096ac0111b
Previously, access control was implemented via AccessPolicy and {Access/AppliedTag}.
This doesn't remove AccessPolicy/AppliedTag yet, as there are still references to
them. They will be removed in a later commit.
In order for the new access control to work, the authorization methods need to be
passed the project_id, to force the access query to operate on a single project.
That part isn't very invasive, since authorization is mostly centralized in
helpers/general.rb, but it did require a couple other places to be changed:
* model/invoice.rb is the only caller of Authorization.authorize outside of
the Clover helpers. This is probably a layer violation that should be fixed
later, but for now, add the project_id manually to the call.
* In the github route, set @project so that the helpers can access it.
Add Project#dissociate_subject, which handles remove the subject tags and
direct access control entries when removing a user or token from a project.
Call this when removing uses or tokens from a project.
Remove Authorization.authorized_resources_dataset, as it was only
needed by Dataset#authorize. This inlines the code into Dataset#authorize.
This was done because it doesn't make sense to use the method in isolation,
and the query needed in Dataset#authorize depends on the dataset, which
isn't passed to Authorization.authorized_resources_dataset.
Remove Authorization.expand_actions. This method has no equivalent in the
new design, and it is no longer needed.
For the api specs that use a personal access token, this adds the
token to the Admin subject tag (which has full access). This has
similar behavior as applying the admin managed policy had previously.
The authorization queries do not currently support nested tags. Support
for nested tags will be added later.
While here, fix parameter name for Clover#all_permissions.
This method is only currently called with @project.id as the argument,
so it doesn't technically need an argument, but it could potentially
be used later to get all permissions on an object other than the
current project.
122 lines
5.4 KiB
Ruby
122 lines
5.4 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
require_relative "spec_helper"
|
|
require "octokit"
|
|
|
|
RSpec.describe Clover, "github" do
|
|
let(:user) { create_account }
|
|
let(:project) { user.create_project_with_default_policy("project-1") }
|
|
let(:installation) { GithubInstallation.create_with_id(installation_id: 123, project_id: project.id, name: "test-user", type: "User") }
|
|
let(:oauth_client) { instance_double(Octokit::Client) }
|
|
let(:adhoc_client) { instance_double(Octokit::Client) }
|
|
|
|
before do
|
|
login(user.email)
|
|
|
|
allow(Config).to receive(:github_app_name).and_return("runner-app")
|
|
allow(Github).to receive(:oauth_client).and_return(oauth_client)
|
|
allow(Octokit::Client).to receive(:new).and_return(adhoc_client)
|
|
end
|
|
|
|
it "redirects to github page if already installed" do
|
|
expect(oauth_client).to receive(:exchange_code_for_token).with("123123").and_return({access_token: "123"})
|
|
|
|
visit "/github/callback?code=123123&installation_id=#{installation.installation_id}"
|
|
|
|
expect(page.title).to eq("Ubicloud - Active Runners")
|
|
expect(page).to have_flash_notice("GitHub runner integration is already enabled for #{project.name} project.")
|
|
end
|
|
|
|
it "raises forbidden when does not have permissions to access already enabled installation" do
|
|
expect(oauth_client).to receive(:exchange_code_for_token).with("123123").and_return({access_token: "123"})
|
|
project
|
|
installation
|
|
AccessControlEntry.dataset.update(action_id: ActionType::NAME_MAP["Project:view"])
|
|
|
|
visit "/github/callback?code=123123&installation_id=#{installation.installation_id}"
|
|
|
|
expect(page.title).to eq("Ubicloud - Forbidden")
|
|
expect(page.status_code).to eq(403)
|
|
expect(page).to have_content "Forbidden"
|
|
end
|
|
|
|
it "fails if project not found at session" do
|
|
expect(oauth_client).to receive(:exchange_code_for_token).with("123123").and_return({access_token: "123"})
|
|
|
|
visit "/github/callback?code=123123&installation_id=345"
|
|
|
|
expect(page.title).to eq("Ubicloud - Projects")
|
|
expect(page).to have_flash_error("You should initiate the GitHub App installation request from the project's GitHub runner integration page.")
|
|
end
|
|
|
|
it "raises forbidden when does not have permissions to the project in session" do
|
|
expect(oauth_client).to receive(:exchange_code_for_token).with("123123").and_return({access_token: "123"})
|
|
expect(Project).to receive(:[]).and_return(project).at_least(:once)
|
|
AccessControlEntry.dataset.destroy
|
|
|
|
visit "/github/callback?code=123123&installation_id=345"
|
|
|
|
expect(page.title).to eq("Ubicloud - Forbidden")
|
|
expect(page.status_code).to eq(403)
|
|
expect(page).to have_content "Forbidden"
|
|
end
|
|
|
|
it "redirects to user management page if it requires approval" do
|
|
expect(oauth_client).to receive(:exchange_code_for_token).with("123123").and_return({})
|
|
expect(Project).to receive(:[]).and_return(project).at_least(:once)
|
|
|
|
visit "/github/callback?code=123123&setup_action=request"
|
|
|
|
expect(page.title).to eq("Ubicloud - #{project.name} - Users")
|
|
expect(page).to have_flash_notice(/.*awaiting approval from the GitHub organization's administrator.*/)
|
|
end
|
|
|
|
it "fails if oauth code is invalid" do
|
|
expect(oauth_client).to receive(:exchange_code_for_token).with("invalid").and_return({})
|
|
expect(Project).to receive(:[]).and_return(project).at_least(:once)
|
|
|
|
visit "/github/callback?code=invalid"
|
|
|
|
expect(page.title).to eq("Ubicloud - GitHub Runner Settings")
|
|
expect(page).to have_flash_error(/^GitHub App installation failed.*/)
|
|
end
|
|
|
|
it "fails if installation not found" do
|
|
expect(oauth_client).to receive(:exchange_code_for_token).with("123123").and_return({access_token: "123"})
|
|
expect(adhoc_client).to receive(:get).with("/user/installations").and_return({installations: []})
|
|
expect(Project).to receive(:[]).and_return(project).at_least(:once)
|
|
|
|
visit "/github/callback?code=123123"
|
|
|
|
expect(page.title).to eq("Ubicloud - GitHub Runner Settings")
|
|
expect(page).to have_flash_error(/^GitHub App installation failed.*/)
|
|
end
|
|
|
|
it "fails if the project is not active" do
|
|
expect(oauth_client).to receive(:exchange_code_for_token).with("123123").and_return({access_token: "123"})
|
|
expect(adhoc_client).to receive(:get).with("/user/installations").and_return({installations: [{id: 345, account: {login: "test-user", type: "User"}}]})
|
|
expect(Project).to receive(:[]).and_return(project).at_least(:once)
|
|
expect(project).to receive(:active?).and_return(false)
|
|
|
|
visit "/github/callback?code=123123&installation_id=345"
|
|
|
|
expect(page.title).to eq("Ubicloud - project-1 Dashboard")
|
|
expect(page).to have_flash_error("GitHub runner integration is not allowed for inactive projects")
|
|
end
|
|
|
|
it "creates installation with project from session" do
|
|
expect(oauth_client).to receive(:exchange_code_for_token).with("123123").and_return({access_token: "123"})
|
|
expect(adhoc_client).to receive(:get).with("/user/installations").and_return({installations: [{id: 345, account: {login: "test-user", type: "User"}}]})
|
|
expect(Project).to receive(:[]).and_return(project).at_least(:once)
|
|
|
|
visit "/github/callback?code=123123&installation_id=345"
|
|
|
|
expect(page.title).to eq("Ubicloud - Active Runners")
|
|
expect(page).to have_flash_notice("GitHub runner integration is enabled for #{project.name} project.")
|
|
installation = GithubInstallation[installation_id: 345]
|
|
expect(installation.name).to eq("test-user")
|
|
expect(installation.type).to eq("User")
|
|
expect(installation.project_id).to eq(project.id)
|
|
end
|
|
end
|