# frozen_string_literal: true
require 'spec_helper'
# Specs for the service that reconciles a cluster agent's stored group and
# project authorizations with the `ci_access` section of its configuration.
# The examples pin the authorization boundary: entries dropped from the config
# lose access, entries outside the configuration project's hierarchy are not
# authorized, and the number of authorized entities is capped.
RSpec.describe Clusters::Agents::RefreshAuthorizationService do
  describe '#execute' do
    # Every group and project below is created under this single top-level group.
    let_it_be(:root_ancestor) { create(:group) }

    # removed_*  : authorized beforehand, absent from the new config
    # modified_* : authorized beforehand, listed with a different default_namespace
    # added_*    : not authorized beforehand, listed in the new config
    let_it_be(:removed_group) { create(:group, parent: root_ancestor) }
    let_it_be(:modified_group) { create(:group, parent: root_ancestor) }
    let_it_be(:added_group) { create(:group, parent: root_ancestor) }

    let_it_be(:removed_project) { create(:project, namespace: root_ancestor) }
    let_it_be(:modified_project) { create(:project, namespace: root_ancestor) }
    let_it_be(:added_project) { create(:project, namespace: root_ancestor) }

    # The agent's configuration project; contexts override it to move the
    # agent outside root_ancestor's hierarchy.
    let(:project) { create(:project, namespace: root_ancestor) }
    let(:agent) { create(:cluster_agent, project: project) }

    # Agent configuration handed to the service, with string keys
    # (hence deep_stringify_keys).
    let(:config) do
      {
        ci_access: {
          groups: [
            { id: added_group.full_path, default_namespace: 'default' },
            { id: modified_group.full_path, default_namespace: 'new-namespace' }
          ],
          projects: [
            { id: added_project.full_path, default_namespace: 'default' },
            { id: modified_project.full_path, default_namespace: 'new-namespace' }
          ]
        }
      }.deep_stringify_keys
    end

    subject { described_class.new(agent, config: config).execute }

    # Seed the authorizations that exist before the refresh runs, so the
    # examples can observe both removal and modification.
    before do
      baseline_config = { default_namespace: 'default' }

      [removed_group, modified_group].each do |group|
        agent.group_authorizations.create!(group: group, config: baseline_config)
      end

      [removed_project, modified_project].each do |seeded_project|
        agent.project_authorizations.create!(project: seeded_project, config: baseline_config)
      end
    end

    # Cases in which the refresh must leave the agent with no authorizations,
    # including the ones seeded above. The including block supplies
    # `authorizations` (the collection that must end up empty).
    shared_examples 'removing authorization' do
      context 'config contains no groups' do
        let(:config) { {} }

        it 'removes all authorizations' do
          expect(subject).to be_truthy
          expect(authorizations).to be_empty
        end
      end

      # The configuration project sits under an unrelated top-level group, so
      # every entity named in `config` (all under root_ancestor) is outside
      # its hierarchy and must not be authorized.
      context 'config contains groups outside of the configuration project hierarchy' do
        let(:project) { create(:project, namespace: create(:group)) }

        it 'removes all authorizations' do
          expect(subject).to be_truthy
          expect(authorizations).to be_empty
        end
      end

      # NOTE(review): `create(:project)` with no namespace presumably yields a
      # project outside any group -- confirm against the factory.
      context 'configuration project does not belong to a group' do
        let(:project) { create(:project) }

        it 'removes all authorizations' do
          expect(subject).to be_truthy
          expect(authorizations).to be_empty
        end
      end
    end

    describe 'group authorization' do
      it 'refreshes authorizations for the agent' do
        expect(subject).to be_truthy
        # removed_group must be gone; only the groups named in config remain.
        expect(agent.authorized_groups).to contain_exactly(added_group, modified_group)

        expect(agent.group_authorizations.find_by(group: added_group).config)
          .to eq({ 'default_namespace' => 'default' })

        # The stored config must reflect the new value, not the seeded one.
        expect(agent.group_authorizations.find_by(group: modified_group).config)
          .to eq({ 'default_namespace' => 'new-namespace' })
      end

      context 'config contains too many groups' do
        # Lower the cap to 1 so the two-entry config exceeds it.
        before do
          stub_const("#{described_class}::AUTHORIZED_ENTITY_LIMIT", 1)
        end

        it 'authorizes groups up to the limit' do
          expect(subject).to be_truthy
          # Only the first listed group is expected to be authorized.
          expect(agent.authorized_groups).to contain_exactly(added_group)
        end
      end

      include_examples 'removing authorization' do
        let(:authorizations) { agent.authorized_groups }
      end
    end

    describe 'project authorization' do
      it 'refreshes authorizations for the agent' do
        expect(subject).to be_truthy
        # removed_project must be gone; only the projects named in config remain.
        expect(agent.authorized_projects).to contain_exactly(added_project, modified_project)

        expect(agent.project_authorizations.find_by(project: added_project).config)
          .to eq({ 'default_namespace' => 'default' })

        # The stored config must reflect the new value, not the seeded one.
        expect(agent.project_authorizations.find_by(project: modified_project).config)
          .to eq({ 'default_namespace' => 'new-namespace' })
      end

      context 'config contains too many projects' do
        # Lower the cap to 1 so the two-entry config exceeds it.
        before do
          stub_const("#{described_class}::AUTHORIZED_ENTITY_LIMIT", 1)
        end

        it 'authorizes projects up to the limit' do
          expect(subject).to be_truthy
          # Only the first listed project is expected to be authorized.
          expect(agent.authorized_projects).to contain_exactly(added_project)
        end
      end

      include_examples 'removing authorization' do
        let(:authorizations) { agent.authorized_projects }
      end
    end
  end
end