Commit eacb371a authored by Jan Provaznik's avatar Jan Provaznik

Merge branch 'incubation_5mp_google_oauth2_not_configured' into 'master'

Access restrictions for project /google_cloud

See merge request gitlab-org/gitlab!73569
parents b11482ac ae1dbb47
# frozen_string_literal: true # frozen_string_literal: true
class Projects::GoogleCloudController < Projects::ApplicationController class Projects::GoogleCloudController < Projects::ApplicationController
before_action :authorize_can_manage_google_cloud_deployments! feature_category :google_cloud
feature_category :release_orchestration before_action :admin_project_google_cloud?
before_action :google_oauth2_enabled?
before_action :feature_flag_enabled?
def index def index
end end
private private
def authorize_can_manage_google_cloud_deployments! def admin_project_google_cloud?
access_denied! unless can?(current_user, :manage_project_google_cloud, project) access_denied! unless can?(current_user, :admin_project_google_cloud, project)
end
def google_oauth2_enabled?
config = Gitlab::Auth::OAuth::Provider.config_for('google_oauth2')
if config.app_id.blank? || config.app_secret.blank?
access_denied! 'This GitLab instance not configured for Google Oauth2.'
end
end
def feature_flag_enabled?
access_denied! unless Feature.enabled?(:incubation_5mp_google_cloud)
end end
end end
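Review bot: `google_oauth2_enabled?` reads `config.app_id` without checking that `Gitlab::Auth::OAuth::Provider.config_for('google_oauth2')` returned an object. The implementation of that lookup is not shown here, but if it yields `nil` when the provider is absent from the instance configuration, the filter raises `NoMethodError` and the request ends in a 500 instead of the intended denial. Guarding with `if config.nil? || config.app_id.blank? || config.app_secret.blank?` keeps the path fail-closed. The feature-flag filter also runs last, so with the flag off a maintainer on an unconfigured instance gets the 403 message rather than the 404 the flag check gives; listing `before_action :feature_flag_enabled?` first would keep the incubating page hidden. The denial string is also missing a verb and could read `'This GitLab instance is not configured for Google OAuth2.'`.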
...@@ -439,7 +439,7 @@ class ProjectPolicy < BasePolicy ...@@ -439,7 +439,7 @@ class ProjectPolicy < BasePolicy
enable :destroy_freeze_period enable :destroy_freeze_period
enable :admin_feature_flags_client enable :admin_feature_flags_client
enable :update_runners_registration_token enable :update_runners_registration_token
enable :manage_project_google_cloud enable :admin_project_google_cloud
end end
rule { public_project & metrics_dashboard_allowed }.policy do rule { public_project & metrics_dashboard_allowed }.policy do
......
...@@ -4,80 +4,3 @@ ...@@ -4,80 +4,3 @@
- @content_class = "limit-container-width" unless fluid_layout - @content_class = "limit-container-width" unless fluid_layout
#js-google-cloud #js-google-cloud
%h1.gl-font-size-h1 Google Cloud
%section#js-section-google-cloud-service-accounts
%h2.gl-font-size-h2 Service Accounts
%p= _('Service Accounts keys are required to authorize GitLab to deploy your Google Cloud project.')
%table.table.b-table.gl-table
%thead
%tr
%th Environment
%th GCP Project ID
%th Service Account Key
%tbody
%tr
%td *
%td serving-salutes-453
%td .....
%tr
%td production
%td crimson-corey-234
%td .....
%tr
%td review/*
%td roving-river-379
%td .....
%a.gl-button.btn.btn-primary= _('Add new service account')
%br
%section#js-section-google-cloud-deployments
.row.row-fluid
.col-lg-4
%h2.gl-font-size-h2 Deployments
%p= _('Google Cloud offers several deployment targets. Select the one most suitable for your project.')
%p
= _('Deployments to Google Kubernetes Engine can be ')
%a{ href: '#' }= _('managed')
= _('in Infrastructure :: Kubernetes clusters')
.col-lg-8
%br
.gl-card.gl-mb-6
.gl-card-body
.gl-display-flex.gl-align-items-baseline
%strong.gl-font-lg App Engine
.gl-ml-auto.gl-text-gray-500 Disabled
%p= _('App Engine description and apps that are suitable for this deployment target')
%button.gl-button.btn.btn-default= _('Configure via Merge Request')
.gl-card.gl-mb-6
.gl-card-body
.gl-display-flex.gl-align-items-baseline
%strong.gl-font-lg Cloud Functions
.gl-ml-auto.gl-text-gray-500 Disabled
%p= _('Cloud Functions description and apps that are suitable for this deployment target')
%button.gl-button.btn.btn-default= _('Configure via Merge Request')
.gl-card.gl-mb-6
.gl-card-body
.gl-display-flex.gl-align-items-baseline
%strong.gl-font-lg Cloud Run
.gl-ml-auto.gl-text-gray-500 Disabled
%p= _('Cloud Run description and apps that are suitable for this deployment target')
%button.gl-button.btn.btn-default= _('Configure via Merge Request')
...@@ -57,6 +57,7 @@ ...@@ -57,6 +57,7 @@
- gitaly - gitaly
- gitlab_docs - gitlab_docs
- global_search - global_search
- google_cloud
- helm_chart_registry - helm_chart_registry
- horse - horse
- importers - importers
......
...@@ -91,7 +91,7 @@ module Sidebars ...@@ -91,7 +91,7 @@ module Sidebars
def google_cloud_menu_item def google_cloud_menu_item
feature_is_enabled = Feature.enabled?(:incubation_5mp_google_cloud) feature_is_enabled = Feature.enabled?(:incubation_5mp_google_cloud)
user_has_permissions = can?(context.current_user, :manage_project_google_cloud, context.project) user_has_permissions = can?(context.current_user, :admin_project_google_cloud, context.project)
unless feature_is_enabled && user_has_permissions unless feature_is_enabled && user_has_permissions
return ::Sidebars::NilMenuItem.new(item_id: :incubation_5mp_google_cloud) return ::Sidebars::NilMenuItem.new(item_id: :incubation_5mp_google_cloud)
......
...@@ -2047,9 +2047,6 @@ msgstr "" ...@@ -2047,9 +2047,6 @@ msgstr ""
msgid "Add new directory" msgid "Add new directory"
msgstr "" msgstr ""
msgid "Add new service account"
msgstr ""
msgid "Add or remove previously merged commits" msgid "Add or remove previously merged commits"
msgstr "" msgstr ""
...@@ -3987,9 +3984,6 @@ msgstr "" ...@@ -3987,9 +3984,6 @@ msgstr ""
msgid "Any namespace" msgid "Any namespace"
msgstr "" msgstr ""
msgid "App Engine description and apps that are suitable for this deployment target"
msgstr ""
msgid "App ID" msgid "App ID"
msgstr "" msgstr ""
...@@ -7283,12 +7277,6 @@ msgstr "" ...@@ -7283,12 +7277,6 @@ msgstr ""
msgid "Closes this %{quick_action_target}." msgid "Closes this %{quick_action_target}."
msgstr "" msgstr ""
msgid "Cloud Functions description and apps that are suitable for this deployment target"
msgstr ""
msgid "Cloud Run description and apps that are suitable for this deployment target"
msgstr ""
msgid "Cluster" msgid "Cluster"
msgstr "" msgstr ""
...@@ -8728,9 +8716,6 @@ msgstr "" ...@@ -8728,9 +8716,6 @@ msgstr ""
msgid "Configure the way a user creates a new account." msgid "Configure the way a user creates a new account."
msgstr "" msgstr ""
msgid "Configure via Merge Request"
msgstr ""
msgid "Configure which lists are shown for anyone who visits this board" msgid "Configure which lists are shown for anyone who visits this board"
msgstr "" msgstr ""
...@@ -11554,9 +11539,6 @@ msgstr "" ...@@ -11554,9 +11539,6 @@ msgstr ""
msgid "Deployments" msgid "Deployments"
msgstr "" msgstr ""
msgid "Deployments to Google Kubernetes Engine can be "
msgstr ""
msgid "Deployments|%{deployments} environment impacted." msgid "Deployments|%{deployments} environment impacted."
msgid_plural "Deployments|%{deployments} environments impacted." msgid_plural "Deployments|%{deployments} environments impacted."
msgstr[0] "" msgstr[0] ""
...@@ -16052,9 +16034,6 @@ msgstr "" ...@@ -16052,9 +16034,6 @@ msgstr ""
msgid "Google Cloud" msgid "Google Cloud"
msgstr "" msgstr ""
msgid "Google Cloud offers several deployment targets. Select the one most suitable for your project."
msgstr ""
msgid "Google authentication is not %{link_start}properly configured%{link_end}. Ask your GitLab administrator if you want to use this service." msgid "Google authentication is not %{link_start}properly configured%{link_end}. Ask your GitLab administrator if you want to use this service."
msgstr "" msgstr ""
...@@ -31306,9 +31285,6 @@ msgstr "" ...@@ -31306,9 +31285,6 @@ msgstr ""
msgid "Service" msgid "Service"
msgstr "" msgstr ""
msgid "Service Accounts keys are required to authorize GitLab to deploy your Google Cloud project."
msgstr ""
msgid "Service Desk" msgid "Service Desk"
msgstr "" msgstr ""
...@@ -40769,9 +40745,6 @@ msgstr "" ...@@ -40769,9 +40745,6 @@ msgstr ""
msgid "in" msgid "in"
msgstr "" msgstr ""
msgid "in Infrastructure :: Kubernetes clusters"
msgstr ""
msgid "in all GitLab" msgid "in all GitLab"
msgstr "" msgstr ""
...@@ -40936,9 +40909,6 @@ msgstr "" ...@@ -40936,9 +40909,6 @@ msgstr ""
msgid "log in" msgid "log in"
msgstr "" msgstr ""
msgid "managed"
msgstr ""
msgid "manual" msgid "manual"
msgstr "" msgstr ""
......
...@@ -955,6 +955,28 @@ RSpec.describe ProjectPolicy do ...@@ -955,6 +955,28 @@ RSpec.describe ProjectPolicy do
end end
end end
context 'infrastructure google cloud feature' do
%w(guest reporter developer).each do |role|
context role do
let(:current_user) { send(role) }
it 'disallows managing google cloud' do
expect_disallowed(:admin_project_google_cloud)
end
end
end
%w(maintainer owner).each do |role|
context role do
let(:current_user) { send(role) }
it 'allows managing google cloud' do
expect_allowed(:admin_project_google_cloud)
end
end
end
end
describe 'design permissions' do describe 'design permissions' do
include DesignManagementTestHelpers include DesignManagementTestHelpers
......
...@@ -2,49 +2,107 @@ ...@@ -2,49 +2,107 @@
require 'spec_helper' require 'spec_helper'
# Mock Types
MockGoogleOAuth2Credentials = Struct.new(:app_id, :app_secret)
RSpec.describe Projects::GoogleCloudController do RSpec.describe Projects::GoogleCloudController do
let_it_be(:project) { create(:project, :public) } let_it_be(:project) { create(:project, :public) }
describe 'GET index' do describe 'GET index' do
let_it_be(:url) { "#{project_google_cloud_index_path(project)}" } let_it_be(:url) { "#{project_google_cloud_index_path(project)}" }
let(:subject) { get url } context 'when a public request is made' do
it 'returns not found' do
get url
context 'when user is authorized' do expect(response).to have_gitlab_http_status(:not_found)
let(:user) { project.creator } end
end
before do context 'when a project.guest makes request' do
let(:user) { create(:user) }
it 'returns not found' do
project.add_guest(user)
sign_in(user) sign_in(user)
subject
get url
expect(response).to have_gitlab_http_status(:not_found)
end
end end
it 'renders content' do context 'when project.developer makes request' do
expect(response).to be_successful let(:user) { create(:user) }
it 'returns not found' do
project.add_developer(user)
sign_in(user)
get url
expect(response).to have_gitlab_http_status(:not_found)
end end
end end
context 'when user is unauthorized' do context 'when project.maintainer makes request' do
let(:user) { create(:user) } let(:user) { create(:user) }
before do it 'returns successful' do
project.add_guest(user) project.add_maintainer(user)
sign_in(user)
get url
expect(response).to be_successful
end
end
context 'when project.creator makes request' do
let(:user) { project.creator }
it 'returns successful' do
sign_in(user) sign_in(user)
subject
get url
expect(response).to be_successful
end
end end
it 'shows 404' do describe 'when authorized user makes request' do
expect(response).to have_gitlab_http_status(:not_found) let(:user) { project.creator }
context 'but gitlab instance is not configured for google oauth2' do
before do
unconfigured_google_oauth2 = MockGoogleOAuth2Credentials.new('', '')
allow(Gitlab::Auth::OAuth::Provider).to receive(:config_for)
.with('google_oauth2')
.and_return(unconfigured_google_oauth2)
end
it 'returns forbidden' do
sign_in(user)
get url
expect(response).to have_gitlab_http_status(:forbidden)
end end
end end
context 'when no user is present' do context 'but feature flag is disabled' do
before do before do
subject stub_feature_flags(incubation_5mp_google_cloud: false)
end end
it 'shows 404' do it 'returns not found' do
sign_in(user)
get url
expect(response).to have_gitlab_http_status(:not_found) expect(response).to have_gitlab_http_status(:not_found)
end end
end end
end end
end
end end
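Review bot: The contexts that expect success (`project.maintainer`, `project.creator`) and the feature-flag context never stub `Gitlab::Auth::OAuth::Provider.config_for`, so their outcome presumably depends on whatever google_oauth2 settings the test environment carries. A shared `before` under `describe 'GET index'` would make them deterministic, e.g. `allow(Gitlab::Auth::OAuth::Provider).to receive(:config_for).with('google_oauth2').and_return(MockGoogleOAuth2Credentials.new('test-id', 'test-secret'))` (constructed sample values). The unconfigured case covers only two empty strings; cases for a single blank field and for a `nil` return would pin the denial path the controller relies on. `MockGoogleOAuth2Credentials` is declared at file top level and so stays defined for every spec loaded afterwards; `stub_const` or a `let` would keep it local to this file.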