Introduce Project bot users

Adds a new type of users - Project bot users. The purpose of these users is that they will be used internally to generate project level access token. We also define the policy for this user based on it's purpose.

Introduce Project bot users
Adds a new type of users - Project bot users. The purpose of these users is that they will be used internally to generate project level access token. We also define the policy for this user based on it's purpose.
fc7a89c4 · Aishwarya Subramanian · 9048b675 · fc7a89c4 · fc7a89c4 · fc7a89c4
Commit fc7a89c4 authored Mar 26, 2020 by Aishwarya Subramanian
8 changed files
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -337,7 +337,8 @@ class User < ApplicationRecord
  scope :with_dashboard, -> (dashboard) { where(dashboard: dashboard) }
  scope :with_public_profile, -> { where(private_profile: false) }
  scope :bots, -> { where(user_type: UserTypeEnums.bots.values) }
-  scope :not_bots, -> { humans.or(where.not(user_type: UserTypeEnums.bots.values)) }
+  scope :bots_without_project_bot, -> { bots.where.not(user_type: UserTypeEnums.bots[:project_bot]) }
+  scope :with_project_bots, -> { humans.or(where.not(user_type: UserTypeEnums.bots.except(:project_bot).values)) }
  scope :humans, -> { where(user_type: nil) }

  scope :with_expiring_and_not_notified_personal_access_tokens, ->(at) do
@@ -657,8 +658,10 @@ class User < ApplicationRecord
    UserTypeEnums.bots.has_key?(user_type)
  end

+  # The explicit check for project_bot will be removed with Bot Categorization
+  # Ref: https://gitlab.com/gitlab-org/gitlab/-/issues/213945
  def internal?
-    ghost? || bot?
+    ghost? || (bot? && !project_bot?)
  end

  # We are transitioning from ghost boolean column to user_type
@@ -668,12 +671,16 @@ class User < ApplicationRecord
    ghost
  end

+  # The explicit check for project_bot will be removed with Bot Categorization
+  # Ref: https://gitlab.com/gitlab-org/gitlab/-/issues/213945
  def self.internal
-    where(ghost: true).or(bots)
+    where(ghost: true).or(bots_without_project_bot)
  end

+  # The explicit check for project_bot will be removed with Bot Categorization
+  # Ref: https://gitlab.com/gitlab-org/gitlab/-/issues/213945
  def self.non_internal
-    without_ghosts.not_bots
+    without_ghosts.with_project_bots
  end

  #

--- a/app/models/user_type_enums.rb
+++ b/app/models/user_type_enums.rb
@@ -6,7 +6,7 @@ module UserTypeEnums
  end

  def self.bots
-    @bots ||= { alert_bot: 2 }.with_indifferent_access
+    @bots ||= { alert_bot: 2, project_bot: 6 }.with_indifferent_access
  end
 end


--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -17,6 +17,8 @@ class GlobalPolicy < BasePolicy

  condition(:private_instance_statistics, score: 0) { Gitlab::CurrentSettings.instance_statistics_visibility_private? }

+  condition(:project_bot, scope: :user) { @user&.project_bot? }
+
  rule { admin | (~private_instance_statistics & ~anonymous) }
    .enable :read_instance_statistics

@@ -51,6 +53,11 @@ class GlobalPolicy < BasePolicy
    prevent :use_slash_commands
  end

+  rule { project_bot }.policy do
+    prevent :log_in
+    prevent :receive_notifications
+  end
+
  rule { deactivated }.policy do
    prevent :access_git
    prevent :access_api

--- a/ee/app/models/ee/user.rb
+++ b/ee/app/models/ee/user.rb
@@ -262,6 +262,7 @@ module EE
    def using_license_seat?
      active? &&
      !internal? &&
+      !project_bot? &&
      has_current_license? &&
      paid_in_current_license?
    end

--- a/spec/factories/users.rb
+++ b/spec/factories/users.rb
@@ -27,6 +27,10 @@ FactoryBot.define do
      user_type { :alert_bot }
    end

+    trait :project_bot do
+      user_type { :project_bot }
+    end
+
    trait :external do
      external { true }
    end

--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -4357,18 +4357,19 @@ describe User, :do_not_mock_admin_mode do

  describe 'internal methods' do
    let_it_be(:user) { create(:user) }
-    let!(:ghost) { described_class.ghost }
-    let!(:alert_bot) { described_class.alert_bot }
-    let!(:non_internal) { [user] }
-    let!(:internal) { [ghost, alert_bot] }
+    let_it_be(:ghost) { described_class.ghost }
+    let_it_be(:alert_bot) { described_class.alert_bot }
+    let_it_be(:project_bot) { create(:user, :project_bot) }
+    let_it_be(:non_internal) { [user, project_bot] }
+    let_it_be(:internal) { [ghost, alert_bot] }

    it 'returns internal users' do
-      expect(described_class.internal).to eq(internal)
+      expect(described_class.internal).to match_array(internal)
      expect(internal.all?(&:internal?)).to eq(true)
    end

    it 'returns non internal users' do
-      expect(described_class.non_internal).to eq(non_internal)
+      expect(described_class.non_internal).to match_array(non_internal)
      expect(non_internal.all?(&:internal?)).to eq(false)
    end

@@ -4420,9 +4421,12 @@ describe User, :do_not_mock_admin_mode do
    it 'returns corresponding users' do
      human = create(:user)
      bot = create(:user, :bot)
+      project_bot = create(:user, :project_bot)

      expect(described_class.humans).to match_array([human])
-      expect(described_class.bots).to match_array([bot])
+      expect(described_class.bots).to match_array([bot, project_bot])
+      expect(described_class.bots_without_project_bot).to match_array([bot])
+      expect(described_class.with_project_bots).to match_array([human, project_bot])
    end
  end


--- a/spec/models/user_type_enums_spec.rb
+++ b/spec/models/user_type_enums_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe UserTypeEnums do
+  it '.types' do
+    expect(described_class.types.keys).to include('alert_bot', 'project_bot', 'human', 'ghost')
+  end
+
+  it '.bots' do
+    expect(described_class.bots.keys).to include('alert_bot', 'project_bot')
+  end
+end
--- a/spec/policies/global_policy_spec.rb
+++ b/spec/policies/global_policy_spec.rb
@@ -5,6 +5,7 @@ require 'spec_helper'
 describe GlobalPolicy do
  include TermsHelper

+  let_it_be(:project_bot) { create(:user, :project_bot) }
  let(:current_user) { create(:user) }
  let(:user) { create(:user) }

@@ -120,6 +121,12 @@ describe GlobalPolicy do
      it { is_expected.to be_allowed(:access_api) }
    end

+    context 'project bot' do
+      let(:current_user) { project_bot }
+
+      it { is_expected.to be_allowed(:access_api) }
+    end
+
    context 'when terms are enforced' do
      before do
        enforce_terms
@@ -203,6 +210,12 @@ describe GlobalPolicy do

      it { is_expected.not_to be_allowed(:receive_notifications) }
    end
+
+    context 'project bot' do
+      let(:current_user) { project_bot }
+
+      it { is_expected.not_to be_allowed(:receive_notifications) }
+    end
  end

  describe 'git access' do
@@ -265,6 +278,12 @@ describe GlobalPolicy do
        it { is_expected.to be_allowed(:access_git) }
      end
    end
+
+    context 'project bot' do
+      let(:current_user) { project_bot }
+
+      it { is_expected.to be_allowed(:access_git) }
+    end
  end

  describe 'read instance metadata' do
@@ -361,6 +380,12 @@ describe GlobalPolicy do

      it { is_expected.not_to be_allowed(:use_slash_commands) }
    end
+
+    context 'project bot' do
+      let(:current_user) { project_bot }
+
+      it { is_expected.to be_allowed(:use_slash_commands) }
+    end
  end

  describe 'create_snippet' do
@@ -380,4 +405,12 @@ describe GlobalPolicy do
      it { is_expected.not_to be_allowed(:create_snippet) }
    end
  end
+
+  describe 'log in' do
+    context 'project bot' do
+      let(:current_user) { project_bot }
+
+      it { is_expected.not_to be_allowed(:log_in) }
+    end
+  end
 end