Limit feature flags to EEP

25907d0f · Kamil Trzciński · 6e01d70d · 25907d0f · 25907d0f · 25907d0f
Commit 25907d0f authored Oct 02, 2018 by Kamil Trzciński
5 changed files
--- a/ee/app/models/license.rb
+++ b/ee/app/models/license.rb
@@ -67,6 +67,7 @@ class License < ActiveRecord::Base
    custom_project_templates
    packages
    code_owner_as_approver_suggestion
+    feature_flags
  ].freeze
  EEU_FEATURES = EEP_FEATURES + %i[

--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -65,6 +65,11 @@ module EE
        @subject.feature_available?(:license_management)
      end
+      with_scope :subject
+      condition(:feature_flags_disabled) do
+        !@subject.feature_available?(:feature_flags)
+      end
      rule { admin }.enable :change_repository_storage
      rule { support_bot }.enable :guest_access
@@ -122,6 +127,10 @@ module EE
        prevent(*create_read_update_admin_destroy(:package))
      end
+      rule { feature_flags_disabled }.policy do
+        prevent(*create_read_update_admin_destroy(:feature_flag))
+      end
      rule { can?(:maintainer_access) }.policy do
        enable :push_code_to_protected_branches
        enable :admin_path_locks

--- a/ee/lib/api/unleash.rb
+++ b/ee/lib/api/unleash.rb
@@ -10,7 +10,8 @@ module API
        end
        route_param :project_id do
          before do
-            authenticate_by_unleash_instanceid!
+            authorize_by_unleash_instanceid!
+            authorize_feature_flags_feature!
          end
          get 'features' do
@@ -39,10 +40,14 @@ module API
        params[:instanceid] || env['HTTP_UNLEASH_INSTANCEID']
      end
-      def authenticate_by_unleash_instanceid!
+      def authorize_by_unleash_instanceid!
        unauthorized! unless Operations::FeatureFlagsClient
          .find_for_project_and_token(project, unleash_instanceid)
      end
+      def authorize_feature_flags_feature!
+        forbidden! unless project.feature_available?(:feature_flags)
+      end
    end
  end
 end
--- a/ee/spec/controllers/projects/feature_flags_controller_spec.rb
+++ b/ee/spec/controllers/projects/feature_flags_controller_spec.rb
@@ -5,11 +5,13 @@ describe Projects::FeatureFlagsController do
  set(:user) { create(:user) }
  set(:project) { create(:project) }
+  let(:feature_enabled) { true }
  before do
    project.add_developer(user)
    sign_in(user)
+    stub_licensed_features(feature_flags: feature_enabled)
  end
  describe 'GET index' do
@@ -44,6 +46,18 @@ describe Projects::FeatureFlagsController do
        expect(response).to render_template('_new_feature_flag_button')
      end
    end
+    context 'when feature is not available' do
+      let(:feature_enabled) { false }
+      before do
+        subject
+      end
+      it 'shows not found' do
+        expect(subject).to have_gitlab_http_status(404)
+      end
+    end
  end
  describe 'GET new' do

--- a/ee/spec/requests/api/unleash_spec.rb
+++ b/ee/spec/requests/api/unleash_spec.rb
@@ -3,9 +3,14 @@ require 'spec_helper'
 describe API::Unleash do
  set(:project) { create(:project) }
  let(:project_id) { project.id }
+  let(:feature_enabled) { true }
  let(:params) { }
  let(:headers) { }
+  before do
+    stub_licensed_features(feature_flags: feature_enabled)
+  end
  shared_examples 'authenticated request' do
    context 'when using instanceid' do
      let(:client) { create(:operations_feature_flags_client, project: project) }
@@ -16,6 +21,16 @@ describe API::Unleash do
        expect(response).to have_gitlab_http_status(200)
      end
+      context 'when feature is not available' do
+        let(:feature_enabled) { false }
+        it 'responds with forbidden' do
+          subject
+          expect(response).to have_gitlab_http_status(403)
+        end
+      end
    end
    context 'when using header' do