Commit f4884f43 authored by Pedro Pombeiro's avatar Pedro Pombeiro Committed by Markus Koller

Add register_group_runners policy to GroupPolicy

Based on admin_group_runners but taking valid_runner_registrars
into account
parent a6dec7d9
......@@ -77,6 +77,11 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
condition(:crm_enabled, score: 0, scope: :subject) { Feature.enabled?(:customer_relations, @subject) }
with_scope :subject
condition(:group_runner_registration_allowed, score: 0, scope: :subject) do
Feature.disabled?(:runner_registration_control) || Gitlab::CurrentSettings.valid_runner_registrars.include?('group')
end
rule { can?(:read_group) & design_management_enabled }.policy do
enable :read_design_activity
end
......@@ -200,6 +205,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
enable :read_nested_project_resources
end
rule { can?(:admin_group_runners) }.policy do
enable :register_group_runners
end
rule { owner }.enable :create_subgroup
rule { maintainer & maintainer_can_create_group }.enable :create_subgroup
......@@ -262,6 +271,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
prevent :admin_crm_organization
end
rule { ~group_runner_registration_allowed }.policy do
prevent :register_group_runners
end
def access_level(for_any_session: false)
return GroupMember::NO_ACCESS if @user.nil?
return GroupMember::NO_ACCESS unless user_is_user?
......
......@@ -10,7 +10,7 @@
= _('These runners are shared across projects in this group.')
= _('Group runners can be managed with the %{link}.').html_safe % { link: link }
- if can?(current_user, :admin_pipeline, @group) && valid_runner_registrars.include?('group')
- if can?(current_user, :register_group_runners, @group)
- if params[:ci_runner_templates]
%hr
= render partial: 'ci/runner/setup_runner_in_aws',
......
......@@ -379,6 +379,7 @@ module EE
prevent :admin_issue
prevent :admin_pipeline
prevent :admin_group_runners
prevent :register_group_runners
prevent :add_cluster
prevent :create_cluster
prevent :update_cluster
......
......@@ -1397,8 +1397,8 @@ RSpec.describe GroupPolicy do
let(:current_user) { owner }
let(:policies) do
%i[create_projects create_epic update_epic admin_milestone upload_file admin_label
admin_issue_board_list admin_issue admin_pipeline add_cluster create_cluster update_cluster
admin_cluster admin_group_member create_deploy_token create_subgroup]
admin_issue_board_list admin_issue admin_pipeline admin_group_runners register_group_runners add_cluster
create_cluster update_cluster admin_cluster admin_group_member create_deploy_token create_subgroup]
end
before do
......
......@@ -1033,6 +1033,86 @@ RSpec.describe GroupPolicy do
end
end
describe 'register_group_runners' do
shared_examples 'expected outcome based on runner registration control' do
context 'with runner_registration_control FF disabled' do
before do
stub_feature_flags(runner_registration_control: false)
end
it { is_expected.to be_allowed(:register_group_runners) }
end
context 'with runner_registration_control FF enabled' do
before do
stub_feature_flags(runner_registration_control: true)
end
context 'with group runner registration disabled' do
before do
stub_application_setting(valid_runner_registrars: ['project'])
end
it { is_expected.to be_disallowed(:register_group_runners) }
end
end
end
context 'admin' do
let(:current_user) { admin }
context 'when admin mode is enabled', :enable_admin_mode do
it { is_expected.to be_allowed(:register_group_runners) }
it_behaves_like 'expected outcome based on runner registration control'
end
context 'when admin mode is disabled' do
it { is_expected.to be_disallowed(:register_group_runners) }
end
end
context 'with owner' do
let(:current_user) { owner }
it { is_expected.to be_allowed(:register_group_runners) }
it_behaves_like 'expected outcome based on runner registration control'
end
context 'with maintainer' do
let(:current_user) { maintainer }
it { is_expected.to be_allowed(:register_group_runners) }
it_behaves_like 'expected outcome based on runner registration control'
end
context 'with reporter' do
let(:current_user) { reporter }
it { is_expected.to be_disallowed(:register_group_runners) }
end
context 'with guest' do
let(:current_user) { guest }
it { is_expected.to be_disallowed(:register_group_runners) }
end
context 'with non member' do
let(:current_user) { create(:user) }
it { is_expected.to be_disallowed(:register_group_runners) }
end
context 'with anonymous' do
let(:current_user) { nil }
it { is_expected.to be_disallowed(:register_group_runners) }
end
end
context 'with customer_relations feature flag disabled' do
let(:current_user) { owner }
......
......@@ -11,12 +11,11 @@ RSpec.describe 'groups/runners/group_runners.html.haml' do
@group = group
allow(view).to receive(:current_user).and_return(user)
allow(view).to receive(:reset_registration_token_group_settings_ci_cd_path).and_return('banana_url')
allow(view).to receive(:can?).with(user, :admin_pipeline, group).and_return(true)
end
context 'when group runner registration is allowed' do
before do
stub_application_setting(valid_runner_registrars: ['group'])
allow(view).to receive(:can?).with(user, :register_group_runners, group).and_return(true)
end
it 'enables the Remove group button for a group' do
......@@ -29,7 +28,7 @@ RSpec.describe 'groups/runners/group_runners.html.haml' do
context 'when group runner registration is not allowed' do
before do
stub_application_setting(valid_runner_registrars: ['project'])
allow(view).to receive(:can?).with(user, :register_group_runners, group).and_return(false)
end
it 'does not enable the the Remove group button for a group' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment