未验证 提交 a5d687b0 编辑于 作者: Jarka Košanová's avatar Jarka Košanová 提交者: GitLab

Merge branch '439167-restrict-member-roles-ff' into 'master'

Allow creation of group-level roles on self-managed instances

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/142637



Merged-by: default avatarJarka Košanová <jarka@gitlab.com>
Approved-by: default avatarHarsha Muralidhar <hmuralidhar@gitlab.com>
Approved-by: default avatarJarka Košanová <jarka@gitlab.com>
Approved-by: default avatarVijay Hawoldar <vhawoldar@gitlab.com>
Reviewed-by: default avatarVijay Hawoldar <vhawoldar@gitlab.com>
Reviewed-by: default avatarHinam Mehra <hmehra@gitlab.com>
Co-authored-by: default avatarHinam Mehra <hmehra@gitlab.com>
...@@ -49,7 +49,7 @@ def authorize_admin_roles!(group) ...@@ -49,7 +49,7 @@ def authorize_admin_roles!(group)
end end
def authorize_group_member_roles!(group) def authorize_group_member_roles!(group)
raise_resource_not_available_error! unless saas? raise_resource_not_available_error! if restrict_member_roles? && !saas?
raise_resource_not_available_error! unless Ability.allowed?(current_user, :admin_member_role, group) raise_resource_not_available_error! unless Ability.allowed?(current_user, :admin_member_role, group)
raise_resource_not_available_error! unless group.custom_roles_enabled? raise_resource_not_available_error! unless group.custom_roles_enabled?
end end
...@@ -75,6 +75,10 @@ def canonicalize(args) ...@@ -75,6 +75,10 @@ def canonicalize(args)
new_args[permission.downcase] = true new_args[permission.downcase] = true
end end
end end
def restrict_member_roles?
Feature.enabled?(:restrict_member_roles, type: :beta)
end
end end
end end
end end
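Review bot: The new guard `raise_resource_not_available_error! if restrict_member_roles? && !saas?` evaluates the `Feature.enabled?` lookup before the cheap `saas?` predicate, so every SaaS request pays for a flag lookup whose result it can never act on; `raise_resource_not_available_error! if !saas? && restrict_member_roles?` gives the same outcome with the short-circuit in the useful direction. Because the flag is phrased as a restriction and, per the accompanying definition, ships with `default_enabled: false`, this method now permits group-level roles on self-managed unless an operator turns the flag on, which is the inverse of the usual "flag enables feature" reading and deserves a comment above the guard such as `# Self-managed instances may create group-level roles; :restrict_member_roles is a kill-switch that re-imposes the SaaS-only rule.`. The `Ability.allowed?(current_user, :admin_member_role, group)` check on the following line is unchanged and remains the sole authorization boundary on the newly opened path, so it is worth stating in that comment that the flag is operational, not an access control. The enclosing class and `authorize_admin_roles!` begin outside the hunk.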
---
name: restrict_member_roles
feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/439167
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/142637
rollout_issue_url: https://gitlab.com/gitlab-com/gl-infra/production/-/issues/17458
milestone: '16.9'
group: group::authorization
type: beta
default_enabled: false
\ No newline at end of file
...@@ -11,10 +11,6 @@ ...@@ -11,10 +11,6 @@
let(:permission_name) { permission.to_s.humanize } let(:permission_name) { permission.to_s.humanize }
let(:access_level) { 'Developer' } let(:access_level) { 'Developer' }
before_all do
sign_in(admin)
end
before do before do
stub_licensed_features(custom_roles: true) stub_licensed_features(custom_roles: true)
end end
...@@ -37,21 +33,45 @@ def created_role(name, id, access_level, permissions) ...@@ -37,21 +33,45 @@ def created_role(name, id, access_level, permissions)
before do before do
allow(Gitlab::CustomRoles::Definition).to receive(:all).and_return(permissions) allow(Gitlab::CustomRoles::Definition).to receive(:all).and_return(permissions)
visit admin_application_settings_roles_and_permissions_path gitlab_sign_in(admin)
end
shared_examples 'creates a new custom role' do
it 'and displays it' do
create_role(access_level, name, [permission_name])
created_member_role = MemberRole.find_by(
name: name,
base_access_level: Gitlab::Access.options[access_level],
permission => true)
expect(created_member_role).not_to be_nil
role = created_role(name, created_member_role.id, access_level, [permission_name])
expect(page).to have_content(role)
end
end end
it 'creates a new custom role' do context 'when on self-managed' do
create_role(access_level, name, [permission_name]) before do
stub_saas_features(group_custom_roles: false)
visit admin_application_settings_roles_and_permissions_path
end
it_behaves_like 'creates a new custom role'
end
created_member_role = MemberRole.find_by( context 'when on SaaS', :saas do
name: name, before do
base_access_level: Gitlab::Access.options[access_level], visit admin_application_settings_roles_and_permissions_path
permission => true) end
expect(created_member_role).not_to be_nil it 'shows an error message' do
create_role(access_level, name, [permission_name])
role = created_role(name, created_member_role.id, access_level, [permission_name]) expect(page).to have_content('Failed to create role')
expect(page).to have_content(role) end
end end
end end
end end
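Review bot: The new `'when on SaaS'` example asserts only that the page shows `'Failed to create role'`, which proves the flash message but not that the instance-level role was rejected before persistence; a denial test for an authorization boundary should also pin the absence of the side effect. Wrapping the action as `expect { create_role(access_level, name, [permission_name]) }.not_to change { MemberRole.count }` and keeping the `have_content` check afterwards makes the example fail if a future refactor renders the error yet still saves the record. The shared example `'creates a new custom role'` already checks persistence via `MemberRole.find_by`, so the positive and negative paths would then be symmetric.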
...@@ -39,46 +39,59 @@ def created_role(name, id, access_level, permissions) ...@@ -39,46 +39,59 @@ def created_role(name, id, access_level, permissions)
allow(Gitlab::CustomRoles::Definition).to receive(:all).and_return(permissions) allow(Gitlab::CustomRoles::Definition).to receive(:all).and_return(permissions)
sign_in(user) sign_in(user)
visit group_settings_roles_and_permissions_path(group)
end end
it 'creates a new custom role' do shared_examples 'creates a new custom role' do
create_role(access_level, name, [permission_name]) it 'and displays it' do
create_role(access_level, name, [permission_name])
created_member_role = MemberRole.find_by( created_member_role = MemberRole.find_by(
name: name, name: name,
base_access_level: Gitlab::Access.options[access_level], base_access_level: Gitlab::Access.options[access_level],
permission => true) permission => true)
expect(created_member_role).not_to be_nil expect(created_member_role).not_to be_nil
role = created_role(name, created_member_role.id, access_level, [permission_name]) role = created_role(name, created_member_role.id, access_level, [permission_name])
expect(page).to have_content(role) expect(page).to have_content(role)
end
end end
context 'when the permission has a requirement' do context 'when on SaaS' do
let(:permissions) do before do
{ admin_vulnerability: { name: 'admin_vulnerability', requirements: ['read_vulnerability'] }, visit group_settings_roles_and_permissions_path(group)
read_vulnerability: { name: 'read_vulnerability' } }
end end
let(:permission) { :admin_vulnerability } it_behaves_like 'creates a new custom role'
let(:requirement) { permissions[permission][:requirements].first } end
let(:requirement_name) { requirement.to_s.humanize }
it 'creates the custom role' do context 'when on self-managed' do
create_role(access_level, name, [permission_name]) before do
stub_saas_features(group_custom_roles: false)
end
created_member_role = MemberRole.find_by( context 'when restrict_member_roles feature-flag is disabled' do
name: name, before do
base_access_level: Gitlab::Access.options[access_level], stub_feature_flags(restrict_member_roles: false)
permission => true,
requirement => true)
expect(created_member_role).not_to be_nil visit group_settings_roles_and_permissions_path(group)
end
role = created_role(name, created_member_role.id, access_level, [permission_name, requirement_name]) it_behaves_like 'creates a new custom role'
expect(page).to have_content(role) end
context 'when restrict_member_roles feature-flag is enabled' do
before do
stub_feature_flags(restrict_member_roles: true)
visit group_settings_roles_and_permissions_path(group)
end
it 'shows an error message' do
create_role(access_level, name, [permission_name])
expect(page).to have_content('Failed to create role')
end
end end
end end
end end
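Review bot: In the `'when restrict_member_roles feature-flag is enabled'` context the only assertion is `expect(page).to have_content('Failed to create role')`, so a regression that displays the error but still inserts the group-level `MemberRole` would pass; the denial case should also assert no record was written, e.g. `expect { create_role(access_level, name, [permission_name]) }.not_to change { MemberRole.count }` before the content check. The flag-disabled context stubs `restrict_member_roles: false` explicitly even though that is the flag's default, which is fine for readability but means the two contexts differ only in the stub value, so a shared `before` that stubs `group_custom_roles: false` once (as the outer `'when on self-managed'` block already does) is all the setup they need. The `describe` that wraps these contexts starts outside the hunk.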
...@@ -174,7 +174,7 @@ ...@@ -174,7 +174,7 @@
let(:current_user) { admin } let(:current_user) { admin }
context 'when on self-managed' do context 'when on self-managed' do
it 'returns instance member roles for instance admin' do it 'returns instance member roles' do
expect(find_member_roles).to eq([member_role_instance]) expect(find_member_roles).to eq([member_role_instance])
end end
end end
...@@ -38,6 +38,28 @@ ...@@ -38,6 +38,28 @@
subject(:create_member_role) { graphql_mutation_response(:member_role_create) } subject(:create_member_role) { graphql_mutation_response(:member_role_create) }
shared_examples 'a mutation that creates a member role' do
it 'returns success', :aggregate_failures do
post_graphql_mutation(mutation, current_user: current_user)
expect(graphql_errors).to be_nil
expect(create_member_role['memberRole']['enabledPermissions']['nodes'].flat_map(&:values))
.to match_array(permissions)
end
it 'creates the member role', :aggregate_failures do
expect { post_graphql_mutation(mutation, current_user: current_user) }
.to change { MemberRole.count }.by(1)
member_role = MemberRole.last
expect(member_role.read_vulnerability).to eq(true)
expect(member_role.namespace).to eq(group)
end
end
context 'without the custom roles feature' do context 'without the custom roles feature' do
before do before do
stub_licensed_features(custom_roles: false) stub_licensed_features(custom_roles: false)
...@@ -74,49 +96,32 @@ ...@@ -74,49 +96,32 @@
end end
context 'when on self-managed' do context 'when on self-managed' do
it_behaves_like 'a mutation that returns a top-level access error' context 'when restrict_member_roles feature-flag is disabled' do
end before do
stub_feature_flags(restrict_member_roles: false)
end
context 'when on Saas', :saas do it_behaves_like 'a mutation that creates a member role'
context 'with valid arguments' do end
it 'returns success' do
post_graphql_mutation(mutation, current_user: current_user)
expect(graphql_errors).to be_nil context 'when restrict_member_roles feature-flag is enabled' do
expect(create_member_role['memberRole']['enabledPermissions']['nodes'].flat_map(&:values)) before do
.to match_array(MemberRole.all_customizable_permissions.keys.map(&:to_s).map(&:upcase)) stub_feature_flags(restrict_member_roles: true)
end end
it 'creates the member role' do it_behaves_like 'a mutation that returns a top-level access error'
expect { post_graphql_mutation(mutation, current_user: current_user) } end
.to change { MemberRole.count }.by(1) end
member_role = MemberRole.last
expect(member_role.read_vulnerability).to eq(true) context 'when on SaaS', :saas do
expect(member_role.namespace).to eq(group) context 'with valid arguments' do
end it_behaves_like 'a mutation that creates a member role'
end end
context 'with an array of permissions' do context 'with an array of permissions' do
let(:permissions) { ['READ_VULNERABILITY'] } let(:permissions) { ['READ_VULNERABILITY'] }
it 'returns success' do it_behaves_like 'a mutation that creates a member role'
post_graphql_mutation(mutation, current_user: current_user)
expect(graphql_errors).to be_nil
mutation_response = create_member_role['memberRole']
expect(mutation_response['enabledPermissions']['nodes'].flat_map(&:values)).to eq(['READ_VULNERABILITY'])
end
it 'creates a member role with the specified permissions' do
expect do
post_graphql_mutation(mutation, current_user: current_user)
end.to change { MemberRole.count }.by(1)
member_role = MemberRole.last
expect(member_role.read_vulnerability).to eq(true)
end
end end
context 'with an unknown permission' do context 'with an unknown permission' do
...@@ -139,8 +144,11 @@ ...@@ -139,8 +144,11 @@
end end
context 'when creating an instance level member role' do context 'when creating an instance level member role' do
before do let(:input) do
input.delete(:group_path) {
base_access_level: 'GUEST',
permissions: permissions
}
end end
context 'with unauthorized user' do context 'with unauthorized user' do
...@@ -152,30 +160,35 @@ ...@@ -152,30 +160,35 @@
current_user.update!(admin: true) current_user.update!(admin: true)
end end
context 'when on SaaS', :saas do context 'when on self-managed' do
it_behaves_like 'a mutation that returns top-level errors', errors: ['group_path argument is required.'] it 'returns success', :aggregate_failures do
end
context 'when running on self-managed' do
it 'returns success' do
post_graphql_mutation(mutation, current_user: current_user) post_graphql_mutation(mutation, current_user: current_user)
expect(graphql_errors).to be_nil expect(graphql_errors).to be_nil
expect(create_member_role['memberRole']['enabledPermissions']['nodes'].flat_map(&:values)) expect(create_member_role['memberRole']['enabledPermissions']['nodes'].flat_map(&:values))
.to include('READ_VULNERABILITY') .to match_array(permissions)
expect(create_member_role['memberRole']['namespace']).to be_nil
end end
it 'creates the member role' do it 'creates the member role', :aggregate_failures do
expect { post_graphql_mutation(mutation, current_user: current_user) } expect { post_graphql_mutation(mutation, current_user: current_user) }
.to change { MemberRole.count }.by(1) .to change { MemberRole.count }.by(1)
member_role = MemberRole.last member_role = MemberRole.last
expect(member_role.read_vulnerability).to eq(true) expect(member_role.read_vulnerability).to eq(true)
expect(member_role.namespace).to be_nil expect(member_role.namespace).to be_nil
end end
end end
context 'when on SaaS', :saas do
before do
stub_feature_flags(restrict_member_roles: false)
end
it_behaves_like 'a mutation that returns top-level errors', errors: ['group_path argument is required.']
end
end end
end end
end end
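Review bot: The trailing `context 'when on SaaS', :saas` block for instance-level roles stubs `restrict_member_roles: false`, but the mutation's guard (`restrict_member_roles? && !saas?`) makes the flag irrelevant on SaaS, so the stub documents a dependency that does not exist and the example would still pass with the flag enabled; stubbing `true` there, or adding a second example with the flag enabled, would actually demonstrate that the SaaS rejection of instance-level roles does not hinge on the flag. In the self-managed group-level branch, the flag-enabled context relies on `'a mutation that returns a top-level access error'`, whose definition is outside this hunk; if that shared example does not already assert `.not_to change { MemberRole.count }`, adding such an assertion alongside it here would prove the denied mutation has no side effect. The new `'a mutation that creates a member role'` shared example hard-codes `expect(member_role.read_vulnerability).to eq(true)`, which is only meaningful while every `permissions` value used with it includes `READ_VULNERABILITY`, so a short comment above that line noting the coupling to `let(:permissions)` would save the next author from a confusing failure.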