Service: update management_project_id for cluster

Adds service to update the management_project_id for a cluster. The management_project_id referred to must be be authorized for the current user.

Service: update management_project_id for cluster
Adds service to update the management_project_id for a cluster. The management_project_id referred to must be be authorized for the current user.
94c58f73 · Thong Kuah · a2f03694 · 94c58f73 · 94c58f73 · 94c58f73
Commit 94c58f73 authored Oct 11, 2019 by Thong Kuah
4 changed files
--- a/app/controllers/clusters/clusters_controller.rb
+++ b/app/controllers/clusters/clusters_controller.rb
@@ -142,6 +142,7 @@ class Clusters::ClustersController < Clusters::BaseController
        :environment_scope,
        :managed,
        :base_domain,
+        :management_project_id,
        platform_kubernetes_attributes: [
          :api_url,
          :token,
@@ -155,6 +156,7 @@ class Clusters::ClustersController < Clusters::BaseController
        :environment_scope,
        :managed,
        :base_domain,
+        :management_project_id,
        platform_kubernetes_attributes: [
          :namespace
        ]

--- a/app/services/clusters/update_service.rb
+++ b/app/services/clusters/update_service.rb
@@ -9,7 +9,38 @@ module Clusters
    end

    def execute(cluster)
+      if validate_params(cluster)
        cluster.update(params)
+      else
+        false
+      end
+    end
+
+    private
+
+    def can_admin_pipeline_for_project?(project)
+      Ability.allowed?(current_user, :admin_pipeline, project)
+    end
+
+    def validate_params(cluster)
+      if params[:management_project_id]
+        management_project = ::Project.find_by_id(params[:management_project_id])
+
+        unless management_project
+          cluster.errors.add(:management_project_id, _('Project does not exist or you don\'t have permission to perform this action'))
+
+          return false
+        end
+
+        unless can_admin_pipeline_for_project?(management_project)
+          # Use same message as not found to prevent enumeration
+          cluster.errors.add(:management_project_id, _('Project does not exist or you don\'t have permission to perform this action'))
+
+          return false
+        end
+      end
+
+      true
    end
  end
 end
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -12701,6 +12701,9 @@ msgstr ""
 msgid "Project details"
 msgstr ""

+msgid "Project does not exist or you don't have permission to perform this action"
+msgstr ""
+
 msgid "Project export could not be deleted."
 msgstr ""


--- a/spec/services/clusters/update_service_spec.rb
+++ b/spec/services/clusters/update_service_spec.rb
@@ -90,5 +90,55 @@ describe Clusters::UpdateService do
        end
      end
    end
+
+    context 'when params includes :management_project_id' do
+      let(:management_project) { create(:project) }
+
+      context 'management_project is non-existent' do
+        let(:params) do
+          { management_project_id: 0 }
+        end
+
+        it 'does not update management_project_id' do
+          is_expected.to eq(false)
+
+          expect(cluster.errors[:management_project_id]).to include('Project does not exist or you don\'t have permission to perform this action')
+
+          cluster.reload
+          expect(cluster.management_project_id).to be_nil
+        end
+      end
+
+      context 'user is authorized to adminster manangement_project' do
+        before do
+          management_project.add_maintainer(cluster.user)
+        end
+
+        let(:params) do
+          { management_project_id: management_project.id }
+        end
+
+        it 'updates management_project_id' do
+          is_expected.to eq(true)
+
+          expect(cluster.management_project).to eq(management_project)
+        end
+      end
+
+      context 'user is not authorized to adminster manangement_project' do
+        let(:params) do
+          { management_project_id: management_project.id }
+        end
+
+        it 'does not update management_project_id' do
+          is_expected.to eq(false)
+
+          expect(cluster.errors[:management_project_id]).to include('Project does not exist or you don\'t have permission to perform this action')
+
+          cluster.reload
+          expect(cluster.management_project_id).to be_nil
+        end
+      end
+    end
  end
 end