Restrict multiple clusters through API

Modifies authorize! method to accept a third param, and then use it in
combination with 'add_cluster' policy to appropriately restrict adding
multiple clusters

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/56110

changelogs/unreleased/56110-cluster-kubernetes-api-500-error-on-post-request.yml

@@ -0,0 +1,5 @@
+---
+title: Improves restriction of multiple Kubernetes clusters through API
+merge_request: 24251
+author:
+type: fixed

lib/api/helpers.rb

@@ -235,8 +235,8 @@ module API
       forbidden! unless current_user.admin?
     end
 
-    def authorize!(action, subject = :global)
-      forbidden! unless can?(current_user, action, subject)
+    def authorize!(action, subject = :global, reason = nil)
+      forbidden!(reason) unless can?(current_user, action, subject)
     end
 
     def authorize_push_project

lib/api/project_clusters.rb

@@ -63,7 +63,7 @@ module API
         use :create_params_ee
       end
       post ':id/clusters/user' do
-        authorize! :create_cluster, user_project
+        authorize! :add_cluster, user_project, 'Instance does not support multiple Kubernetes clusters'
 
         user_cluster = ::Clusters::CreateService
           .new(current_user, create_cluster_user_params)

spec/requests/api/project_clusters_spec.rb

@@ -266,6 +266,23 @@ describe API::ProjectClusters do
         end
       end
     end
+
+    context 'when user tries to add multiple clusters' do
+      before do
+        create(:cluster, :provided_by_gcp, :project,
+               projects: [project])
+
+        post api("/projects/#{project.id}/clusters/user", current_user), params: cluster_params
+      end
+
+      it 'should respond with 403' do
+        expect(response).to have_gitlab_http_status(403)
+      end
+
+      it 'should return an appropriate message' do
+        expect(json_response['message']).to include('Instance does not support multiple Kubernetes clusters')
+      end
+    end
   end
 
   describe 'PUT /projects/:id/clusters/:cluster_id' do