Merge branch 'add-agent-project-authorizations-to-finder' into 'master'

Add agent project authorizations to finder See merge request gitlab-org/gitlab!71434

Merge branch 'add-agent-project-authorizations-to-finder' into 'master'
Add agent project authorizations to finder See merge request gitlab-org/gitlab!71434
21f2b8ce · Mayra Cabrera · fc59ad96 · f811f67c · 21f2b8ce · 21f2b8ce
Commit 21f2b8ce authored Oct 06, 2021 by Mayra Cabrera
2 changed files
--- a/ee/app/finders/clusters/agent_authorizations_finder.rb
+++ b/ee/app/finders/clusters/agent_authorizations_finder.rb
@@ -9,7 +9,9 @@ module Clusters
    def execute
      return [] unless feature_available?
-      implicit_authorizations + group_authorizations
+      # closest, most-specific authorization for a given agent wins
+      (project_authorizations + implicit_authorizations + group_authorizations)
+        .uniq(&:agent_id)
    end
    private
@@ -27,6 +29,17 @@ module Clusters
    end
    # rubocop: disable CodeReuse/ActiveRecord
+    def project_authorizations
+      ancestor_ids = project.group ? project.ancestors.select(:id) : project.namespace_id
+      Clusters::Agents::ProjectAuthorization
+        .where(project_id: project.id)
+        .joins(agent: :project)
+        .preload(agent: :project)
+        .where(cluster_agents: { projects: { namespace_id: ancestor_ids } })
+        .to_a
+    end
    def group_authorizations
      return [] unless project.group

--- a/ee/spec/finders/clusters/agent_authorizations_finder_spec.rb
+++ b/ee/spec/finders/clusters/agent_authorizations_finder_spec.rb
@@ -29,15 +29,41 @@ RSpec.describe Clusters::AgentAuthorizationsFinder do
      it { is_expected.to be_empty }
    end
+    describe 'project authorizations' do
+      context 'agent configuration project does not share a root namespace with the given project' do
+        let(:unrelated_agent) { create(:cluster_agent) }
+        before do
+          create(:agent_project_authorization, agent: unrelated_agent, project: requesting_project)
+        end
+        it { is_expected.to be_empty }
+      end
+      context 'with project authorizations present' do
+        let!(:authorization) {create(:agent_project_authorization, agent: production_agent, project: requesting_project) }
+        it { is_expected.to match_array [authorization] }
+      end
+      context 'with overlapping authorizations' do
+        let!(:agent) { create(:cluster_agent, project: requesting_project) }
+        let!(:project_authorization) { create(:agent_project_authorization, agent: agent, project: requesting_project) }
+        let!(:group_authorization) { create(:agent_group_authorization, agent: agent, group: bottom_level_group) }
+        it { is_expected.to match_array [project_authorization] }
+      end
+    end
    describe 'implicit authorizations' do
      let!(:associated_agent) { create(:cluster_agent, project: requesting_project) }
-      it 'returns authorazations for agents directly associated with the project' do
+      it 'returns authorizations for agents directly associated with the project' do
        expect(subject.count).to eq(1)
-        authorazation = subject.first
+        authorization = subject.first
-        expect(authorazation).to be_a(Clusters::Agents::ImplicitAuthorization)
+        expect(authorization).to be_a(Clusters::Agents::ImplicitAuthorization)
-        expect(authorazation.agent).to eq(associated_agent)
+        expect(authorization.agent).to eq(associated_agent)
      end
    end