Forbid creating streaming destinations for subgroups

Subgroups should not be able to create audit event streaming destinations as this is only possible at the root level. EE: true Changelog: changed

Forbid creating streaming destinations for subgroups
b217d2ee · Max Woolf · 7acfccb2 · b217d2ee · b217d2ee · b217d2ee
--- a/ee/app/models/audit_events/external_audit_event_destination.rb
+++ b/ee/app/models/audit_events/external_audit_event_destination.rb
@@ -13,5 +13,13 @@ class ExternalAuditEventDestination < ApplicationRecord
    validates :destination_url, public_url: true, presence: true
    validates :destination_url, uniqueness: { scope: :namespace_id }, length: { maximum: 255 }
    has_secure_token :verification_token, length: 24
+    validate :root_level_group?
+    private
+    def root_level_group?
+      errors.add(:group, 'must not be a subgroup') if group.subgroup?
+    end
  end
 end
--- a/ee/spec/models/audit_events/external_audit_event_destination_spec.rb
+++ b/ee/spec/models/audit_events/external_audit_event_destination_spec.rb
@@ -3,17 +3,35 @@
 require 'spec_helper'
 RSpec.describe AuditEvents::ExternalAuditEventDestination do
-  subject { build(:external_audit_event_destination) }
+  subject { create(:external_audit_event_destination) }
+  let_it_be(:group) { create(:group) }
  describe 'Associations' do
-    it { is_expected.to belong_to(:group) }
+    it 'belongs to a group' do
+      expect(subject.group).not_to be_nil
+    end
  end
  describe 'Validations' do
-    it { is_expected.to validate_uniqueness_of(:destination_url).scoped_to(:namespace_id) }
    it { is_expected.to validate_length_of(:destination_url).is_at_most(255) }
    it { is_expected.to validate_presence_of(:destination_url) }
    it { is_expected.to have_db_column(:verification_token).of_type(:text) }
+    it 'must have a unique destination_url' do
+      create(:external_audit_event_destination, destination_url: 'https://example.com/1', group: group)
+      dup = build(:external_audit_event_destination, destination_url: 'https://example.com/1', group: group)
+      dup.save # rubocop:disable Rails/SaveBang
+      expect(dup.errors.full_messages).to include('Destination url has already been taken')
+    end
+    it 'must not have any parents' do
+      destination = build(:external_audit_event_destination, group: create(:group, :nested))
+      destination.save # rubocop:disable Rails/SaveBang
+      expect(destination.errors.full_messages).to include('Group must not be a subgroup')
+    end
  end
  it_behaves_like 'includes Limitable concern' do

--- a/ee/spec/requests/api/graphql/mutations/audit_events/external_audit_event_destinations/create_spec.rb
+++ b/ee/spec/requests/api/graphql/mutations/audit_events/external_audit_event_destinations/create_spec.rb
@@ -5,7 +5,7 @@
 RSpec.describe 'Create an external audit event destination' do
  include GraphqlHelpers
-  let_it_be(:group) { create(:group, :nested) }
+  let_it_be(:group) { create(:group) }
  let_it_be(:owner) { create(:user) }
  let(:current_user) { owner }
@@ -80,6 +80,12 @@
        it_behaves_like 'a mutation that does not create a destination'
      end
+      context 'when group is a subgroup' do
+        let_it_be(:group) { create(:group, :nested) }
+        it_behaves_like 'a mutation that does not create a destination'
+      end
    end
    context 'when current user is a group maintainer' do