Fix group permissions during LDAP tests

Create the sandbox group with appropriate permissions before the LDAP group sync test starts so that in subsequent tests the LDAP user has permission to the group. This also restores the original (most likely nil) env personal access token, so that subsequent tests don't perform API calls as the root user while logged in and performing other actions as a non-root LDAP user. Without this change groups would be created by the root user, so when the LDAP user tried to push, it would not be permitted.

Fix group permissions during LDAP tests
Create the sandbox group with appropriate permissions before the LDAP group sync test starts so that in subsequent tests the LDAP user has permission to the group. This also restores the original (most likely nil) env personal access token, so that subsequent tests don't perform API calls as the root user while logged in and performing other actions as a non-root LDAP user. Without this change groups would be created by the root user, so when the LDAP user tried to push, it would not be permitted.
8982da86 · Mark Lapierre · 285b3184 · 8982da86
Commit 8982da86 authored Jan 18, 2019 by Mark Lapierre
Show whitespace changes
Inline Side-by-side

Showing with 18 additions and 8 deletions

qa/qa/specs/features/browser_ui/1_manage/ee_group/group_ldap_sync_spec.rb ...ures/browser_ui/1_manage/ee_group/group_ldap_sync_spec.rb +18 -8

No files found.
--- a/qa/qa/specs/features/browser_ui/1_manage/ee_group/group_ldap_sync_spec.rb
+++ b/qa/qa/specs/features/browser_ui/1_manage/ee_group/group_ldap_sync_spec.rb
@@ -6,7 +6,24 @@ module QA
      include Support::Api

      before(:all) do
-        create_admin_personal_access_token
+        # Create the sandbox group as the LDAP user. Without this the admin user
+        # would own the sandbox group and then in subsequent tests the LDAP user
+        # would not have enough permission to push etc.
+        Resource::Sandbox.fabricate_via_api!
+
+        # Create an admin personal access token and use it for the remaining API calls
+        @original_personal_access_token = Runtime::Env.personal_access_token
+        Runtime::Browser.visit(:gitlab, Page::Main::Login)
+        Page::Main::Login.perform(&:sign_in_using_admin_credentials)
+        Runtime::Env.personal_access_token = Resource::PersonalAccessToken.fabricate!.access_token
+        Page::Main::Menu.perform(&:sign_out)
+      end
+
+      after(:all) do
+        # Restore the original personal access token so that subsequent tests
+        # don't perform API calls as an admin user while logged in as a non-root
+        # LDAP user
+        Runtime::Env.personal_access_token = @original_personal_access_token
      end

      context 'using group cn method' do
@@ -126,13 +143,6 @@ module QA
        post Runtime::API::Request.new(api_client, group.api_members_path).url, { user_id: parse_body(response).first[:id], access_level: '50' }
      end

-      def create_admin_personal_access_token
-        Runtime::Browser.visit(:gitlab, Page::Main::Login)
-        Page::Main::Login.perform(&:sign_in_using_admin_credentials)
-        Runtime::Env.personal_access_token = Resource::PersonalAccessToken.fabricate!.access_token
-        Page::Main::Menu.perform(&:sign_out)
-      end
-
      def create_group_and_add_user_via_api(user_name, group_name)
        group = Resource::Group.fabricate_via_api! do |resource|
          resource.path = "#{group_name}-#{SecureRandom.hex(4)}"