Commit f9356b47 authored by Diego Louzán's avatar Diego Louzán

Disable auto admin mode for lib specs

parent 0795a0fd
---
title: Disable auto admin mode for lib specs
merge_request: 50056
author: Diego Louzán
type: other
......@@ -5,7 +5,7 @@ RSpec.describe Gitlab::Analytics::CycleAnalytics::GroupStageTimeSummary do
let_it_be(:group) { create(:group) }
let_it_be(:project) { create(:project, :repository, namespace: group) }
let_it_be(:project_2) { create(:project, :repository, namespace: group) }
let_it_be(:user) { create(:user, :admin) }
let_it_be(:user) { create(:user) }
let(:from) { 1.day.ago }
let(:to) { nil }
let(:options) { { from: from, to: to, current_user: user } }
......@@ -16,6 +16,10 @@ RSpec.describe Gitlab::Analytics::CycleAnalytics::GroupStageTimeSummary do
freeze_time { example.run }
end
before do
group.add_owner(user)
end
describe '#lead_time' do
describe 'issuable filter parameters' do
let_it_be(:label) { create(:group_label, group: group) }
......
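Review bot: The `before do group.add_owner(user) end` block added after the `freeze_time` hook re-creates the owner membership for every example, even though `group` and `user` are both `let_it_be` records in this file. The membership replaces the former admin bypass and never varies between examples, so it could be created once with `before_all do group.add_owner(user) end`, if the suite's `before_all` helper is available here. The same applies to the `project.add_developer(user)` / `other_project.add_developer(user)` setup in the `Gitlab::SlashCommands::Presenters::IssueMove` spec further down, where the user and both projects are also `let_it_be`.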
......@@ -6,10 +6,14 @@ RSpec.describe Gitlab::Analytics::CycleAnalytics::Summary::Group::StageSummary d
let(:project) { create(:project, :repository, namespace: group) }
let(:project_2) { create(:project, :repository, namespace: group) }
let(:from) { 1.day.ago }
let(:user) { create(:user, :admin) }
let(:user) { create(:user) }
subject { described_class.new(group, options: { from: Time.now, current_user: user }).data }
before do
group.add_owner(user)
end
describe "#new_issues" do
context 'with from date' do
before do
......
......@@ -7,7 +7,7 @@ RSpec.describe Gitlab::Analytics::CycleAnalytics::Summary::Group::StageTimeSumma
let(:project_2) { create(:project, :repository, namespace: group) }
let(:from) { 1.day.ago }
let(:to) { nil }
let(:user) { create(:user, :admin) }
let(:user) { create(:user) }
subject { described_class.new(group, options: { from: from, to: to, current_user: user }).data }
......@@ -15,6 +15,10 @@ RSpec.describe Gitlab::Analytics::CycleAnalytics::Summary::Group::StageTimeSumma
freeze_time { example.run }
end
before do
group.add_owner(user)
end
describe '#lead_time' do
context 'with `from` date' do
let(:from) { 6.days.ago }
......
......@@ -19,13 +19,13 @@ RSpec.describe 'Jobs/Browser-Performance-Testing.gitlab-ci.yml' do
end
describe 'the created pipeline' do
let(:user) { create(:admin) }
let(:project) do
create(:project, :repository, variables: [
build(:ci_variable, key: 'CI_KUBERNETES_ACTIVE', value: 'true')
])
end
let(:user) { project.owner }
let(:default_branch) { 'master' }
let(:pipeline_ref) { default_branch }
let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_ref) }
......
......@@ -22,13 +22,13 @@ RSpec.describe 'Jobs/DAST-Default-Branch-Deploy.gitlab-ci.yml' do
end
describe 'the created pipeline' do
let(:user) { create(:admin) }
let(:project) do
create(:project, :repository, variables: [
build(:ci_variable, key: 'CI_KUBERNETES_ACTIVE', value: 'true')
])
end
let(:user) { project.owner }
let(:default_branch) { 'master' }
let(:pipeline_ref) { default_branch }
let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_ref) }
......
......@@ -19,13 +19,13 @@ RSpec.describe 'Jobs/Load-Performance-Testing.gitlab-ci.yml' do
end
describe 'the created pipeline' do
let(:user) { create(:admin) }
let(:project) do
create(:project, :repository, variables: [
build(:ci_variable, key: 'CI_KUBERNETES_ACTIVE', value: 'true')
])
end
let(:user) { project.owner }
let(:default_branch) { 'master' }
let(:pipeline_ref) { default_branch }
let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_ref) }
......
......@@ -18,9 +18,9 @@ RSpec.describe 'Verify/Browser-Performance.gitlab-ci.yml' do
YAML
end
describe 'the created pipeline' do
let(:user) { create(:admin) }
describe 'the created pipeline', :clean_gitlab_redis_cache do
let(:project) { create(:project, :repository) }
let(:user) { project.owner }
let(:default_branch) { 'master' }
let(:pipeline_ref) { default_branch }
......
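Review bot: The `:clean_gitlab_redis_cache` tag added to `describe 'the created pipeline'` comes with no explanation, and nothing visible in this hunk shows why switching `user` from `create(:admin)` to `project.owner` requires a clean cache. The other CI template specs in this commit make the same user change without the tag, so a reader cannot tell whether it is needed here or was left over from debugging. A one-line comment above the `describe` would settle it, e.g. `# :clean_gitlab_redis_cache is required because <reason>`, with the reason filled in by the author. The `Verify/Load-Performance-Testing.gitlab-ci.yml` section that follows adds the same tag and needs the same note.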
......@@ -18,9 +18,9 @@ RSpec.describe 'Verify/Load-Performance-Testing.gitlab-ci.yml' do
YAML
end
describe 'the created pipeline' do
let(:user) { create(:admin) }
describe 'the created pipeline', :clean_gitlab_redis_cache do
let(:project) { create(:project, :repository) }
let(:user) { project.owner }
let(:default_branch) { 'master' }
let(:pipeline_ref) { default_branch }
......
......@@ -27,16 +27,17 @@ RSpec.describe 'API-Fuzzing.gitlab-ci.yml' do
end
describe 'the created pipeline' do
let(:user) { create(:admin) }
let(:default_branch) { 'master' }
let(:pipeline_branch) { default_branch }
let(:project) { create(:project, :custom_repo, files: { 'README.txt' => '' }) }
let(:user) { project.owner }
let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_branch ) }
let(:pipeline) { service.execute!(:push) }
let(:build_names) { pipeline.builds.pluck(:name) }
before do
stub_ci_pipeline_yaml_file(template.content)
allow_any_instance_of(Ci::BuildScheduleWorker).to receive(:perform).and_return(true)
allow(project).to receive(:default_branch).and_return(default_branch)
end
......
......@@ -6,9 +6,9 @@ RSpec.describe 'Container-Scanning.gitlab-ci.yml' do
subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Container-Scanning') }
describe 'the created pipeline' do
let(:user) { create(:admin) }
let(:default_branch) { 'master' }
let(:project) { create(:project, :custom_repo, files: { 'README.txt' => '' }) }
let(:user) { project.owner }
let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master' ) }
let(:pipeline) { service.execute!(:push) }
let(:build_names) { pipeline.builds.pluck(:name) }
......
......@@ -6,9 +6,9 @@ RSpec.describe 'Coverage-Fuzzing.gitlab-ci.yml' do
subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Coverage-Fuzzing') }
describe 'the created pipeline' do
let(:user) { create(:admin) }
let(:default_branch) { 'master' }
let(:project) { create(:project, :custom_repo, files: { 'README.txt' => '' }) }
let(:user) { project.owner }
let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master' ) }
let(:pipeline) { service.execute!(:push) }
let(:build_names) { pipeline.builds.pluck(:name) }
......
......@@ -6,10 +6,10 @@ RSpec.describe 'DAST.gitlab-ci.yml' do
subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('DAST') }
describe 'the created pipeline' do
let(:user) { create(:admin) }
let(:default_branch) { 'master' }
let(:pipeline_branch) { default_branch }
let(:project) { create(:project, :custom_repo, files: { 'README.txt' => '' }) }
let(:user) { project.owner }
let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_branch ) }
let(:pipeline) { service.execute!(:push) }
let(:build_names) { pipeline.builds.pluck(:name) }
......
......@@ -6,10 +6,10 @@ RSpec.describe 'Dependency-Scanning.gitlab-ci.yml' do
subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Dependency-Scanning') }
describe 'the created pipeline' do
let(:user) { create(:admin) }
let(:default_branch) { 'master' }
let(:files) { { 'README.txt' => '' } }
let(:project) { create(:project, :custom_repo, files: files) }
let(:user) { project.owner }
let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master' ) }
let(:pipeline) { service.execute!(:push) }
let(:build_names) { pipeline.builds.pluck(:name) }
......
......@@ -6,9 +6,9 @@ RSpec.describe 'License-Scanning.gitlab-ci.yml' do
subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('License-Scanning') }
describe 'the created pipeline' do
let(:user) { create(:admin) }
let(:default_branch) { 'master' }
let(:project) { create(:project, :custom_repo, files: { 'README.txt' => '' }) }
let(:user) { project.owner }
let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master' ) }
let(:pipeline) { service.execute!(:push) }
let(:build_names) { pipeline.builds.pluck(:name) }
......
......@@ -6,10 +6,10 @@ RSpec.describe 'SAST.gitlab-ci.yml' do
subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('SAST') }
describe 'the created pipeline' do
let(:user) { create(:admin) }
let(:default_branch) { 'master' }
let(:files) { { 'README.txt' => '' } }
let(:project) { create(:project, :custom_repo, files: files) }
let(:user) { project.owner }
let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master' ) }
let(:pipeline) { service.execute!(:push) }
let(:build_names) { pipeline.builds.pluck(:name) }
......
......@@ -445,7 +445,9 @@ RSpec.describe Gitlab::Elastic::SearchResults, :elastic, :sidekiq_might_not_need
expect(results.issues_count).to eq 4
end
it 'lists all issues for admin' do
context 'for admin users' do
context 'when admin mode enabled', :enable_admin_mode do
it 'lists all issues' do
results = described_class.new(admin, query, limit_project_ids)
issues = results.objects('issues')
......@@ -459,6 +461,23 @@ RSpec.describe Gitlab::Elastic::SearchResults, :elastic, :sidekiq_might_not_need
end
end
context 'when admin mode disabled' do
it 'does not list confidential issues' do
results = described_class.new(admin, query, limit_project_ids)
issues = results.objects('issues')
expect(issues).to include @issue
expect(issues).not_to include @security_issue_1
expect(issues).not_to include @security_issue_2
expect(issues).not_to include @security_issue_3
expect(issues).not_to include @security_issue_4
expect(issues).not_to include @security_issue_5
expect(results.issues_count).to eq 1
end
end
end
end
context 'search by iid' do
let(:query) { '#1' }
......@@ -530,7 +549,9 @@ RSpec.describe Gitlab::Elastic::SearchResults, :elastic, :sidekiq_might_not_need
expect(results.issues_count).to eq 3
end
it 'lists all issues for admin' do
context 'for admin users' do
context 'when admin mode enabled', :enable_admin_mode do
it 'lists all issues' do
results = described_class.new(admin, query, limit_project_ids)
issues = results.objects('issues')
......@@ -543,6 +564,23 @@ RSpec.describe Gitlab::Elastic::SearchResults, :elastic, :sidekiq_might_not_need
expect(results.issues_count).to eq 4
end
end
context 'when admin mode disabled' do
it 'does not list confidential issues' do
results = described_class.new(admin, query, limit_project_ids)
issues = results.objects('issues')
expect(issues).to include @issue
expect(issues).not_to include @security_issue_1
expect(issues).not_to include @security_issue_2
expect(issues).not_to include @security_issue_3
expect(issues).not_to include @security_issue_4
expect(issues).not_to include @security_issue_5
expect(results.issues_count).to eq 1
end
end
end
end
end
describe 'merge requests' do
......@@ -1095,6 +1133,7 @@ RSpec.describe Gitlab::Elastic::SearchResults, :elastic, :sidekiq_might_not_need
end
context 'when user is admin' do
context 'when admin mode enabled', :enable_admin_mode do
it 'returns right set of milestones' do
user.update(admin: true)
public_project.project_feature.update!(merge_requests_access_level: ProjectFeature::PRIVATE)
......@@ -1109,6 +1148,7 @@ RSpec.describe Gitlab::Elastic::SearchResults, :elastic, :sidekiq_might_not_need
expect(milestones).to match_array([milestone_2, milestone_3, milestone_4])
end
end
end
context 'when user can read milestones' do
it 'returns right set of milestones' do
......
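Review bot: The milestones hunk wraps the existing `'returns right set of milestones'` example in `context 'when admin mode enabled', :enable_admin_mode` but adds no sibling for admin mode disabled, unlike the two issues hunks above, which each gain a `'does not list confidential issues'` example. Nothing in this file therefore pins what an admin sees for milestones when admin mode is off, which is the case this commit is meant to expose. A `context 'when admin mode disabled'` with the same `user.update(admin: true)` setup and the reduced `match_array` would close the gap. The expected set depends on fixtures outside the hunk, so it is not spelled out here.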
......@@ -71,7 +71,7 @@ RSpec.describe Gitlab::Elastic::SnippetSearchResults, :elastic, :sidekiq_might_n
end
end
context 'when user has read_all_resources', :do_not_mock_admin_mode do
context 'when user has read_all_resources' do
include_context 'custom session'
let(:user) { create(:admin) }
......
......@@ -5,6 +5,7 @@ require 'spec_helper'
RSpec.describe Gitlab::GitAccess do
include GitHelpers
include EE::GeoHelpers
include AdminModeHelper
let_it_be(:user) { create(:user) }
......@@ -456,8 +457,9 @@ RSpec.describe Gitlab::GitAccess do
# Expectations are given a custom failure message proc so that it's
# easier to identify which check(s) failed.
it "has the correct permissions for #{role}s" do
if role == :admin
if [:admin_with_admin_mode, :admin_without_admin_mode].include?(role)
user.update_attribute(:admin, true)
enable_admin_mode!(user) if role == :admin_with_admin_mode
project.add_guest(user)
else
project.add_role(user, role)
......@@ -509,7 +511,7 @@ RSpec.describe Gitlab::GitAccess do
end
permissions_matrix = {
admin: {
admin_with_admin_mode: {
any: true,
push_new_branch: true,
push_master: true,
......@@ -521,6 +523,18 @@ RSpec.describe Gitlab::GitAccess do
merge_into_protected_branch: true
},
admin_without_admin_mode: {
any: false,
push_new_branch: false,
push_master: false,
push_protected_branch: false,
push_remove_protected_branch: false,
push_tag: false,
push_new_tag: false,
push_all: false,
merge_into_protected_branch: false
},
maintainer: {
any: true,
push_new_branch: true,
......@@ -589,7 +603,8 @@ RSpec.describe Gitlab::GitAccess do
create(:merge_request, source_project: project, source_branch: unprotected_branch, target_branch: 'feature', state: 'locked', in_progress_merge_commit_sha: merge_into_protected_branch)
end
run_permission_checks(permissions_matrix.deep_merge(admin: { push_protected_branch: false, push_all: false, merge_into_protected_branch: true },
run_permission_checks(permissions_matrix.deep_merge(admin_with_admin_mode: { push_protected_branch: false, push_all: false, merge_into_protected_branch: true },
admin_without_admin_mode: { push_protected_branch: false, merge_into_protected_branch: false },
maintainer: { push_protected_branch: false, push_all: false, merge_into_protected_branch: true },
developer: { push_protected_branch: false, push_all: false, merge_into_protected_branch: true },
guest: { push_protected_branch: false, merge_into_protected_branch: false },
......@@ -613,6 +628,7 @@ RSpec.describe Gitlab::GitAccess do
before do
create_current_license(starts_at: 1.month.ago.to_date, block_changes_at: Date.current, notify_admins_at: Date.current)
user.update_attribute(:admin, true)
enable_admin_mode!(user)
project.add_role(user, :developer)
end
......@@ -632,7 +648,8 @@ RSpec.describe Gitlab::GitAccess do
context "when a specific group is allowed to push into the #{protected_branch_type} protected branch" do
let(:protected_branch) { build(:protected_branch, authorize_group_to_push: group, name: protected_branch_name, project: project) }
permissions = permissions_matrix.except(:admin).deep_merge(developer: { push_protected_branch: true, push_all: true, merge_into_protected_branch: true },
permissions = permissions_matrix.except(:admin_with_admin_mode, :admin_without_admin_mode)
.deep_merge(developer: { push_protected_branch: true, push_all: true, merge_into_protected_branch: true },
guest: { push_protected_branch: false, merge_into_protected_branch: false },
reporter: { push_protected_branch: false, merge_into_protected_branch: false })
......@@ -646,7 +663,8 @@ RSpec.describe Gitlab::GitAccess do
create(:merge_request, source_project: project, source_branch: unprotected_branch, target_branch: 'feature', state: 'locked', in_progress_merge_commit_sha: merge_into_protected_branch)
end
permissions = permissions_matrix.except(:admin).deep_merge(maintainer: { push_protected_branch: false, push_all: false, merge_into_protected_branch: true },
permissions = permissions_matrix.except(:admin_with_admin_mode, :admin_without_admin_mode)
.deep_merge(maintainer: { push_protected_branch: false, push_all: false, merge_into_protected_branch: true },
developer: { push_protected_branch: false, push_all: false, merge_into_protected_branch: true },
guest: { push_protected_branch: false, merge_into_protected_branch: false },
reporter: { push_protected_branch: false, merge_into_protected_branch: false })
......@@ -661,7 +679,8 @@ RSpec.describe Gitlab::GitAccess do
create(:merge_request, source_project: project, source_branch: unprotected_branch, target_branch: 'feature', state: 'locked', in_progress_merge_commit_sha: merge_into_protected_branch)
end
permissions = permissions_matrix.except(:admin).deep_merge(developer: { push_protected_branch: true, push_all: true, merge_into_protected_branch: true },
permissions = permissions_matrix.except(:admin_with_admin_mode, :admin_without_admin_mode)
.deep_merge(developer: { push_protected_branch: true, push_all: true, merge_into_protected_branch: true },
guest: { push_protected_branch: false, merge_into_protected_branch: false },
reporter: { push_protected_branch: false, merge_into_protected_branch: false })
......
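Review bot: In the `it "has the correct permissions for #{role}s"` example both admin roles still go through `project.add_guest(user)`, so the new all-`false` `admin_without_admin_mode` row is really asserting that the admin flag adds nothing on top of guest membership. That deserves a comment next to the row, e.g. `# admin flag without admin mode: the user is only a guest member, so every push check is denied`, since a reader may otherwise take the row to mean an admin with no project access at all. The later `deep_merge(... admin_without_admin_mode: { push_protected_branch: false, merge_into_protected_branch: false } ...)` repeats values the base row already holds and could be dropped. The non-EE `Gitlab::GitAccess` spec further down adds the same row and the same role branch. Both the example and the matrix continue outside the visible hunks.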
......@@ -143,7 +143,9 @@ RSpec.describe Banzai::Filter::ReferenceRedactorFilter do
expect(doc.css('a').length).to eq 1
end
it 'allows references for admin' do
context 'for admin' do
context 'when admin mode is enabled', :enable_admin_mode do
it 'allows references' do
admin = create(:admin)
project = create(:project, :public)
issue = create(:issue, :confidential, project: project)
......@@ -153,6 +155,21 @@ RSpec.describe Banzai::Filter::ReferenceRedactorFilter do
expect(doc.css('a').length).to eq 1
end
end
context 'when admin mode is disabled' do
it 'removes references' do
admin = create(:admin)
project = create(:project, :public)
issue = create(:issue, :confidential, project: project)
link = reference_link(project: project.id, issue: issue.id, reference_type: 'issue')
doc = filter(link, current_user: admin)
expect(doc.css('a').length).to eq 0
end
end
end
context "when a confidential issue is moved from a public project to a private one" do
let(:public_project) { create(:project, :public) }
......
......@@ -2,7 +2,7 @@
#
require 'spec_helper'
RSpec.describe Constraints::AdminConstrainer, :do_not_mock_admin_mode do
RSpec.describe Constraints::AdminConstrainer do
let(:user) { create(:user) }
let(:session) { {} }
......
......@@ -2,7 +2,7 @@
require 'spec_helper'
RSpec.describe Gitlab::Auth::CurrentUserMode, :do_not_mock_admin_mode, :request_store do
RSpec.describe Gitlab::Auth::CurrentUserMode, :request_store do
let(:user) { build_stubbed(:user) }
subject { described_class.new(user) }
......
......@@ -6,10 +6,10 @@ RSpec.describe 'Deploy-ECS.gitlab-ci.yml' do
subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('AWS/Deploy-ECS') }
describe 'the created pipeline' do
let_it_be(:user) { create(:admin) }
let(:default_branch) { 'master' }
let(:pipeline_branch) { default_branch }
let(:project) { create(:project, :auto_devops, :custom_repo, files: { 'README.md' => '' }) }
let(:user) { project.owner }
let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_branch ) }
let(:pipeline) { service.execute!(:push) }
let(:build_names) { pipeline.builds.pluck(:name) }
......
......@@ -6,8 +6,8 @@ RSpec.describe 'Jobs/Build.gitlab-ci.yml' do
subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Jobs/Build') }
describe 'the created pipeline' do
let_it_be(:user) { create(:admin) }
let_it_be(:project) { create(:project, :repository) }
let_it_be(:user) { project.owner }
let(:default_branch) { 'master' }
let(:pipeline_ref) { default_branch }
......
......@@ -6,8 +6,8 @@ RSpec.describe 'Jobs/Code-Quality.gitlab-ci.yml' do
subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Jobs/Code-Quality') }
describe 'the created pipeline' do
let_it_be(:user) { create(:admin) }
let_it_be(:project) { create(:project, :repository) }
let_it_be(:user) { project.owner }
let(:default_branch) { 'master' }
let(:pipeline_ref) { default_branch }
......
......@@ -27,8 +27,8 @@ RSpec.describe 'Jobs/Deploy.gitlab-ci.yml' do
end
describe 'the created pipeline' do
let(:user) { create(:admin) }
let(:project) { create(:project, :repository) }
let(:user) { project.owner }
let(:default_branch) { 'master' }
let(:pipeline_ref) { default_branch }
......
......@@ -6,8 +6,8 @@ RSpec.describe 'Jobs/Test.gitlab-ci.yml' do
subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Jobs/Test') }
describe 'the created pipeline' do
let_it_be(:user) { create(:admin) }
let_it_be(:project) { create(:project, :repository) }
let_it_be(:user) { project.owner }
let(:default_branch) { 'master' }
let(:pipeline_ref) { default_branch }
......
......@@ -6,10 +6,10 @@ RSpec.describe 'Terraform/Base.latest.gitlab-ci.yml' do
subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Terraform/Base.latest') }
describe 'the created pipeline' do
let(:user) { create(:admin) }
let(:default_branch) { 'master' }
let(:pipeline_branch) { default_branch }
let(:project) { create(:project, :custom_repo, files: { 'README.md' => '' }) }
let(:user) { project.owner }
let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_branch ) }
let(:pipeline) { service.execute!(:push) }
let(:build_names) { pipeline.builds.pluck(:name) }
......
......@@ -19,8 +19,8 @@ RSpec.describe 'Verify/Load-Performance-Testing.gitlab-ci.yml' do
end
describe 'the created pipeline' do
let(:user) { create(:admin) }
let(:project) { create(:project, :repository) }
let(:user) { project.owner }
let(:default_branch) { 'master' }
let(:pipeline_ref) { default_branch }
......
......@@ -6,10 +6,10 @@ RSpec.describe 'Auto-DevOps.gitlab-ci.yml' do
subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Auto-DevOps') }
describe 'the created pipeline' do
let(:user) { create(:admin) }
let(:default_branch) { 'master' }
let(:pipeline_branch) { default_branch }
let(:project) { create(:project, :auto_devops, :custom_repo, files: { 'README.md' => '' }) }
let(:user) { project.owner }
let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_branch ) }
let(:pipeline) { service.execute!(:push) }
let(:build_names) { pipeline.builds.pluck(:name) }
......@@ -232,8 +232,8 @@ RSpec.describe 'Auto-DevOps.gitlab-ci.yml' do
end
with_them do
let(:user) { create(:admin) }
let(:project) { create(:project, :custom_repo, files: files) }
let(:user) { project.owner }
let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master' ) }
let(:pipeline) { service.execute(:push) }
let(:build_names) { pipeline.builds.pluck(:name) }
......
......@@ -6,10 +6,9 @@ RSpec.describe 'Flutter.gitlab-ci.yml' do
subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Flutter') }
describe 'the created pipeline' do
let_it_be(:user) { create(:admin) }
let(:pipeline_branch) { 'master' }
let(:project) { create(:project, :custom_repo, files: { 'README.md' => '' }) }
let(:user) { project.owner }
let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_branch ) }
let(:pipeline) { service.execute!(:push) }
let(:build_names) { pipeline.builds.pluck(:name) }
......
......@@ -6,11 +6,10 @@ RSpec.describe 'npm.latest.gitlab-ci.yml' do
subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('npm.latest') }
describe 'the created pipeline' do
let_it_be(:user) { create(:admin) }
let(:repo_files) { { 'package.json' => '{}', 'README.md' => '' } }
let(:modified_files) { %w[package.json] }
let(:project) { create(:project, :custom_repo, files: repo_files) }
let(:user) { project.owner }
let(:pipeline_branch) { project.default_branch }
let(:pipeline_tag) { 'v1.2.1' }
let(:pipeline_ref) { pipeline_branch }
......
......@@ -10,11 +10,10 @@ RSpec.describe 'Terraform.latest.gitlab-ci.yml' do
subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Terraform.latest') }
describe 'the created pipeline' do
let_it_be(:user) { create(:admin) }
let(:default_branch) { 'master' }
let(:pipeline_branch) { default_branch }
let(:project) { create(:project, :custom_repo, files: { 'README.md' => '' }) }
let(:user) { project.owner }
let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_branch ) }
let(:pipeline) { service.execute!(:push) }
let(:build_names) { pipeline.builds.pluck(:name) }
......
......@@ -5,7 +5,7 @@ require 'spec_helper'
RSpec.describe Gitlab::CycleAnalytics::BaseEventFetcher do
let(:max_events) { 2 }
let(:project) { create(:project, :repository) }
let(:user) { create(:user, :admin) }
let(:user) { project.owner }
let(:start_time_attrs) { Issue.arel_table[:created_at] }
let(:end_time_attrs) { [Issue::Metrics.arel_table[:first_associated_with_milestone_at]] }
let(:options) do
......
......@@ -4,7 +4,7 @@ require 'spec_helper'
RSpec.describe 'value stream analytics events', :aggregate_failures do
let_it_be(:project) { create(:project, :repository) }
let_it_be(:user) { create(:user, :admin) }
let_it_be(:user) { project.owner }
let(:from_date) { 10.days.ago }
let!(:context) { create(:issue, project: project, created_at: 2.days.ago) }
......
......@@ -172,7 +172,7 @@ RSpec.describe Gitlab::GitAccessSnippet do
end
end
[:guest, :reporter, :maintainer, :author, :admin].each do |membership|
[:guest, :reporter, :maintainer, :author].each do |membership|
context membership.to_s do
let(:membership) { membership }
......@@ -183,6 +183,24 @@ RSpec.describe Gitlab::GitAccessSnippet do
end
end
context 'admin' do
let(:membership) { :admin }
context 'when admin mode is enabled', :enable_admin_mode do
it 'cannot perform git pushes' do
expect { push_access_check }.to raise_error(described_class::ForbiddenError)
expect { pull_access_check }.not_to raise_error
end
end
context 'when admin mode is disabled' do
it 'cannot perform git operations' do
expect { push_access_check }.to raise_error(described_class::ForbiddenError)
expect { pull_access_check }.to raise_error(described_class::ForbiddenError)
end
end
end
it_behaves_like 'actor is migration bot'
end
......
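Review bot: The example `'cannot perform git pushes'` under `'when admin mode is enabled'` also asserts that `pull_access_check` does not raise, which is the only thing separating it from the admin-mode-disabled example, yet the description does not mention it. Renaming it to `it 'can pull but cannot push' do` would make a failure on the pull expectation readable from the spec output. The reason an admin with admin mode enabled is still refused a push is set up outside this hunk, so a one-line comment naming that condition above `context 'admin'` would help the next reader.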
......@@ -5,6 +5,7 @@ require 'spec_helper'
RSpec.describe Gitlab::GitAccess do
include TermsHelper
include GitHelpers
include AdminModeHelper
let(:user) { create(:user) }
......@@ -769,6 +770,7 @@ RSpec.describe Gitlab::GitAccess do
describe 'admin user' do
let(:user) { create(:admin) }
context 'when admin mode enabled', :enable_admin_mode do
context 'when member of the project' do
before do
project.add_reporter(user)
......@@ -786,6 +788,25 @@ RSpec.describe Gitlab::GitAccess do
end
end
context 'when admin mode disabled' do
context 'when member of the project' do
before do
project.add_reporter(user)
end
context 'pull code' do
it { expect { pull_access_check }.not_to raise_error }
end
end
context 'when is not member of the project' do
context 'pull code' do
it { expect { pull_access_check }.to raise_not_found }
end
end
end
end
describe 'generic CI (build without a user)' do
let(:actor) { :ci }
......@@ -870,8 +891,9 @@ RSpec.describe Gitlab::GitAccess do
# Expectations are given a custom failure message proc so that it's
# easier to identify which check(s) failed.
it "has the correct permissions for #{role}s" do
if role == :admin
if [:admin_with_admin_mode, :admin_without_admin_mode].include?(role)
user.update_attribute(:admin, true)
enable_admin_mode!(user) if role == :admin_with_admin_mode
project.add_guest(user)
else
project.add_role(user, role)
......@@ -897,7 +919,7 @@ RSpec.describe Gitlab::GitAccess do
end
permissions_matrix = {
admin: {
admin_with_admin_mode: {
any: true,
push_new_branch: true,
push_master: true,
......@@ -909,6 +931,18 @@ RSpec.describe Gitlab::GitAccess do
merge_into_protected_branch: true
},
admin_without_admin_mode: {
any: false,
push_new_branch: false,
push_master: false,
push_protected_branch: false,
push_remove_protected_branch: false,
push_tag: false,
push_new_tag: false,
push_all: false,
merge_into_protected_branch: false
},
maintainer: {
any: true,
push_new_branch: true,
......@@ -1009,7 +1043,7 @@ RSpec.describe Gitlab::GitAccess do
run_permission_checks(permissions_matrix.deep_merge(developer: { push_protected_branch: false, push_all: false, merge_into_protected_branch: false },
maintainer: { push_protected_branch: false, push_all: false, merge_into_protected_branch: false },
admin: { push_protected_branch: false, push_all: false, merge_into_protected_branch: false }))
admin_with_admin_mode: { push_protected_branch: false, push_all: false, merge_into_protected_branch: false }))
end
end
......
......@@ -342,7 +342,9 @@ RSpec.describe Gitlab::SearchResults do
expect(results.limited_issues_count).to eq 4
end
it 'lists all issues for admin' do
context 'with admin user' do
context 'when admin mode enabled', :enable_admin_mode do
it 'lists all issues' do
results = described_class.new(admin, query, limit_projects)
issues = results.objects('issues')
......@@ -356,6 +358,23 @@ RSpec.describe Gitlab::SearchResults do
end
end
context 'when admin mode disabled' do
it 'does not list confidential issues' do
results = described_class.new(admin, query, limit_projects)
issues = results.objects('issues')
expect(issues).to include issue
expect(issues).not_to include security_issue_1
expect(issues).not_to include security_issue_2
expect(issues).not_to include security_issue_3
expect(issues).not_to include security_issue_4
expect(issues).not_to include security_issue_5
expect(results.limited_issues_count).to eq 1
end
end
end
end
it 'does not list merge requests on projects with limited access' do
project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
project.project_feature.update!(merge_requests_access_level: ProjectFeature::PRIVATE)
......
......@@ -2,7 +2,7 @@
require 'spec_helper'
RSpec.describe Gitlab::SidekiqMiddleware::AdminMode::Client, :do_not_mock_admin_mode, :request_store do
RSpec.describe Gitlab::SidekiqMiddleware::AdminMode::Client, :request_store do
include AdminModeHelper
let(:worker) do
......
......@@ -2,7 +2,7 @@
require 'spec_helper'
RSpec.describe Gitlab::SidekiqMiddleware::AdminMode::Server, :do_not_mock_admin_mode, :request_store do
RSpec.describe Gitlab::SidekiqMiddleware::AdminMode::Server, :request_store do
include AdminModeHelper
let(:worker) do
......
......@@ -3,15 +3,20 @@
require 'spec_helper'
RSpec.describe Gitlab::SlashCommands::Presenters::IssueMove do
let_it_be(:admin) { create(:admin) }
let_it_be(:user) { create(:user) }
let_it_be(:project, reload: true) { create(:project) }
let_it_be(:other_project) { create(:project) }
let_it_be(:old_issue, reload: true) { create(:issue, project: project) }
let(:new_issue) { Issues::MoveService.new(project, admin).execute(old_issue, other_project) }
let(:new_issue) { Issues::MoveService.new(project, user).execute(old_issue, other_project) }
let(:attachment) { subject[:attachments].first }
subject { described_class.new(new_issue).present(old_issue) }
before do
project.add_developer(user)
other_project.add_developer(user)
end
it { is_expected.to be_a(Hash) }
it 'shows the new issue' do
......
......@@ -45,11 +45,21 @@ RSpec.describe Gitlab::UserAccess do
let(:empty_project) { create(:project_empty_repo) }
let(:project_access) { described_class.new(user, container: empty_project) }
context 'when admin mode is enabled', :enable_admin_mode do
it 'returns true for admins' do
user.update!(admin: true)
expect(access.can_push_to_branch?('master')).to be_truthy
end
end
context 'when admin mode is disabled' do
it 'returns false for admins' do
user.update!(admin: true)
expect(access.can_push_to_branch?('master')).to be_falsey
end
end
it 'returns true if user is maintainer' do
empty_project.add_maintainer(user)
......@@ -85,11 +95,21 @@ RSpec.describe Gitlab::UserAccess do
let(:branch) { create :protected_branch, project: project, name: "test" }
let(:not_existing_branch) { create :protected_branch, :developers_can_merge, project: project }
context 'when admin mode is enabled', :enable_admin_mode do
it 'returns true for admins' do
user.update!(admin: true)
expect(access.can_push_to_branch?(branch.name)).to be_truthy
end
end
context 'when admin mode is disabled' do
it 'returns false for admins' do
user.update!(admin: true)
expect(access.can_push_to_branch?(branch.name)).to be_falsey
end
end
it 'returns true if user is a maintainer' do
project.add_maintainer(user)
......
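Review bot: The new `'returns false for admins'` example in the empty-project hunk calls `access.can_push_to_branch?('master')`, while this context defines `project_access` for `empty_project` just above. `access` is defined outside the hunk and presumably wraps the regular `project`. If so, neither admin example exercises the empty repository, and the admin-mode-disabled assertion passes for a reason unrelated to this context. Consider `expect(project_access.can_push_to_branch?('master')).to be_falsey` here, and `be_truthy` in the enabled example, after confirming what `access` points at.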
......@@ -22,6 +22,7 @@ RSpec.describe Gitlab::VisibilityLevel do
end
describe '.levels_for_user' do
context 'when admin mode is enabled', :enable_admin_mode do
it 'returns all levels for an admin' do
user = build(:user, :admin)
......@@ -30,6 +31,17 @@ RSpec.describe Gitlab::VisibilityLevel do
Gitlab::VisibilityLevel::INTERNAL,
Gitlab::VisibilityLevel::PUBLIC])
end
end
context 'when admin mode is disabled' do
it 'returns INTERNAL and PUBLIC for an admin' do
user = build(:user, :admin)
expect(described_class.levels_for_user(user))
.to eq([Gitlab::VisibilityLevel::INTERNAL,
Gitlab::VisibilityLevel::PUBLIC])
end
end
it 'returns INTERNAL and PUBLIC for internal users' do
user = build(:user)
......
......@@ -290,14 +290,11 @@ RSpec.configure do |config|
admin_mode_mock_dirs = %w(
./ee/spec/elastic_integration
./ee/spec/finders
./ee/spec/lib
./ee/spec/serializers
./ee/spec/support/shared_examples/finders/geo
./ee/spec/support/shared_examples/graphql/geo
./spec/finders
./spec/lib
./spec/serializers
./spec/support/shared_examples/lib/gitlab
./spec/workers
)
......
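Review bot: The `admin_mode_mock_dirs` list carries no comment saying what membership means, and after this change it is the only place that tells a reader which spec directories still run with admin mode switched on automatically. Specs under the remaining entries (`./spec/finders`, `./spec/serializers`, `./spec/workers` and the EE counterparts) presumably cannot fail on a missing admin-mode check, so it is worth stating that the list is meant to shrink. A suitable comment would be `# Specs under these directories still get admin mode enabled automatically; remove an entry once its specs opt in with :enable_admin_mode.` The hook that consumes the list sits outside the hunk, so check the wording against it.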
......@@ -54,7 +54,7 @@ RSpec.shared_examples 'access restricted confidential issues' do
end
end
context 'when the user is a developper' do
context 'when the user is a developer' do
let(:user) do
create(:user) { |user| project.add_developer(user) }
end
......@@ -70,10 +70,19 @@ RSpec.shared_examples 'access restricted confidential issues' do
context 'when the user is admin', :request_store do
let(:user) { create(:user, admin: true) }
context 'when admin mode is enabled', :enable_admin_mode do
it 'lists all project issues' do
expect(objects).to contain_exactly(issue,
security_issue_1,
security_issue_2)
end
end
context 'when admin mode is disabled' do
it 'does not list project confidential issues' do
expect(objects).to contain_exactly(issue)
expect(results.limited_issues_count).to eq 1
end
end
end
end