
it_behaves_like 'effective expiration interval', effective_interval: 5.days
|
|
end
|
|
|
|
# project_runner_token_expiration_interval should not affect the expiration interval, only
|
|
# group_runner_token_expiration_interval should.
|
|
context 'when there is a site-wide enforced project interval' do
|
|
before do
|
|
stub_application_setting(project_runner_token_expiration_interval: 5.days.to_i)
|
|
end
|
|
|
|
let_it_be(:group) { create(:group) }
|
|
|
|
subject { group }
|
|
|
|
it_behaves_like 'no enforced expiration interval'
|
|
it_behaves_like 'no effective expiration interval'
|
|
end
|
|
|
|
# runner_token_expiration_interval should not affect the expiration interval, only
|
|
# subgroup_runner_token_expiration_interval should.
|
|
context 'when there is a grandparent group enforced group interval' do
|
|
let_it_be(:grandparent_group_settings) { create(:namespace_settings, runner_token_expiration_interval: 4.days.to_i) }
|
|
let_it_be(:grandparent_group) { create(:group, namespace_settings: grandparent_group_settings) }
|
|
let_it_be(:parent_group) { create(:group, parent: grandparent_group) }
|
|
let_it_be(:subgroup) { create(:group, parent: parent_group) }
|
|
|
|
subject { subgroup }
|
|
|
|
it_behaves_like 'no enforced expiration interval'
|
|
it_behaves_like 'no effective expiration interval'
|
|
end
|
|
|
|
context 'when there is a grandparent group enforced subgroup interval' do
|
|
let_it_be(:grandparent_group_settings) { create(:namespace_settings, subgroup_runner_token_expiration_interval: 4.days.to_i) }
|
|
let_it_be(:grandparent_group) { create(:group, namespace_settings: grandparent_group_settings) }
|
|
let_it_be(:parent_group) { create(:group, parent: grandparent_group) }
|
|
let_it_be(:subgroup) { create(:group, parent: parent_group) }
|
|
|
|
subject { subgroup }
|
|
|
|
it_behaves_like 'enforced expiration interval', enforced_interval: 4.days
|
|
it_behaves_like 'effective expiration interval', effective_interval: 4.days
|
|
end
|
|
|
|
# project_runner_token_expiration_interval should not affect the expiration interval, only
|
|
# subgroup_runner_token_expiration_interval should.
|
|
context 'when there is a grandparent group enforced project interval' do
|
|
let_it_be(:grandparent_group_settings) { create(:namespace_settings, project_runner_token_expiration_interval: 4.days.to_i) }
|
|
let_it_be(:grandparent_group) { create(:group, namespace_settings: grandparent_group_settings) }
|
|
let_it_be(:parent_group) { create(:group, parent: grandparent_group) }
|
|
let_it_be(:subgroup) { create(:group, parent: parent_group) }
|
|
|
|
subject { subgroup }
|
|
|
|
it_behaves_like 'no enforced expiration interval'
|
|
it_behaves_like 'no effective expiration interval'
|
|
end
|
|
|
|
context 'when there is a parent group enforced interval overridden by group interval' do
|
|
let_it_be(:parent_group_settings) { create(:namespace_settings, subgroup_runner_token_expiration_interval: 5.days.to_i) }
|
|
let_it_be(:parent_group) { create(:group, namespace_settings: parent_group_settings) }
|
|
let_it_be(:group_settings) { create(:namespace_settings, runner_token_expiration_interval: 4.days.to_i) }
|
|
let_it_be(:subgroup_with_settings) { create(:group, parent: parent_group, namespace_settings: group_settings) }
|
|
|
|
subject { subgroup_with_settings }
|
|
|
|
it_behaves_like 'enforced expiration interval', enforced_interval: 5.days
|
|
it_behaves_like 'effective expiration interval', effective_interval: 4.days
|
|
|
|
it 'has human-readable expiration intervals' do
|
|
expect(subject.enforced_runner_token_expiration_interval_human_readable).to eq('5d')
|
|
expect(subject.effective_runner_token_expiration_interval_human_readable).to eq('4d')
|
|
end
|
|
end
|
|
|
|
context 'when site-wide enforced interval overrides group interval' do
|
|
before do
|
|
stub_application_setting(group_runner_token_expiration_interval: 3.days.to_i)
|
|
end
|
|
|
|
let_it_be(:group_settings) { create(:namespace_settings, runner_token_expiration_interval: 4.days.to_i) }
|
|
let_it_be(:group_with_settings) { create(:group, namespace_settings: group_settings) }
|
|
|
|
subject { group_with_settings }
|
|
|
|
it_behaves_like 'enforced expiration interval', enforced_interval: 3.days
|
|
it_behaves_like 'effective expiration interval', effective_interval: 3.days
|
|
end
|
|
|
|
context 'when group interval overrides site-wide enforced interval' do
|
|
before do
|
|
stub_application_setting(group_runner_token_expiration_interval: 5.days.to_i)
|
|
end
|
|
|
|
let_it_be(:group_settings) { create(:namespace_settings, runner_token_expiration_interval: 4.days.to_i) }
|
|
let_it_be(:group_with_settings) { create(:group, namespace_settings: group_settings) }
|
|
|
|
subject { group_with_settings }
|
|
|
|
it_behaves_like 'enforced expiration interval', enforced_interval: 5.days
|
|
it_behaves_like 'effective expiration interval', effective_interval: 4.days
|
|
end
|
|
|
|
context 'when site-wide enforced interval overrides parent group enforced interval' do
|
|
before do
|
|
stub_application_setting(group_runner_token_expiration_interval: 3.days.to_i)
|
|
end
|
|
|
|
let_it_be(:parent_group_settings) { create(:namespace_settings, subgroup_runner_token_expiration_interval: 4.days.to_i) }
|
|
let_it_be(:parent_group) { create(:group, namespace_settings: parent_group_settings) }
|
|
let_it_be(:subgroup) { create(:group, parent: parent_group) }
|
|
|
|
subject { subgroup }
|
|
|
|
it_behaves_like 'enforced expiration interval', enforced_interval: 3.days
|
|
it_behaves_like 'effective expiration interval', effective_interval: 3.days
|
|
end
|
|
|
|
context 'when parent group enforced interval overrides site-wide enforced interval' do
|
|
before do
|
|
stub_application_setting(group_runner_token_expiration_interval: 5.days.to_i)
|
|
end
|
|
|
|
let_it_be(:parent_group_settings) { create(:namespace_settings, subgroup_runner_token_expiration_interval: 4.days.to_i) }
|
|
let_it_be(:parent_group) { create(:group, namespace_settings: parent_group_settings) }
|
|
let_it_be(:subgroup) { create(:group, parent: parent_group) }
|
|
|
|
subject { subgroup }
|
|
|
|
it_behaves_like 'enforced expiration interval', enforced_interval: 4.days
|
|
it_behaves_like 'effective expiration interval', effective_interval: 4.days
|
|
end
|
|
|
|
# Unrelated groups should not affect the expiration interval.
|
|
context 'when there is an enforced group interval in an unrelated group' do
|
|
let_it_be(:unrelated_group_settings) { create(:namespace_settings, subgroup_runner_token_expiration_interval: 4.days.to_i) }
|
|
let_it_be(:unrelated_group) { create(:group, namespace_settings: unrelated_group_settings) }
|
|
let_it_be(:group) { create(:group) }
|
|
|
|
subject { group }
|
|
|
|
it_behaves_like 'no enforced expiration interval'
|
|
it_behaves_like 'no effective expiration interval'
|
|
end
|
|
|
|
# Subgroups should not affect the parent group expiration interval.
|
|
context 'when there is an enforced group interval in a subgroup' do
|
|
let_it_be(:subgroup_settings) { create(:namespace_settings, subgroup_runner_token_expiration_interval: 4.days.to_i) }
|
|
let_it_be(:subgroup) { create(:group, parent: group, namespace_settings: subgroup_settings) }
|
|
let_it_be(:group) { create(:group) }
|
|
|
|
subject { group }
|
|
|
|
it_behaves_like 'no enforced expiration interval'
|
|
it_behaves_like 'no effective expiration interval'
|
|
end
|
|
end
|
|
|
|
describe '#work_items_feature_flag_enabled?' do
|
|
it_behaves_like 'checks self and root ancestor feature flag' do
|
|
let(:feature_flag) { :work_items }
|
|
let(:feature_flag_method) { :work_items_feature_flag_enabled? }
|
|
end
|
|
end
|
|
|
|
describe 'group shares' do
|
|
let!(:sub_group) { create(:group, parent: group) }
|
|
let!(:sub_sub_group) { create(:group, parent: sub_group) }
|
|
let!(:shared_group_1) { create(:group) }
|
|
let!(:shared_group_2) { create(:group) }
|
|
let!(:shared_group_3) { create(:group) }
|
|
|
|
before do
|
|
group.shared_with_groups << shared_group_1
|
|
sub_group.shared_with_groups << shared_group_2
|
|
sub_sub_group.shared_with_groups << shared_group_3
|
|
end
|
|
|
|
describe '#shared_with_group_links.of_ancestors' do
|
|
using RSpec::Parameterized::TableSyntax
|
|
|
|
where(:subject_group, :result) do
|
|
ref(:group) | []
|
|
ref(:sub_group) | lazy { [shared_group_1].map(&:id) }
|
|
ref(:sub_sub_group) | lazy { [shared_group_1, shared_group_2].map(&:id) }
|
|
end
|
|
|
|
with_them do
|
|
it 'returns correct group shares' do
|
|
expect(subject_group.shared_with_group_links.of_ancestors.map(&:shared_with_group_id)).to match_array(result)
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#shared_with_group_links.of_ancestors_and_self' do
|
|
using RSpec::Parameterized::TableSyntax
|
|
|
|
where(:subject_group, :result) do
|
|
ref(:group) | lazy { [shared_group_1].map(&:id) }
|
|
ref(:sub_group) | lazy { [shared_group_1, shared_group_2].map(&:id) }
|
|
ref(:sub_sub_group) | lazy { [shared_group_1, shared_group_2, shared_group_3].map(&:id) }
|
|
end
|
|
|
|
with_them do
|
|
it 'returns correct group shares' do
|
|
expect(subject_group.shared_with_group_links.of_ancestors_and_self.map(&:shared_with_group_id)).to match_array(result)
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
describe '#gitlab_deploy_token' do
|
|
subject(:gitlab_deploy_token) { group.gitlab_deploy_token }
|
|
|
|
context 'when there is a gitlab deploy token associated' do
|
|
let!(:deploy_token) { create(:deploy_token, :group, :gitlab_deploy_token, groups: [group]) }
|
|
|
|
it { is_expected.to eq(deploy_token) }
|
|
end
|
|
|
|
context 'when there is no a gitlab deploy token associated' do
|
|
it { is_expected.to be_nil }
|
|
end
|
|
|
|
context 'when there is a gitlab deploy token associated but is has been revoked' do
|
|
let!(:deploy_token) { create(:deploy_token, :group, :gitlab_deploy_token, :revoked, groups: [group]) }
|
|
|
|
it { is_expected.to be_nil }
|
|
end
|
|
|
|
context 'when there is a gitlab deploy token associated but it is expired' do
|
|
let!(:deploy_token) { create(:deploy_token, :group, :gitlab_deploy_token, :expired, groups: [group]) }
|
|
|
|
it { is_expected.to be_nil }
|
|
end
|
|
|
|
context 'when there is a deploy token associated with a different name' do
|
|
let!(:deploy_token) { create(:deploy_token, :group, groups: [group]) }
|
|
|
|
it { is_expected.to be_nil }
|
|
end
|
|
|
|
context 'when there is a gitlab deploy token associated to a different group' do
|
|
let!(:deploy_token) { create(:deploy_token, :group, :gitlab_deploy_token, groups: [create(:group)]) }
|
|
|
|
it { is_expected.to be_nil }
|
|
end
|
|
end
|
|
end
|