8b2fe985dd
Modifies authorize! method to accept a third param, and then use it in combination with 'add_cluster' policy to appropriately restrict adding multiple clusters Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/56110
467 lines
14 KiB
Ruby
467 lines
14 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
require 'spec_helper'
|
|
|
|
describe API::ProjectClusters do
|
|
include KubernetesHelpers
|
|
|
|
let(:current_user) { create(:user) }
|
|
let(:non_member) { create(:user) }
|
|
let(:project) { create(:project, :repository) }
|
|
|
|
before do
|
|
project.add_maintainer(current_user)
|
|
end
|
|
|
|
describe 'GET /projects/:id/clusters' do
|
|
let!(:extra_cluster) { create(:cluster, :provided_by_gcp, :project) }
|
|
|
|
let!(:clusters) do
|
|
create_list(:cluster, 5, :provided_by_gcp, :project, :production_environment,
|
|
projects: [project])
|
|
end
|
|
|
|
context 'non-authorized user' do
|
|
it 'should respond with 404' do
|
|
get api("/projects/#{project.id}/clusters", non_member)
|
|
|
|
expect(response).to have_gitlab_http_status(404)
|
|
end
|
|
end
|
|
|
|
context 'authorized user' do
|
|
before do
|
|
get api("/projects/#{project.id}/clusters", current_user)
|
|
end
|
|
|
|
it 'should respond with 200' do
|
|
expect(response).to have_gitlab_http_status(200)
|
|
end
|
|
|
|
it 'should include pagination headers' do
|
|
expect(response).to include_pagination_headers
|
|
end
|
|
|
|
it 'should only include authorized clusters' do
|
|
cluster_ids = json_response.map { |cluster| cluster['id'] }
|
|
|
|
expect(cluster_ids).to match_array(clusters.pluck(:id))
|
|
expect(cluster_ids).not_to include(extra_cluster.id)
|
|
end
|
|
end
|
|
end
|
|
|
|
describe 'GET /projects/:id/clusters/:cluster_id' do
|
|
let(:cluster_id) { cluster.id }
|
|
|
|
let(:platform_kubernetes) do
|
|
create(:cluster_platform_kubernetes, :configured,
|
|
namespace: 'project-namespace')
|
|
end
|
|
|
|
let(:cluster) do
|
|
create(:cluster, :project, :provided_by_gcp,
|
|
platform_kubernetes: platform_kubernetes,
|
|
user: current_user,
|
|
projects: [project])
|
|
end
|
|
|
|
context 'non-authorized user' do
|
|
it 'should respond with 404' do
|
|
get api("/projects/#{project.id}/clusters/#{cluster_id}", non_member)
|
|
|
|
expect(response).to have_gitlab_http_status(404)
|
|
end
|
|
end
|
|
|
|
context 'authorized user' do
|
|
before do
|
|
get api("/projects/#{project.id}/clusters/#{cluster_id}", current_user)
|
|
end
|
|
|
|
it 'returns specific cluster' do
|
|
expect(json_response['id']).to eq(cluster.id)
|
|
end
|
|
|
|
it 'returns cluster information' do
|
|
expect(json_response['provider_type']).to eq('gcp')
|
|
expect(json_response['platform_type']).to eq('kubernetes')
|
|
expect(json_response['environment_scope']).to eq('*')
|
|
expect(json_response['cluster_type']).to eq('project_type')
|
|
end
|
|
|
|
it 'returns project information' do
|
|
cluster_project = json_response['project']
|
|
|
|
expect(cluster_project['id']).to eq(project.id)
|
|
expect(cluster_project['name']).to eq(project.name)
|
|
expect(cluster_project['path']).to eq(project.path)
|
|
end
|
|
|
|
it 'returns kubernetes platform information' do
|
|
platform = json_response['platform_kubernetes']
|
|
|
|
expect(platform['api_url']).to eq('https://kubernetes.example.com')
|
|
expect(platform['namespace']).to eq('project-namespace')
|
|
expect(platform['ca_cert']).to be_present
|
|
end
|
|
|
|
it 'returns user information' do
|
|
user = json_response['user']
|
|
|
|
expect(user['id']).to eq(current_user.id)
|
|
expect(user['username']).to eq(current_user.username)
|
|
end
|
|
|
|
it 'returns GCP provider information' do
|
|
gcp_provider = json_response['provider_gcp']
|
|
|
|
expect(gcp_provider['cluster_id']).to eq(cluster.id)
|
|
expect(gcp_provider['status_name']).to eq('created')
|
|
expect(gcp_provider['gcp_project_id']).to eq('test-gcp-project')
|
|
expect(gcp_provider['zone']).to eq('us-central1-a')
|
|
expect(gcp_provider['machine_type']).to eq('n1-standard-2')
|
|
expect(gcp_provider['num_nodes']).to eq(3)
|
|
expect(gcp_provider['endpoint']).to eq('111.111.111.111')
|
|
end
|
|
|
|
context 'when cluster has no provider' do
|
|
let(:cluster) do
|
|
create(:cluster, :project, :provided_by_user,
|
|
projects: [project])
|
|
end
|
|
|
|
it 'should not include GCP provider info' do
|
|
expect(json_response['provider_gcp']).not_to be_present
|
|
end
|
|
end
|
|
|
|
context 'with non-existing cluster' do
|
|
let(:cluster_id) { 123 }
|
|
|
|
it 'returns 404' do
|
|
expect(response).to have_gitlab_http_status(404)
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
shared_context 'kubernetes calls stubbed' do
|
|
before do
|
|
stub_kubeclient_discover(api_url)
|
|
stub_kubeclient_get_namespace(api_url, namespace: namespace)
|
|
stub_kubeclient_get_service_account(api_url, "#{namespace}-service-account", namespace: namespace)
|
|
stub_kubeclient_put_service_account(api_url, "#{namespace}-service-account", namespace: namespace)
|
|
|
|
stub_kubeclient_get_secret(
|
|
api_url,
|
|
{
|
|
metadata_name: "#{namespace}-token",
|
|
token: Base64.encode64('sample-token'),
|
|
namespace: namespace
|
|
}
|
|
)
|
|
|
|
stub_kubeclient_put_secret(api_url, "#{namespace}-token", namespace: namespace)
|
|
stub_kubeclient_get_role_binding(api_url, "gitlab-#{namespace}", namespace: namespace)
|
|
stub_kubeclient_put_role_binding(api_url, "gitlab-#{namespace}", namespace: namespace)
|
|
end
|
|
end
|
|
|
|
describe 'POST /projects/:id/clusters/user' do
|
|
include_context 'kubernetes calls stubbed'
|
|
|
|
let(:api_url) { 'https://kubernetes.example.com' }
|
|
let(:namespace) { project.path }
|
|
let(:authorization_type) { 'rbac' }
|
|
|
|
let(:platform_kubernetes_attributes) do
|
|
{
|
|
api_url: api_url,
|
|
token: 'sample-token',
|
|
namespace: namespace,
|
|
authorization_type: authorization_type
|
|
}
|
|
end
|
|
|
|
let(:cluster_params) do
|
|
{
|
|
name: 'test-cluster',
|
|
platform_kubernetes_attributes: platform_kubernetes_attributes
|
|
}
|
|
end
|
|
|
|
context 'non-authorized user' do
|
|
it 'should respond with 404' do
|
|
post api("/projects/#{project.id}/clusters/user", non_member), params: cluster_params
|
|
|
|
expect(response).to have_gitlab_http_status(404)
|
|
end
|
|
end
|
|
|
|
context 'authorized user' do
|
|
before do
|
|
post api("/projects/#{project.id}/clusters/user", current_user), params: cluster_params
|
|
end
|
|
|
|
context 'with valid params' do
|
|
it 'should respond with 201' do
|
|
expect(response).to have_gitlab_http_status(201)
|
|
end
|
|
|
|
it 'should create a new Cluster::Cluster' do
|
|
cluster_result = Clusters::Cluster.find(json_response["id"])
|
|
platform_kubernetes = cluster_result.platform
|
|
|
|
expect(cluster_result).to be_user
|
|
expect(cluster_result).to be_kubernetes
|
|
expect(cluster_result.project).to eq(project)
|
|
expect(cluster_result.name).to eq('test-cluster')
|
|
expect(platform_kubernetes.rbac?).to be_truthy
|
|
expect(platform_kubernetes.api_url).to eq(api_url)
|
|
expect(platform_kubernetes.namespace).to eq(namespace)
|
|
expect(platform_kubernetes.token).to eq('sample-token')
|
|
end
|
|
end
|
|
|
|
context 'when user does not indicate authorization type' do
|
|
let(:platform_kubernetes_attributes) do
|
|
{
|
|
api_url: api_url,
|
|
token: 'sample-token',
|
|
namespace: namespace
|
|
}
|
|
end
|
|
|
|
it 'defaults to RBAC' do
|
|
cluster_result = Clusters::Cluster.find(json_response['id'])
|
|
|
|
expect(cluster_result.platform_kubernetes.rbac?).to be_truthy
|
|
end
|
|
end
|
|
|
|
context 'when user sets authorization type as ABAC' do
|
|
let(:authorization_type) { 'abac' }
|
|
|
|
it 'should create an ABAC cluster' do
|
|
cluster_result = Clusters::Cluster.find(json_response['id'])
|
|
|
|
expect(cluster_result.platform.abac?).to be_truthy
|
|
end
|
|
end
|
|
|
|
context 'with invalid params' do
|
|
let(:namespace) { 'invalid_namespace' }
|
|
|
|
it 'should respond with 400' do
|
|
expect(response).to have_gitlab_http_status(400)
|
|
end
|
|
|
|
it 'should not create a new Clusters::Cluster' do
|
|
expect(project.reload.clusters).to be_empty
|
|
end
|
|
|
|
it 'should return validation errors' do
|
|
expect(json_response['message']['platform_kubernetes.namespace'].first).to be_present
|
|
end
|
|
end
|
|
end
|
|
|
|
context 'when user tries to add multiple clusters' do
|
|
before do
|
|
create(:cluster, :provided_by_gcp, :project,
|
|
projects: [project])
|
|
|
|
post api("/projects/#{project.id}/clusters/user", current_user), params: cluster_params
|
|
end
|
|
|
|
it 'should respond with 403' do
|
|
expect(response).to have_gitlab_http_status(403)
|
|
end
|
|
|
|
it 'should return an appropriate message' do
|
|
expect(json_response['message']).to include('Instance does not support multiple Kubernetes clusters')
|
|
end
|
|
end
|
|
end
|
|
|
|
describe 'PUT /projects/:id/clusters/:cluster_id' do
|
|
include_context 'kubernetes calls stubbed'
|
|
|
|
let(:api_url) { 'https://kubernetes.example.com' }
|
|
let(:namespace) { 'new-namespace' }
|
|
let(:platform_kubernetes_attributes) { { namespace: namespace } }
|
|
|
|
let(:update_params) do
|
|
{
|
|
platform_kubernetes_attributes: platform_kubernetes_attributes
|
|
}
|
|
end
|
|
|
|
let!(:kubernetes_namespace) do
|
|
create(:cluster_kubernetes_namespace,
|
|
cluster: cluster,
|
|
project: project)
|
|
end
|
|
|
|
let(:cluster) do
|
|
create(:cluster, :project, :provided_by_gcp,
|
|
projects: [project])
|
|
end
|
|
|
|
context 'non-authorized user' do
|
|
it 'should respond with 404' do
|
|
put api("/projects/#{project.id}/clusters/#{cluster.id}", non_member), params: update_params
|
|
|
|
expect(response).to have_gitlab_http_status(404)
|
|
end
|
|
end
|
|
|
|
context 'authorized user' do
|
|
before do
|
|
put api("/projects/#{project.id}/clusters/#{cluster.id}", current_user), params: update_params
|
|
|
|
cluster.reload
|
|
end
|
|
|
|
context 'with valid params' do
|
|
it 'should respond with 200' do
|
|
expect(response).to have_gitlab_http_status(200)
|
|
end
|
|
|
|
it 'should update cluster attributes' do
|
|
expect(cluster.platform_kubernetes.namespace).to eq('new-namespace')
|
|
expect(cluster.kubernetes_namespace.namespace).to eq('new-namespace')
|
|
end
|
|
end
|
|
|
|
context 'with invalid params' do
|
|
let(:namespace) { 'invalid_namespace' }
|
|
|
|
it 'should respond with 400' do
|
|
expect(response).to have_gitlab_http_status(400)
|
|
end
|
|
|
|
it 'should not update cluster attributes' do
|
|
expect(cluster.platform_kubernetes.namespace).not_to eq('invalid_namespace')
|
|
expect(cluster.kubernetes_namespace.namespace).not_to eq('invalid_namespace')
|
|
end
|
|
|
|
it 'should return validation errors' do
|
|
expect(json_response['message']['platform_kubernetes.namespace'].first).to match('can contain only lowercase letters')
|
|
end
|
|
end
|
|
|
|
context 'with a GCP cluster' do
|
|
context 'when user tries to change GCP specific fields' do
|
|
let(:platform_kubernetes_attributes) do
|
|
{
|
|
api_url: 'https://new-api-url.com',
|
|
token: 'new-sample-token'
|
|
}
|
|
end
|
|
|
|
it 'should respond with 400' do
|
|
expect(response).to have_gitlab_http_status(400)
|
|
end
|
|
|
|
it 'should return validation error' do
|
|
expect(json_response['message']['platform_kubernetes.base'].first).to eq('Cannot modify managed Kubernetes cluster')
|
|
end
|
|
end
|
|
|
|
context 'when user tries to change namespace' do
|
|
let(:namespace) { 'new-namespace' }
|
|
|
|
it 'should respond with 200' do
|
|
expect(response).to have_gitlab_http_status(200)
|
|
end
|
|
end
|
|
end
|
|
|
|
context 'with an user cluster' do
|
|
let(:api_url) { 'https://new-api-url.com' }
|
|
|
|
let(:cluster) do
|
|
create(:cluster, :project, :provided_by_user,
|
|
projects: [project])
|
|
end
|
|
|
|
let(:platform_kubernetes_attributes) do
|
|
{
|
|
api_url: api_url,
|
|
namespace: 'new-namespace',
|
|
token: 'new-sample-token'
|
|
}
|
|
end
|
|
|
|
let(:update_params) do
|
|
{
|
|
name: 'new-name',
|
|
platform_kubernetes_attributes: platform_kubernetes_attributes
|
|
}
|
|
end
|
|
|
|
it 'should respond with 200' do
|
|
expect(response).to have_gitlab_http_status(200)
|
|
end
|
|
|
|
it 'should update platform kubernetes attributes' do
|
|
platform_kubernetes = cluster.platform_kubernetes
|
|
|
|
expect(cluster.name).to eq('new-name')
|
|
expect(platform_kubernetes.namespace).to eq('new-namespace')
|
|
expect(platform_kubernetes.api_url).to eq('https://new-api-url.com')
|
|
expect(platform_kubernetes.token).to eq('new-sample-token')
|
|
end
|
|
end
|
|
|
|
context 'with a cluster that does not belong to user' do
|
|
let(:cluster) { create(:cluster, :project, :provided_by_user) }
|
|
|
|
it 'should respond with 404' do
|
|
expect(response).to have_gitlab_http_status(404)
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
describe 'DELETE /projects/:id/clusters/:cluster_id' do
|
|
let(:cluster_params) { { cluster_id: cluster.id } }
|
|
|
|
let(:cluster) do
|
|
create(:cluster, :project, :provided_by_gcp,
|
|
projects: [project])
|
|
end
|
|
|
|
context 'non-authorized user' do
|
|
it 'should respond with 404' do
|
|
delete api("/projects/#{project.id}/clusters/#{cluster.id}", non_member), params: cluster_params
|
|
|
|
expect(response).to have_gitlab_http_status(404)
|
|
end
|
|
end
|
|
|
|
context 'authorized user' do
|
|
before do
|
|
delete api("/projects/#{project.id}/clusters/#{cluster.id}", current_user), params: cluster_params
|
|
end
|
|
|
|
it 'should respond with 204' do
|
|
expect(response).to have_gitlab_http_status(204)
|
|
end
|
|
|
|
it 'should delete the cluster' do
|
|
expect(Clusters::Cluster.exists?(id: cluster.id)).to be_falsy
|
|
end
|
|
|
|
context 'with a cluster that does not belong to user' do
|
|
let(:cluster) { create(:cluster, :project, :provided_by_user) }
|
|
|
|
it 'should respond with 404' do
|
|
expect(response).to have_gitlab_http_status(404)
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|