Commit 93b1ac94 authored by Imre Farkas's avatar Imre Farkas Committed by James Lopez

Move external authorization service API management to EE

Premium license is required to:
- expose external_authorization_classification_label in the Project API
- override external_authorization_classification_label during project
  import/export
parent ef452a7f
...@@ -69,6 +69,7 @@ class License < ApplicationRecord ...@@ -69,6 +69,7 @@ class License < ApplicationRecord
variable_environment_scope variable_environment_scope
reject_unsigned_commits reject_unsigned_commits
commit_committer_check commit_committer_check
external_authorization_service_api_management
ci_cd_projects ci_cd_projects
default_project_deletion_protection default_project_deletion_protection
protected_environments protected_environments
...@@ -190,6 +191,7 @@ class License < ApplicationRecord ...@@ -190,6 +191,7 @@ class License < ApplicationRecord
multiple_ldap_servers multiple_ldap_servers
object_storage object_storage
repository_size_limit repository_size_limit
external_authorization_service_api_management
custom_project_templates custom_project_templates
usage_quotas usage_quotas
required_ci_templates required_ci_templates
......
---
title: Move external authorization service API management to EE
merge_request: 14598
author:
type: changed
...@@ -49,6 +49,8 @@ module EE ...@@ -49,6 +49,8 @@ module EE
expose :mirror_trigger_builds, if: ->(project, _) { project.mirror? } expose :mirror_trigger_builds, if: ->(project, _) { project.mirror? }
expose :only_mirror_protected_branches, if: ->(project, _) { project.mirror? } expose :only_mirror_protected_branches, if: ->(project, _) { project.mirror? }
expose :mirror_overwrites_diverged_branches, if: ->(project, _) { project.mirror? } expose :mirror_overwrites_diverged_branches, if: ->(project, _) { project.mirror? }
expose :external_authorization_classification_label,
if: ->(_, _) { License.feature_available?(:external_authorization_service_api_management) }
expose :packages_enabled, if: ->(project, _) { project.feature_available?(:packages) } expose :packages_enabled, if: ->(project, _) { project.feature_available?(:packages) }
end end
end end
......
...@@ -5,6 +5,7 @@ module EE ...@@ -5,6 +5,7 @@ module EE
module Helpers module Helpers
module ProjectsHelpers module ProjectsHelpers
extend ActiveSupport::Concern extend ActiveSupport::Concern
extend ::Gitlab::Utils::Override
prepended do prepended do
params :optional_project_params_ee do params :optional_project_params_ee do
...@@ -12,6 +13,7 @@ module EE ...@@ -12,6 +13,7 @@ module EE
optional :approvals_before_merge, type: Integer, desc: 'How many approvers should approve merge request by default' optional :approvals_before_merge, type: Integer, desc: 'How many approvers should approve merge request by default'
optional :mirror, type: Grape::API::Boolean, desc: 'Enables pull mirroring in a project' optional :mirror, type: Grape::API::Boolean, desc: 'Enables pull mirroring in a project'
optional :mirror_trigger_builds, type: Grape::API::Boolean, desc: 'Pull mirroring triggers builds' optional :mirror_trigger_builds, type: Grape::API::Boolean, desc: 'Pull mirroring triggers builds'
optional :external_authorization_classification_label, type: String, desc: 'The classification label for the project'
end end
params :optional_filter_params_ee do params :optional_filter_params_ee do
...@@ -44,10 +46,20 @@ module EE ...@@ -44,10 +46,20 @@ module EE
:external_authorization_classification_label, :external_authorization_classification_label,
:import_url, :import_url,
:packages_enabled, :packages_enabled,
:fallback_approvals_required :fallback_approvals_required,
:external_authorization_classification_label
] ]
end end
end end
override :filter_attributes_using_license!
def filter_attributes_using_license!(attrs)
super
unless ::License.feature_available?(:external_authorization_service_api_management)
attrs.delete(:external_authorization_classification_label)
end
end
end end
end end
end end
......
...@@ -18,10 +18,14 @@ describe API::ProjectImport do ...@@ -18,10 +18,14 @@ describe API::ProjectImport do
end end
describe 'POST /projects/import' do describe 'POST /projects/import' do
it 'overrides the classification label when the service is enabled' do let(:override_params) { { 'external_authorization_classification_label' => 'Hello world' } }
before do
enable_external_authorization_service_check enable_external_authorization_service_check
override_params = { 'external_authorization_classification_label' => 'Hello world' } stub_licensed_features(external_authorization_service_api_management: true)
end
subject do
Sidekiq::Testing.inline! do Sidekiq::Testing.inline! do
post api('/projects/import', user), post api('/projects/import', user),
params: { params: {
...@@ -31,9 +35,26 @@ describe API::ProjectImport do ...@@ -31,9 +35,26 @@ describe API::ProjectImport do
override_params: override_params override_params: override_params
} }
end end
import_project = Project.find(json_response['id']) end
it 'overrides the classification label' do
subject
import_project = Project.find(json_response['id'])
expect(import_project.external_authorization_classification_label).to eq('Hello world') expect(import_project.external_authorization_classification_label).to eq('Hello world')
end end
context 'feature is disabled' do
before do
stub_licensed_features(external_authorization_service_api_management: false)
end
it 'uses the default the classification label and ignores override param' do
subject
import_project = Project.find(json_response['id'])
expect(import_project.external_authorization_classification_label).to eq('default_label')
end
end
end end
end end
...@@ -3,6 +3,8 @@ ...@@ -3,6 +3,8 @@
require 'spec_helper' require 'spec_helper'
describe API::Projects do describe API::Projects do
include ExternalAuthorizationServiceHelpers
let(:user) { create(:user) } let(:user) { create(:user) }
let(:project) { create(:project, namespace: user.namespace) } let(:project) { create(:project, namespace: user.namespace) }
...@@ -50,6 +52,56 @@ describe API::Projects do ...@@ -50,6 +52,56 @@ describe API::Projects do
end end
describe 'GET /projects/:id' do describe 'GET /projects/:id' do
context 'with external authorization' do
let(:project) do
create(:project,
namespace: user.namespace,
external_authorization_classification_label: 'the-label')
end
before do
stub_licensed_features(external_authorization_service_api_management: true)
end
context 'when the user has access to the project' do
before do
external_service_allow_access(user, project)
end
it 'includes the label in the response' do
get api("/projects/#{project.id}", user)
expect(response).to have_gitlab_http_status(200)
expect(json_response['external_authorization_classification_label']).to eq('the-label')
end
end
context 'when the external service denies access' do
before do
external_service_deny_access(user, project)
end
it 'returns a 404' do
get api("/projects/#{project.id}", user)
expect(response).to have_gitlab_http_status(404)
end
end
context 'it does not return the label when the feature is not available' do
before do
stub_licensed_features(external_authorization_service_api_management: false)
end
it 'does not include the label in the response' do
get api("/projects/#{project.id}", user)
expect(response).to have_gitlab_http_status(200)
expect(json_response['external_authorization_classification_label']).to be_nil
end
end
end
describe 'packages_enabled attribute' do describe 'packages_enabled attribute' do
it 'exposed when the feature is available' do it 'exposed when the feature is available' do
stub_licensed_features(packages: true) stub_licensed_features(packages: true)
...@@ -161,6 +213,20 @@ describe API::Projects do ...@@ -161,6 +213,20 @@ describe API::Projects do
describe 'PUT /projects/:id' do describe 'PUT /projects/:id' do
let(:project) { create(:project, namespace: user.namespace) } let(:project) { create(:project, namespace: user.namespace) }
context 'when updating external classification' do
before do
enable_external_authorization_service_check
stub_licensed_features(external_authorization_service_api_management: true)
end
it 'updates the classification label' do
put(api("/projects/#{project.id}", user), params: { external_authorization_classification_label: 'new label' })
expect(response).to have_gitlab_http_status(200)
expect(project.reload.external_authorization_classification_label).to eq('new label')
end
end
context 'when updating repository storage' do context 'when updating repository storage' do
let(:unknown_storage) { 'new-storage' } let(:unknown_storage) { 'new-storage' }
let(:new_project) { create(:project, :repository, namespace: user.namespace) } let(:new_project) { create(:project, :repository, namespace: user.namespace) }
......
...@@ -294,7 +294,6 @@ module API ...@@ -294,7 +294,6 @@ module API
expose :statistics, using: 'API::Entities::ProjectStatistics', if: -> (project, options) { expose :statistics, using: 'API::Entities::ProjectStatistics', if: -> (project, options) {
options[:statistics] && Ability.allowed?(options[:current_user], :read_statistics, project) options[:statistics] && Ability.allowed?(options[:current_user], :read_statistics, project)
} }
expose :external_authorization_classification_label
expose :auto_devops_enabled?, as: :auto_devops_enabled expose :auto_devops_enabled?, as: :auto_devops_enabled
expose :auto_devops_deploy_strategy do |project, options| expose :auto_devops_deploy_strategy do |project, options|
project.auto_devops.nil? ? 'continuous' : project.auto_devops.deploy_strategy project.auto_devops.nil? ? 'continuous' : project.auto_devops.deploy_strategy
......
...@@ -42,7 +42,6 @@ module API ...@@ -42,7 +42,6 @@ module API
optional :printing_merge_request_link_enabled, type: Boolean, desc: 'Show link to create/view merge request when pushing from the command line' optional :printing_merge_request_link_enabled, type: Boolean, desc: 'Show link to create/view merge request when pushing from the command line'
optional :merge_method, type: String, values: %w(ff rebase_merge merge), desc: 'The merge method used when merging merge requests' optional :merge_method, type: String, values: %w(ff rebase_merge merge), desc: 'The merge method used when merging merge requests'
optional :initialize_with_readme, type: Boolean, desc: "Initialize a project with a README.md" optional :initialize_with_readme, type: Boolean, desc: "Initialize a project with a README.md"
optional :external_authorization_classification_label, type: String, desc: 'The classification label for the project'
optional :ci_default_git_depth, type: Integer, desc: 'Default number of revisions for shallow cloning' optional :ci_default_git_depth, type: Integer, desc: 'Default number of revisions for shallow cloning'
optional :auto_devops_enabled, type: Boolean, desc: 'Flag indication if Auto DevOps is enabled' optional :auto_devops_enabled, type: Boolean, desc: 'Flag indication if Auto DevOps is enabled'
optional :auto_devops_deploy_strategy, type: String, values: %w(continuous manual timed_incremental), desc: 'Auto Deploy strategy' optional :auto_devops_deploy_strategy, type: String, values: %w(continuous manual timed_incremental), desc: 'Auto Deploy strategy'
...@@ -94,7 +93,6 @@ module API ...@@ -94,7 +93,6 @@ module API
:visibility, :visibility,
:wiki_access_level, :wiki_access_level,
:avatar, :avatar,
:external_authorization_classification_label,
# TODO: remove in API v5, replaced by *_access_level # TODO: remove in API v5, replaced by *_access_level
:issues_enabled, :issues_enabled,
...@@ -105,6 +103,9 @@ module API ...@@ -105,6 +103,9 @@ module API
:snippets_enabled :snippets_enabled
] ]
end end
def filter_attributes_using_license!(attrs)
end
end end
end end
end end
......
...@@ -59,6 +59,7 @@ module API ...@@ -59,6 +59,7 @@ module API
} }
override_params = import_params.delete(:override_params) override_params = import_params.delete(:override_params)
filter_attributes_using_license!(override_params) if override_params
project = ::Projects::GitlabProjectsImportService.new( project = ::Projects::GitlabProjectsImportService.new(
current_user, project_params, override_params current_user, project_params, override_params
......
...@@ -145,6 +145,7 @@ module API ...@@ -145,6 +145,7 @@ module API
post do post do
attrs = declared_params(include_missing: false) attrs = declared_params(include_missing: false)
attrs = translate_params_for_compatibility(attrs) attrs = translate_params_for_compatibility(attrs)
filter_attributes_using_license!(attrs)
project = ::Projects::CreateService.new(current_user, attrs).execute project = ::Projects::CreateService.new(current_user, attrs).execute
if project.saved? if project.saved?
...@@ -179,6 +180,7 @@ module API ...@@ -179,6 +180,7 @@ module API
attrs = declared_params(include_missing: false) attrs = declared_params(include_missing: false)
attrs = translate_params_for_compatibility(attrs) attrs = translate_params_for_compatibility(attrs)
filter_attributes_using_license!(attrs)
project = ::Projects::CreateService.new(user, attrs).execute project = ::Projects::CreateService.new(user, attrs).execute
if project.saved? if project.saved?
...@@ -292,7 +294,7 @@ module API ...@@ -292,7 +294,7 @@ module API
authorize! :change_visibility_level, user_project if attrs[:visibility].present? authorize! :change_visibility_level, user_project if attrs[:visibility].present?
attrs = translate_params_for_compatibility(attrs) attrs = translate_params_for_compatibility(attrs)
filter_attributes_using_license!(attrs)
verify_update_project_attrs!(user_project, attrs) verify_update_project_attrs!(user_project, attrs)
result = ::Projects::UpdateService.new(user_project, current_user, attrs).execute result = ::Projects::UpdateService.new(user_project, current_user, attrs).execute
......
...@@ -46,8 +46,6 @@ shared_examples 'languages and percentages JSON response' do ...@@ -46,8 +46,6 @@ shared_examples 'languages and percentages JSON response' do
end end
describe API::Projects do describe API::Projects do
include ExternalAuthorizationServiceHelpers
let(:user) { create(:user) } let(:user) { create(:user) }
let(:user2) { create(:user) } let(:user2) { create(:user) }
let(:user3) { create(:user) } let(:user3) { create(:user) }
...@@ -1425,39 +1423,6 @@ describe API::Projects do ...@@ -1425,39 +1423,6 @@ describe API::Projects do
end end
end end
end end
context 'with external authorization' do
let(:project) do
create(:project,
namespace: user.namespace,
external_authorization_classification_label: 'the-label')
end
context 'when the user has access to the project' do
before do
external_service_allow_access(user, project)
end
it 'includes the label in the response' do
get api("/projects/#{project.id}", user)
expect(response).to have_gitlab_http_status(200)
expect(json_response['external_authorization_classification_label']).to eq('the-label')
end
end
context 'when the external service denies access' do
before do
external_service_deny_access(user, project)
end
it 'returns a 404' do
get api("/projects/#{project.id}", user)
expect(response).to have_gitlab_http_status(404)
end
end
end
end end
describe 'GET /projects/:id/users' do describe 'GET /projects/:id/users' do
...@@ -2061,20 +2026,6 @@ describe API::Projects do ...@@ -2061,20 +2026,6 @@ describe API::Projects do
expect(response).to have_gitlab_http_status(403) expect(response).to have_gitlab_http_status(403)
end end
end end
context 'when updating external classification' do
before do
enable_external_authorization_service_check
end
it 'updates the classification label' do
put(api("/projects/#{project.id}", user), params: { external_authorization_classification_label: 'new label' })
expect(response).to have_gitlab_http_status(200)
expect(project.reload.external_authorization_classification_label).to eq('new label')
end
end
end end
describe 'POST /projects/:id/archive' do describe 'POST /projects/:id/archive' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment