Commit d1dee969 authored by Sri's avatar Sri

Access restrictions for project /google_cloud

- Blocked when GitLab instance not configured for Google OAuth2
- Blocked when Feature Flag not enabled
- Blocked when user not project `maintainer` or `owner`
parent d902854a
# frozen_string_literal: true
class Projects::GoogleCloudController < Projects::ApplicationController
before_action :authorize_can_manage_google_cloud_deployments!
feature_category :google_cloud
feature_category :release_orchestration
before_action :admin_project_google_cloud?
before_action :google_oauth2_enabled?
before_action :feature_flag_enabled?
def index
end
private
def authorize_can_manage_google_cloud_deployments!
access_denied! unless can?(current_user, :manage_project_google_cloud, project)
def admin_project_google_cloud?
access_denied! unless can?(current_user, :admin_project_google_cloud, project)
end
def google_oauth2_enabled?
config = Gitlab::Auth::OAuth::Provider.config_for('google_oauth2')
if config.app_id.blank? || config.app_secret.blank?
access_denied! 'This GitLab instance not configured for Google Oauth2.'
end
end
def feature_flag_enabled?
access_denied! unless Feature.enabled?(:incubation_5mp_google_cloud)
end
end
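Review bot: `google_oauth2_enabled?` dereferences the value returned by `Gitlab::Auth::OAuth::Provider.config_for('google_oauth2')` without a nil check, so on an instance where the provider is not listed at all (if `config_for` returns nil in that case, which its use here does not rule out) the request fails with a NoMethodError instead of `access_denied!`; `if config.nil? || config.app_id.blank? || config.app_secret.blank?` fails closed in the same branch. The `feature_flag_enabled?` guard is registered last, after the permission and OAuth checks, so while the flag is off a maintainer on an unconfigured instance still receives the 403 and its "not configured for Google Oauth2" message; moving `before_action :feature_flag_enabled?` ahead of the other two makes the flag an actual kill switch and keeps the disabled-feature response uniform. The three new callbacks end in `?` but halt the request, which the `?` convention does not suggest; names such as `verify_google_oauth2_configured!` follow the existing `authorize_...!` pattern. The denial message also reads "This GitLab instance not configured for Google Oauth2." and is missing "is".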
......@@ -439,7 +439,7 @@ class ProjectPolicy < BasePolicy
enable :destroy_freeze_period
enable :admin_feature_flags_client
enable :update_runners_registration_token
enable :manage_project_google_cloud
enable :admin_project_google_cloud
end
rule { public_project & metrics_dashboard_allowed }.policy do
......@@ -4,80 +4,3 @@
- @content_class = "limit-container-width" unless fluid_layout
#js-google-cloud
%h1.gl-font-size-h1 Google Cloud
%section#js-section-google-cloud-service-accounts
%h2.gl-font-size-h2 Service Accounts
%p= _('Service Accounts keys are required to authorize GitLab to deploy your Google Cloud project.')
%table.table.b-table.gl-table
%thead
%tr
%th Environment
%th GCP Project ID
%th Service Account Key
%tbody
%tr
%td *
%td serving-salutes-453
%td .....
%tr
%td production
%td crimson-corey-234
%td .....
%tr
%td review/*
%td roving-river-379
%td .....
%a.gl-button.btn.btn-primary= _('Add new service account')
%br
%section#js-section-google-cloud-deployments
.row.row-fluid
.col-lg-4
%h2.gl-font-size-h2 Deployments
%p= _('Google Cloud offers several deployment targets. Select the one most suitable for your project.')
%p
= _('Deployments to Google Kubernetes Engine can be ')
%a{ href: '#' }= _('managed')
= _('in Infrastructure :: Kubernetes clusters')
.col-lg-8
%br
.gl-card.gl-mb-6
.gl-card-body
.gl-display-flex.gl-align-items-baseline
%strong.gl-font-lg App Engine
.gl-ml-auto.gl-text-gray-500 Disabled
%p= _('App Engine description and apps that are suitable for this deployment target')
%button.gl-button.btn.btn-default= _('Configure via Merge Request')
.gl-card.gl-mb-6
.gl-card-body
.gl-display-flex.gl-align-items-baseline
%strong.gl-font-lg Cloud Functions
.gl-ml-auto.gl-text-gray-500 Disabled
%p= _('Cloud Functions description and apps that are suitable for this deployment target')
%button.gl-button.btn.btn-default= _('Configure via Merge Request')
.gl-card.gl-mb-6
.gl-card-body
.gl-display-flex.gl-align-items-baseline
%strong.gl-font-lg Cloud Run
.gl-ml-auto.gl-text-gray-500 Disabled
%p= _('Cloud Run description and apps that are suitable for this deployment target')
%button.gl-button.btn.btn-default= _('Configure via Merge Request')
......@@ -57,6 +57,7 @@
- gitaly
- gitlab_docs
- global_search
- google_cloud
- helm_chart_registry
- horse
- importers
......@@ -91,7 +91,7 @@ module Sidebars
def google_cloud_menu_item
feature_is_enabled = Feature.enabled?(:incubation_5mp_google_cloud)
user_has_permissions = can?(context.current_user, :manage_project_google_cloud, context.project)
user_has_permissions = can?(context.current_user, :admin_project_google_cloud, context.project)
unless feature_is_enabled && user_has_permissions
return ::Sidebars::NilMenuItem.new(item_id: :incubation_5mp_google_cloud)
......@@ -2047,9 +2047,6 @@ msgstr ""
msgid "Add new directory"
msgstr ""
msgid "Add new service account"
msgstr ""
msgid "Add or remove previously merged commits"
msgstr ""
......@@ -3987,9 +3984,6 @@ msgstr ""
msgid "Any namespace"
msgstr ""
msgid "App Engine description and apps that are suitable for this deployment target"
msgstr ""
msgid "App ID"
msgstr ""
......@@ -7283,12 +7277,6 @@ msgstr ""
msgid "Closes this %{quick_action_target}."
msgstr ""
msgid "Cloud Functions description and apps that are suitable for this deployment target"
msgstr ""
msgid "Cloud Run description and apps that are suitable for this deployment target"
msgstr ""
msgid "Cluster"
msgstr ""
......@@ -8728,9 +8716,6 @@ msgstr ""
msgid "Configure the way a user creates a new account."
msgstr ""
msgid "Configure via Merge Request"
msgstr ""
msgid "Configure which lists are shown for anyone who visits this board"
msgstr ""
......@@ -11554,9 +11539,6 @@ msgstr ""
msgid "Deployments"
msgstr ""
msgid "Deployments to Google Kubernetes Engine can be "
msgstr ""
msgid "Deployments|%{deployments} environment impacted."
msgid_plural "Deployments|%{deployments} environments impacted."
msgstr[0] ""
......@@ -16046,9 +16028,6 @@ msgstr ""
msgid "Google Cloud"
msgstr ""
msgid "Google Cloud offers several deployment targets. Select the one most suitable for your project."
msgstr ""
msgid "Google authentication is not %{link_start}properly configured%{link_end}. Ask your GitLab administrator if you want to use this service."
msgstr ""
......@@ -31297,9 +31276,6 @@ msgstr ""
msgid "Service"
msgstr ""
msgid "Service Accounts keys are required to authorize GitLab to deploy your Google Cloud project."
msgstr ""
msgid "Service Desk"
msgstr ""
......@@ -40754,9 +40730,6 @@ msgstr ""
msgid "in"
msgstr ""
msgid "in Infrastructure :: Kubernetes clusters"
msgstr ""
msgid "in all GitLab"
msgstr ""
......@@ -40921,9 +40894,6 @@ msgstr ""
msgid "log in"
msgstr ""
msgid "managed"
msgstr ""
msgid "manual"
msgstr ""
......@@ -955,6 +955,28 @@ RSpec.describe ProjectPolicy do
end
end
context 'infrastructure google cloud feature' do
%w(guest reporter developer).each do |role|
context role do
let(:current_user) { send(role) }
it 'disallows managing google cloud' do
expect_disallowed(:admin_project_google_cloud)
end
end
end
%w(maintainer owner).each do |role|
context role do
let(:current_user) { send(role) }
it 'allows managing google cloud' do
expect_allowed(:admin_project_google_cloud)
end
end
end
end
describe 'design permissions' do
include DesignManagementTestHelpers
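Review bot: The new `infrastructure google cloud feature` context only exercises the project roles guest through owner, so whatever the policy does for an anonymous user, a non-member or an instance admin is not pinned; if this spec defines those users as it does the roles here, adding them to the disallowed list (and deciding explicitly for admin) would cover the paths the controller's `access_denied!` relies on. A short comment above the two loops, `# Google Cloud management is restricted to maintainer and owner; lower roles and non-members are denied`, would also record the intent the commit message states.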
......@@ -2,49 +2,94 @@
require 'spec_helper'
# Mock Types
MockGoogleOAuth2Credentials = Struct.new(:app_id, :app_secret)
RSpec.describe Projects::GoogleCloudController do
let_it_be(:project) { create(:project, :public) }
describe 'GET index' do
let_it_be(:url) { "#{project_google_cloud_index_path(project)}" }
let(:subject) { get url }
context 'when a public request is made' do
it 'returns not found' do
get url
context 'when user is authorized' do
let(:user) { project.creator }
expect(response).to have_gitlab_http_status(:not_found)
end
end
before do
context 'when a project.guest makes request' do
let(:user) { create(:user) }
it 'returns not found' do
project.add_guest(user)
sign_in(user)
subject
get url
expect(response).to have_gitlab_http_status(:not_found)
end
end
it 'renders content' do
expect(response).to be_successful
context 'when project.developer makes request' do
let(:user) { create(:user) }
it 'returns not found' do
project.add_developer(user)
sign_in(user)
get url
expect(response).to have_gitlab_http_status(:not_found)
end
end
context 'when user is unauthorized' do
context 'when project.maintainer makes request' do
let(:user) { create(:user) }
before do
project.add_guest(user)
it 'returns successful' do
project.add_maintainer(user)
sign_in(user)
subject
get url
expect(response).to be_successful
end
end
it 'shows 404' do
expect(response).to have_gitlab_http_status(:not_found)
context 'when project.creator makes request' do
let(:user) { project.creator }
it 'returns successful' do
sign_in(user)
get url
expect(response).to be_successful
end
end
context 'when no user is present' do
before do
subject
describe 'when authorized user makes request' do
let(:user) { project.creator }
context 'but gitlab instance is not configured for google oauth2' do
it 'returns forbidden' do
unconfigured_google_oauth2 = MockGoogleOAuth2Credentials.new('', '')
allow(Gitlab::Auth::OAuth::Provider).to receive(:config_for)
.with('google_oauth2')
.and_return(unconfigured_google_oauth2)
sign_in(user)
get url
expect(response).to have_gitlab_http_status(:forbidden)
end
end
it 'shows 404' do
context 'but feature flag is disabled' do
it 'returns not found' do
allow(Feature).to receive(:enabled?).and_return(false)
sign_in(user)
get url
expect(response).to have_gitlab_http_status(:not_found)
end
end
end
end
end
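Review bot: `allow(Feature).to receive(:enabled?).and_return(false)` in the "feature flag is disabled" example turns off every feature flag consulted during the request, not just `:incubation_5mp_google_cloud`, so the 404 can come from an unrelated flag and the test does not isolate the controller's own guard; scope it with `allow(Feature).to receive(:enabled?).with(:incubation_5mp_google_cloud).and_return(false)` or the spec suite's feature-flag stubbing helper. `MockGoogleOAuth2Credentials = Struct.new(:app_id, :app_secret)` is defined as a top-level constant of the spec file, which leaks into every other example in the run; `stub_const('MockGoogleOAuth2Credentials', Struct.new(:app_id, :app_secret))` inside the example keeps it local. The "when no user is present" context appears to be on the removed side of this hunk, which would leave the anonymous request to `project_google_cloud_index_path` uncovered on a public project; a single example asserting `:not_found` without `sign_in` would restore it. The mocked credentials are also only used in the forbidden example, so the "returns successful" examples depend on the test environment's default provider configuration, which is worth stating in a comment on `describe 'when authorized user makes request'`.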