Protect cloud licenses from being removed

A new validation check was added to Admin::LicensesController#destroy that checks if license has the cloud flag in order to reject the removal of it.

Protect cloud licenses from being removed
A new validation check was added to Admin::LicensesController#destroy that checks if license has the cloud flag in order to reject the removal of it.
c36fca26 · Rubén Dávila · 1fd8f45d · c36fca26 · c36fca26 · c36fca26
Commit c36fca26 authored Apr 22, 2021 by Rubén Dávila
7 changed files
--- a/ee/app/controllers/admin/licenses_controller.rb
+++ b/ee/app/controllers/admin/licenses_controller.rb
@@ -47,7 +47,7 @@ class Admin::LicensesController < Admin::ApplicationController
  end
  def destroy
-    license.destroy
+    Licenses::DestroyService.new(license, current_user).execute
    if License.current
      flash[:notice] = _('The license was removed. GitLab has fallen back on the previous license.')
@@ -55,6 +55,10 @@ class Admin::LicensesController < Admin::ApplicationController
      flash[:alert] = _('The license was removed. GitLab now no longer has a valid license.')
    end
+    redirect_to admin_license_path, status: :found
+  rescue Licenses::DestroyService::DestroyCloudLicenseError => e
+    flash[:error] = e.message
    redirect_to admin_license_path, status: :found
  end

--- a/ee/app/services/licenses/destroy_service.rb
+++ b/ee/app/services/licenses/destroy_service.rb
@@ -4,10 +4,13 @@ module Licenses
  class DestroyService < ::Licenses::BaseService
    extend ::Gitlab::Utils::Override
+    DestroyCloudLicenseError = Class.new(StandardError)
    override :execute
    def execute
      raise ActiveRecord::RecordNotFound unless license
      raise Gitlab::Access::AccessDeniedError unless can?(user, :destroy_licenses)
+      raise DestroyCloudLicenseError.new(_('Cloud licenses can not be removed.')) if license.cloud?
      license.destroy
    end

--- a/ee/changelogs/unreleased/325595-prevent-cloud-licenses-from-being-removed.yml
+++ b/ee/changelogs/unreleased/325595-prevent-cloud-licenses-from-being-removed.yml
+---
+title: Protect cloud licenses from being removed
+merge_request: 59576
+author:
+type: changed
--- a/ee/lib/api/license.rb
+++ b/ee/lib/api/license.rb
@@ -6,6 +6,10 @@ module API
    feature_category :license
+    rescue_from Licenses::DestroyService::DestroyCloudLicenseError do |e|
+      render_api_error!(e.message, 422)
+    end
    resource :license do
      desc 'Get information on the currently active license' do
        success EE::API::Entities::GitlabLicenseWithActiveUsers

--- a/ee/spec/controllers/admin/licenses_controller_spec.rb
+++ b/ee/spec/controllers/admin/licenses_controller_spec.rb
@@ -134,4 +134,36 @@ RSpec.describe Admin::LicensesController do
      end
    end
  end
+  describe 'DELETE destroy' do
+    let(:cloud_licenses) { License.where(cloud: true) }
+    before do
+      allow(License).to receive(:current).and_return(create(:license, cloud: is_cloud_license))
+    end
+    context 'with a cloud license' do
+      let(:is_cloud_license) { true }
+      it 'is can not be removed' do
+        delete :destroy
+        expect(response).to redirect_to(admin_license_path)
+        expect(flash[:error]).to match('Cloud licenses can not be removed.')
+        expect(cloud_licenses).to be_present
+      end
+    end
+    context 'with a legacy license' do
+      let(:is_cloud_license) { false }
+      it 'is can be removed' do
+        delete :destroy
+        expect(response).to redirect_to(admin_license_path)
+        expect(flash[:notice]).to match('The license was removed. GitLab has fallen back on the previous license.')
+        expect(cloud_licenses).to be_empty
+      end
+    end
+  end
 end
--- a/ee/spec/requests/api/license_spec.rb
+++ b/ee/spec/requests/api/license_spec.rb
@@ -71,7 +71,8 @@ RSpec.describe API::License, api: true do
  end
  describe 'DELETE /license/:id' do
-    let(:license) { create(:license, created_at: Time.now, data: build(:gitlab_license, starts_at: Date.today, expires_at: Date.today, restrictions: { add_ons: { 'GitLab_DeployBoard' => 1 }, active_user_count: 2 }).export) }
+    let(:license_type) { nil }
+    let(:license) { create(:license, created_at: Time.now, data: build(:gitlab_license, type: license_type, starts_at: Date.today, expires_at: Date.today, restrictions: { add_ons: { 'GitLab_DeployBoard' => 1 }, active_user_count: 2 }).export) }
    let(:endpoint) { "/license/#{license.id}" }
    it 'destroys a license and returns 204' do
@@ -95,6 +96,17 @@ RSpec.describe API::License, api: true do
      expect(response).to have_gitlab_http_status(:forbidden)
      expect(json_response['message']).to eq('403 Forbidden')
    end
+    context 'with a cloud license' do
+      let(:license_type) { License::CLOUD_LICENSE_TYPE }
+      it 'returns 422 and does not delete the license' do
+        delete api(endpoint, admin)
+        expect(response).to have_gitlab_http_status(:unprocessable_entity)
+        expect(License.where(id: license.id)).to exist
+      end
+    end
  end
  describe 'GET /licenses' do

--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -6677,6 +6677,9 @@ msgstr ""
 msgid "Closes this %{quick_action_target}."
 msgstr ""
+msgid "Cloud licenses can not be removed."
+msgstr ""
 msgid "CloudLicense|Activate"
 msgstr ""