diff --git a/app/policies/clusters/agent_policy.rb b/app/policies/clusters/agent_policy.rb
index fd50b22c9936d42aaffc9b0757070d1fe65f100d..6ceae803f6764f2f26887323b96eaf5f5a310f6c 100644
--- a/app/policies/clusters/agent_policy.rb
+++ b/app/policies/clusters/agent_policy.rb
@@ -6,6 +6,10 @@ class AgentPolicy < BasePolicy
delegate { cluster_agent.project }
+ condition(:admin_agent) do
+ Ability.allowed?(@user, :owner_access, @subject.project)
+ end
+
# This condition is more expensive than the same permission check in ProjectPolicy,
# so having a higher score.
condition(:ci_access_authorized_agent, score: 10) do
diff --git a/ee/app/graphql/mutations/remote_development/namespace_cluster_agent_mapping_operations/create.rb b/ee/app/graphql/mutations/remote_development/namespace_cluster_agent_mapping_operations/create.rb
index fd6c91161cd227cb19e35b8ac97565297c9cc5c4..ae0bdbc230d21979a48700cf33733005fd287852 100644
--- a/ee/app/graphql/mutations/remote_development/namespace_cluster_agent_mapping_operations/create.rb
+++ b/ee/app/graphql/mutations/remote_development/namespace_cluster_agent_mapping_operations/create.rb
@@ -25,9 +25,13 @@ def resolve(args)
raise_resource_not_available_error!("'remote_development' licensed feature is not available")
end
+ # Authorize the user on the Group as the subject for the ability
namespace_id = args.delete(:namespace_id)
namespace = authorized_find!(id: namespace_id)
+ # Authorize the user on the Agent(which delegates to the Project) as the subject for the ability,
+ # this second call is needed as the agent might not be in the same namespace that
+ # we previously authorized against.
cluster_agent_id = args.delete(:cluster_agent_id)
cluster_agent = authorized_find!(id: cluster_agent_id)
diff --git a/ee/app/policies/ee/organizations/organization_policy.rb b/ee/app/policies/ee/organizations/organization_policy.rb
index a2eb01180b7cc59115bb6c18b2fe6a11df1f5a2b..ff372bee6be7743c7cbaeeb9f65c40e9c79467f8 100644
--- a/ee/app/policies/ee/organizations/organization_policy.rb
+++ b/ee/app/policies/ee/organizations/organization_policy.rb
@@ -7,6 +7,8 @@ module OrganizationPolicy
extend ::Gitlab::Utils::Override
prepended do
+ include RemoteDevelopment::OrganizationPolicy
+
condition(:dependency_scanning_enabled) do
License.feature_available?(:dependency_scanning)
end
diff --git a/ee/app/policies/remote_development/agent_policy.rb b/ee/app/policies/remote_development/agent_policy.rb
index 984040837264f5e1d087f6a5398dff8a26896fc6..2f491c937da4ec7b2fb209358d4d08abd8c6d5d0 100644
--- a/ee/app/policies/remote_development/agent_policy.rb
+++ b/ee/app/policies/remote_development/agent_policy.rb
@@ -5,7 +5,11 @@ module AgentPolicy
extend ActiveSupport::Concern
included do
- rule { can?(:owner_access) }.enable :admin_remote_development_cluster_agent_mapping
+ rule { admin_agent }.policy do
+ enable :admin_organization_cluster_agent_mapping
+ enable :admin_remote_development_cluster_agent_mapping
+ end
+
rule { can?(:maintainer_access) }.enable :read_remote_development_cluster_agent_mapping
end
end
diff --git a/ee/app/policies/remote_development/group_policy.rb b/ee/app/policies/remote_development/group_policy.rb
index 3e1da363911c76b9860459824609d630b844c804..ad0ccc95354cc435065b65153ffe1f08ba551642 100644
--- a/ee/app/policies/remote_development/group_policy.rb
+++ b/ee/app/policies/remote_development/group_policy.rb
@@ -5,7 +5,7 @@ module GroupPolicy
extend ActiveSupport::Concern
included do
- rule { can?(:owner_access) }.enable :admin_remote_development_cluster_agent_mapping
+ rule { can?(:admin_namespace) }.enable :admin_remote_development_cluster_agent_mapping
rule { can?(:maintainer_access) }.enable :read_remote_development_cluster_agent_mapping
end
end
diff --git a/ee/app/policies/remote_development/organization_policy.rb b/ee/app/policies/remote_development/organization_policy.rb
new file mode 100644
index 0000000000000000000000000000000000000000..2da0da95d182d040cce3951084d505513fd0ce36
--- /dev/null
+++ b/ee/app/policies/remote_development/organization_policy.rb
@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module RemoteDevelopment
+ module OrganizationPolicy
+ extend ActiveSupport::Concern
+
+ included do
+ rule { can?(:admin_organization) }.policy do
+ enable :admin_organization_cluster_agent_mapping
+ enable :read_organization_cluster_agent_mapping
+ end
+
+ rule { organization_user }.enable :read_organization_cluster_agent_mapping
+ end
+ end
+end
diff --git a/ee/app/policies/remote_development/workspace_policy.rb b/ee/app/policies/remote_development/workspace_policy.rb
index ef9d7db81af0de45fcaa38c7ef386f1180e159e0..3295783ea63eb3742642ed4f62ab39b2270429bc 100644
--- a/ee/app/policies/remote_development/workspace_policy.rb
+++ b/ee/app/policies/remote_development/workspace_policy.rb
@@ -7,18 +7,6 @@ class WorkspacePolicy < BasePolicy
condition(:can_admin_cluster_agent_for_workspace) { can?(:admin_cluster, workspace.agent) }
condition(:can_admin_owned_workspace) { workspace_owner? && has_developer_access_to_workspace_project? }
- # NOTE: We use the following guidelines to make this policy more performant and easier to debug
- #
- # 1. Avoid booleans when composing rules, prefer one policy block per condition
- # 2. Place prevent rules first (for performance)
- # 3. Place less-expensive rules first (for performance)
- #
- # ADDITIONAL NOTES:
- #
- # - All "prevent" rules which check conditions for non-anonymous users must be prepended with `~admin &`
- # - For documentation on the Declarative Policy framework, see: https://docs.gitlab.com/ee/development/policies.html
- # - For instructions on debugging policies, see: https://docs.gitlab.com/ee/development/permissions/custom_roles.html#refactoring-abilities
-
rule { ~can_access_workspaces_feature }.policy do
prevent :read_workspace
prevent :update_workspace
diff --git a/ee/lib/remote_development/README.md b/ee/lib/remote_development/README.md
index 6f0b380ad5995446c8aa0d3f615f761fbb72ee51..8211f92380cba6e8ffb47d59d7b09bca23ddae1c 100644
--- a/ee/lib/remote_development/README.md
+++ b/ee/lib/remote_development/README.md
@@ -40,7 +40,6 @@
- [Passing information along the ROP chain](#passing-information-along-the-rop-chain)
- [Enforcement of patterns](#enforcement-of-patterns)
- [Testing levels for the Workspaces feature](#testing-levels-for-the-workspaces-feature)
-- [Testing DeclarativePolicy authorization policies](#testing-declarativepolicy-authorization-policies)
- [Testing ROP main classes](#testing-rop-main-classes)
- [Matcher API](#matcher-api)
- [Matcher entry](#matcher-entry)
@@ -64,6 +63,10 @@
- [Usage of ENV vars to override settings at the instance level](#usage-of-env-vars-to-override-settings-at-the-instance-level)
- [`workspaces_agent_configs` versioning](#workspaces_agent_configs-versioning)
- [How is `workspaces` linked with versioned `workspaces_agent_configs`?](#how-is-workspaces-linked-with-versioned-workspaces_agent_configs)
+- [Using the DeclarativePolicy authorization framework](#using-the-declarativepolicy-authorization-framework)
+ - [DeclarativePolicy guidelines](#declarativepolicy-guidelines)
+ - [Testing DeclarativePolicy authorization policies](#testing-declarativepolicy-authorization-policies)
+ - [Guidelines for writing tests using this pattern](#guidelines-for-writing-tests-using-this-pattern)
- [FAQ](#faq)
- [Why is the Result class in the top level lib directory?](#why-is-the-result-class-in-the-top-level-lib-directory)
- [What are all the `noinspection` comments in the code?](#what-are-all-the-noinspection-comments-in-the-code)
@@ -794,73 +797,6 @@ We also have a video of a pairing session where we discuss the testing pyramid a
* **[Video of pairing session discussing Workspaces feature testing levels](https://youtu.be/wFI9ijOP-98?si=JdNc1JJYQd84hM_Q&t=418)**
-## Testing DeclarativePolicy authorization policies
-
-The matrix pattern is our standard approach for testing policies in the remote development domain. This pattern helps test different permission combinations systematically and ensures consistent test coverage across policy changes.
-
-Use this pattern when testing policies that require checking multiple permission combinations and edge cases, especially those involving:
-
-- User roles and permissions
-- Feature flags and licenses
-- Administrative access levels
-- Project based permissions
-
-Define your test matrix using the `where` block
-
-Example:
-```ruby
- # Test matrix
- where(:admin, :admin_mode, :licensed, :role_on_project, :allowed) do
- true | true | true | :none | true | # admin with admin mode: allowed
- true | false | true | :none | false | # admin without admin mode: not allowed
- false | false | true | :maintainer | true | # maintainer access: allowed
- false | false | true | :developer | false | # insufficient access: not allowed
- false | false | false | :maintainer | false | # not licensed: not allowed
- end
-```
-
-The spec matrix should include columns for:
-
-- Administrative flags (admin role, admin mode)
-- Feature flags and licensing (if applicable)
-- User role on a specific project
-- Expected outcome (:allowed -> true/false)
-- Comment explaining each test case
-
-For available user roles, refer to: https://docs.gitlab.com/ee/user/permissions.html#roles
-
-### Guidelines for writing tests using this pattern
-- Users can have multiple roles so it is important to test all edge cases such as insufficient permissions, missing licenses, conflicting roles
-- Order columns logically (admin → roles → outcome)
-- Group related scenarios together
-- Test both positive and negative cases
-- Verify fixture relationships in sanity checks
-- Include the `debug_policies` helper for troubleshooting
-- Note that the `debug_policies` is specific to each policy, so each spec/context has its own version.
- It would likely introduce unnecessary complexity to try to generalize/abstract it, so we leave it inline in each spec file.
-- We are also OK with permanently committing this "debug code" to each of the policy spec files, because it's not intuitive
- or straightforward to figure out how to recreate it. So, we leave it here to make it easier for future devs to easily enable
- and use if needed.
-
-
-```ruby
- # NOTE: Leaving this method here for future use. You can also set GITLAB_DEBUG_POLICIES=1. For more details, see:
- # https://docs.gitlab.com/ee/development/permissions/custom_roles.html#refactoring-abilities
- # This may be generalized in the future for use across all policy specs
- # Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/463453
- def debug_policies(user, workspace, policy_class, ability)
- puts "\n\nPolicy debug for #{policy_class} policy:\n"
- puts "user: #{user.username} (id: #{user.id}, admin: #{user.admin?}, " \
- "admin_mode: #{user && Gitlab::Auth::CurrentUserMode.new(user).admin_mode?}" \
- ")\n"
-
- policy = policy_class.new(user, workspace)
- puts "debugging :#{ability} ability:\n\n"
- pp policy.debug(ability)
- puts "\n\n"
- end
-```
-
## Testing ROP main classes
The ROP main class called by the service layer depends on ROP step classes chained together to execute functionality. Testing the ROP main class which mainly entails asserting the right
@@ -1285,6 +1221,92 @@ foo.save! # => A new agent version is created
bar.reload.workspaces_agent_config # => workspaces_per_user_quota: 10
```
+## Using the DeclarativePolicy authorization framework
+
+### DeclarativePolicy guidelines
+
+We use the following guidelines to make policies more performant and easier to debug:
+
+1. Avoid booleans when composing rules, prefer one policy block per condition
+1. Avoid delegating to indirect policies we depend on; prefer explicit checks. See [this comment](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/180565#note_2369173516) and [this thread](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/180565#note_2371102626) for rationale
+1. Place prevent rules first (for performance)
+1. Place less-expensive rules first (for performance)
+
+Additional notes:
+
+- All "prevent" rules which check conditions for non-anonymous users must be prepended with `~admin &`
+- For documentation on the Declarative Policy framework, see: https://docs.gitlab.com/ee/development/policies.html
+- For instructions on debugging policies, see: https://docs.gitlab.com/ee/development/permissions/custom_roles.html#refactoring-abilities
+
+### Testing DeclarativePolicy authorization policies
+
+The matrix pattern is our standard approach for testing policies in the remote development domain. This pattern helps test different permission combinations systematically and ensures consistent test coverage across policy changes.
+
+Use this pattern when testing policies that require checking multiple permission combinations and edge cases, especially those involving:
+
+- User roles and permissions
+- Feature flags and licenses
+- Administrative access levels
+- Project based permissions
+
+Define your test matrix using the `where` block
+
+Example:
+```ruby
+ # Test matrix
+ where(:admin, :admin_mode, :licensed, :role_on_project, :allowed) do
+ true | true | true | :none | true | # admin with admin mode: allowed
+ true | false | true | :none | false | # admin without admin mode: not allowed
+ false | false | true | :maintainer | true | # maintainer access: allowed
+ false | false | true | :developer | false | # insufficient access: not allowed
+ false | false | false | :maintainer | false | # not licensed: not allowed
+ end
+```
+
+The spec matrix should include columns for:
+
+- Administrative flags (admin role, admin mode)
+- Feature flags and licensing (if applicable)
+- User role on a specific project
+- Expected outcome (:allowed -> true/false)
+- Comment explaining each test case
+
+For available user roles, refer to: https://docs.gitlab.com/ee/user/permissions.html#roles
+
+### Guidelines for writing tests using this pattern
+
+- Users can have multiple roles so it is important to test all edge cases such as insufficient permissions, missing licenses, conflicting roles
+- Order columns logically (admin → roles → outcome)
+- Group related scenarios together
+- Test both positive and negative cases
+- Verify fixture relationships in sanity checks
+- Include the `debug_policies` helper for troubleshooting
+- Note that the `debug_policies` is specific to each policy, so each spec/context has its own version.
+ It would likely introduce unnecessary complexity to try to generalize/abstract it, so we leave it inline in each spec file.
+- We are also OK with permanently committing this "debug code" to each of the policy spec files, because it's not intuitive
+ or straightforward to figure out how to recreate it. So, we leave it here to make it easier for future devs to easily enable
+ and use if needed.
+
+
+```ruby
+ # NOTE: Leaving this method here for future use. You can also set GITLAB_DEBUG_POLICIES=1. For more details, see:
+ # https://docs.gitlab.com/ee/development/permissions/custom_roles.html#refactoring-abilities
+ # This may be generalized in the future for use across all policy specs
+ # Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/463453
+ def debug_policies(user, workspace, policy_class, ability)
+ puts "\n\nPolicy debug for #{policy_class} policy:\n"
+ puts "user: #{user.username} (id: #{user.id}, admin: #{user.admin?}, " \
+ "admin_mode: #{user && Gitlab::Auth::CurrentUserMode.new(user).admin_mode?}" \
+ ")\n"
+
+ policy = policy_class.new(user, workspace)
+ puts "debugging :#{ability} ability:\n\n"
+ pp policy.debug(ability)
+ puts "\n\n"
+ end
+```
+
+
## FAQ
### Why is the Result class in the top level lib directory?
diff --git a/ee/lib/remote_development/namespace_cluster_agent_mapping_operations/create/cluster_agent_validator.rb b/ee/lib/remote_development/namespace_cluster_agent_mapping_operations/create/cluster_agent_validator.rb
index b1f98d4aa7349a16e0f12f32897854b7d6d98141..4faf408d0c2efd891527241c618e533245ef0fdc 100644
--- a/ee/lib/remote_development/namespace_cluster_agent_mapping_operations/create/cluster_agent_validator.rb
+++ b/ee/lib/remote_development/namespace_cluster_agent_mapping_operations/create/cluster_agent_validator.rb
@@ -14,6 +14,7 @@ def self.validate(context)
cluster_agent: Clusters::Agent => cluster_agent,
}
+ # Verify the agent's project is in the same namespace as the namespace we intend to map it to.
unless cluster_agent.project.project_namespace.traversal_ids.exclude?(namespace.id)
return Gitlab::Fp::Result.ok(context)
end
diff --git a/ee/spec/policies/remote_development/agent_policy_spec.rb b/ee/spec/policies/remote_development/agent_policy_spec.rb
index a437c48adbf4f0c351f440850ee2c43efca7de8b..4eba11419fb2587045fb7a06a456f5c52a1bebd5 100644
--- a/ee/spec/policies/remote_development/agent_policy_spec.rb
+++ b/ee/spec/policies/remote_development/agent_policy_spec.rb
@@ -6,8 +6,8 @@
include AdminModeHelper
using RSpec::Parameterized::TableSyntax
- let_it_be(:agent) { create(:ee_cluster_agent) }
- let_it_be(:project) { agent.project }
+ let_it_be(:agent, reload: true) { create(:ee_cluster_agent) }
+ let_it_be(:project, reload: true) { agent.project }
let_it_be(:admin_in_non_admin_mode) { create(:admin) }
let_it_be(:admin_in_admin_mode) { create(:admin) }
let_it_be(:owner) { create(:user, owner_of: [project]) }
@@ -43,6 +43,35 @@
end
end
+ describe ':admin_organization_cluster_agent_mapping' do
+ let(:ability) { :admin_organization_cluster_agent_mapping }
+ let_it_be(:organization_owner) { create(:user, owner_of: project.organization) }
+
+ where(:user, :result) do
+ ref(:guest) | false
+ ref(:reporter) | false
+ ref(:developer) | false
+ ref(:maintainer) | false
+ ref(:owner) | true
+ ref(:admin_in_non_admin_mode) | false
+ ref(:admin_in_admin_mode) | true
+ ref(:organization_owner) | true
+ end
+
+ with_them do
+ subject(:policy_instance) { Clusters::AgentPolicy.new(user, agent) }
+
+ before do
+ enable_admin_mode!(admin_in_admin_mode) if user == admin_in_admin_mode
+
+ debug = false # Set to true to enable debugging of policies, but change back to false before committing
+ debug_policies(user, agent, Clusters::AgentPolicy, ability) if debug
+ end
+
+ it { expect(policy_instance.allowed?(ability)).to eq(result) }
+ end
+ end
+
describe ':read_remote_development_cluster_agent_mapping' do
let(:ability) { :read_remote_development_cluster_agent_mapping }
@@ -74,13 +103,21 @@
# https://docs.gitlab.com/ee/development/permissions/custom_roles.html#refactoring-abilities
# This may be generalized in the future for use across all policy specs
# Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/463453
+ #
+ # @param user [User] the user making the request.
+ # @param agent [Clusters::Agent] the agent that is the subject of the request.
+ # @param policy_class [Clusters::AgentPolicy] the policy class.
+ # @param ability [Symbol] the ability needed by the user to allow the request.
+ # @return [nil] This method does not return any value.
def debug_policies(user, agent, policy_class, ability)
puts "\n\nPolicy debug for #{policy_class} policy:\n"
puts "user: #{user.username} (id: #{user.id}, admin: #{user.admin?}, " \
"admin_mode: #{user && Gitlab::Auth::CurrentUserMode.new(user).admin_mode?}, " \
"agent.project.owners: #{agent.project.owners.to_a}, " \
+ "agent.project.organization.organization_users.owners: " \
+ "#{agent.project.organization.organization_users.owners.to_a}, " \
"agent.project.maintainers: #{agent.project.maintainers.to_a}" \
- ")\n"
+ ")"
policy = policy_class.new(user, agent)
puts "debugging :#{ability} ability:\n\n"
diff --git a/ee/spec/policies/remote_development/group_policy_spec.rb b/ee/spec/policies/remote_development/group_policy_spec.rb
index 389105d2d912ec6312e13f3ef8d8943ddb0ef68d..111b5cf21852f67669d303987bdd37953875a193 100644
--- a/ee/spec/policies/remote_development/group_policy_spec.rb
+++ b/ee/spec/policies/remote_development/group_policy_spec.rb
@@ -87,6 +87,12 @@
# https://docs.gitlab.com/ee/development/permissions/custom_roles.html#refactoring-abilities
# This may be generalized in the future for use across all policy specs
# Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/463453
+ #
+ # @param user [User] the user making the request.
+ # @param group [Group] the group that is the subject of the request.
+ # @param policy_class [GroupPolicy] the policy class.
+ # @param ability [Symbol] the ability needed by the user to allow the request.
+ # @return [nil] This method does not return any value.
def debug_policies(user, group, policy_class, ability)
puts "\n\nPolicy debug for #{policy_class} policy:\n"
puts "user: #{user.username} (id: #{user.id}, admin: #{user.admin?}, " \
diff --git a/ee/spec/policies/remote_development/organization_policy_spec.rb b/ee/spec/policies/remote_development/organization_policy_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..5d7a5a44e881645508e5df8163a052a24b77c772
--- /dev/null
+++ b/ee/spec/policies/remote_development/organization_policy_spec.rb
@@ -0,0 +1,111 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+# noinspection RubyArgCount -- https://handbook.gitlab.com/handbook/tools-and-tips/editors-and-ides/jetbrains-ides/tracked-jetbrains-issues/#ruby-31542
+RSpec.describe RemoteDevelopment::OrganizationPolicy, feature_category: :workspaces do
+ include AdminModeHelper
+ using RSpec::Parameterized::TableSyntax
+
+ let_it_be(:organization) { create(:organization) }
+ let_it_be(:non_org_user) { create(:user) }
+
+ let_it_be(:organization_user) do
+ user = create(:user)
+ create(:organization_user, organization: organization, user: user)
+ user
+ end
+
+ let_it_be(:organization_owner) { create(:user, owner_of: organization) }
+ let_it_be(:admin_in_admin_mode) { create(:user, :admin) }
+ let_it_be(:admin_not_in_admin_mode) { create(:user, :admin) }
+
+ describe ':admin_organization_cluster_agent_mapping' do
+ let(:ability) { :admin_organization_cluster_agent_mapping }
+
+ where(:policy_class, :user, :result) do
+ # In the future, there is a possibility that a common policy module may have to be mixed in to multiple
+ # target policy types for ex. ProjectNamespacePolicy or UserNamespacePolicy. As a result, the policy_class
+ # has been parameterized to accommodate different values that may exist in the future
+ #
+ # See the following issues for more details:
+ # - https://gitlab.com/gitlab-org/gitlab/-/issues/417894
+ # - https://gitlab.com/gitlab-org/gitlab/-/issues/454934#note_1867678918
+ Organizations::OrganizationPolicy | ref(:organization_user) | false
+ Organizations::OrganizationPolicy | ref(:admin_not_in_admin_mode) | false
+ Organizations::OrganizationPolicy | ref(:non_org_user) | false
+ Organizations::OrganizationPolicy | ref(:admin_in_admin_mode) | true
+ Organizations::OrganizationPolicy | ref(:organization_owner) | true
+ end
+
+ with_them do
+ subject(:policy_instance) { policy_class.new(user, organization) }
+
+ before do
+ enable_admin_mode!(admin_in_admin_mode) if user == admin_in_admin_mode
+ debug = false # Set to true to enable debugging of policies, but change back to false before committing
+ debug_policies(user, organization, policy_class, ability) if debug
+ end
+
+ it { expect(policy_instance.allowed?(ability)).to eq(result) }
+ end
+ end
+
+ describe ':read_organization_cluster_agent_mapping' do
+ let(:ability) { :read_organization_cluster_agent_mapping }
+
+ where(:policy_class, :user, :result) do
+ # In the future, there is a possibility that a common policy module may have to be mixed in to multiple
+ # target policy types for ex. ProjectNamespacePolicy or UserNamespacePolicy. As a result, the policy_class
+ # has been parameterized to accommodate different values that may exist in the future
+ #
+ # See the following issues for more details:
+ # - https://gitlab.com/gitlab-org/gitlab/-/issues/417894
+ # - https://gitlab.com/gitlab-org/gitlab/-/issues/454934#note_1867678918
+ Organizations::OrganizationPolicy | ref(:organization_user) | true
+ Organizations::OrganizationPolicy | ref(:organization_owner) | true
+ Organizations::OrganizationPolicy | ref(:admin_in_admin_mode) | true
+ Organizations::OrganizationPolicy | ref(:admin_not_in_admin_mode) | false
+ Organizations::OrganizationPolicy | ref(:non_org_user) | false
+ end
+
+ with_them do
+ subject(:policy_instance) { policy_class.new(user, organization) }
+
+ before do
+ enable_admin_mode!(admin_in_admin_mode) if user == admin_in_admin_mode
+ debug = false # Set to true to enable debugging of policies, but change back to false before committing
+ debug_policies(user, organization, policy_class, ability) if debug
+ end
+
+ it { expect(policy_instance.allowed?(ability)).to eq(result) }
+ end
+ end
+
+ # NOTE: Leaving this method here for future use. You can also set GITLAB_DEBUG_POLICIES=1. For more details, see:
+ # https://docs.gitlab.com/ee/development/permissions/custom_roles.html#refactoring-abilities
+ # This may be generalized in the future for use across all policy specs
+ # Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/463453
+ #
+ # @param user [User] the user making the request.
+ # @param org [Organizations::Organization] the organization that is the subject of the request.
+ # @param policy_class [Organizations::OrganizationPolicy] the policy class.
+ # @param ability [Symbol] the ability needed by the user to allow the request.
+ # @return [nil] This method does not return any value.
+ def debug_policies(user, org, policy_class, ability)
+ org_user = user.organization_users.find { |org_user| org_user.organization.id == org.id }
+ org_owners = Organizations::OrganizationUser.owners.filter { |owner| owner.organization_id == org.id }
+ puts "\n\nPolicy debug for #{policy_class} policy:\n"
+ puts "user: #{user.username} (id: #{user.id}, admin: #{user.admin?}, " \
+ "admin_mode: #{user && Gitlab::Auth::CurrentUserMode.new(user).admin_mode?}" \
+ ")\n"
+ puts "org: #{org.name} (id: #{org.id}, " \
+ "owners: #{org_owners} " \
+ "user access level in org: #{org_user&.access_level || 'not in org'}" \
+
+ policy = policy_class.new(user, org)
+ puts "debugging :#{ability} ability:\n\n"
+ pp policy.debug(ability)
+ puts "\n\n"
+ end
+end
diff --git a/ee/spec/policies/remote_development/workspace_policy_spec.rb b/ee/spec/policies/remote_development/workspace_policy_spec.rb
index 23d2d3f844af3aa26ddfce7e1e9ecfc604a28be1..544193504ad972d8437a6b144cddc27d6b612c28 100644
--- a/ee/spec/policies/remote_development/workspace_policy_spec.rb
+++ b/ee/spec/policies/remote_development/workspace_policy_spec.rb
@@ -98,6 +98,12 @@
# https://docs.gitlab.com/ee/development/permissions/custom_roles.html#refactoring-abilities
# This may be generalized in the future for use across all policy specs
# Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/463453
+ #
+ # @param user [User] the user making the request.
+ # @param workspace [RemoteDevelopment::Workspace] the workspace that is the subject of the request.
+ # @param policy_class [RemoteDevelopment::WorkspacePolicy] the policy class.
+ # @param ability [Symbol] the ability needed by the user to allow the request.
+ # @return [nil] This method does not return any value.
def debug_policies(user, workspace, policy_class, ability)
puts "\n\nPolicy debug for #{policy_class} policy:\n"
puts "user: #{user.username} (id: #{user.id}, admin: #{user.admin?}, " \
diff --git a/ee/spec/policies/remote_development/workspace_variable_policy_spec.rb b/ee/spec/policies/remote_development/workspace_variable_policy_spec.rb
index 6db73ccdffdbae67b3cdaed59fb394c797ad1010..3b1dbdb64204d1acba15cf4a97135dda373007f9 100644
--- a/ee/spec/policies/remote_development/workspace_variable_policy_spec.rb
+++ b/ee/spec/policies/remote_development/workspace_variable_policy_spec.rb
@@ -94,6 +94,13 @@
# https://docs.gitlab.com/ee/development/permissions/custom_roles.html#refactoring-abilities
# This may be generalized in the future for use across all policy specs
# Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/463453
+ #
+ # @param user [User] the user making the request.
+ # @param workspace_variable [RemoteDevelopment::Enums::Workspace::WORKSPACE_VARIABLE_TYPES]
+ # the workspace variable that is the subject of the request.
+ # @param policy_class [RemoteDevelopment::WorkspaceVariablePolicy] the policy class.
+ # @param ability [Symbol] the ability needed by the user to allow the request.
+ # @return [nil] This method does not return any value.
def debug_policies(user, workspace_variable, policy_class, ability)
puts "\n\nPolicy debug for #{policy_class} policy:\n"
puts "user: #{user.username} (id: #{user.id}, admin: #{user.admin?}, " \