1# frozen_string_literal: true 2 3require 'spec_helper' 4 5RSpec.describe GroupPolicy do 6 include_context 'GroupPolicy context' 7 8 context 'public group with no user' do 9 let(:group) { create(:group, :public) } 10 let(:current_user) { nil } 11 12 it do 13 expect_allowed(:read_group) 14 expect_allowed(:read_crm_organization) 15 expect_allowed(:read_crm_contact) 16 expect_allowed(:read_counts) 17 expect_allowed(*read_group_permissions) 18 expect_disallowed(:upload_file) 19 expect_disallowed(*reporter_permissions) 20 expect_disallowed(*developer_permissions) 21 expect_disallowed(*maintainer_permissions) 22 expect_disallowed(*owner_permissions) 23 expect_disallowed(:read_namespace) 24 end 25 end 26 27 context 'with no user and public project' do 28 let(:project) { create(:project, :public) } 29 let(:current_user) { nil } 30 31 before do 32 create(:project_group_link, project: project, group: group) 33 end 34 35 it { expect_disallowed(:read_group) } 36 it { expect_disallowed(:read_crm_organization) } 37 it { expect_disallowed(:read_crm_contact) } 38 it { expect_disallowed(:read_counts) } 39 it { expect_disallowed(*read_group_permissions) } 40 end 41 42 context 'with foreign user and public project' do 43 let(:project) { create(:project, :public) } 44 let(:current_user) { create(:user) } 45 46 before do 47 create(:project_group_link, project: project, group: group) 48 end 49 50 it { expect_disallowed(:read_group) } 51 it { expect_disallowed(:read_crm_organization) } 52 it { expect_disallowed(:read_crm_contact) } 53 it { expect_disallowed(:read_counts) } 54 it { expect_disallowed(*read_group_permissions) } 55 end 56 57 context 'has projects' do 58 let(:current_user) { create(:user) } 59 let(:project) { create(:project, namespace: group) } 60 61 before do 62 project.add_developer(current_user) 63 end 64 65 it { expect_allowed(*read_group_permissions) } 66 67 context 'in subgroups' do 68 let(:subgroup) { create(:group, :private, parent: group) } 69 let(:project) { create(:project, namespace: subgroup) } 70 71 it { expect_allowed(*read_group_permissions) } 72 end 73 end 74 75 shared_examples 'deploy token does not get confused with user' do 76 before do 77 deploy_token.update!(id: user_id) 78 end 79 80 let(:deploy_token) { create(:deploy_token) } 81 let(:current_user) { deploy_token } 82 83 it do 84 expect_disallowed(*read_group_permissions) 85 expect_disallowed(*guest_permissions) 86 expect_disallowed(*reporter_permissions) 87 expect_disallowed(*developer_permissions) 88 expect_disallowed(*maintainer_permissions) 89 expect_disallowed(*owner_permissions) 90 end 91 end 92 93 context 'guests' do 94 let(:current_user) { guest } 95 96 it do 97 expect_allowed(*read_group_permissions) 98 expect_allowed(*guest_permissions) 99 expect_disallowed(*reporter_permissions) 100 expect_disallowed(*developer_permissions) 101 expect_disallowed(*maintainer_permissions) 102 expect_disallowed(*owner_permissions) 103 end 104 105 it_behaves_like 'deploy token does not get confused with user' do 106 let(:user_id) { guest.id } 107 end 108 end 109 110 context 'reporter' do 111 let(:current_user) { reporter } 112 113 it do 114 expect_allowed(*read_group_permissions) 115 expect_allowed(*guest_permissions) 116 expect_allowed(*reporter_permissions) 117 expect_disallowed(*developer_permissions) 118 expect_disallowed(*maintainer_permissions) 119 expect_disallowed(*owner_permissions) 120 end 121 122 it_behaves_like 'deploy token does not get confused with user' do 123 let(:user_id) { reporter.id } 124 end 125 end 126 127 context 'developer' do 128 let(:current_user) { developer } 129 130 it do 131 expect_allowed(*read_group_permissions) 132 expect_allowed(*guest_permissions) 133 expect_allowed(*reporter_permissions) 134 expect_allowed(*developer_permissions) 135 expect_disallowed(*maintainer_permissions) 136 expect_disallowed(*owner_permissions) 137 end 138 139 it_behaves_like 'deploy token does not get confused with user' do 140 let(:user_id) { developer.id } 141 end 142 end 143 144 context 'maintainer' do 145 let(:current_user) { maintainer } 146 147 context 'with subgroup_creation level set to maintainer' do 148 before_all do 149 group.update!(subgroup_creation_level: ::Gitlab::Access::MAINTAINER_SUBGROUP_ACCESS) 150 end 151 152 it 'allows every maintainer permission plus creating subgroups' do 153 create_subgroup_permission = [:create_subgroup] 154 updated_maintainer_permissions = 155 maintainer_permissions + create_subgroup_permission 156 updated_owner_permissions = 157 owner_permissions - create_subgroup_permission 158 159 expect_allowed(*read_group_permissions) 160 expect_allowed(*guest_permissions) 161 expect_allowed(*reporter_permissions) 162 expect_allowed(*developer_permissions) 163 expect_allowed(*updated_maintainer_permissions) 164 expect_disallowed(*updated_owner_permissions) 165 end 166 end 167 168 context 'with subgroup_creation_level set to owner' do 169 it 'allows every maintainer permission' do 170 expect_allowed(*read_group_permissions) 171 expect_allowed(*guest_permissions) 172 expect_allowed(*reporter_permissions) 173 expect_allowed(*developer_permissions) 174 expect_allowed(*maintainer_permissions) 175 expect_disallowed(*owner_permissions) 176 end 177 end 178 179 it_behaves_like 'deploy token does not get confused with user' do 180 let(:user_id) { maintainer.id } 181 end 182 end 183 184 context 'owner' do 185 let(:current_user) { owner } 186 187 it do 188 expect_allowed(*read_group_permissions) 189 expect_allowed(*guest_permissions) 190 expect_allowed(*reporter_permissions) 191 expect_allowed(*developer_permissions) 192 expect_allowed(*maintainer_permissions) 193 expect_allowed(*owner_permissions) 194 end 195 196 it_behaves_like 'deploy token does not get confused with user' do 197 let(:user_id) { owner.id } 198 end 199 end 200 201 context 'admin' do 202 let(:current_user) { admin } 203 204 specify do 205 expect_disallowed(*read_group_permissions) 206 expect_disallowed(*guest_permissions) 207 expect_disallowed(*reporter_permissions) 208 expect_disallowed(*developer_permissions) 209 expect_disallowed(*maintainer_permissions) 210 expect_disallowed(*owner_permissions) 211 end 212 213 context 'with admin mode', :enable_admin_mode do 214 specify do 215 expect_allowed(*read_group_permissions) 216 expect_allowed(*guest_permissions) 217 expect_allowed(*reporter_permissions) 218 expect_allowed(*developer_permissions) 219 expect_allowed(*maintainer_permissions) 220 expect_allowed(*owner_permissions) 221 expect_allowed(*admin_permissions) 222 end 223 end 224 225 it_behaves_like 'deploy token does not get confused with user' do 226 let(:user_id) { admin.id } 227 228 context 'with admin mode', :enable_admin_mode do 229 it { expect_disallowed(*admin_permissions) } 230 end 231 end 232 end 233 234 describe 'private nested group use the highest access level from the group and inherited permissions' do 235 let_it_be(:nested_group) do 236 create(:group, :private, :owner_subgroup_creation_only, parent: group) 237 end 238 239 before_all do 240 nested_group.add_guest(guest) 241 nested_group.add_guest(reporter) 242 nested_group.add_guest(developer) 243 nested_group.add_guest(maintainer) 244 245 group.owners.destroy_all # rubocop: disable Cop/DestroyAll 246 247 group.add_guest(owner) 248 nested_group.add_owner(owner) 249 end 250 251 subject { described_class.new(current_user, nested_group) } 252 253 context 'with no user' do 254 let(:current_user) { nil } 255 256 it do 257 expect_disallowed(:read_counts) 258 expect_disallowed(*read_group_permissions) 259 expect_disallowed(*guest_permissions) 260 expect_disallowed(*reporter_permissions) 261 expect_disallowed(*developer_permissions) 262 expect_disallowed(*maintainer_permissions) 263 expect_disallowed(*owner_permissions) 264 end 265 end 266 267 context 'guests' do 268 let(:current_user) { guest } 269 270 it do 271 expect_allowed(:read_counts) 272 expect_allowed(*read_group_permissions) 273 expect_allowed(*guest_permissions) 274 expect_disallowed(*reporter_permissions) 275 expect_disallowed(*developer_permissions) 276 expect_disallowed(*maintainer_permissions) 277 expect_disallowed(*owner_permissions) 278 end 279 end 280 281 context 'reporter' do 282 let(:current_user) { reporter } 283 284 it do 285 expect_allowed(:read_counts) 286 expect_allowed(*read_group_permissions) 287 expect_allowed(*guest_permissions) 288 expect_allowed(*reporter_permissions) 289 expect_disallowed(*developer_permissions) 290 expect_disallowed(*maintainer_permissions) 291 expect_disallowed(*owner_permissions) 292 end 293 end 294 295 context 'developer' do 296 let(:current_user) { developer } 297 298 it do 299 expect_allowed(:read_counts) 300 expect_allowed(*read_group_permissions) 301 expect_allowed(*guest_permissions) 302 expect_allowed(*reporter_permissions) 303 expect_allowed(*developer_permissions) 304 expect_disallowed(*maintainer_permissions) 305 expect_disallowed(*owner_permissions) 306 end 307 end 308 309 context 'maintainer' do 310 let(:current_user) { maintainer } 311 312 it do 313 expect_allowed(:read_counts) 314 expect_allowed(*read_group_permissions) 315 expect_allowed(*guest_permissions) 316 expect_allowed(*reporter_permissions) 317 expect_allowed(*developer_permissions) 318 expect_allowed(*maintainer_permissions) 319 expect_disallowed(*owner_permissions) 320 end 321 end 322 323 context 'owner' do 324 let(:current_user) { owner } 325 326 it do 327 expect_allowed(:read_counts) 328 expect_allowed(*read_group_permissions) 329 expect_allowed(*guest_permissions) 330 expect_allowed(*reporter_permissions) 331 expect_allowed(*developer_permissions) 332 expect_allowed(*maintainer_permissions) 333 expect_allowed(*owner_permissions) 334 end 335 end 336 end 337 338 describe 'change_share_with_group_lock' do 339 context 'when the current_user owns the group' do 340 let(:current_user) { owner } 341 342 context 'when the group share_with_group_lock is enabled' do 343 let(:group) { create(:group, share_with_group_lock: true, parent: parent) } 344 345 before do 346 group.add_owner(owner) 347 end 348 349 context 'when the parent group share_with_group_lock is enabled' do 350 context 'when the group has a grandparent' do 351 let(:parent) { create(:group, share_with_group_lock: true, parent: grandparent) } 352 353 context 'when the grandparent share_with_group_lock is enabled' do 354 let(:grandparent) { create(:group, share_with_group_lock: true) } 355 356 context 'when the current_user owns the parent' do 357 before do 358 parent.add_owner(current_user) 359 end 360 361 context 'when the current_user owns the grandparent' do 362 before do 363 grandparent.add_owner(current_user) 364 end 365 366 it { expect_allowed(:change_share_with_group_lock) } 367 end 368 369 context 'when the current_user does not own the grandparent' do 370 it { expect_disallowed(:change_share_with_group_lock) } 371 end 372 end 373 374 context 'when the current_user does not own the parent' do 375 it { expect_disallowed(:change_share_with_group_lock) } 376 end 377 end 378 379 context 'when the grandparent share_with_group_lock is disabled' do 380 let(:grandparent) { create(:group) } 381 382 context 'when the current_user owns the parent' do 383 before do 384 parent.add_owner(current_user) 385 end 386 387 it { expect_allowed(:change_share_with_group_lock) } 388 end 389 390 context 'when the current_user does not own the parent' do 391 it { expect_disallowed(:change_share_with_group_lock) } 392 end 393 end 394 end 395 396 context 'when the group does not have a grandparent' do 397 let(:parent) { create(:group, share_with_group_lock: true) } 398 399 context 'when the current_user owns the parent' do 400 before do 401 parent.add_owner(current_user) 402 end 403 404 it { expect_allowed(:change_share_with_group_lock) } 405 end 406 407 context 'when the current_user does not own the parent' do 408 it { expect_disallowed(:change_share_with_group_lock) } 409 end 410 end 411 end 412 413 context 'when the parent group share_with_group_lock is disabled' do 414 let(:parent) { create(:group) } 415 416 it { expect_allowed(:change_share_with_group_lock) } 417 end 418 end 419 420 context 'when the group share_with_group_lock is disabled' do 421 it { expect_allowed(:change_share_with_group_lock) } 422 end 423 end 424 425 context 'when the current_user does not own the group' do 426 let(:current_user) { create(:user) } 427 428 it { expect_disallowed(:change_share_with_group_lock) } 429 end 430 end 431 432 context 'transfer_projects' do 433 shared_examples_for 'allowed to transfer projects' do 434 before do 435 group.update!(project_creation_level: project_creation_level) 436 end 437 438 it { is_expected.to be_allowed(:transfer_projects) } 439 end 440 441 shared_examples_for 'not allowed to transfer projects' do 442 before do 443 group.update!(project_creation_level: project_creation_level) 444 end 445 446 it { is_expected.to be_disallowed(:transfer_projects) } 447 end 448 449 context 'reporter' do 450 let(:current_user) { reporter } 451 452 it_behaves_like 'not allowed to transfer projects' do 453 let(:project_creation_level) { ::Gitlab::Access::NO_ONE_PROJECT_ACCESS } 454 end 455 456 it_behaves_like 'not allowed to transfer projects' do 457 let(:project_creation_level) { ::Gitlab::Access::MAINTAINER_PROJECT_ACCESS } 458 end 459 460 it_behaves_like 'not allowed to transfer projects' do 461 let(:project_creation_level) { ::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS } 462 end 463 end 464 465 context 'developer' do 466 let(:current_user) { developer } 467 468 it_behaves_like 'not allowed to transfer projects' do 469 let(:project_creation_level) { ::Gitlab::Access::NO_ONE_PROJECT_ACCESS } 470 end 471 472 it_behaves_like 'not allowed to transfer projects' do 473 let(:project_creation_level) { ::Gitlab::Access::MAINTAINER_PROJECT_ACCESS } 474 end 475 476 it_behaves_like 'not allowed to transfer projects' do 477 let(:project_creation_level) { ::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS } 478 end 479 end 480 481 context 'maintainer' do 482 let(:current_user) { maintainer } 483 484 it_behaves_like 'not allowed to transfer projects' do 485 let(:project_creation_level) { ::Gitlab::Access::NO_ONE_PROJECT_ACCESS } 486 end 487 488 it_behaves_like 'allowed to transfer projects' do 489 let(:project_creation_level) { ::Gitlab::Access::MAINTAINER_PROJECT_ACCESS } 490 end 491 492 it_behaves_like 'allowed to transfer projects' do 493 let(:project_creation_level) { ::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS } 494 end 495 end 496 497 context 'owner' do 498 let(:current_user) { owner } 499 500 it_behaves_like 'not allowed to transfer projects' do 501 let(:project_creation_level) { ::Gitlab::Access::NO_ONE_PROJECT_ACCESS } 502 end 503 504 it_behaves_like 'allowed to transfer projects' do 505 let(:project_creation_level) { ::Gitlab::Access::MAINTAINER_PROJECT_ACCESS } 506 end 507 508 it_behaves_like 'allowed to transfer projects' do 509 let(:project_creation_level) { ::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS } 510 end 511 end 512 end 513 514 context 'create_projects' do 515 context 'when group has no project creation level set' do 516 before_all do 517 group.update!(project_creation_level: nil) 518 end 519 520 context 'reporter' do 521 let(:current_user) { reporter } 522 523 it { is_expected.to be_disallowed(:create_projects) } 524 end 525 526 context 'developer' do 527 let(:current_user) { developer } 528 529 it { is_expected.to be_allowed(:create_projects) } 530 end 531 532 context 'maintainer' do 533 let(:current_user) { maintainer } 534 535 it { is_expected.to be_allowed(:create_projects) } 536 end 537 538 context 'owner' do 539 let(:current_user) { owner } 540 541 it { is_expected.to be_allowed(:create_projects) } 542 end 543 end 544 545 context 'when group has project creation level set to no one' do 546 before_all do 547 group.update!(project_creation_level: ::Gitlab::Access::NO_ONE_PROJECT_ACCESS) 548 end 549 550 context 'reporter' do 551 let(:current_user) { reporter } 552 553 it { is_expected.to be_disallowed(:create_projects) } 554 end 555 556 context 'developer' do 557 let(:current_user) { developer } 558 559 it { is_expected.to be_disallowed(:create_projects) } 560 end 561 562 context 'maintainer' do 563 let(:current_user) { maintainer } 564 565 it { is_expected.to be_disallowed(:create_projects) } 566 end 567 568 context 'owner' do 569 let(:current_user) { owner } 570 571 it { is_expected.to be_disallowed(:create_projects) } 572 end 573 end 574 575 context 'when group has project creation level set to maintainer only' do 576 before_all do 577 group.update!(project_creation_level: ::Gitlab::Access::MAINTAINER_PROJECT_ACCESS) 578 end 579 580 context 'reporter' do 581 let(:current_user) { reporter } 582 583 it { is_expected.to be_disallowed(:create_projects) } 584 end 585 586 context 'developer' do 587 let(:current_user) { developer } 588 589 it { is_expected.to be_disallowed(:create_projects) } 590 end 591 592 context 'maintainer' do 593 let(:current_user) { maintainer } 594 595 it { is_expected.to be_allowed(:create_projects) } 596 end 597 598 context 'owner' do 599 let(:current_user) { owner } 600 601 it { is_expected.to be_allowed(:create_projects) } 602 end 603 end 604 605 context 'when group has project creation level set to developers + maintainer' do 606 before_all do 607 group.update!(project_creation_level: ::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS) 608 end 609 610 context 'reporter' do 611 let(:current_user) { reporter } 612 613 it { is_expected.to be_disallowed(:create_projects) } 614 end 615 616 context 'developer' do 617 let(:current_user) { developer } 618 619 it { is_expected.to be_allowed(:create_projects) } 620 end 621 622 context 'maintainer' do 623 let(:current_user) { maintainer } 624 625 it { is_expected.to be_allowed(:create_projects) } 626 end 627 628 context 'owner' do 629 let(:current_user) { owner } 630 631 it { is_expected.to be_allowed(:create_projects) } 632 end 633 end 634 end 635 636 context 'create_subgroup' do 637 context 'when group has subgroup creation level set to owner' do 638 before_all do 639 group.update!(subgroup_creation_level: ::Gitlab::Access::OWNER_SUBGROUP_ACCESS) 640 end 641 642 context 'reporter' do 643 let(:current_user) { reporter } 644 645 it { is_expected.to be_disallowed(:create_subgroup) } 646 end 647 648 context 'developer' do 649 let(:current_user) { developer } 650 651 it { is_expected.to be_disallowed(:create_subgroup) } 652 end 653 654 context 'maintainer' do 655 let(:current_user) { maintainer } 656 657 it { is_expected.to be_disallowed(:create_subgroup) } 658 end 659 660 context 'owner' do 661 let(:current_user) { owner } 662 663 it { is_expected.to be_allowed(:create_subgroup) } 664 end 665 end 666 667 context 'when group has subgroup creation level set to maintainer' do 668 before_all do 669 group.update!(subgroup_creation_level: ::Gitlab::Access::MAINTAINER_SUBGROUP_ACCESS) 670 end 671 672 context 'reporter' do 673 let(:current_user) { reporter } 674 675 it { is_expected.to be_disallowed(:create_subgroup) } 676 end 677 678 context 'developer' do 679 let(:current_user) { developer } 680 681 it { is_expected.to be_disallowed(:create_subgroup) } 682 end 683 684 context 'maintainer' do 685 let(:current_user) { maintainer } 686 687 it { is_expected.to be_allowed(:create_subgroup) } 688 end 689 690 context 'owner' do 691 let(:current_user) { owner } 692 693 it { is_expected.to be_allowed(:create_subgroup) } 694 end 695 end 696 end 697 698 it_behaves_like 'clusterable policies' do 699 let(:clusterable) { create(:group) } 700 let(:cluster) do 701 create(:cluster, 702 :provided_by_gcp, 703 :group, 704 groups: [clusterable]) 705 end 706 end 707 708 describe 'update_max_artifacts_size' do 709 let(:group) { create(:group, :public) } 710 711 context 'when no user' do 712 let(:current_user) { nil } 713 714 it { expect_disallowed(:update_max_artifacts_size) } 715 end 716 717 context 'admin' do 718 let(:current_user) { admin } 719 720 context 'when admin mode is enabled', :enable_admin_mode do 721 it { expect_allowed(:update_max_artifacts_size) } 722 end 723 724 context 'when admin mode is enabled' do 725 it { expect_disallowed(:update_max_artifacts_size) } 726 end 727 end 728 729 %w(guest reporter developer maintainer owner).each do |role| 730 context role do 731 let(:current_user) { send(role) } 732 733 it { expect_disallowed(:update_max_artifacts_size) } 734 end 735 end 736 end 737 738 describe 'design activity' do 739 let_it_be(:group) { create(:group, :public) } 740 741 let(:current_user) { nil } 742 743 subject { described_class.new(current_user, group) } 744 745 context 'when design management is not available' do 746 it { is_expected.not_to be_allowed(:read_design_activity) } 747 748 context 'even when there are projects in the group' do 749 before do 750 create_list(:project_group_link, 2, group: group) 751 end 752 753 it { is_expected.not_to be_allowed(:read_design_activity) } 754 end 755 end 756 757 context 'when design management is available globally' do 758 include DesignManagementTestHelpers 759 760 before do 761 enable_design_management 762 end 763 764 context 'the group has no projects' do 765 it { is_expected.not_to be_allowed(:read_design_activity) } 766 end 767 768 context 'the group has a project' do 769 let(:project) { create(:project, :public) } 770 771 before do 772 create(:project_group_link, project: project, group: group) 773 end 774 775 it { is_expected.to be_allowed(:read_design_activity) } 776 777 context 'which does not have design management enabled' do 778 before do 779 project.update!(lfs_enabled: false) 780 end 781 782 it { is_expected.not_to be_allowed(:read_design_activity) } 783 784 context 'but another project does' do 785 before do 786 create(:project_group_link, project: create(:project, :public), group: group) 787 end 788 789 it { is_expected.to be_allowed(:read_design_activity) } 790 end 791 end 792 end 793 end 794 end 795 796 describe 'create_jira_connect_subscription' do 797 context 'admin' do 798 let(:current_user) { admin } 799 800 context 'when admin mode is enabled', :enable_admin_mode do 801 it { is_expected.to be_allowed(:create_jira_connect_subscription) } 802 end 803 804 context 'when admin mode is disabled' do 805 it { is_expected.to be_disallowed(:create_jira_connect_subscription) } 806 end 807 end 808 809 context 'with owner' do 810 let(:current_user) { owner } 811 812 it { is_expected.to be_allowed(:create_jira_connect_subscription) } 813 end 814 815 context 'with maintainer' do 816 let(:current_user) { maintainer } 817 818 it { is_expected.to be_allowed(:create_jira_connect_subscription) } 819 end 820 821 context 'with reporter' do 822 let(:current_user) { reporter } 823 824 it { is_expected.to be_disallowed(:create_jira_connect_subscription) } 825 end 826 827 context 'with guest' do 828 let(:current_user) { guest } 829 830 it { is_expected.to be_disallowed(:create_jira_connect_subscription) } 831 end 832 833 context 'with non member' do 834 let(:current_user) { create(:user) } 835 836 it { is_expected.to be_disallowed(:create_jira_connect_subscription) } 837 end 838 839 context 'with anonymous' do 840 let(:current_user) { nil } 841 842 it { is_expected.to be_disallowed(:create_jira_connect_subscription) } 843 end 844 end 845 846 describe 'read_package' do 847 context 'admin' do 848 let(:current_user) { admin } 849 850 context 'when admin mode is enabled', :enable_admin_mode do 851 it { is_expected.to be_allowed(:read_package) } 852 end 853 854 context 'when admin mode is disabled' do 855 it { is_expected.to be_disallowed(:read_package) } 856 end 857 end 858 859 context 'with owner' do 860 let(:current_user) { owner } 861 862 it { is_expected.to be_allowed(:read_package) } 863 end 864 865 context 'with maintainer' do 866 let(:current_user) { maintainer } 867 868 it { is_expected.to be_allowed(:read_package) } 869 end 870 871 context 'with reporter' do 872 let(:current_user) { reporter } 873 874 it { is_expected.to be_allowed(:read_package) } 875 end 876 877 context 'with guest' do 878 let(:current_user) { guest } 879 880 it { is_expected.to be_disallowed(:read_package) } 881 end 882 883 context 'with non member' do 884 let(:current_user) { create(:user) } 885 886 it { is_expected.to be_disallowed(:read_package) } 887 end 888 889 context 'with anonymous' do 890 let(:current_user) { nil } 891 892 it { is_expected.to be_disallowed(:read_package) } 893 end 894 end 895 896 describe 'dependency proxy' do 897 context 'feature disabled' do 898 let(:current_user) { owner } 899 900 it { is_expected.to be_disallowed(:read_dependency_proxy) } 901 it { is_expected.to be_disallowed(:admin_dependency_proxy) } 902 end 903 904 context 'feature enabled' do 905 before do 906 stub_config(dependency_proxy: { enabled: true }) 907 group.create_dependency_proxy_setting!(enabled: true) 908 end 909 910 context 'reporter' do 911 let(:current_user) { reporter } 912 913 it { is_expected.to be_disallowed(:admin_dependency_proxy) } 914 end 915 916 context 'developer' do 917 let(:current_user) { developer } 918 919 it { is_expected.to be_allowed(:admin_dependency_proxy) } 920 end 921 end 922 end 923 924 context 'deploy token access' do 925 let!(:group_deploy_token) do 926 create(:group_deploy_token, group: group, deploy_token: deploy_token) 927 end 928 929 subject { described_class.new(deploy_token, group) } 930 931 context 'a deploy token with read_package_registry scope' do 932 let(:deploy_token) { create(:deploy_token, :group, read_package_registry: true) } 933 934 it { is_expected.to be_allowed(:read_package) } 935 it { is_expected.to be_allowed(:read_group) } 936 it { is_expected.to be_allowed(:read_crm_organization) } 937 it { is_expected.to be_allowed(:read_crm_contact) } 938 it { is_expected.to be_disallowed(:create_package) } 939 end 940 941 context 'a deploy token with write_package_registry scope' do 942 let(:deploy_token) { create(:deploy_token, :group, write_package_registry: true) } 943 944 it { is_expected.to be_allowed(:create_package) } 945 it { is_expected.to be_allowed(:read_package) } 946 it { is_expected.to be_allowed(:read_group) } 947 it { is_expected.to be_allowed(:read_crm_organization) } 948 it { is_expected.to be_allowed(:read_crm_contact) } 949 it { is_expected.to be_disallowed(:destroy_package) } 950 end 951 952 context 'a deploy token with dependency proxy scopes' do 953 let_it_be(:deploy_token) { create(:deploy_token, :group, :dependency_proxy_scopes) } 954 955 before do 956 stub_config(dependency_proxy: { enabled: true }) 957 group.create_dependency_proxy_setting!(enabled: true) 958 end 959 960 it { is_expected.to be_allowed(:read_dependency_proxy) } 961 it { is_expected.to be_disallowed(:admin_dependency_proxy) } 962 end 963 end 964 965 it_behaves_like 'Self-managed Core resource access tokens' 966 967 context 'support bot' do 968 let_it_be(:group) { create(:group, :private) } 969 let_it_be(:current_user) { User.support_bot } 970 971 before do 972 allow(Gitlab::ServiceDesk).to receive(:supported?).and_return(true) 973 end 974 975 it { expect_disallowed(:read_label) } 976 977 context 'when group hierarchy has a project with service desk enabled' do 978 let_it_be(:subgroup) { create(:group, :private, parent: group)} 979 let_it_be(:project) { create(:project, group: subgroup, service_desk_enabled: true) } 980 981 it { expect_allowed(:read_label) } 982 it { expect(described_class.new(current_user, subgroup)).to be_allowed(:read_label) } 983 end 984 end 985 986 describe 'update_runners_registration_token' do 987 context 'admin' do 988 let(:current_user) { admin } 989 990 context 'when admin mode is enabled', :enable_admin_mode do 991 it { is_expected.to be_allowed(:update_runners_registration_token) } 992 end 993 994 context 'when admin mode is disabled' do 995 it { is_expected.to be_disallowed(:update_runners_registration_token) } 996 end 997 end 998 999 context 'with owner' do 1000 let(:current_user) { owner } 1001 1002 it { is_expected.to be_allowed(:update_runners_registration_token) } 1003 end 1004 1005 context 'with maintainer' do 1006 let(:current_user) { maintainer } 1007 1008 it { is_expected.to be_disallowed(:update_runners_registration_token) } 1009 end 1010 1011 context 'with reporter' do 1012 let(:current_user) { reporter } 1013 1014 it { is_expected.to be_disallowed(:update_runners_registration_token) } 1015 end 1016 1017 context 'with guest' do 1018 let(:current_user) { guest } 1019 1020 it { is_expected.to be_disallowed(:update_runners_registration_token) } 1021 end 1022 1023 context 'with non member' do 1024 let(:current_user) { create(:user) } 1025 1026 it { is_expected.to be_disallowed(:update_runners_registration_token) } 1027 end 1028 1029 context 'with anonymous' do 1030 let(:current_user) { nil } 1031 1032 it { is_expected.to be_disallowed(:update_runners_registration_token) } 1033 end 1034 end 1035 1036 describe 'register_group_runners' do 1037 shared_examples 'expected outcome based on runner registration control' do 1038 context 'with runner_registration_control FF disabled' do 1039 before do 1040 stub_feature_flags(runner_registration_control: false) 1041 end 1042 1043 it { is_expected.to be_allowed(:register_group_runners) } 1044 end 1045 1046 context 'with runner_registration_control FF enabled' do 1047 before do 1048 stub_feature_flags(runner_registration_control: true) 1049 end 1050 1051 context 'with group runner registration disabled' do 1052 before do 1053 stub_application_setting(valid_runner_registrars: ['project']) 1054 end 1055 1056 it { is_expected.to be_disallowed(:register_group_runners) } 1057 end 1058 end 1059 end 1060 1061 context 'admin' do 1062 let(:current_user) { admin } 1063 1064 context 'when admin mode is enabled', :enable_admin_mode do 1065 it { is_expected.to be_allowed(:register_group_runners) } 1066 1067 it_behaves_like 'expected outcome based on runner registration control' 1068 end 1069 1070 context 'when admin mode is disabled' do 1071 it { is_expected.to be_disallowed(:register_group_runners) } 1072 end 1073 end 1074 1075 context 'with owner' do 1076 let(:current_user) { owner } 1077 1078 it { is_expected.to be_allowed(:register_group_runners) } 1079 1080 it_behaves_like 'expected outcome based on runner registration control' 1081 end 1082 1083 context 'with maintainer' do 1084 let(:current_user) { maintainer } 1085 1086 it { is_expected.to be_allowed(:register_group_runners) } 1087 1088 it_behaves_like 'expected outcome based on runner registration control' 1089 end 1090 1091 context 'with reporter' do 1092 let(:current_user) { reporter } 1093 1094 it { is_expected.to be_disallowed(:register_group_runners) } 1095 end 1096 1097 context 'with guest' do 1098 let(:current_user) { guest } 1099 1100 it { is_expected.to be_disallowed(:register_group_runners) } 1101 end 1102 1103 context 'with non member' do 1104 let(:current_user) { create(:user) } 1105 1106 it { is_expected.to be_disallowed(:register_group_runners) } 1107 end 1108 1109 context 'with anonymous' do 1110 let(:current_user) { nil } 1111 1112 it { is_expected.to be_disallowed(:register_group_runners) } 1113 end 1114 end 1115 1116 context 'with customer_relations feature flag disabled' do 1117 let(:current_user) { owner } 1118 1119 before do 1120 stub_feature_flags(customer_relations: false) 1121 end 1122 1123 it { is_expected.to be_disallowed(:read_crm_contact) } 1124 it { is_expected.to be_disallowed(:read_crm_organization) } 1125 it { is_expected.to be_disallowed(:admin_crm_contact) } 1126 it { is_expected.to be_disallowed(:admin_crm_organization) } 1127 end 1128end 1129