Add register_group_runners policy to GroupPolicy

Based on admin_group_runners but taking valid_runner_registrars into account

Add register_group_runners policy to GroupPolicy
Based on admin_group_runners but taking valid_runner_registrars into account
f4884f43 · Pedro Pombeiro · Markus Koller · a6dec7d9 · f4884f43 · f4884f43
Commit f4884f43 authored Dec 16, 2021 by Pedro Pombeiro Committed by Markus Koller Dec 16, 2021
6 changed files
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -77,6 +77,11 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
  condition(:crm_enabled, score: 0, scope: :subject) { Feature.enabled?(:customer_relations, @subject) }
+  with_scope :subject
+  condition(:group_runner_registration_allowed, score: 0, scope: :subject) do
+    Feature.disabled?(:runner_registration_control) || Gitlab::CurrentSettings.valid_runner_registrars.include?('group')
+  end
  rule { can?(:read_group) & design_management_enabled }.policy do
    enable :read_design_activity
  end
@@ -200,6 +205,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
    enable :read_nested_project_resources
  end
+  rule { can?(:admin_group_runners) }.policy do
+    enable :register_group_runners
+  end
  rule { owner }.enable :create_subgroup
  rule { maintainer & maintainer_can_create_group }.enable :create_subgroup
@@ -262,6 +271,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
    prevent :admin_crm_organization
  end
+  rule { ~group_runner_registration_allowed }.policy do
+    prevent :register_group_runners
+  end
  def access_level(for_any_session: false)
    return GroupMember::NO_ACCESS if @user.nil?
    return GroupMember::NO_ACCESS unless user_is_user?

--- a/app/views/groups/runners/_group_runners.html.haml
+++ b/app/views/groups/runners/_group_runners.html.haml
@@ -10,7 +10,7 @@
    = _('These runners are shared across projects in this group.')
    = _('Group runners can be managed with the %{link}.').html_safe % { link: link }
-  - if can?(current_user, :admin_pipeline, @group) && valid_runner_registrars.include?('group')
+  - if can?(current_user, :register_group_runners, @group)
    - if params[:ci_runner_templates]
      %hr
      = render partial: 'ci/runner/setup_runner_in_aws',

--- a/ee/app/policies/ee/group_policy.rb
+++ b/ee/app/policies/ee/group_policy.rb
@@ -379,6 +379,7 @@ module EE
        prevent :admin_issue
        prevent :admin_pipeline
        prevent :admin_group_runners
+        prevent :register_group_runners
        prevent :add_cluster
        prevent :create_cluster
        prevent :update_cluster

--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -1397,8 +1397,8 @@ RSpec.describe GroupPolicy do
    let(:current_user) { owner }
    let(:policies) do
      %i[create_projects create_epic update_epic admin_milestone upload_file admin_label
-         admin_issue_board_list admin_issue admin_pipeline add_cluster create_cluster update_cluster
+         admin_issue_board_list admin_issue admin_pipeline admin_group_runners register_group_runners add_cluster
-         admin_cluster admin_group_member create_deploy_token create_subgroup]
+         create_cluster update_cluster admin_cluster admin_group_member create_deploy_token create_subgroup]
    end
    before do

--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -1033,6 +1033,86 @@ RSpec.describe GroupPolicy do
    end
  end
+  describe 'register_group_runners' do
+    shared_examples 'expected outcome based on runner registration control' do
+      context 'with runner_registration_control FF disabled' do
+        before do
+          stub_feature_flags(runner_registration_control: false)
+        end
+        it { is_expected.to be_allowed(:register_group_runners) }
+      end
+      context 'with runner_registration_control FF enabled' do
+        before do
+          stub_feature_flags(runner_registration_control: true)
+        end
+        context 'with group runner registration disabled' do
+          before do
+            stub_application_setting(valid_runner_registrars: ['project'])
+          end
+          it { is_expected.to be_disallowed(:register_group_runners) }
+        end
+      end
+    end
+    context 'admin' do
+      let(:current_user) { admin }
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it { is_expected.to be_allowed(:register_group_runners) }
+        it_behaves_like 'expected outcome based on runner registration control'
+      end
+      context 'when admin mode is disabled' do
+        it { is_expected.to be_disallowed(:register_group_runners) }
+      end
+    end
+    context 'with owner' do
+      let(:current_user) { owner }
+      it { is_expected.to be_allowed(:register_group_runners) }
+      it_behaves_like 'expected outcome based on runner registration control'
+    end
+    context 'with maintainer' do
+      let(:current_user) { maintainer }
+      it { is_expected.to be_allowed(:register_group_runners) }
+      it_behaves_like 'expected outcome based on runner registration control'
+    end
+    context 'with reporter' do
+      let(:current_user) { reporter }
+      it { is_expected.to be_disallowed(:register_group_runners) }
+    end
+    context 'with guest' do
+      let(:current_user) { guest }
+      it { is_expected.to be_disallowed(:register_group_runners) }
+    end
+    context 'with non member' do
+      let(:current_user) { create(:user) }
+      it { is_expected.to be_disallowed(:register_group_runners) }
+    end
+    context 'with anonymous' do
+      let(:current_user) { nil }
+      it { is_expected.to be_disallowed(:register_group_runners) }
+    end
+  end
  context 'with customer_relations feature flag disabled' do
    let(:current_user) { owner }

--- a/spec/views/groups/runners/_group_runners.html.haml_spec.rb
+++ b/spec/views/groups/runners/_group_runners.html.haml_spec.rb
@@ -11,12 +11,11 @@ RSpec.describe 'groups/runners/group_runners.html.haml' do
      @group = group
      allow(view).to receive(:current_user).and_return(user)
      allow(view).to receive(:reset_registration_token_group_settings_ci_cd_path).and_return('banana_url')
-      allow(view).to receive(:can?).with(user, :admin_pipeline, group).and_return(true)
    end
    context 'when group runner registration is allowed' do
      before do
-        stub_application_setting(valid_runner_registrars: ['group'])
+        allow(view).to receive(:can?).with(user, :register_group_runners, group).and_return(true)
      end
      it 'enables the Remove group button for a group' do
@@ -29,7 +28,7 @@ RSpec.describe 'groups/runners/group_runners.html.haml' do
    context 'when group runner registration is not allowed' do
      before do
-        stub_application_setting(valid_runner_registrars: ['project'])
+        allow(view).to receive(:can?).with(user, :register_group_runners, group).and_return(false)
      end
      it 'does not enable the  the Remove group button for a group' do