Merge branch 'incubation-5mp-google-cloud-deployments-controller' into 'master'

Introduce DeploymentsController with placeholder routes

See merge request gitlab-org/gitlab!77663

app/controllers/projects/google_cloud/base_controller.rb

@@ -23,4 +23,39 @@ class Projects::GoogleCloud::BaseController < Projects::ApplicationController
   def feature_flag_enabled!
     access_denied! unless Feature.enabled?(:incubation_5mp_google_cloud, project)
   end
+
+  def validate_gcp_token!
+    is_token_valid = GoogleApi::CloudPlatform::Client.new(token_in_session, nil)
+                                                     .validate_token(expires_at_in_session)
+
+    return if is_token_valid
+
+    return_url = project_google_cloud_index_path(project)
+    state = generate_session_key_redirect(request.url, return_url)
+    @authorize_url = GoogleApi::CloudPlatform::Client.new(nil,
+                                                          callback_google_api_auth_url,
+                                                          state: state).authorize_url
+    redirect_to @authorize_url
+  end
+
+  def generate_session_key_redirect(uri, error_uri)
+    GoogleApi::CloudPlatform::Client.new_session_key_for_redirect_uri do |key|
+      session[key] = uri
+      session[:error_uri] = error_uri
+    end
+  end
+
+  def token_in_session
+    session[GoogleApi::CloudPlatform::Client.session_key_for_token]
+  end
+
+  def expires_at_in_session
+    session[GoogleApi::CloudPlatform::Client.session_key_for_expires_at]
+  end
+
+  def handle_gcp_error(error, project)
+    Gitlab::ErrorTracking.track_exception(error, project_id: project.id)
+    @js_data = { screen: 'gcp_error', error: error.to_s }.to_json
+    render status: :unauthorized, template: 'projects/google_cloud/errors/gcp_error'
+  end
 end

app/controllers/projects/google_cloud/deployments_controller.rb

+# frozen_string_literal: true
+
+class Projects::GoogleCloud::DeploymentsController < Projects::GoogleCloud::BaseController
+  before_action :validate_gcp_token!
+
+  def cloud_run
+    render json: "Placeholder"
+  end
+
+  def cloud_storage
+    render json: "Placeholder"
+  end
+end

app/controllers/projects/google_cloud/service_accounts_controller.rb

@@ -45,41 +45,4 @@ class Projects::GoogleCloud::ServiceAccountsController < Projects::GoogleCloud::
   rescue Google::Apis::ClientError, Google::Apis::ServerError, Google::Apis::AuthorizationError => error
     handle_gcp_error(error, project)
   end
-
-  private
-
-  def validate_gcp_token!
-    is_token_valid = GoogleApi::CloudPlatform::Client.new(token_in_session, nil)
-                                                     .validate_token(expires_at_in_session)
-
-    return if is_token_valid
-
-    return_url = project_google_cloud_index_path(project)
-    state = generate_session_key_redirect(request.url, return_url)
-    @authorize_url = GoogleApi::CloudPlatform::Client.new(nil,
-                                                          callback_google_api_auth_url,
-                                                          state: state).authorize_url
-    redirect_to @authorize_url
-  end
-
-  def generate_session_key_redirect(uri, error_uri)
-    GoogleApi::CloudPlatform::Client.new_session_key_for_redirect_uri do |key|
-      session[key] = uri
-      session[:error_uri] = error_uri
-    end
-  end
-
-  def token_in_session
-    session[GoogleApi::CloudPlatform::Client.session_key_for_token]
-  end
-
-  def expires_at_in_session
-    session[GoogleApi::CloudPlatform::Client.session_key_for_expires_at]
-  end
-
-  def handle_gcp_error(error, project)
-    Gitlab::ErrorTracking.track_exception(error, project_id: project.id)
-    @js_data = { screen: 'gcp_error', error: error.to_s }.to_json
-    render status: :unauthorized, template: 'projects/google_cloud/errors/gcp_error'
-  end
 end

config/routes/project.rb

@@ -319,6 +319,9 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
 
         namespace :google_cloud do
           resources :service_accounts, only: [:index, :create]
+
+          get '/deployments/cloud_run', to: 'deployments#cloud_run'
+          get '/deployments/cloud_storage', to: 'deployments#cloud_storage'
         end
 
         resources :environments, except: [:destroy] do

lib/sidebars/projects/menus/infrastructure_menu.rb

@@ -100,7 +100,7 @@ module Sidebars
           ::Sidebars::MenuItem.new(
             title: _('Google Cloud'),
             link: project_google_cloud_index_path(context.project),
-            active_routes: { controller: [:google_cloud, :service_accounts] },
+            active_routes: { controller: [:google_cloud, :service_accounts, :deployments] },
             item_id: :google_cloud
           )
         end

spec/requests/projects/google_cloud/deployments_controller_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Projects::GoogleCloud::DeploymentsController do
+  let_it_be(:project) { create(:project, :public) }
+
+  let_it_be(:user_guest) { create(:user) }
+  let_it_be(:user_developer) { create(:user) }
+  let_it_be(:user_maintainer) { create(:user) }
+  let_it_be(:user_creator) { project.creator }
+
+  let_it_be(:unauthorized_members) { [user_guest, user_developer] }
+  let_it_be(:authorized_members) { [user_maintainer, user_creator] }
+
+  let_it_be(:urls_list) { %W[#{project_google_cloud_deployments_cloud_run_path(project)} #{project_google_cloud_deployments_cloud_storage_path(project)}] }
+
+  before do
+    project.add_guest(user_guest)
+    project.add_developer(user_developer)
+    project.add_maintainer(user_maintainer)
+  end
+
+  describe "Routes must be restricted behind Google OAuth2" do
+    context 'when a public request is made' do
+      it 'returns not found on GET request' do
+        urls_list.each do |url|
+          get url
+
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+      end
+    end
+
+    context 'when unauthorized members make requests' do
+      it 'returns not found on GET request' do
+        urls_list.each do |url|
+          unauthorized_members.each do |unauthorized_member|
+            sign_in(unauthorized_member)
+
+            get url
+
+            expect(response).to have_gitlab_http_status(:not_found)
+          end
+        end
+      end
+    end
+
+    context 'when authorized members make requests' do
+      it 'redirects on GET request' do
+        urls_list.each do |url|
+          authorized_members.each do |authorized_member|
+            sign_in(authorized_member)
+
+            get url
+
+            expect(response).to redirect_to(assigns(:authorize_url))
+          end
+        end
+      end
+    end
+  end
+
+  describe 'Authorized GET project/-/google_cloud/deployments/cloud_run' do
+    let_it_be(:url) { "#{project_google_cloud_deployments_cloud_run_path(project)}" }
+
+    before do
+      allow_next_instance_of(GoogleApi::CloudPlatform::Client) do |client|
+        allow(client).to receive(:validate_token).and_return(true)
+      end
+    end
+
+    it 'renders placeholder' do
+      authorized_members.each do |authorized_member|
+        sign_in(authorized_member)
+
+        get url
+
+        expect(response).to have_gitlab_http_status(:ok)
+      end
+    end
+  end
+
+  describe 'Authorized GET project/-/google_cloud/deployments/cloud_storage' do
+    let_it_be(:url) { "#{project_google_cloud_deployments_cloud_storage_path(project)}" }
+
+    before do
+      allow_next_instance_of(GoogleApi::CloudPlatform::Client) do |client|
+        allow(client).to receive(:validate_token).and_return(true)
+      end
+    end
+
+    it 'renders placeholder' do
+      authorized_members.each do |authorized_member|
+        sign_in(authorized_member)
+
+        get url
+
+        expect(response).to have_gitlab_http_status(:ok)
+      end
+    end
+  end
+end