Merge branch 'incubation_5mp_google_oauth2_not_configured' into 'master'

Access restrictions for project /google_cloud See merge request gitlab-org/gitlab!73569

Merge branch 'incubation_5mp_google_oauth2_not_configured' into 'master'
Access restrictions for project /google_cloud See merge request gitlab-org/gitlab!73569
eacb371a · Jan Provaznik · b11482ac · ae1dbb47 · eacb371a · eacb371a
Commit eacb371a authored Nov 05, 2021 by Jan Provaznik
8 changed files
--- a/app/controllers/projects/google_cloud_controller.rb
+++ b/app/controllers/projects/google_cloud_controller.rb
 # frozen_string_literal: true
 class Projects::GoogleCloudController < Projects::ApplicationController
-  before_action :authorize_can_manage_google_cloud_deployments!
+  feature_category :google_cloud
-  feature_category :release_orchestration
+  before_action :admin_project_google_cloud?
+  before_action :google_oauth2_enabled?
+  before_action :feature_flag_enabled?
  def index
  end
  private
-  def authorize_can_manage_google_cloud_deployments!
+  def admin_project_google_cloud?
-    access_denied! unless can?(current_user, :manage_project_google_cloud, project)
+    access_denied! unless can?(current_user, :admin_project_google_cloud, project)
+  end
+  def google_oauth2_enabled?
+    config = Gitlab::Auth::OAuth::Provider.config_for('google_oauth2')
+    if config.app_id.blank? || config.app_secret.blank?
+      access_denied! 'This GitLab instance not configured for Google Oauth2.'
+    end
+  end
+  def feature_flag_enabled?
+    access_denied! unless Feature.enabled?(:incubation_5mp_google_cloud)
  end
 end
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -439,7 +439,7 @@ class ProjectPolicy < BasePolicy
    enable :destroy_freeze_period
    enable :admin_feature_flags_client
    enable :update_runners_registration_token
-    enable :manage_project_google_cloud
+    enable :admin_project_google_cloud
  end
  rule { public_project & metrics_dashboard_allowed }.policy do

--- a/app/views/projects/google_cloud/index.html.haml
+++ b/app/views/projects/google_cloud/index.html.haml
@@ -4,80 +4,3 @@
 - @content_class = "limit-container-width" unless fluid_layout
 #js-google-cloud
-  %h1.gl-font-size-h1 Google Cloud
-  %section#js-section-google-cloud-service-accounts
-    %h2.gl-font-size-h2 Service Accounts
-    %p= _('Service Accounts keys are required to authorize GitLab to deploy your Google Cloud project.')
-    %table.table.b-table.gl-table
-      %thead
-        %tr
-          %th Environment
-          %th GCP Project ID
-          %th Service Account Key
-      %tbody
-        %tr
-          %td *
-          %td serving-salutes-453
-          %td .....
-        %tr
-          %td production
-          %td crimson-corey-234
-          %td .....
-        %tr
-          %td review/*
-          %td roving-river-379
-          %td .....
-    %a.gl-button.btn.btn-primary= _('Add new service account')
-  %br
-  %section#js-section-google-cloud-deployments
-    .row.row-fluid
-      .col-lg-4
-        %h2.gl-font-size-h2 Deployments
-        %p= _('Google Cloud offers several deployment targets. Select the one most suitable for your project.')
-        %p
-          = _('Deployments to Google Kubernetes Engine can be ')
-          %a{ href: '#' }= _('managed')
-          = _('in Infrastructure :: Kubernetes clusters')
-      .col-lg-8
-        %br
-        .gl-card.gl-mb-6
-          .gl-card-body
-            .gl-display-flex.gl-align-items-baseline
-              %strong.gl-font-lg App Engine
-              .gl-ml-auto.gl-text-gray-500 Disabled
-            %p= _('App Engine description and apps that are suitable for this deployment target')
-            %button.gl-button.btn.btn-default= _('Configure via Merge Request')
-        .gl-card.gl-mb-6
-          .gl-card-body
-            .gl-display-flex.gl-align-items-baseline
-              %strong.gl-font-lg Cloud Functions
-              .gl-ml-auto.gl-text-gray-500 Disabled
-            %p= _('Cloud Functions description and apps that are suitable for this deployment target')
-            %button.gl-button.btn.btn-default= _('Configure via Merge Request')
-        .gl-card.gl-mb-6
-          .gl-card-body
-            .gl-display-flex.gl-align-items-baseline
-              %strong.gl-font-lg Cloud Run
-              .gl-ml-auto.gl-text-gray-500 Disabled
-            %p= _('Cloud Run description and apps that are suitable for this deployment target')
-            %button.gl-button.btn.btn-default= _('Configure via Merge Request')
--- a/config/feature_categories.yml
+++ b/config/feature_categories.yml
@@ -57,6 +57,7 @@
 - gitaly
 - gitlab_docs
 - global_search
+- google_cloud
 - helm_chart_registry
 - horse
 - importers

--- a/lib/sidebars/projects/menus/infrastructure_menu.rb
+++ b/lib/sidebars/projects/menus/infrastructure_menu.rb
@@ -91,7 +91,7 @@ module Sidebars
        def google_cloud_menu_item
          feature_is_enabled = Feature.enabled?(:incubation_5mp_google_cloud)
-          user_has_permissions = can?(context.current_user, :manage_project_google_cloud, context.project)
+          user_has_permissions = can?(context.current_user, :admin_project_google_cloud, context.project)
          unless feature_is_enabled && user_has_permissions
            return ::Sidebars::NilMenuItem.new(item_id: :incubation_5mp_google_cloud)

--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -2047,9 +2047,6 @@ msgstr ""
 msgid "Add new directory"
 msgstr ""
-msgid "Add new service account"
-msgstr ""
 msgid "Add or remove previously merged commits"
 msgstr ""
@@ -3987,9 +3984,6 @@ msgstr ""
 msgid "Any namespace"
 msgstr ""
-msgid "App Engine description and apps that are suitable for this deployment target"
-msgstr ""
 msgid "App ID"
 msgstr ""
@@ -7283,12 +7277,6 @@ msgstr ""
 msgid "Closes this %{quick_action_target}."
 msgstr ""
-msgid "Cloud Functions description and apps that are suitable for this deployment target"
-msgstr ""
-msgid "Cloud Run description and apps that are suitable for this deployment target"
-msgstr ""
 msgid "Cluster"
 msgstr ""
@@ -8728,9 +8716,6 @@ msgstr ""
 msgid "Configure the way a user creates a new account."
 msgstr ""
-msgid "Configure via Merge Request"
-msgstr ""
 msgid "Configure which lists are shown for anyone who visits this board"
 msgstr ""
@@ -11554,9 +11539,6 @@ msgstr ""
 msgid "Deployments"
 msgstr ""
-msgid "Deployments to Google Kubernetes Engine can be "
-msgstr ""
 msgid "Deployments|%{deployments} environment impacted."
 msgid_plural "Deployments|%{deployments} environments impacted."
 msgstr[0] ""
@@ -16052,9 +16034,6 @@ msgstr ""
 msgid "Google Cloud"
 msgstr ""
-msgid "Google Cloud offers several deployment targets. Select the one most suitable for your project."
-msgstr ""
 msgid "Google authentication is not %{link_start}properly configured%{link_end}. Ask your GitLab administrator if you want to use this service."
 msgstr ""
@@ -31306,9 +31285,6 @@ msgstr ""
 msgid "Service"
 msgstr ""
-msgid "Service Accounts keys are required to authorize GitLab to deploy your Google Cloud project."
-msgstr ""
 msgid "Service Desk"
 msgstr ""
@@ -40769,9 +40745,6 @@ msgstr ""
 msgid "in"
 msgstr ""
-msgid "in Infrastructure :: Kubernetes clusters"
-msgstr ""
 msgid "in all GitLab"
 msgstr ""
@@ -40936,9 +40909,6 @@ msgstr ""
 msgid "log in"
 msgstr ""
-msgid "managed"
-msgstr ""
 msgid "manual"
 msgstr ""

--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -955,6 +955,28 @@ RSpec.describe ProjectPolicy do
    end
  end
+  context 'infrastructure google cloud feature' do
+    %w(guest reporter developer).each do |role|
+      context role do
+        let(:current_user) { send(role) }
+        it 'disallows managing google cloud' do
+          expect_disallowed(:admin_project_google_cloud)
+        end
+      end
+    end
+    %w(maintainer owner).each do |role|
+      context role do
+        let(:current_user) { send(role) }
+        it 'allows managing google cloud' do
+          expect_allowed(:admin_project_google_cloud)
+        end
+      end
+    end
+  end
  describe 'design permissions' do
    include DesignManagementTestHelpers

--- a/spec/requests/projects/google_cloud_controller_spec.rb
+++ b/spec/requests/projects/google_cloud_controller_spec.rb
@@ -2,48 +2,106 @@
 require 'spec_helper'
+# Mock Types
+MockGoogleOAuth2Credentials = Struct.new(:app_id, :app_secret)
 RSpec.describe Projects::GoogleCloudController do
  let_it_be(:project) { create(:project, :public) }
  describe 'GET index' do
    let_it_be(:url) { "#{project_google_cloud_index_path(project)}" }
-    let(:subject) { get url }
+    context 'when a public request is made' do
+      it 'returns not found' do
+        get url
-    context 'when user is authorized' do
+        expect(response).to have_gitlab_http_status(:not_found)
-      let(:user) { project.creator }
+      end
+    end
-      before do
+    context 'when a project.guest makes request' do
+      let(:user) { create(:user) }
+      it 'returns not found' do
+        project.add_guest(user)
        sign_in(user)
-        subject
+        get url
+        expect(response).to have_gitlab_http_status(:not_found)
      end
+    end
-      it 'renders content' do
+    context 'when project.developer makes request' do
-        expect(response).to be_successful
+      let(:user) { create(:user) }
+      it 'returns not found' do
+        project.add_developer(user)
+        sign_in(user)
+        get url
+        expect(response).to have_gitlab_http_status(:not_found)
      end
    end
-    context 'when user is unauthorized' do
+    context 'when project.maintainer makes request' do
      let(:user) { create(:user) }
-      before do
+      it 'returns successful' do
-        project.add_guest(user)
+        project.add_maintainer(user)
        sign_in(user)
-        subject
+        get url
+        expect(response).to be_successful
      end
+    end
-      it 'shows 404' do
+    context 'when project.creator makes request' do
-        expect(response).to have_gitlab_http_status(:not_found)
+      let(:user) { project.creator }
+      it 'returns successful' do
+        sign_in(user)
+        get url
+        expect(response).to be_successful
      end
    end
-    context 'when no user is present' do
+    describe 'when authorized user makes request' do
-      before do
+      let(:user) { project.creator }
-        subject
+      context 'but gitlab instance is not configured for google oauth2' do
+        before do
+          unconfigured_google_oauth2 = MockGoogleOAuth2Credentials.new('', '')
+          allow(Gitlab::Auth::OAuth::Provider).to receive(:config_for)
+                                                    .with('google_oauth2')
+                                                    .and_return(unconfigured_google_oauth2)
+        end
+        it 'returns forbidden' do
+          sign_in(user)
+          get url
+          expect(response).to have_gitlab_http_status(:forbidden)
+        end
      end
-      it 'shows 404' do
+      context 'but feature flag is disabled' do
-        expect(response).to have_gitlab_http_status(:not_found)
+        before do
+          stub_feature_flags(incubation_5mp_google_cloud: false)
+        end
+        it 'returns not found' do
+          sign_in(user)
+          get url
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
      end
    end
  end