Skip to content

G
gitlab-ce
Switch branch/tag
Find file Normal viewHistoryPermalink
groups_controller_spec.rb 6.13 KB
Newer Older
James Edwards-Jones's avatar
Improvements for IP Address Enforcement prototype  
James Edwards-Jones committed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 
# frozen_string_literal: true

require 'spec_helper'

describe GroupsController, type: :request do
  let(:user) { create(:user) }
  let(:group) { create(:group) }

  describe 'PUT update' do
    before do
      group.add_owner(user)
      login_as(user)

      stub_licensed_features(group_ip_restriction: true)
    end

    subject do
      put(group_path(group), params: params)
    end

    context 'setting ip_restriction' do
      let(:group) { create(:group) }
manojmj's avatar
Support restricting group access by multiple IP subnets  
manojmj committed
23 
      let(:params) { { group: { ip_restriction_ranges: range } } }
James Edwards-Jones's avatar
Improvements for IP Address Enforcement prototype  
James Edwards-Jones committed
24 25 26 27 28 29 30 31 32 33 34 
      let(:range) { '192.168.0.0/24' }

      before do
        stub_licensed_features(group_ip_restriction: true)
        allow_any_instance_of(Gitlab::IpRestriction::Enforcer).to(
          receive(:allows_current_ip?).and_return(true))
      end

      context 'top-level group' do
        context 'when ip_restriction does not exist' do
          context 'valid param' do
manojmj's avatar
Support restricting group access by multiple IP subnets  
manojmj committed
35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 
            shared_examples 'creates ip restrictions' do
              it 'creates ip restrictions' do
                expect { subject }
                  .to(change { group.reload.ip_restrictions.map(&:range) }
                    .from([]).to(range.split(',')))
                expect(response).to have_gitlab_http_status(302)
              end
            end

            context 'single IP subnet' do
              let(:range) { '192.168.0.0/24' }

              it_behaves_like 'creates ip restrictions'
            end

            context 'multiple IP subnets' do
              let(:range) { '192.168.0.0/24,192.168.0.1/8' }

              it_behaves_like 'creates ip restrictions'
James Edwards-Jones's avatar
Improvements for IP Address Enforcement prototype  
James Edwards-Jones committed
54 55 56 57 58 59 60 61 
            end
          end

          context 'invalid param' do
            let(:range) { 'boom!' }

            it 'adds error message' do
              expect { subject }
manojmj's avatar
Support restricting group access by multiple IP subnets  
manojmj committed
62 
                .not_to(change { group.reload.ip_restrictions.count }.from(0))
James Edwards-Jones's avatar
Improvements for IP Address Enforcement prototype  
James Edwards-Jones committed
63 
              expect(response).to have_gitlab_http_status(200)
manojmj's avatar
Support restricting group access by multiple IP subnets  
manojmj committed
64 
              expect(response.body).to include('Ip restrictions range is an invalid IP address range')
James Edwards-Jones's avatar
Improvements for IP Address Enforcement prototype  
James Edwards-Jones committed
65 66 67 68 69 70 
            end
          end
        end

        context 'when ip_restriction already exists' do
          let!(:ip_restriction) { IpRestriction.create!(group: group, range: '10.0.0.0/8') }
manojmj's avatar
Support restricting group access by multiple IP subnets  
manojmj committed
71 
          let(:params) { { group: { ip_restriction_ranges: range } } }
James Edwards-Jones's avatar
Improvements for IP Address Enforcement prototype  
James Edwards-Jones committed
72 73 74 

          context 'ip restriction param set' do
            context 'valid param' do
manojmj's avatar
Support restricting group access by multiple IP subnets  
manojmj committed
75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 
              shared_examples 'updates ip restrictions' do
                it 'updates ip restrictions' do
                  expect { subject }
                    .to(change { group.reload.ip_restrictions.map(&:range) }
                      .from(['10.0.0.0/8']).to(range.split(',')))
                  expect(response).to have_gitlab_http_status(302)
                end
              end

              context 'single subnet' do
                let(:range) { '192.168.0.0/24' }

                it_behaves_like 'updates ip restrictions'
              end

              context 'multiple subnets' do
                context 'a new subnet along with the existing one' do
                  let(:range) { '10.0.0.0/8,192.168.1.0/8' }

                  it_behaves_like 'updates ip restrictions'
                end

                context 'completely new range of subnets' do
                  let(:range) { '192.168.0.0/24,192.168.1.0/8' }

                  it_behaves_like 'updates ip restrictions'
                end
James Edwards-Jones's avatar
Improvements for IP Address Enforcement prototype  
James Edwards-Jones committed
102 103 104 105 
              end
            end

            context 'invalid param' do
manojmj's avatar
Support restricting group access by multiple IP subnets  
manojmj committed
106 107 108 109 110 111 112 113 114 115 116 117 118 119 
              shared_examples 'does not update existing ip restrictions' do
                it 'does not change ip restriction records' do
                  expect { subject }
                    .not_to(change { group.reload.ip_restrictions.map(&:range) }
                      .from(['10.0.0.0/8']))
                end

                it 'adds error message' do
                  subject

                  expect(response).to have_gitlab_http_status(200)
                  expect(response.body).to include('Ip restrictions range is an invalid IP address range')
                end
              end
James Edwards-Jones's avatar
Improvements for IP Address Enforcement prototype  
James Edwards-Jones committed
120
manojmj's avatar
Support restricting group access by multiple IP subnets  
manojmj committed
121 122 123 124 125 126 127 128 129 130 131 132 
              context 'not a valid subnet' do
                let(:range) { 'boom!' }

                it_behaves_like 'does not update existing ip restrictions'
              end

              context 'multiple IP subnets' do
                context 'any one of them being not a valid' do
                  let(:range) { '192.168.0.0/24,boom!' }

                  it_behaves_like 'does not update existing ip restrictions'
                end
James Edwards-Jones's avatar
Improvements for IP Address Enforcement prototype  
James Edwards-Jones committed
133 134 135 136 137 138 139 140 141 
              end
            end
          end

          context 'empty ip restriction param' do
            let(:range) { '' }

            it 'deletes ip restriction' do
              expect { subject }
manojmj's avatar
Support restricting group access by multiple IP subnets  
manojmj committed
142 
                .to(change { group.reload.ip_restrictions.count }.to(0))
James Edwards-Jones's avatar
Improvements for IP Address Enforcement prototype  
James Edwards-Jones committed
143 144 145 146 147 148 
              expect(response).to have_gitlab_http_status(302)
            end
          end
        end
      end
Heinrich Lee Yu's avatar
Remove code related to object hierarchy in MySQL  
Heinrich Lee Yu committed
149 
      context 'subgroup' do
James Edwards-Jones's avatar
Improvements for IP Address Enforcement prototype  
James Edwards-Jones committed
150 151 152 153 
        let(:group) { create(:group, :nested) }

        it 'does not create ip restriction' do
          expect { subject }
manojmj's avatar
Support restricting group access by multiple IP subnets  
manojmj committed
154 
            .not_to change { group.reload.ip_restrictions.count }.from(0)
James Edwards-Jones's avatar
Improvements for IP Address Enforcement prototype  
James Edwards-Jones committed
155 
          expect(response).to have_gitlab_http_status(200)
manojmj's avatar
Support restricting group access by multiple IP subnets  
manojmj committed
156 
          expect(response.body).to include('Ip restrictions base IP subnet restriction only allowed for top-level groups')
James Edwards-Jones's avatar
Improvements for IP Address Enforcement prototype  
James Edwards-Jones committed
157 158 159 
        end
      end
Imre Farkas's avatar
Allow blank values for IP restriction setting form  
Imre Farkas committed
160 161 162 
      context 'with empty ip restriction param' do
        let(:params) do
          { group: { two_factor_grace_period: 42,
manojmj's avatar
Support restricting group access by multiple IP subnets  
manojmj committed
163 
                     ip_restriction_ranges: "" } }
Imre Farkas's avatar
Allow blank values for IP restriction setting form  
Imre Farkas committed
164 165 166 167 168 169 170 171 172 173 174 175 176 
        end

        it 'updates group setting' do
          expect { subject }
            .to change { group.reload.two_factor_grace_period }.from(48).to(42)
          expect(response).to have_gitlab_http_status(302)
        end

        it 'does not create ip restriction' do
          expect { subject }.not_to change { IpRestriction.count }
        end
      end
James Edwards-Jones's avatar
Improvements for IP Address Enforcement prototype  
James Edwards-Jones committed
177 178 179 180 181 182 183 
      context 'feature is disabled' do
        before do
          stub_licensed_features(group_ip_restriction: false)
        end

        it 'does not create ip restriction' do
          expect { subject }
manojmj's avatar
Support restricting group access by multiple IP subnets  
manojmj committed
184 
            .not_to change { group.reload.ip_restrictions.count }.from(0)
James Edwards-Jones's avatar
Improvements for IP Address Enforcement prototype  
James Edwards-Jones committed
185 186 187 188 189 190 
          expect(response).to have_gitlab_http_status(302)
        end
      end
    end
  end
end
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7