Merge branch 'pedropombeiro/19819/add-read_group_runners-policy-rule' into 'master'

Add read_group_runners group policy rule See merge request gitlab-org/gitlab!77253

Merge branch 'pedropombeiro/19819/add-read_group_runners-policy-rule' into 'master'
Add read_group_runners group policy rule See merge request gitlab-org/gitlab!77253
7854d4e8 · Tiger Watson · b434ec4e · aa65354d · 7854d4e8 · 7854d4e8
Commit 7854d4e8 authored Jan 11, 2022 by Tiger Watson
11 changed files
--- a/app/controllers/groups/application_controller.rb
+++ b/app/controllers/groups/application_controller.rb
@@ -37,6 +37,18 @@ class Groups::ApplicationController < ApplicationController
    end
  end
+  def authorize_admin_group_runners!
+    unless can?(current_user, :admin_group_runners, group)
+      render_404
+    end
+  end
+  def authorize_read_group_runners!
+    unless can?(current_user, :read_group_runners, group)
+      render_404
+    end
+  end
  def authorize_create_deploy_token!
    unless can?(current_user, :create_deploy_token, group)
      render_404

--- a/app/controllers/groups/runners_controller.rb
+++ b/app/controllers/groups/runners_controller.rb
 # frozen_string_literal: true
 class Groups::RunnersController < Groups::ApplicationController
-  # TODO Proper policies, such as `read_group_runners, should be implemented per
+  before_action :authorize_read_group_runners!, only: [:index, :show]
-  # https://gitlab.com/gitlab-org/gitlab/-/issues/334802
+  before_action :authorize_admin_group_runners!, only: [:edit, :update, :destroy, :pause, :resume]
-  before_action :authorize_admin_group!
  before_action :runner_list_group_view_vue_ui_enabled, only: [:index]
  before_action :runner, only: [:edit, :update, :destroy, :pause, :resume, :show]
@@ -17,7 +16,7 @@ class Groups::RunnersController < Groups::ApplicationController
  end
  def runner_list_group_view_vue_ui_enabled
-    return render_404 unless Feature.enabled?(:runner_list_group_view_vue_ui, group, default_enabled: :yaml)
+    render_404 unless Feature.enabled?(:runner_list_group_view_vue_ui, group, default_enabled: :yaml)
  end
  def show

--- a/app/finders/ci/runners_finder.rb
+++ b/app/finders/ci/runners_finder.rb
@@ -47,7 +47,7 @@ module Ci
    end
    def group_runners
-      raise Gitlab::Access::AccessDeniedError unless can?(@current_user, :admin_group, @group)
+      raise Gitlab::Access::AccessDeniedError unless can?(@current_user, :read_group_runners, @group)
      @runners = case @params[:membership]
                 when :direct

--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -165,7 +165,6 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
    enable :destroy_package
    enable :create_projects
    enable :admin_pipeline
-    enable :admin_group_runners
    enable :admin_build
    enable :read_cluster
    enable :add_cluster
@@ -183,6 +182,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
    enable :admin_group_member
    enable :change_visibility_level
+    enable :read_group_runners
+    enable :admin_group_runners
+    enable :register_group_runners
    enable :set_note_created_at
    enable :set_emails_disabled
    enable :change_prevent_sharing_groups_outside_hierarchy
@@ -208,10 +211,6 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
    enable :read_nested_project_resources
  end
-  rule { can?(:admin_group_runners) }.policy do
-    enable :register_group_runners
-  end
  rule { owner }.enable :create_subgroup
  rule { maintainer & maintainer_can_create_group }.enable :create_subgroup

--- a/app/views/projects/runners/_group_runners.html.haml
+++ b/app/views/projects/runners/_group_runners.html.haml
@@ -29,9 +29,9 @@
  - if can?(current_user, :admin_group_runners, @project.group)
    - group_link = link_to _("group's CI/CD settings."), group_settings_ci_cd_path(@project.group)
-    = _('Group maintainers can register group runners in the %{link}').html_safe % { link: group_link }
+    = _('Group owners can register group runners in the %{link}').html_safe % { link: group_link }
  - else
-    = _('Ask your group maintainer to set up a group runner.')
+    = _('Ask your group owner to set up a group runner.')
 - else
  %h4.underlined-title

--- a/doc/user/permissions.md
+++ b/doc/user/permissions.md
@@ -47,7 +47,7 @@ The following table lists project permissions available for each role:
 <!-- Keep this table sorted: By topic first, then by minimum role, then alphabetically. -->
 | Action                                                                                                                                                                                    | Guest    | Reporter | Developer | Maintainer | Owner |
-|-------------------------------------------------------------------------------------------------------------------------|----------|----------|-----------|------------|-------|
+|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|----------|-----------|------------|-------|
 | [Analytics](analytics/index.md):<br>View issue analytics **(PREMIUM)**                                                                                                                    | ✓        | ✓        | ✓         | ✓          | ✓     |
 | [Analytics](analytics/index.md):<br>View [merge request analytics](analytics/merge_request_analytics.md) **(PREMIUM)**                                                                    | ✓        | ✓        | ✓         | ✓          | ✓     |
 | [Analytics](analytics/index.md):<br>View value stream analytics                                                                                                                           | ✓        | ✓        | ✓         | ✓          | ✓     |
@@ -73,7 +73,8 @@ The following table lists project permissions available for each role:
 | [CI/CD](../ci/index.md):<br>View a job with [debug logging](../ci/variables/index.md#debug-logging)                                                                                       |          |          | ✓         | ✓          | ✓     |
 | [CI/CD](../ci/index.md):<br>Manage CI/CD variables                                                                                                                                        |          |          |           | ✓          | ✓     |
 | [CI/CD](../ci/index.md):<br>Manage job triggers                                                                                                                                           |          |          |           | ✓          | ✓     |
-| [CI/CD](../ci/index.md):<br>Manage runners                                                                             |          |          |           | ✓          | ✓     |
+| [CI/CD](../ci/index.md):<br>Manage group runners                                                                                                                                          |          |          |           |            | ✓     |
+| [CI/CD](../ci/index.md):<br>Manage project runners                                                                                                                                        |          |          |           | ✓          | ✓     |
 | [CI/CD](../ci/index.md):<br>Run Web IDE's Interactive Web Terminals **(ULTIMATE ONLY)**                                                                                                   |          |          |           | ✓          | ✓     |
 | [CI/CD](../ci/index.md):<br>Use [environment terminals](../ci/environments/index.md#web-terminals-deprecated)                                                                             |          |          |           | ✓          | ✓     |
 | [CI/CD](../ci/index.md):<br>Delete pipelines                                                                                                                                              |          |          |           |            | ✓     |
@@ -94,7 +95,7 @@ The following table lists project permissions available for each role:
 | [Incident Management](../operations/incident_management/index.md):<br>Participate in on-call rotation                                                                                     | ✓| ✓ | ✓ | ✓          | ✓ |
 | [Incident Management](../operations/incident_management/index.md):<br>View [escalation policies](../operations/incident_management/escalation_policies.md)                                |  | ✓ | ✓ | ✓          | ✓ |
 | [Incident Management](../operations/incident_management/index.md):<br>Manage [on-call schedules](../operations/incident_management/oncall_schedules.md)                                   |  |   |   | ✓          | ✓ |
-| [Incident Management](../operations/incident_management/index.md):<br>Manage [escalation policies](../operations/incident_management/escalation_policies.md)|  |   |   | ✓ | ✓ |
+| [Incident Management](../operations/incident_management/index.md):<br>Manage [escalation policies](../operations/incident_management/escalation_policies.md)                              |  |   |   | ✓          | ✓ |
 | [Issues](project/issues/index.md):<br>Add Labels                                                                                                                                          | ✓ (*16*) | ✓        | ✓         | ✓          | ✓     |
 | [Issues](project/issues/index.md):<br>Assign                                                                                                                                              | ✓ (*16*) | ✓        | ✓         | ✓          | ✓     |
 | [Issues](project/issues/index.md):<br>Create                                                                                                                                              | ✓        | ✓        | ✓         | ✓          | ✓     |

--- a/lib/sidebars/groups/menus/ci_cd_menu.rb
+++ b/lib/sidebars/groups/menus/ci_cd_menu.rb
@@ -34,10 +34,8 @@ module Sidebars
          )
        end
-        # TODO Proper policies, such as `read_group_runners`, should be implemented per
-        # See https://gitlab.com/gitlab-org/gitlab/-/issues/334802
        def show_runners?
-          can?(context.current_user, :admin_group, context.group) &&
+          can?(context.current_user, :read_group_runners, context.group) &&
            Feature.enabled?(:runner_list_group_view_vue_ui, context.group, default_enabled: :yaml)
        end
      end

--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -4793,7 +4793,7 @@ msgstr ""
 msgid "Ask someone with write access to resolve it."
 msgstr ""
-msgid "Ask your group maintainer to set up a group runner."
+msgid "Ask your group owner to set up a group runner."
 msgstr ""
 msgid "Assertion consumer service URL"
@@ -16754,9 +16754,6 @@ msgstr ""
 msgid "Group jobs by"
 msgstr ""
-msgid "Group maintainers can register group runners in the %{link}"
-msgstr ""
 msgid "Group members"
 msgstr ""
@@ -16781,6 +16778,9 @@ msgstr ""
 msgid "Group overview content"
 msgstr ""
+msgid "Group owners can register group runners in the %{link}"
+msgstr ""
 msgid "Group path is already taken. We've suggested one that is available."
 msgstr ""

--- a/spec/features/runners_spec.rb
+++ b/spec/features/runners_spec.rb
@@ -268,10 +268,27 @@ RSpec.describe 'Runners' do
        it 'group runners are not available' do
          visit project_runners_path(project)
+          expect(page).not_to have_content 'Group owners can register group runners in the group\'s CI/CD settings.'
+          expect(page).to have_content 'Ask your group owner to set up a group runner'
+        end
+      end
+    end
+    context 'as project maintainer and group owner' do
+      before do
+        group.add_owner(user)
+      end
+      context 'project with a group but no group runner' do
+        let(:project) { create :project, group: group }
+        it 'group runners are available' do
+          visit project_runners_path(project)
          expect(page).to have_content 'This group does not have any group runners yet.'
-          expect(page).to have_content 'Group maintainers can register group runners in the group\'s CI/CD settings.'
+          expect(page).to have_content 'Group owners can register group runners in the group\'s CI/CD settings.'
-          expect(page).not_to have_content 'Ask your group maintainer to set up a group runner'
+          expect(page).not_to have_content 'Ask your group owner to set up a group runner'
        end
      end
    end
@@ -296,8 +313,8 @@ RSpec.describe 'Runners' do
          expect(page).to have_content 'This group does not have any group runners yet.'
-          expect(page).not_to have_content 'Group maintainers can register group runners in the group\'s CI/CD settings.'
+          expect(page).not_to have_content 'Group owners can register group runners in the group\'s CI/CD settings.'
-          expect(page).to have_content 'Ask your group maintainer to set up a group runner.'
+          expect(page).to have_content 'Ask your group owner to set up a group runner.'
        end
      end

--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -36,6 +36,7 @@ RSpec.describe GroupPolicy do
    it { expect_disallowed(:read_crm_organization) }
    it { expect_disallowed(:read_crm_contact) }
    it { expect_disallowed(:read_counts) }
+    it { expect_disallowed(:read_group_runners) }
    it { expect_disallowed(*read_group_permissions) }
  end
@@ -51,6 +52,7 @@ RSpec.describe GroupPolicy do
    it { expect_disallowed(:read_crm_organization) }
    it { expect_disallowed(:read_crm_contact) }
    it { expect_disallowed(:read_counts) }
+    it { expect_disallowed(:read_group_runners) }
    it { expect_disallowed(*read_group_permissions) }
  end
@@ -1126,9 +1128,7 @@ RSpec.describe GroupPolicy do
    context 'with maintainer' do
      let(:current_user) { maintainer }
-      it { is_expected.to be_allowed(:register_group_runners) }
+      it { is_expected.to be_disallowed(:register_group_runners) }
-      it_behaves_like 'expected outcome based on runner registration control'
    end
    context 'with reporter' do

--- a/spec/support/shared_contexts/policies/group_policy_shared_context.rb
+++ b/spec/support/shared_contexts/policies/group_policy_shared_context.rb
@@ -48,22 +48,24 @@ RSpec.shared_context 'GroupPolicy context' do
      destroy_package
      create_projects
      read_cluster create_cluster update_cluster admin_cluster add_cluster
-      admin_group_runners
    ]
  end
  let(:owner_permissions) do
-    [
+    %i[
-      :owner_access,
+      owner_access
-      :admin_group,
+      admin_group
-      :admin_namespace,
+      admin_namespace
-      :admin_group_member,
+      admin_group_member
-      :change_visibility_level,
+      change_visibility_level
-      :set_note_created_at,
+      set_note_created_at
-      :create_subgroup,
+      create_subgroup
-      :read_statistics,
+      read_statistics
-      :update_default_branch_protection
+      update_default_branch_protection
-    ].compact
+      read_group_runners
+      admin_group_runners
+      register_group_runners
+    ]
  end
  let(:admin_permissions) { %i[read_confidential_issues] }