Move external authorization service API management to EE

Premium license is required to: - expose external_authorization_classification_label in the Project API - override external_authorization_classification_label during project import/export

Move external authorization service API management to EE
Premium license is required to: - expose external_authorization_classification_label in the Project API - override external_authorization_classification_label during project import/export
93b1ac94 · Imre Farkas · James Lopez · ef452a7f · 93b1ac94 · 93b1ac94
Commit 93b1ac94 authored Jul 17, 2019 by Imre Farkas Committed by James Lopez Jul 17, 2019
11 changed files
--- a/ee/app/models/license.rb
+++ b/ee/app/models/license.rb
@@ -69,6 +69,7 @@ class License < ApplicationRecord
    variable_environment_scope
    reject_unsigned_commits
    commit_committer_check
+    external_authorization_service_api_management
    ci_cd_projects
    default_project_deletion_protection
    protected_environments
@@ -190,6 +191,7 @@ class License < ApplicationRecord
    multiple_ldap_servers
    object_storage
    repository_size_limit
+    external_authorization_service_api_management
    custom_project_templates
    usage_quotas
    required_ci_templates

--- a/ee/changelogs/unreleased/12036-move_external_authorization_service_api_management_to_ee.yml
+++ b/ee/changelogs/unreleased/12036-move_external_authorization_service_api_management_to_ee.yml
+---
+title: Move external authorization service API management to EE
+merge_request: 14598
+author:
+type: changed
--- a/ee/lib/ee/api/entities.rb
+++ b/ee/lib/ee/api/entities.rb
@@ -49,6 +49,8 @@ module EE
          expose :mirror_trigger_builds, if: ->(project, _) { project.mirror? }
          expose :only_mirror_protected_branches, if: ->(project, _) { project.mirror? }
          expose :mirror_overwrites_diverged_branches, if: ->(project, _) { project.mirror? }
+          expose :external_authorization_classification_label,
+                 if: ->(_, _) { License.feature_available?(:external_authorization_service_api_management) }
          expose :packages_enabled, if: ->(project, _) { project.feature_available?(:packages) }
        end
      end

--- a/ee/lib/ee/api/helpers/projects_helpers.rb
+++ b/ee/lib/ee/api/helpers/projects_helpers.rb
@@ -5,6 +5,7 @@ module EE
    module Helpers
      module ProjectsHelpers
        extend ActiveSupport::Concern
+        extend ::Gitlab::Utils::Override

        prepended do
          params :optional_project_params_ee do
@@ -12,6 +13,7 @@ module EE
            optional :approvals_before_merge, type: Integer, desc: 'How many approvers should approve merge request by default'
            optional :mirror, type: Grape::API::Boolean, desc: 'Enables pull mirroring in a project'
            optional :mirror_trigger_builds, type: Grape::API::Boolean, desc: 'Pull mirroring triggers builds'
+            optional :external_authorization_classification_label, type: String, desc: 'The classification label for the project'
          end

          params :optional_filter_params_ee do
@@ -44,10 +46,20 @@ module EE
              :external_authorization_classification_label,
              :import_url,
              :packages_enabled,
-              :fallback_approvals_required
+              :fallback_approvals_required,
+              :external_authorization_classification_label
            ]
          end
        end
+
+        override :filter_attributes_using_license!
+        def filter_attributes_using_license!(attrs)
+          super
+
+          unless ::License.feature_available?(:external_authorization_service_api_management)
+            attrs.delete(:external_authorization_classification_label)
+          end
+        end
      end
    end
  end

--- a/ee/spec/requests/api/project_import_spec.rb
+++ b/ee/spec/requests/api/project_import_spec.rb
@@ -18,10 +18,14 @@ describe API::ProjectImport do
  end

  describe 'POST /projects/import' do
-    it 'overrides the classification label when the service is enabled' do
+    let(:override_params) { { 'external_authorization_classification_label' => 'Hello world' } }
+
+    before do
      enable_external_authorization_service_check
-      override_params = { 'external_authorization_classification_label' => 'Hello world' }
+      stub_licensed_features(external_authorization_service_api_management: true)
+    end

+    subject do
      Sidekiq::Testing.inline! do
        post api('/projects/import', user),
             params: {
@@ -31,9 +35,26 @@ describe API::ProjectImport do
               override_params: override_params
             }
      end
-      import_project = Project.find(json_response['id'])
+    end
+
+    it 'overrides the classification label' do
+      subject

+      import_project = Project.find(json_response['id'])
      expect(import_project.external_authorization_classification_label).to eq('Hello world')
    end
+
+    context 'feature is disabled' do
+      before do
+        stub_licensed_features(external_authorization_service_api_management: false)
+      end
+
+      it 'uses the default the classification label and ignores override param' do
+        subject
+
+        import_project = Project.find(json_response['id'])
+        expect(import_project.external_authorization_classification_label).to eq('default_label')
+      end
+    end
  end
 end
--- a/ee/spec/requests/api/projects_spec.rb
+++ b/ee/spec/requests/api/projects_spec.rb
@@ -3,6 +3,8 @@
 require 'spec_helper'

 describe API::Projects do
+  include ExternalAuthorizationServiceHelpers
+
  let(:user) { create(:user) }
  let(:project) { create(:project, namespace: user.namespace) }

@@ -50,6 +52,56 @@ describe API::Projects do
  end

  describe 'GET /projects/:id' do
+    context 'with external authorization' do
+      let(:project) do
+        create(:project,
+               namespace: user.namespace,
+               external_authorization_classification_label: 'the-label')
+      end
+
+      before do
+        stub_licensed_features(external_authorization_service_api_management: true)
+      end
+
+      context 'when the user has access to the project' do
+        before do
+          external_service_allow_access(user, project)
+        end
+
+        it 'includes the label in the response' do
+          get api("/projects/#{project.id}", user)
+
+          expect(response).to have_gitlab_http_status(200)
+          expect(json_response['external_authorization_classification_label']).to eq('the-label')
+        end
+      end
+
+      context 'when the external service denies access' do
+        before do
+          external_service_deny_access(user, project)
+        end
+
+        it 'returns a 404' do
+          get api("/projects/#{project.id}", user)
+
+          expect(response).to have_gitlab_http_status(404)
+        end
+      end
+
+      context 'it does not return the label when the feature is not available' do
+        before do
+          stub_licensed_features(external_authorization_service_api_management: false)
+        end
+
+        it 'does not include the label in the response' do
+          get api("/projects/#{project.id}", user)
+
+          expect(response).to have_gitlab_http_status(200)
+          expect(json_response['external_authorization_classification_label']).to be_nil
+        end
+      end
+    end
+
    describe 'packages_enabled attribute' do
      it 'exposed when the feature is available' do
        stub_licensed_features(packages: true)
@@ -161,6 +213,20 @@ describe API::Projects do
  describe 'PUT /projects/:id' do
    let(:project) { create(:project, namespace: user.namespace) }

+    context 'when updating external classification' do
+      before do
+        enable_external_authorization_service_check
+        stub_licensed_features(external_authorization_service_api_management: true)
+      end
+
+      it 'updates the classification label' do
+        put(api("/projects/#{project.id}", user), params: { external_authorization_classification_label: 'new label' })
+
+        expect(response).to have_gitlab_http_status(200)
+        expect(project.reload.external_authorization_classification_label).to eq('new label')
+      end
+    end
+
    context 'when updating repository storage' do
      let(:unknown_storage) { 'new-storage' }
      let(:new_project) { create(:project, :repository, namespace: user.namespace) }

--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -294,7 +294,6 @@ module API
      expose :statistics, using: 'API::Entities::ProjectStatistics', if: -> (project, options) {
        options[:statistics] && Ability.allowed?(options[:current_user], :read_statistics, project)
      }
-      expose :external_authorization_classification_label
      expose :auto_devops_enabled?, as: :auto_devops_enabled
      expose :auto_devops_deploy_strategy do |project, options|
        project.auto_devops.nil? ? 'continuous' : project.auto_devops.deploy_strategy

--- a/lib/api/helpers/projects_helpers.rb
+++ b/lib/api/helpers/projects_helpers.rb
@@ -42,7 +42,6 @@ module API
        optional :printing_merge_request_link_enabled, type: Boolean, desc: 'Show link to create/view merge request when pushing from the command line'
        optional :merge_method, type: String, values: %w(ff rebase_merge merge), desc: 'The merge method used when merging merge requests'
        optional :initialize_with_readme, type: Boolean, desc: "Initialize a project with a README.md"
-        optional :external_authorization_classification_label, type: String, desc: 'The classification label for the project'
        optional :ci_default_git_depth, type: Integer, desc: 'Default number of revisions for shallow cloning'
        optional :auto_devops_enabled, type: Boolean, desc: 'Flag indication if Auto DevOps is enabled'
        optional :auto_devops_deploy_strategy, type: String, values: %w(continuous manual timed_incremental), desc: 'Auto Deploy strategy'
@@ -94,7 +93,6 @@ module API
          :visibility,
          :wiki_access_level,
          :avatar,
-          :external_authorization_classification_label,

          # TODO: remove in API v5, replaced by *_access_level
          :issues_enabled,
@@ -105,6 +103,9 @@ module API
          :snippets_enabled
        ]
      end
+
+      def filter_attributes_using_license!(attrs)
+      end
    end
  end
 end

--- a/lib/api/project_import.rb
+++ b/lib/api/project_import.rb
@@ -59,6 +59,7 @@ module API
        }

        override_params = import_params.delete(:override_params)
+        filter_attributes_using_license!(override_params) if override_params

        project = ::Projects::GitlabProjectsImportService.new(
          current_user, project_params, override_params

--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
@@ -145,6 +145,7 @@ module API
      post do
        attrs = declared_params(include_missing: false)
        attrs = translate_params_for_compatibility(attrs)
+        filter_attributes_using_license!(attrs)
        project = ::Projects::CreateService.new(current_user, attrs).execute

        if project.saved?
@@ -179,6 +180,7 @@ module API

        attrs = declared_params(include_missing: false)
        attrs = translate_params_for_compatibility(attrs)
+        filter_attributes_using_license!(attrs)
        project = ::Projects::CreateService.new(user, attrs).execute

        if project.saved?
@@ -292,7 +294,7 @@ module API
        authorize! :change_visibility_level, user_project if attrs[:visibility].present?

        attrs = translate_params_for_compatibility(attrs)
-
+        filter_attributes_using_license!(attrs)
        verify_update_project_attrs!(user_project, attrs)

        result = ::Projects::UpdateService.new(user_project, current_user, attrs).execute

--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -46,8 +46,6 @@ shared_examples 'languages and percentages JSON response' do
 end

 describe API::Projects do
-  include ExternalAuthorizationServiceHelpers
-
  let(:user) { create(:user) }
  let(:user2) { create(:user) }
  let(:user3) { create(:user) }
@@ -1425,39 +1423,6 @@ describe API::Projects do
        end
      end
    end
-
-    context 'with external authorization' do
-      let(:project) do
-        create(:project,
-               namespace: user.namespace,
-               external_authorization_classification_label: 'the-label')
-      end
-
-      context 'when the user has access to the project' do
-        before do
-          external_service_allow_access(user, project)
-        end
-
-        it 'includes the label in the response' do
-          get api("/projects/#{project.id}", user)
-
-          expect(response).to have_gitlab_http_status(200)
-          expect(json_response['external_authorization_classification_label']).to eq('the-label')
-        end
-      end
-
-      context 'when the external service denies access' do
-        before do
-          external_service_deny_access(user, project)
-        end
-
-        it 'returns a 404' do
-          get api("/projects/#{project.id}", user)
-
-          expect(response).to have_gitlab_http_status(404)
-        end
-      end
-    end
  end

  describe 'GET /projects/:id/users' do
@@ -2061,20 +2026,6 @@ describe API::Projects do
        expect(response).to have_gitlab_http_status(403)
      end
    end
-
-    context 'when updating external classification' do
-      before do
-        enable_external_authorization_service_check
-      end
-
-      it 'updates the classification label' do
-        put(api("/projects/#{project.id}", user), params: { external_authorization_classification_label: 'new label' })
-
-        expect(response).to have_gitlab_http_status(200)
-
-        expect(project.reload.external_authorization_classification_label).to eq('new label')
-      end
-    end
  end

  describe 'POST /projects/:id/archive' do