Merge branch '323573-limit-creating-top-level-groups' into 'master'

Add feature flag to block gitlab.com top-level group creation via api [RUN ALL RSPEC] [RUN AS-IF-FOSS] See merge request gitlab-org/gitlab!56360

Merge branch '323573-limit-creating-top-level-groups' into 'master'
Add feature flag to block gitlab.com top-level group creation via api [RUN ALL RSPEC] [RUN AS-IF-FOSS] See merge request gitlab-org/gitlab!56360
69401726 · James Lopez · 71385691 · 852c41fe · 69401726 · 69401726
Commit 69401726 authored Mar 12, 2021 by James Lopez
7 changed files
--- a/ee/app/policies/ee/global_policy.rb
+++ b/ee/app/policies/ee/global_policy.rb
@@ -21,6 +21,14 @@ module EE
        ::License.feature_available?(:export_user_permissions)
      end

+      condition(:top_level_group_creation_enabled) do
+        if ::Gitlab.com?
+          ::Feature.enabled?(:top_level_group_creation_enabled, type: :ops, default_enabled: true)
+        else
+          true
+        end
+      end
+
      rule { ~anonymous & operations_dashboard_available }.enable :read_operations_dashboard

      rule { admin }.policy do
@@ -46,6 +54,9 @@ module EE
      end

      rule { export_user_permissions_available & admin }.enable :export_user_permissions
+
+      rule { can?(:create_group) }.enable :create_group_via_api
+      rule { ~top_level_group_creation_enabled }.prevent :create_group_via_api
    end
  end
 end
--- a/ee/changelogs/unreleased/323573-limit-creating-top-level-groups.yml
+++ b/ee/changelogs/unreleased/323573-limit-creating-top-level-groups.yml
+---
+title: Add feature flag to block gitlab.com top-level group creation via api
+merge_request: 56360
+author:
+type: added
--- a/ee/config/feature_flags/ops/top_level_group_creation_enabled.yml
+++ b/ee/config/feature_flags/ops/top_level_group_creation_enabled.yml
+---
+name: top_level_group_creation_enabled
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/56360
+rollout_issue_url:
+milestone: '13.10'
+type: ops
+group: group::access
+default_enabled: true
--- a/ee/lib/ee/api/groups.rb
+++ b/ee/lib/ee/api/groups.rb
@@ -49,6 +49,11 @@ module EE
            super
          end

+          override :authorize_group_creation!
+          def authorize_group_creation!
+            authorize! :create_group_via_api
+          end
+
          def check_audit_events_available!(group)
            forbidden! unless group.feature_available?(:audit_events)
          end

--- a/ee/spec/policies/global_policy_spec.rb
+++ b/ee/spec/policies/global_policy_spec.rb
@@ -266,4 +266,48 @@ RSpec.describe GlobalPolicy do
      it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) }
    end
  end
+
+  describe 'create_group_via_api' do
+    let(:policy) { :create_group_via_api }
+
+    context 'on .com' do
+      before do
+        allow(::Gitlab).to receive(:com?).and_return(true)
+      end
+
+      context 'when feature is enabled' do
+        before do
+          stub_feature_flags(top_level_group_creation_enabled: true)
+        end
+
+        it { is_expected.to be_allowed(policy) }
+      end
+
+      context 'when feature is disabled' do
+        before do
+          stub_feature_flags(top_level_group_creation_enabled: false)
+        end
+
+        it { is_expected.to be_disallowed(policy) }
+      end
+    end
+
+    context 'on self-managed' do
+      context 'when feature is enabled' do
+        before do
+          stub_feature_flags(top_level_group_creation_enabled: true)
+        end
+
+        it { is_expected.to be_allowed(policy) }
+      end
+
+      context 'when feature is disabled' do
+        before do
+          stub_feature_flags(top_level_group_creation_enabled: false)
+        end
+
+        it { is_expected.to be_allowed(policy) }
+      end
+    end
+  end
 end
--- a/ee/spec/requests/api/groups_spec.rb
+++ b/ee/spec/requests/api/groups_spec.rb
@@ -414,6 +414,100 @@ RSpec.describe API::Groups do
        end
      end
    end
+
+    context 'when creating group on .com' do
+      before do
+        allow(::Gitlab).to receive(:com?).and_return(true)
+      end
+
+      context 'when top_level_group_creation_enabled feature flag is disabled' do
+        before do
+          stub_feature_flags(top_level_group_creation_enabled: false)
+        end
+
+        it 'does not create a top-level group' do
+          group = attributes_for_group_api
+
+          expect do
+            post api("/groups", admin), params: group
+          end.not_to change { Group.count }
+
+          expect(response).to have_gitlab_http_status(:forbidden)
+        end
+
+        it 'creates a subgroup' do
+          parent = create(:group)
+          parent.add_owner(admin)
+
+          expect do
+            post api("/groups", admin), params: { parent_id: parent.id, name: 'foo', path: 'foo' }
+          end.to change { Group.count }.by(1)
+
+          expect(response).to have_gitlab_http_status(:created)
+        end
+      end
+
+      context 'when top_level_group_creation_enabled feature flag is enabled' do
+        before do
+          stub_feature_flags(top_level_group_creation_enabled: true)
+        end
+
+        it 'creates a top-level group' do
+          group = attributes_for_group_api
+
+          expect do
+            post api("/groups", admin), params: group
+          end.to change { Group.count }
+
+          expect(response).to have_gitlab_http_status(:created)
+        end
+      end
+    end
+
+    context 'when creating group on self-managed' do
+      context 'when top_level_group_creation_enabled feature flag is disabled' do
+        before do
+          stub_feature_flags(top_level_group_creation_enabled: false)
+        end
+
+        it 'creates a top-level group' do
+          group = attributes_for_group_api
+
+          expect do
+            post api("/groups", admin), params: group
+          end.to change { Group.count }
+
+          expect(response).to have_gitlab_http_status(:created)
+        end
+
+        it 'creates a subgroup' do
+          parent = create(:group)
+          parent.add_owner(admin)
+
+          expect do
+            post api("/groups", admin), params: { parent_id: parent.id, name: 'foo', path: 'foo' }
+          end.to change { Group.count }.by(1)
+
+          expect(response).to have_gitlab_http_status(:created)
+        end
+      end
+
+      context 'when top_level_group_creation_enabled feature flag is enabled' do
+        before do
+          stub_feature_flags(top_level_group_creation_enabled: true)
+        end
+
+        it 'creates a top-level group' do
+          group = attributes_for_group_api
+
+          expect do
+            post api("/groups", admin), params: group
+          end.to change { Group.count }
+
+          expect(response).to have_gitlab_http_status(:created)
+        end
+      end
+    end
  end

  describe 'POST /groups/:id/ldap_sync' do

--- a/lib/api/groups.rb
+++ b/lib/api/groups.rb
@@ -137,6 +137,10 @@ module API
        end
      end
      # rubocop: enable CodeReuse/ActiveRecord
+
+      def authorize_group_creation!
+        authorize! :create_group
+      end
    end

    resource :groups do
@@ -169,7 +173,7 @@ module API
        if parent_group
          authorize! :create_subgroup, parent_group
        else
-          authorize! :create_group
+          authorize_group_creation!
        end

        group = create_group