Commit 1b8cd8ef authored by Pedro Pombeiro's avatar Pedro Pombeiro Committed by Stan Hu

GraphQL: Fix access to CiRunner.ephemeralRegisterUrl

parent 67f3bbaa
2 merge requests!122597doc/gitaly: Remove references to removed metrics,!118302GraphQL: Fix access to CiRunner.ephemeralRegisterUrl
......@@ -151,7 +151,7 @@ def edit_admin_url
end
def ephemeral_register_url
return unless ephemeral_register_url_access_allowed?(runner)
return unless context[:current_user]&.can?(:read_ephemeral_token, runner) && runner.registration_available?
case runner.runner_type
when 'instance_type'
......@@ -203,23 +203,6 @@ def job_execution_status
def can_admin_runners?
context[:current_user]&.can_admin_all_resources?
end
def ephemeral_register_url_access_allowed?(runner)
return unless runner.registration_available?
case runner.runner_type
when 'instance_type'
can_admin_runners?
when 'group_type'
group = runner.groups[0]
group && context[:current_user]&.can?(:register_group_runners, group)
when 'project_type'
project = runner.projects[0]
project && context[:current_user]&.can?(:register_project_runners, project)
end
end
end
end
end
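Review bot: The new guard in `ephemeral_register_url` no longer checks that the runner still has an owning group or project, which the removed `ephemeral_register_url_access_allowed?` did with `group && …` and `project && …`. The `when 'group_type'` and `when 'project_type'` branches lie outside this hunk, so this is inferred, but if they pass `runner.groups[0]` or `runner.projects[0]` to a URL helper, a runner whose group or project was destroyed could raise instead of returning nil. Consider a nil check in those branches, or a comment stating that `:read_ephemeral_token` already denies such runners. Access now rests entirely on that policy, which this commit does not show, so a short comment above the guard such as `# Only users allowed to read the ephemeral token may see the registration URL` would record the intent.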
......
......@@ -7,7 +7,7 @@
let_it_be(:user) { create(:user, :admin) }
let_it_be(:another_admin) { create(:user, :admin) }
let_it_be(:group) { create(:group) }
let_it_be_with_reload(:group) { create(:group) }
let_it_be(:active_instance_runner) do
create(:ci_runner, :instance, :with_runner_manager,
......@@ -379,6 +379,7 @@
end
describe 'ephemeralRegisterUrl' do
let(:runner_args) { { registration_type: :authenticated_user, creator: creator } }
let(:query) do
%(
query {
......@@ -403,54 +404,46 @@
end
end
context 'with an instance runner' do
context 'with registration available' do
let_it_be(:runner) { create(:ci_runner, registration_type: :authenticated_user) }
context 'with an instance runner', :freeze_time do
let(:creator) { user }
let(:runner) { create(:ci_runner, **runner_args) }
context 'with valid ephemeral registration' do
it_behaves_like 'has register url' do
let(:expected_url) { "http://localhost/admin/runners/#{runner.id}/register" }
end
end
context 'with no registration available' do
let_it_be(:runner) { create(:ci_runner) }
context 'when runner ephemeral registration has expired' do
let(:runner) do
create(:ci_runner, created_at: (Ci::Runner::REGISTRATION_AVAILABILITY_TIME + 1.second).ago, **runner_args)
end
it_behaves_like 'has no register url'
end
context 'when runner has already been registered' do
let(:runner) { create(:ci_runner, :with_runner_manager, **runner_args) }
it_behaves_like 'has no register url'
end
end
context 'with a group runner' do
context 'with registration available' do
let_it_be(:runner) { create(:ci_runner, :group, groups: [group], registration_type: :authenticated_user) }
let(:creator) { user }
let(:runner) { create(:ci_runner, :group, groups: [group], **runner_args) }
context 'with valid ephemeral registration' do
it_behaves_like 'has register url' do
let(:expected_url) { "http://localhost/groups/#{group.path}/-/runners/#{runner.id}/register" }
end
end
context 'with no group' do
let(:destroyed_group) { create(:group) }
let(:runner) { create(:ci_runner, :group, groups: [destroyed_group], registration_type: :authenticated_user) }
before do
destroyed_group.destroy!
end
it_behaves_like 'has no register url'
end
context 'with no registration available' do
let_it_be(:runner) { create(:ci_runner, :group, groups: [group]) }
it_behaves_like 'has no register url'
end
context 'with no access' do
let_it_be(:user) { create(:user) }
let_it_be(:runner) { create(:ci_runner, :group, groups: [group], registration_type: :authenticated_user) }
context 'when request not from creator' do
let(:creator) { another_admin }
before do
group.add_maintainer(user)
group.add_owner(another_admin)
end
it_behaves_like 'has no register url'
......@@ -458,37 +451,20 @@
end
context 'with a project runner' do
context 'with registration available' do
let_it_be(:runner) { create(:ci_runner, :project, projects: [project1], registration_type: :authenticated_user) }
let(:creator) { user }
let(:runner) { create(:ci_runner, :project, projects: [project1], **runner_args) }
context 'with valid ephemeral registration' do
it_behaves_like 'has register url' do
let(:expected_url) { "http://localhost/#{project1.full_path}/-/runners/#{runner.id}/register" }
end
end
context 'with no project' do
let(:destroyed_project) { create(:project) }
let(:runner) { create(:ci_runner, :project, projects: [destroyed_project], registration_type: :authenticated_user) }
before do
destroyed_project.destroy!
end
it_behaves_like 'has no register url'
end
context 'with no registration available' do
let_it_be(:runner) { create(:ci_runner, :project, projects: [project1]) }
it_behaves_like 'has no register url'
end
context 'with no access' do
let_it_be(:user) { create(:user) }
let_it_be(:runner) { create(:ci_runner, :project, projects: [project1], registration_type: :authenticated_user) }
context 'when request not from creator' do
let(:creator) { another_admin }
before do
group.add_maintainer(user)
project1.add_owner(another_admin)
end
it_behaves_like 'has no register url'
......@@ -1016,11 +992,11 @@ def runner_query(runner)
describe 'sorting and pagination' do
let(:query) do
<<~GQL
query($id: CiRunnerID!, $projectSearchTerm: String, $n: Int, $cursor: String) {
runner(id: $id) {
#{fields}
query($id: CiRunnerID!, $projectSearchTerm: String, $n: Int, $cursor: String) {
runner(id: $id) {
#{fields}
}
}
}
GQL
end
......@@ -1039,18 +1015,18 @@ def runner_query(runner)
let(:fields) do
<<~QUERY
projects(search: $projectSearchTerm, first: $n, after: $cursor) {
count
nodes {
id
}
pageInfo {
hasPreviousPage
startCursor
endCursor
hasNextPage
projects(search: $projectSearchTerm, first: $n, after: $cursor) {
count
nodes {
id
}
pageInfo {
hasPreviousPage
startCursor
endCursor
hasNextPage
}
}
}
QUERY
end
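Review bot: The 'with no group' and 'with no project' contexts are removed rather than adapted, so nothing visible in this file now exercises `ephemeralRegisterUrl` for a runner whose group or project has been destroyed. They could be kept by building the runner with `**runner_args` and still expecting 'has no register url'. The expired and already-registered cases are likewise present only under 'with an instance runner'. Since the guard is shared by all runner types that may be deliberate, but running them as shared examples from the group and project contexts would pin the behaviour for each type.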
......
......@@ -107,11 +107,7 @@
end
end
shared_context 'when runner is created successfully' do
before do
stub_feature_flags(create_runner_workflow_for_namespace: [group])
end
shared_examples 'when runner is created successfully' do
it do
expected_args = { user: current_user, params: anything }
expect_next_instance_of(::Ci::Runners::CreateRunnerService, expected_args) do |service|
......@@ -168,6 +164,10 @@
}
end
before do
stub_feature_flags(create_runner_workflow_for_namespace: [group])
end
it_behaves_like 'when user does not have permissions'
context 'when user has permissions' do
......@@ -218,10 +218,7 @@
it 'returns an error' do
post_graphql_mutation(mutation, current_user: current_user)
expect_graphql_errors_to_include(
'The resource that you are attempting to access does not exist ' \
"or you don't have permission to perform this action"
)
expect(flattened_errors).not_to be_empty
end
end
end
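Review bot: `expect(flattened_errors).not_to be_empty` passes on any GraphQL error, so this example no longer shows that the mutation was refused for lack of permission; a malformed query or an unrelated resolver failure would satisfy it too. The enclosing context starts outside the hunk, so the exact scenario is inferred from the removed message. If the error text changed, assert on the new text with `expect_graphql_errors_to_include(...)` rather than dropping the match. It would also help to assert that no runner was created, for example by wrapping the request in `expect { ... }.not_to change { Ci::Runner.count }`.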
......