Commit d1dee969 authored by Sri's avatar Sri

Access restrictions for project /google_cloud

- Blocked when the GitLab instance is not configured for Google OAuth2
- Blocked when the feature flag is not enabled
- Blocked when the user is not a project `maintainer` or `owner`
parent d902854a
# frozen_string_literal: true # frozen_string_literal: true
class Projects::GoogleCloudController < Projects::ApplicationController class Projects::GoogleCloudController < Projects::ApplicationController
before_action :authorize_can_manage_google_cloud_deployments! feature_category :google_cloud
feature_category :release_orchestration before_action :admin_project_google_cloud?
before_action :google_oauth2_enabled?
before_action :feature_flag_enabled?
def index def index
end end
private private
def authorize_can_manage_google_cloud_deployments! def admin_project_google_cloud?
access_denied! unless can?(current_user, :manage_project_google_cloud, project) access_denied! unless can?(current_user, :admin_project_google_cloud, project)
end
def google_oauth2_enabled?
config = Gitlab::Auth::OAuth::Provider.config_for('google_oauth2')
if config.app_id.blank? || config.app_secret.blank?
access_denied! 'This GitLab instance not configured for Google Oauth2.'
end
end
def feature_flag_enabled?
access_denied! unless Feature.enabled?(:incubation_5mp_google_cloud)
end end
end end
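Review bot: `before_action :feature_flag_enabled?` is registered last, so with the flag off a maintainer still receives the 403 `This GitLab instance not configured for Google Oauth2.` when the provider is unset and a 404 otherwise (the controller spec pins exactly those two statuses), which lets the response reveal instance OAuth configuration for a feature that is supposed to be invisible; move `before_action :feature_flag_enabled?` above `before_action :google_oauth2_enabled?` so an unreleased feature answers uniformly. If `Gitlab::Auth::OAuth::Provider.config_for('google_oauth2')` can return nil when the provider is not listed at all, `config.app_id` raises instead of denying; a guard of `if config.blank? || config.app_id.blank? || config.app_secret.blank?` covers that. The denial message should read `'This GitLab instance is not configured for Google OAuth2.'`. Finally, `admin_project_google_cloud?`, `google_oauth2_enabled?` and `feature_flag_enabled?` end in `?` but render a denial rather than return a boolean, so names like `check_google_oauth2_configured!` would match `access_denied!` and the file's `authorize_…!` convention.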
...@@ -439,7 +439,7 @@ class ProjectPolicy < BasePolicy ...@@ -439,7 +439,7 @@ class ProjectPolicy < BasePolicy
enable :destroy_freeze_period enable :destroy_freeze_period
enable :admin_feature_flags_client enable :admin_feature_flags_client
enable :update_runners_registration_token enable :update_runners_registration_token
enable :manage_project_google_cloud enable :admin_project_google_cloud
end end
rule { public_project & metrics_dashboard_allowed }.policy do rule { public_project & metrics_dashboard_allowed }.policy do
...@@ -4,80 +4,3 @@ ...@@ -4,80 +4,3 @@
- @content_class = "limit-container-width" unless fluid_layout - @content_class = "limit-container-width" unless fluid_layout
#js-google-cloud #js-google-cloud
%h1.gl-font-size-h1 Google Cloud
%section#js-section-google-cloud-service-accounts
%h2.gl-font-size-h2 Service Accounts
%p= _('Service Accounts keys are required to authorize GitLab to deploy your Google Cloud project.')
%table.table.b-table.gl-table
%thead
%tr
%th Environment
%th GCP Project ID
%th Service Account Key
%tbody
%tr
%td *
%td serving-salutes-453
%td .....
%tr
%td production
%td crimson-corey-234
%td .....
%tr
%td review/*
%td roving-river-379
%td .....
%a.gl-button.btn.btn-primary= _('Add new service account')
%br
%section#js-section-google-cloud-deployments
.row.row-fluid
.col-lg-4
%h2.gl-font-size-h2 Deployments
%p= _('Google Cloud offers several deployment targets. Select the one most suitable for your project.')
%p
= _('Deployments to Google Kubernetes Engine can be ')
%a{ href: '#' }= _('managed')
= _('in Infrastructure :: Kubernetes clusters')
.col-lg-8
%br
.gl-card.gl-mb-6
.gl-card-body
.gl-display-flex.gl-align-items-baseline
%strong.gl-font-lg App Engine
.gl-ml-auto.gl-text-gray-500 Disabled
%p= _('App Engine description and apps that are suitable for this deployment target')
%button.gl-button.btn.btn-default= _('Configure via Merge Request')
.gl-card.gl-mb-6
.gl-card-body
.gl-display-flex.gl-align-items-baseline
%strong.gl-font-lg Cloud Functions
.gl-ml-auto.gl-text-gray-500 Disabled
%p= _('Cloud Functions description and apps that are suitable for this deployment target')
%button.gl-button.btn.btn-default= _('Configure via Merge Request')
.gl-card.gl-mb-6
.gl-card-body
.gl-display-flex.gl-align-items-baseline
%strong.gl-font-lg Cloud Run
.gl-ml-auto.gl-text-gray-500 Disabled
%p= _('Cloud Run description and apps that are suitable for this deployment target')
%button.gl-button.btn.btn-default= _('Configure via Merge Request')
...@@ -57,6 +57,7 @@ ...@@ -57,6 +57,7 @@
- gitaly - gitaly
- gitlab_docs - gitlab_docs
- global_search - global_search
- google_cloud
- helm_chart_registry - helm_chart_registry
- horse - horse
- importers - importers
...@@ -91,7 +91,7 @@ module Sidebars ...@@ -91,7 +91,7 @@ module Sidebars
def google_cloud_menu_item def google_cloud_menu_item
feature_is_enabled = Feature.enabled?(:incubation_5mp_google_cloud) feature_is_enabled = Feature.enabled?(:incubation_5mp_google_cloud)
user_has_permissions = can?(context.current_user, :manage_project_google_cloud, context.project) user_has_permissions = can?(context.current_user, :admin_project_google_cloud, context.project)
unless feature_is_enabled && user_has_permissions unless feature_is_enabled && user_has_permissions
return ::Sidebars::NilMenuItem.new(item_id: :incubation_5mp_google_cloud) return ::Sidebars::NilMenuItem.new(item_id: :incubation_5mp_google_cloud)
...@@ -2047,9 +2047,6 @@ msgstr "" ...@@ -2047,9 +2047,6 @@ msgstr ""
msgid "Add new directory" msgid "Add new directory"
msgstr "" msgstr ""
msgid "Add new service account"
msgstr ""
msgid "Add or remove previously merged commits" msgid "Add or remove previously merged commits"
msgstr "" msgstr ""
...@@ -3987,9 +3984,6 @@ msgstr "" ...@@ -3987,9 +3984,6 @@ msgstr ""
msgid "Any namespace" msgid "Any namespace"
msgstr "" msgstr ""
msgid "App Engine description and apps that are suitable for this deployment target"
msgstr ""
msgid "App ID" msgid "App ID"
msgstr "" msgstr ""
...@@ -7283,12 +7277,6 @@ msgstr "" ...@@ -7283,12 +7277,6 @@ msgstr ""
msgid "Closes this %{quick_action_target}." msgid "Closes this %{quick_action_target}."
msgstr "" msgstr ""
msgid "Cloud Functions description and apps that are suitable for this deployment target"
msgstr ""
msgid "Cloud Run description and apps that are suitable for this deployment target"
msgstr ""
msgid "Cluster" msgid "Cluster"
msgstr "" msgstr ""
...@@ -8728,9 +8716,6 @@ msgstr "" ...@@ -8728,9 +8716,6 @@ msgstr ""
msgid "Configure the way a user creates a new account." msgid "Configure the way a user creates a new account."
msgstr "" msgstr ""
msgid "Configure via Merge Request"
msgstr ""
msgid "Configure which lists are shown for anyone who visits this board" msgid "Configure which lists are shown for anyone who visits this board"
msgstr "" msgstr ""
...@@ -11554,9 +11539,6 @@ msgstr "" ...@@ -11554,9 +11539,6 @@ msgstr ""
msgid "Deployments" msgid "Deployments"
msgstr "" msgstr ""
msgid "Deployments to Google Kubernetes Engine can be "
msgstr ""
msgid "Deployments|%{deployments} environment impacted." msgid "Deployments|%{deployments} environment impacted."
msgid_plural "Deployments|%{deployments} environments impacted." msgid_plural "Deployments|%{deployments} environments impacted."
msgstr[0] "" msgstr[0] ""
...@@ -16046,9 +16028,6 @@ msgstr "" ...@@ -16046,9 +16028,6 @@ msgstr ""
msgid "Google Cloud" msgid "Google Cloud"
msgstr "" msgstr ""
msgid "Google Cloud offers several deployment targets. Select the one most suitable for your project."
msgstr ""
msgid "Google authentication is not %{link_start}properly configured%{link_end}. Ask your GitLab administrator if you want to use this service." msgid "Google authentication is not %{link_start}properly configured%{link_end}. Ask your GitLab administrator if you want to use this service."
msgstr "" msgstr ""
...@@ -31297,9 +31276,6 @@ msgstr "" ...@@ -31297,9 +31276,6 @@ msgstr ""
msgid "Service" msgid "Service"
msgstr "" msgstr ""
msgid "Service Accounts keys are required to authorize GitLab to deploy your Google Cloud project."
msgstr ""
msgid "Service Desk" msgid "Service Desk"
msgstr "" msgstr ""
...@@ -40754,9 +40730,6 @@ msgstr "" ...@@ -40754,9 +40730,6 @@ msgstr ""
msgid "in" msgid "in"
msgstr "" msgstr ""
msgid "in Infrastructure :: Kubernetes clusters"
msgstr ""
msgid "in all GitLab" msgid "in all GitLab"
msgstr "" msgstr ""
...@@ -40921,9 +40894,6 @@ msgstr "" ...@@ -40921,9 +40894,6 @@ msgstr ""
msgid "log in" msgid "log in"
msgstr "" msgstr ""
msgid "managed"
msgstr ""
msgid "manual" msgid "manual"
msgstr "" msgstr ""
...@@ -955,6 +955,28 @@ RSpec.describe ProjectPolicy do ...@@ -955,6 +955,28 @@ RSpec.describe ProjectPolicy do
end end
end end
context 'infrastructure google cloud feature' do
%w(guest reporter developer).each do |role|
context role do
let(:current_user) { send(role) }
it 'disallows managing google cloud' do
expect_disallowed(:admin_project_google_cloud)
end
end
end
%w(maintainer owner).each do |role|
context role do
let(:current_user) { send(role) }
it 'allows managing google cloud' do
expect_allowed(:admin_project_google_cloud)
end
end
end
end
describe 'design permissions' do describe 'design permissions' do
include DesignManagementTestHelpers include DesignManagementTestHelpers
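Review bot: The new `context 'infrastructure google cloud feature'` iterates only `guest reporter developer` on the disallowed side, so anonymous and non-member users — the cases the controller spec treats as the main 404 path — are never asserted against `:admin_project_google_cloud`; if the shared policy context provides `anonymous` and `non_member`, extend the list to `%w(anonymous non_member guest reporter developer).each do |role|`. An `admin` example (with and without admin mode, if neighbouring contexts in this file distinguish them) would likewise pin the elevated path. The example names say 'managing google cloud' while the ability is `admin_project_google_cloud`; aligning them makes the spec easier to find from the policy. RuboCop's preferred literal form is `%w[...]`.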
...@@ -2,48 +2,93 @@ ...@@ -2,48 +2,93 @@
require 'spec_helper' require 'spec_helper'
# Mock Types
MockGoogleOAuth2Credentials = Struct.new(:app_id, :app_secret)
RSpec.describe Projects::GoogleCloudController do RSpec.describe Projects::GoogleCloudController do
let_it_be(:project) { create(:project, :public) } let_it_be(:project) { create(:project, :public) }
describe 'GET index' do describe 'GET index' do
let_it_be(:url) { "#{project_google_cloud_index_path(project)}" } let_it_be(:url) { "#{project_google_cloud_index_path(project)}" }
let(:subject) { get url } context 'when a public request is made' do
it 'returns not found' do
get url
context 'when user is authorized' do expect(response).to have_gitlab_http_status(:not_found)
let(:user) { project.creator } end
end
context 'when a project.guest makes request' do
let(:user) { create(:user) }
before do it 'returns not found' do
project.add_guest(user)
sign_in(user) sign_in(user)
subject get url
expect(response).to have_gitlab_http_status(:not_found)
end end
end
it 'renders content' do context 'when project.developer makes request' do
expect(response).to be_successful let(:user) { create(:user) }
it 'returns not found' do
project.add_developer(user)
sign_in(user)
get url
expect(response).to have_gitlab_http_status(:not_found)
end end
end end
context 'when user is unauthorized' do context 'when project.maintainer makes request' do
let(:user) { create(:user) } let(:user) { create(:user) }
before do it 'returns successful' do
project.add_guest(user) project.add_maintainer(user)
sign_in(user) sign_in(user)
subject get url
expect(response).to be_successful
end end
end
it 'shows 404' do context 'when project.creator makes request' do
expect(response).to have_gitlab_http_status(:not_found) let(:user) { project.creator }
it 'returns successful' do
sign_in(user)
get url
expect(response).to be_successful
end end
end end
context 'when no user is present' do describe 'when authorized user makes request' do
before do let(:user) { project.creator }
subject
context 'but gitlab instance is not configured for google oauth2' do
it 'returns forbidden' do
unconfigured_google_oauth2 = MockGoogleOAuth2Credentials.new('', '')
allow(Gitlab::Auth::OAuth::Provider).to receive(:config_for)
.with('google_oauth2')
.and_return(unconfigured_google_oauth2)
sign_in(user)
get url
expect(response).to have_gitlab_http_status(:forbidden)
end
end end
it 'shows 404' do context 'but feature flag is disabled' do
expect(response).to have_gitlab_http_status(:not_found) it 'returns not found' do
allow(Feature).to receive(:enabled?).and_return(false)
sign_in(user)
get url
expect(response).to have_gitlab_http_status(:not_found)
end
end end
end end
end end
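Review bot: `allow(Feature).to receive(:enabled?).and_return(false)` in the 'but feature flag is disabled' example stubs every feature flag consulted during the request, not just `:incubation_5mp_google_cloud`, so an unrelated flag being off could be what yields the 404; the project helper `stub_feature_flags(incubation_5mp_google_cloud: false)` scopes the stub to the flag under test. `MockGoogleOAuth2Credentials = Struct.new(:app_id, :app_secret)` is assigned at file top level and therefore persists across the whole suite; `stub_const('MockGoogleOAuth2Credentials', Struct.new(:app_id, :app_secret))` inside the example scopes it. The unconfigured-OAuth example only covers a provider with blank `app_id`/`app_secret`; if `config_for` can return nil for a provider absent from the omniauth list, a second example returning nil would cover the path the controller currently does not guard. The flag-disabled example expects 404 even though the controller evaluates the OAuth check first, so it passes only because the test environment has google_oauth2 configured — a one-line comment on the example stating that dependency would save the next reader a debugging session.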