Add agent project authorizations to finder

f811f67c · Hordur Freyr Yngvason · Mayra Cabrera · 6d5147b9 · f811f67c · f811f67c
Commit f811f67c authored Oct 06, 2021 by Hordur Freyr Yngvason Committed by Mayra Cabrera Oct 06, 2021
2 changed files
--- a/ee/app/finders/clusters/agent_authorizations_finder.rb
+++ b/ee/app/finders/clusters/agent_authorizations_finder.rb
@@ -9,7 +9,9 @@ module Clusters
    def execute
      return [] unless feature_available?

-      implicit_authorizations + group_authorizations
+      # closest, most-specific authorization for a given agent wins
+      (project_authorizations + implicit_authorizations + group_authorizations)
+        .uniq(&:agent_id)
    end

    private
@@ -27,6 +29,17 @@ module Clusters
    end

    # rubocop: disable CodeReuse/ActiveRecord
+    def project_authorizations
+      ancestor_ids = project.group ? project.ancestors.select(:id) : project.namespace_id
+
+      Clusters::Agents::ProjectAuthorization
+        .where(project_id: project.id)
+        .joins(agent: :project)
+        .preload(agent: :project)
+        .where(cluster_agents: { projects: { namespace_id: ancestor_ids } })
+        .to_a
+    end
+
    def group_authorizations
      return [] unless project.group


--- a/ee/spec/finders/clusters/agent_authorizations_finder_spec.rb
+++ b/ee/spec/finders/clusters/agent_authorizations_finder_spec.rb
@@ -29,15 +29,41 @@ RSpec.describe Clusters::AgentAuthorizationsFinder do
      it { is_expected.to be_empty }
    end

+    describe 'project authorizations' do
+      context 'agent configuration project does not share a root namespace with the given project' do
+        let(:unrelated_agent) { create(:cluster_agent) }
+
+        before do
+          create(:agent_project_authorization, agent: unrelated_agent, project: requesting_project)
+        end
+
+        it { is_expected.to be_empty }
+      end
+
+      context 'with project authorizations present' do
+        let!(:authorization) {create(:agent_project_authorization, agent: production_agent, project: requesting_project) }
+
+        it { is_expected.to match_array [authorization] }
+      end
+
+      context 'with overlapping authorizations' do
+        let!(:agent) { create(:cluster_agent, project: requesting_project) }
+        let!(:project_authorization) { create(:agent_project_authorization, agent: agent, project: requesting_project) }
+        let!(:group_authorization) { create(:agent_group_authorization, agent: agent, group: bottom_level_group) }
+
+        it { is_expected.to match_array [project_authorization] }
+      end
+    end
+
    describe 'implicit authorizations' do
      let!(:associated_agent) { create(:cluster_agent, project: requesting_project) }

-      it 'returns authorazations for agents directly associated with the project' do
+      it 'returns authorizations for agents directly associated with the project' do
        expect(subject.count).to eq(1)

-        authorazation = subject.first
-        expect(authorazation).to be_a(Clusters::Agents::ImplicitAuthorization)
-        expect(authorazation.agent).to eq(associated_agent)
+        authorization = subject.first
+        expect(authorization).to be_a(Clusters::Agents::ImplicitAuthorization)
+        expect(authorization.agent).to eq(associated_agent)
      end
    end