diff --git a/app/assets/stylesheets/pages/projects.scss b/app/assets/stylesheets/pages/projects.scss index 79558b8604f990963bef9216660d7a7a20655bf1..792c618fd4045ef49245423e93227446c7758893 100644 --- a/app/assets/stylesheets/pages/projects.scss +++ b/app/assets/stylesheets/pages/projects.scss @@ -67,10 +67,6 @@ } } -.classification-label { - background-color: $red-500; -} - .toggle-wrapper { margin-top: 5px; } diff --git a/app/controllers/admin/application_settings_controller.rb b/app/controllers/admin/application_settings_controller.rb index b681949ab369eec324e9bc277bece915258d37bb..ab792cf7403d77c6d15c2fc3ce5c8cee42bf44f3 100644 --- a/app/controllers/admin/application_settings_controller.rb +++ b/app/controllers/admin/application_settings_controller.rb @@ -124,9 +124,7 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController end def visible_application_setting_attributes - [ - *::ApplicationSettingsHelper.visible_attributes, - *::ApplicationSettingsHelper.external_authorization_service_attributes, + ApplicationSettingsHelper.visible_attributes + [ :domain_blacklist_file, disabled_oauth_sign_in_sources: [], import_sources: [], diff --git a/app/controllers/concerns/project_unauthorized.rb b/app/controllers/concerns/project_unauthorized.rb index d42363b8b175c1899c208c228bca93fcb9055779..f59440dbc598d334de74832307e52de896b5303f 100644 --- a/app/controllers/concerns/project_unauthorized.rb +++ b/app/controllers/concerns/project_unauthorized.rb 
@@ -1,21 +1,10 @@ # frozen_string_literal: true module ProjectUnauthorized - def project_unauthorized_proc - lambda do |project| - if project - label = project.external_authorization_classification_label - rejection_reason = nil - - unless ::Gitlab::ExternalAuthorization.access_allowed?(current_user, label) - rejection_reason = ::Gitlab::ExternalAuthorization.rejection_reason(current_user, label) - rejection_reason ||= _('External authorization denied access to this project') - end + extend ActiveSupport::Concern - if rejection_reason - access_denied!(rejection_reason) - end - end - end + # EE would override this + def project_unauthorized_proc + # no-op end end diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb index 632be29df72ed60c5c288c4af213f3a21146a643..94258e0e90ab1b8e90eb02d6cc050f6dad25ea89 100644 --- a/app/controllers/projects_controller.rb +++ b/app/controllers/projects_controller.rb @@ -345,7 +345,6 @@ class ProjectsController < Projects::ApplicationController :container_registry_enabled, :default_branch, :description, - :external_authorization_classification_label, :import_url, :issues_tracker, :issues_tracker_id, diff --git a/app/helpers/application_settings_helper.rb b/app/helpers/application_settings_helper.rb index 50b5edf7da4bef2b93c8a17dee85816691ec4f8c..e635f60823756e55c40f1a2ddcd1ee7aa3ed6314 100644 --- a/app/helpers/application_settings_helper.rb +++ b/app/helpers/application_settings_helper.rb 
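Review bot: The new `project_unauthorized_proc` returns `nil` where the removed version returned a lambda, so any caller that still does `project_unauthorized_proc.call(project)` would raise NoMethodError on CE unless it already guards for `nil`; the call site is outside this diff, so please confirm it tolerates a nil result. If it does not, returning an inert callable keeps the interface stable: `->(_project) {}`. Either way `# EE would override this` should spell out the contract the overrider must keep, along the lines of `# Hook for EE: must return nil or a callable taking the project; CE performs no extra authorization here.`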
@@ -119,39 +119,6 @@ module ApplicationSettingsHelper options_for_select(options, selected) end - def external_authorization_description - _("If enabled, access to projects will be validated on an external service"\ - " using their classification label.") - end - - def external_authorization_timeout_help_text - _("Time in seconds GitLab will wait for a response from the external "\ - "service. When the service does not respond in time, access will be "\ - "denied.") - end - - def external_authorization_url_help_text - _("When leaving the URL blank, classification labels can still be "\ - "specified without disabling cross project features or performing "\ - "external authorization checks.") - end - - def external_authorization_client_certificate_help_text - _("The X509 Certificate to use when mutual TLS is required to communicate "\ - "with the external authorization service. If left blank, the server "\ - "certificate is still validated when accessing over HTTPS.") - end - - def external_authorization_client_key_help_text - _("The private key to use when a client certificate is provided. This value "\ - "is encrypted at rest.") - end - - def external_authorization_client_pass_help_text - _("The passphrase required to decrypt the private key. This is optional "\ - "and the value is encrypted at rest.") - end - def visible_attributes [ :admin_notification_email, @@ -270,18 +237,6 @@ module ApplicationSettingsHelper ] end - def external_authorization_service_attributes - [ - :external_auth_client_cert, - :external_auth_client_key, - :external_auth_client_key_pass, - :external_authorization_service_default_label, - :external_authorization_service_enabled, - :external_authorization_service_timeout, - :external_authorization_service_url - ] - end - def expanded_by_default? Rails.env.test? end diff --git a/app/helpers/projects_helper.rb b/app/helpers/projects_helper.rb index 2ac90eb8d9ffcba2c60c824b1048a7c7b963bfae..009dd70c2c99fc2f8b62f59736577cc46db63ece 100644 
--- a/app/helpers/projects_helper.rb +++ b/app/helpers/projects_helper.rb @@ -303,16 +303,6 @@ module ProjectsHelper @path.present? end - def external_classification_label_help_message - default_label = ::Gitlab::CurrentSettings.current_application_settings - .external_authorization_service_default_label - - s_( - "ExternalAuthorizationService|When no classification label is set the "\ - "default label `%{default_label}` will be used." - ) % { default_label: default_label } - end - private def get_project_nav_tabs(project, current_user) diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb index d28a12413bf578d3dcbdfa13ab007e040e6f89b7..7ec8505b33a9b82fb947d567d379be1af2faa20d 100644 --- a/app/models/application_setting.rb +++ b/app/models/application_setting.rb 
@@ -213,40 +213,6 @@ class ApplicationSetting < ApplicationRecord validate :terms_exist, if: :enforce_terms? - validates :external_authorization_service_default_label, - presence: true, - if: :external_authorization_service_enabled - - validates :external_authorization_service_url, - url: true, allow_blank: true, - if: :external_authorization_service_enabled - - validates :external_authorization_service_timeout, - numericality: { greater_than: 0, less_than_or_equal_to: 10 }, - if: :external_authorization_service_enabled - - validates :external_auth_client_key, - presence: true, - if: -> (setting) { setting.external_auth_client_cert.present? } - - validates_with X509CertificateCredentialsValidator, - certificate: :external_auth_client_cert, - pkey: :external_auth_client_key, - pass: :external_auth_client_key_pass, - if: -> (setting) { setting.external_auth_client_cert.present? } - - attr_encrypted :external_auth_client_key, - mode: :per_attribute_iv, - key: Settings.attr_encrypted_db_key_base_truncated, - algorithm: 'aes-256-gcm', - encode: true - - attr_encrypted :external_auth_client_key_pass, - mode: :per_attribute_iv, - key: Settings.attr_encrypted_db_key_base_truncated, - algorithm: 'aes-256-gcm', - encode: true - before_validation :ensure_uuid! before_validation :strip_sentry_values diff --git a/app/models/issue.rb b/app/models/issue.rb index eb4c87e05d590f5583a7eae2407e3961c05472f4..97c6dcc4745d30830f0ea3bfeae1ea86445ff33c 100644 --- a/app/models/issue.rb +++ b/app/models/issue.rb @@ -230,13 +230,7 @@ class Issue < ApplicationRecord def visible_to_user?(user = nil) return false unless project && project.feature_available?(:issues, user) - return publicly_visible? unless user - - return false unless readable_by?(user) - - user.full_private_access? || - ::Gitlab::ExternalAuthorization.access_allowed?( - user, project.external_authorization_classification_label) + user ? readable_by?(user) : publicly_visible? end def check_for_spam? 
@@ -304,7 +298,7 @@ class Issue < ApplicationRecord # Returns `true` if this Issue is visible to everybody. def publicly_visible? - project.public? && !confidential? && !::Gitlab::ExternalAuthorization.enabled? + project.public? && !confidential? end def expire_etag_cache diff --git a/app/models/project.rb b/app/models/project.rb index 97e287d3fa22f7ec191f6462fa5afffeca430f74..e2869fc2ad5280a7905b32af60606e9798daf2d0 100644 --- a/app/models/project.rb +++ b/app/models/project.rb @@ -2062,11 +2062,6 @@ class Project < ApplicationRecord fetch_branch_allows_collaboration(user, branch_name) end - def external_authorization_classification_label - super || ::Gitlab::CurrentSettings.current_application_settings - .external_authorization_service_default_label - end - def licensed_features [] end diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb index 5dd2279ef99077549f5869590653d929d7b91e0f..72de04203a6cfeb8c156b23be675f7568b1b43a7 100644 --- a/app/policies/base_policy.rb +++ b/app/policies/base_policy.rb @@ -22,13 +22,6 @@ class BasePolicy < DeclarativePolicy::Base Gitlab::CurrentSettings.current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC) end - condition(:external_authorization_enabled, scope: :global, score: 0) do - ::Gitlab::ExternalAuthorization.perform_check? - end - - rule { external_authorization_enabled & ~full_private_access }.policy do - prevent :read_cross_project - end - + # This is prevented in some cases in `gitlab-ee` rule { default }.enable :read_cross_project end diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index ba38af9c5298731abe06cc57e7ef7b38001bb41d..26d7d6e84c43f8c446bd1d108b5e4d0a86fe182c 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb 
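Review bot: In the base_policy.rb hunk the comment `# This is prevented in some cases in gitlab-ee` does not tell a CE reader what to expect, while the rule below it now grants `:read_cross_project` unconditionally; the comment should name the mechanism so nobody later adds a CE-side prevent that conflicts with the EE one. Something like `# CE grants :read_cross_project by default; EE layers a prevent rule on top of this policy for deployments that restrict cross-project access.` would do. I am inferring the EE side only from the lines this hunk removes, so adjust the wording to whatever EE actually does.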
@@ -89,15 +89,6 @@ class ProjectPolicy < BasePolicy ::Gitlab::CurrentSettings.current_application_settings.mirror_available end - with_scope :subject - condition(:classification_label_authorized, score: 32) do - ::Gitlab::ExternalAuthorization.access_allowed?( - @user, - @subject.external_authorization_classification_label, - @subject.full_path - ) - end - # We aren't checking `:read_issue` or `:read_merge_request` in this case # because it could be possible for a user to see an issuable-iid # (`:read_issue_iid` or `:read_merge_request_iid`) but then wouldn't be @@ -426,25 +417,6 @@ class ProjectPolicy < BasePolicy rule { ~can_have_multiple_clusters & has_clusters }.prevent :add_cluster - rule { ~can?(:read_cross_project) & ~classification_label_authorized }.policy do - # Preventing access here still allows the projects to be listed. Listing - # projects doesn't check the `:read_project` ability. But instead counts - # on the `project_authorizations` table. - # - # All other actions should explicitly check read project, which would - # trigger the `classification_label_authorized` condition. - # - # `:read_project_for_iids` is not prevented by this condition, as it is - # used for cross-project reference checks. - prevent :guest_access - prevent :public_access - prevent :public_user_access - prevent :reporter_access - prevent :developer_access - prevent :maintainer_access - prevent :owner_access - end - private def team_member? diff --git a/app/services/application_settings/update_service.rb b/app/services/application_settings/update_service.rb index 7eeaf8aade139197261d36ecdf781737e7a47e02..9146eb96533d39b4115379ae33cc0f1d801b9893 100644 --- a/app/services/application_settings/update_service.rb +++ b/app/services/application_settings/update_service.rb 
@@ -2,17 +2,9 @@ module ApplicationSettings class UpdateService < ApplicationSettings::BaseService - include ValidatesClassificationLabel - attr_reader :params, :application_setting def execute - validate_classification_label(application_setting, :external_authorization_service_default_label) - - if application_setting.errors.any? - return false - end - update_terms(@params.delete(:terms)) if params.key?(:performance_bar_allowed_group_path) diff --git a/app/services/concerns/validates_classification_label.rb b/app/services/concerns/validates_classification_label.rb deleted file mode 100644 index ebcf5c24ff8f135d8bfe0214b739d6f20d430034..0000000000000000000000000000000000000000 --- a/app/services/concerns/validates_classification_label.rb +++ /dev/null @@ -1,27 +0,0 @@ -# frozen_string_literal: true - -module ValidatesClassificationLabel - def validate_classification_label(record, attribute_name) - return unless ::Gitlab::ExternalAuthorization.enabled? - return unless classification_label_change?(record, attribute_name) - - new_label = params[attribute_name].presence - new_label ||= ::Gitlab::CurrentSettings.current_application_settings - .external_authorization_service_default_label - - unless ::Gitlab::ExternalAuthorization.access_allowed?(current_user, new_label) - reason = rejection_reason_for_label(new_label) - message = s_('ClassificationLabelUnavailable|is unavailable: %{reason}') % { reason: reason } - record.errors.add(attribute_name, message) - end - end - - def rejection_reason_for_label(label) - reason_from_service = ::Gitlab::ExternalAuthorization.rejection_reason(current_user, label).presence - reason_from_service || _("Access to '%{classification_label}' not allowed") % { classification_label: label } - end - - def classification_label_change?(record, attribute_name) - params.key?(attribute_name) || record.new_record? - end -end 
diff --git a/app/services/projects/create_service.rb b/app/services/projects/create_service.rb index 3723c5ef7d71301fdef75a84022cb4f52dffc19f..d03137b63b28b4276353de761b19087425699e70 100644 --- a/app/services/projects/create_service.rb +++ b/app/services/projects/create_service.rb @@ -2,8 +2,6 @@ module Projects class CreateService < BaseService - include ValidatesClassificationLabel - def initialize(user, params) @current_user, @params = user, params.dup @skip_wiki = @params.delete(:skip_wiki) @@ -47,8 +45,6 @@ module Projects relations_block&.call(@project) yield(@project) if block_given? - validate_classification_label(@project, :external_authorization_classification_label) - # If the block added errors, don't try to save the project return @project if @project.errors.any? diff --git a/app/services/projects/update_service.rb b/app/services/projects/update_service.rb index bc36bb8659d1a82dcf6b7127c25cc4231f61c1de..6856009b3957b630a005450d2770cf9b7c786c5f 100644 --- a/app/services/projects/update_service.rb +++ b/app/services/projects/update_service.rb @@ -3,7 +3,6 @@ module Projects class UpdateService < BaseService include UpdateVisibilityLevel - include ValidatesClassificationLabel ValidationError = Class.new(StandardError) @@ -15,8 +14,6 @@ module Projects yield if block_given? - validate_classification_label(project, :external_authorization_classification_label) - # If the block added errors, don't try to save the project return update_failed! if project.errors.any? diff --git a/app/validators/x509_certificate_credentials_validator.rb b/app/validators/x509_certificate_credentials_validator.rb deleted file mode 100644 index d2f18e956c333880165c3fdb311cfe1627322194..0000000000000000000000000000000000000000 --- a/app/validators/x509_certificate_credentials_validator.rb +++ /dev/null 
@@ -1,86 +0,0 @@ -# frozen_string_literal: true - -# X509CertificateCredentialsValidator -# -# Custom validator to check if certificate-attribute was signed using the -# private key stored in an attrebute. -# -# This can be used as an `ActiveModel::Validator` as follows: -# -# validates_with X509CertificateCredentialsValidator, -# certificate: :client_certificate, -# pkey: :decrypted_private_key, -# pass: :decrypted_passphrase -# -# -# Required attributes: -# - certificate: The name of the accessor that returns the certificate to check -# - pkey: The name of the accessor that returns the private key -# Optional: -# - pass: The name of the accessor that returns the passphrase to decrypt the -# private key -class X509CertificateCredentialsValidator < ActiveModel::Validator - def initialize(*args) - super - - # We can't validate if we don't have a private key or certificate attributes - # in which case this validator is useless. - if options[:pkey].nil? || options[:certificate].nil? - raise 'Provide at least `certificate` and `pkey` attribute names' - end - end - - def validate(record) - unless certificate = read_certificate(record) - record.errors.add(options[:certificate], _('is not a valid X509 certificate.')) - end - - unless private_key = read_private_key(record) - record.errors.add(options[:pkey], _('could not read private key, is the passphrase correct?')) - end - - return if private_key.nil? || certificate.nil? - - unless certificate.public_key.fingerprint == private_key.public_key.fingerprint - record.errors.add(options[:pkey], _('private key does not match certificate.')) - end - end - - private - - def read_private_key(record) - OpenSSL::PKey.read(pkey(record).to_s, pass(record).to_s) - rescue OpenSSL::PKey::PKeyError, ArgumentError - # When the primary key could not be read, an ArgumentError is raised. 
- # This hapens when the passed key is not valid or the passphrase is incorrect - nil - end - - def read_certificate(record) - OpenSSL::X509::Certificate.new(certificate(record).to_s) - rescue OpenSSL::X509::CertificateError - nil - end - - # rubocop:disable GitlabSecurity/PublicSend - # - # Allowing `#public_send` here because we don't want the validator to really - # care about the names of the attributes or where they come from. - # - # The credentials are mostly stored encrypted so we need to go through the - # accessors to get the values, `read_attribute` bypasses those. - def certificate(record) - record.public_send(options[:certificate]) - end - - def pkey(record) - record.public_send(options[:pkey]) - end - - def pass(record) - return unless options[:pass] - - record.public_send(options[:pass]) - end - # rubocop:enable GitlabSecurity/PublicSend -end diff --git a/app/views/admin/application_settings/_external_authorization_service_form.html.haml b/app/views/admin/application_settings/_external_authorization_service_form.html.haml deleted file mode 100644 index 01f6c7afe61aa5224a513a089cedc26fd99d678f..0000000000000000000000000000000000000000 --- a/app/views/admin/application_settings/_external_authorization_service_form.html.haml +++ /dev/null 
@@ -1,51 +0,0 @@ -%section.settings.as-external-auth.no-animate#js-external-auth-settings{ class: ('expanded' if expanded) } - .settings-header - %h4 - = _('External authentication') - %button.btn.js-settings-toggle{ type: 'button' } - = expanded ? 'Collapse' : 'Expand' - %p - = _('External Classification Policy Authorization') - .settings-content - - = form_for @application_setting, url: admin_application_settings_path(anchor: 'js-external-auth-settings'), html: { class: 'fieldset-form' } do |f| - = form_errors(@application_setting) - - %fieldset - .form-group - .form-check - = f.check_box :external_authorization_service_enabled, class: 'form-check-input' - = f.label :external_authorization_service_enabled, class: 'form-check-label' do - = _('Enable classification control using an external service') - %span.form-text.text-muted - = external_authorization_description - = link_to icon('question-circle'), help_page_path('user/admin_area/settings/external_authorization') - .form-group - = f.label :external_authorization_service_url, _('Service URL'), class: 'label-bold' - = f.text_field :external_authorization_service_url, class: 'form-control' - %span.form-text.text-muted - = external_authorization_url_help_text - .form-group - = f.label :external_authorization_service_timeout, _('External authorization request timeout'), class: 'label-bold' - = f.number_field :external_authorization_service_timeout, class: 'form-control', min: 0.001, max: 10, step: 0.001 - %span.form-text.text-muted - = external_authorization_timeout_help_text - = f.label :external_auth_client_cert, _('Client authentication certificate'), class: 'label-bold' - = f.text_area :external_auth_client_cert, class: 'form-control' - %span.form-text.text-muted - = external_authorization_client_certificate_help_text - .form-group - = f.label :external_auth_client_key, _('Client authentication key'), class: 'label-bold' - = f.text_area :external_auth_client_key, class: 'form-control' - 
%span.form-text.text-muted - = external_authorization_client_key_help_text - .form-group - = f.label :external_auth_client_key_pass, _('Client authentication key password'), class: 'label-bold' - = f.password_field :external_auth_client_key_pass, class: 'form-control' - %span.form-text.text-muted - = external_authorization_client_pass_help_text - .form-group - = f.label :external_authorization_service_default_label, _('Default classification label'), class: 'label-bold' - = f.text_field :external_authorization_service_default_label, class: 'form-control' - - = f.submit 'Save changes', class: "btn btn-success" diff --git a/app/views/admin/application_settings/show.html.haml b/app/views/admin/application_settings/show.html.haml index 31f18ba0d5623b24c9546fe4e83fd1aeb3762187..fc9dd29b8ca3a31968b792dfb5e5eb30243658eb 100644 --- a/app/views/admin/application_settings/show.html.haml +++ b/app/views/admin/application_settings/show.html.haml @@ -68,7 +68,7 @@ .settings-content = render 'terms' -= render 'admin/application_settings/external_authorization_service_form', expanded: expanded_by_default? += render_if_exists 'admin/application_settings/external_authorization_service_form', expanded: expanded_by_default? %section.settings.as-terminal.no-animate#js-terminal-settings{ class: ('expanded' if expanded_by_default?) } .settings-header diff --git a/app/views/layouts/_page.html.haml b/app/views/layouts/_page.html.haml index 26a1f1e119c4911fb77bf64a61b39529b0713c12..1b2a4cd6780f6de166542a919a80044051d2e38e 100644 --- a/app/views/layouts/_page.html.haml +++ b/app/views/layouts/_page.html.haml @@ -7,7 +7,6 @@ .alert-wrapper = render "layouts/broadcast" = render "layouts/header/read_only_banner" - = render "layouts/nav/classification_level_banner" = yield :flash_message = render "shared/ping_consent" - unless @hide_breadcrumbs 
diff --git a/app/views/layouts/nav/_classification_level_banner.html.haml b/app/views/layouts/nav/_classification_level_banner.html.haml deleted file mode 100644 index cc4caf079b8b3bc6bcc8786f056e10e779c36175..0000000000000000000000000000000000000000 --- a/app/views/layouts/nav/_classification_level_banner.html.haml +++ /dev/null @@ -1,5 +0,0 @@ -- if ::Gitlab::ExternalAuthorization.enabled? && @project - = content_for :header_content do - %span.badge.color-label.classification-label.has-tooltip{ title: s_('ExternalAuthorizationService|Classification label') } - = sprite_icon('lock-open', size: 8, css_class: 'inline') - = @project.external_authorization_classification_label diff --git a/app/views/projects/_classification_policy_settings.html.haml b/app/views/projects/_classification_policy_settings.html.haml deleted file mode 100644 index 57c7a718d539ce15b3ad28fb35f62c7f45a62601..0000000000000000000000000000000000000000 --- a/app/views/projects/_classification_policy_settings.html.haml +++ /dev/null @@ -1,8 +0,0 @@ -- if ::Gitlab::ExternalAuthorization.enabled? - .form-group - = f.label :external_authorization_classification_label, class: 'label-bold' do - = s_('ExternalAuthorizationService|Classification Label') - %span.light (optional) - = f.text_field :external_authorization_classification_label, class: "form-control" - %span.form-text.text-muted - = external_classification_label_help_message diff --git a/app/views/projects/edit.html.haml b/app/views/projects/edit.html.haml index abf2fb7dc573b93a8071e5c6501526a120314e8b..98017bea0c953334e29046b5bfd841181b943822 100644 --- a/app/views/projects/edit.html.haml +++ b/app/views/projects/edit.html.haml 
@@ -32,7 +32,7 @@ %span.light (optional) = f.text_area :description, class: "form-control", rows: 3, maxlength: 250 - = render 'projects/classification_policy_settings', f: f + = render_if_exists 'projects/classification_policy_settings', f: f = render_if_exists 'shared/repository_size_limit_setting', form: f, type: :project diff --git a/changelogs/unreleased/57131-external_auth_to_core.yml b/changelogs/unreleased/57131-external_auth_to_core.yml deleted file mode 100644 index aacd3916c82d10cef968b62a9f30fadf24e03bbc..0000000000000000000000000000000000000000 --- a/changelogs/unreleased/57131-external_auth_to_core.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Move "Authorize project access with external service" to Core -merge_request: 26823 -author: -type: changed diff --git a/db/migrate/20171211131502_add_external_classification_authorization_settings_to_appliction_settings.rb b/db/migrate/20171211131502_add_external_classification_authorization_settings_to_appliction_settings.rb deleted file mode 100644 index a7dec8732fb8b1091f07ab633b9cef80a15be26e..0000000000000000000000000000000000000000 --- a/db/migrate/20171211131502_add_external_classification_authorization_settings_to_appliction_settings.rb +++ /dev/null 
@@ -1,29 +0,0 @@ -class AddExternalClassificationAuthorizationSettingsToApplictionSettings < ActiveRecord::Migration[4.2] - include Gitlab::Database::MigrationHelpers - - DOWNTIME = false - - disable_ddl_transaction! - - def up - add_column_with_default :application_settings, - :external_authorization_service_enabled, - :boolean, - default: false - add_column :application_settings, - :external_authorization_service_url, - :string - add_column :application_settings, - :external_authorization_service_default_label, - :string - end - - def down - remove_column :application_settings, - :external_authorization_service_default_label - remove_column :application_settings, - :external_authorization_service_url - remove_column :application_settings, - :external_authorization_service_enabled - end -end diff --git a/db/migrate/20171218140451_add_external_authorization_service_classification_label_to_projects.rb b/db/migrate/20171218140451_add_external_authorization_service_classification_label_to_projects.rb deleted file mode 100644 index 7b83580f02557cc5b5c9491fb4e0724bf4dc55cb..0000000000000000000000000000000000000000 --- a/db/migrate/20171218140451_add_external_authorization_service_classification_label_to_projects.rb +++ /dev/null @@ -1,11 +0,0 @@ -class AddExternalAuthorizationServiceClassificationLabelToProjects < ActiveRecord::Migration[4.2] - include Gitlab::Database::MigrationHelpers - - DOWNTIME = false - - def change - add_column :projects, - :external_authorization_classification_label, - :string - end -end diff --git a/db/migrate/20180314100728_add_external_authorization_service_timeout_to_application_settings.rb b/db/migrate/20180314100728_add_external_authorization_service_timeout_to_application_settings.rb deleted file mode 100644 index c3c6aa0ddf8333602f169e7479d1517ccd2d967d..0000000000000000000000000000000000000000 --- a/db/migrate/20180314100728_add_external_authorization_service_timeout_to_application_settings.rb +++ /dev/null 
@@ -1,18 +0,0 @@ -class AddExternalAuthorizationServiceTimeoutToApplicationSettings < ActiveRecord::Migration[4.2] - include Gitlab::Database::MigrationHelpers - - DOWNTIME = false - - def up - # We can use the regular `add_column` with a default since `application_settings` - # is a small table. - add_column :application_settings, - :external_authorization_service_timeout, - :float, - default: 0.5 - end - - def down - remove_column :application_settings, :external_authorization_service_timeout - end -end diff --git a/db/migrate/20180315160435_add_external_auth_mutual_tls_fields_to_project_settings.rb b/db/migrate/20180315160435_add_external_auth_mutual_tls_fields_to_project_settings.rb deleted file mode 100644 index ee3d1078f5e74a937e8b8f45bd2829b355d72f14..0000000000000000000000000000000000000000 --- a/db/migrate/20180315160435_add_external_auth_mutual_tls_fields_to_project_settings.rb +++ /dev/null @@ -1,16 +0,0 @@ -class AddExternalAuthMutualTlsFieldsToProjectSettings < ActiveRecord::Migration[4.2] - DOWNTIME = false - - def change - add_column :application_settings, - :external_auth_client_cert, :text - add_column :application_settings, - :encrypted_external_auth_client_key, :text - add_column :application_settings, - :encrypted_external_auth_client_key_iv, :string - add_column :application_settings, - :encrypted_external_auth_client_key_pass, :string - add_column :application_settings, - :encrypted_external_auth_client_key_pass_iv, :string - end -end diff --git a/db/schema.rb b/db/schema.rb index 4258c5c4dfb52af8e72c5af611c754aaeb687787..b20fe4b3d392c9d0f6a556bd4e59173ecb1fd387 100644 --- a/db/schema.rb +++ b/db/schema.rb 
@@ -177,15 +177,6 @@ ActiveRecord::Schema.define(version: 20190325165127) do t.string "runners_registration_token_encrypted" t.integer "local_markdown_version", default: 0, null: false t.integer "first_day_of_week", default: 0, null: false - t.boolean "external_authorization_service_enabled", default: false, null: false - t.string "external_authorization_service_url" - t.string "external_authorization_service_default_label" - t.float "external_authorization_service_timeout", default: 0.5 - t.text "external_auth_client_cert" - t.text "encrypted_external_auth_client_key" - t.string "encrypted_external_auth_client_key_iv" - t.string "encrypted_external_auth_client_key_pass" - t.string "encrypted_external_auth_client_key_pass_iv" t.index ["usage_stats_set_by_user_id"], name: "index_application_settings_on_usage_stats_set_by_user_id", using: :btree end @@ -1763,7 +1754,6 @@ ActiveRecord::Schema.define(version: 20190325165127) do t.string "runners_token_encrypted" t.string "bfg_object_map" t.boolean "detected_repository_languages" - t.string "external_authorization_classification_label" t.index ["ci_id"], name: "index_projects_on_ci_id", using: :btree t.index ["created_at"], name: "index_projects_on_created_at", using: :btree t.index ["creator_id"], name: "index_projects_on_creator_id", using: :btree diff --git a/lib/api/entities.rb b/lib/api/entities.rb index 079ee7f5cccd1c0530e78bcdef260e403a1c08cb..2dd3120d3fc37ea8ea6d84a882a25397be9f3748 100644 --- a/lib/api/entities.rb +++ b/lib/api/entities.rb @@ -277,7 +277,6 @@ module API expose :statistics, using: 'API::Entities::ProjectStatistics', if: -> (project, options) { options[:statistics] && Ability.allowed?(options[:current_user], :read_statistics, project) } - expose :external_authorization_classification_label # rubocop: disable CodeReuse/ActiveRecord def self.preload_relation(projects_relation, options = {}) 
@@ -1117,8 +1116,6 @@ module API expose(:default_snippet_visibility) { |setting, _options| Gitlab::VisibilityLevel.string_level(setting.default_snippet_visibility) } expose(:default_group_visibility) { |setting, _options| Gitlab::VisibilityLevel.string_level(setting.default_group_visibility) } - expose(*::ApplicationSettingsHelper.external_authorization_service_attributes) - # support legacy names, can be removed in v5 expose :password_authentication_enabled_for_web, as: :password_authentication_enabled expose :password_authentication_enabled_for_web, as: :signin_enabled diff --git a/lib/api/helpers/projects_helpers.rb b/lib/api/helpers/projects_helpers.rb index aaf32dafca494e3536649005e52a6d87d5423a0a..7b858dc2e72d8699f93c069e078640a6f9d3ce3f 100644 --- a/lib/api/helpers/projects_helpers.rb +++ b/lib/api/helpers/projects_helpers.rb @@ -29,13 +29,13 @@ module API optional :printing_merge_request_link_enabled, type: Boolean, desc: 'Show link to create/view merge request when pushing from the command line' optional :merge_method, type: String, values: %w(ff rebase_merge merge), desc: 'The merge method used when merging merge requests' optional :initialize_with_readme, type: Boolean, desc: "Initialize a project with a README.md" - optional :external_authorization_classification_label, type: String, desc: 'The classification label for the project' end if Gitlab.ee? params :optional_project_params_ee do optional :repository_storage, type: String, desc: 'Which storage shard the repository is on. Available only to admins' optional :approvals_before_merge, type: Integer, desc: 'How many approvers should approve merge request by default' + optional :external_authorization_classification_label, type: String, desc: 'The classification label for the project' optional :mirror, type: Boolean, desc: 'Enables pull mirroring in a project' optional :mirror_trigger_builds, type: Boolean, desc: 'Pull mirroring triggers builds' end 
@@ -72,8 +72,7 @@ module API :tag_list, :visibility, :wiki_enabled, - :avatar, - :external_authorization_classification_label + :avatar ] end end diff --git a/lib/api/settings.rb b/lib/api/settings.rb index 120c5f4ccfc401965cb85e1a12cce2dbb9686d90..d742c6c97c120056feea5020bad1fd98edb2ad86 100644 --- a/lib/api/settings.rb +++ b/lib/api/settings.rb @@ -167,9 +167,7 @@ module API optional :usage_ping_enabled, type: Boolean, desc: 'Every week GitLab will report license usage back to GitLab, Inc.' end - optional_attributes = [*::ApplicationSettingsHelper.visible_attributes, - *::ApplicationSettingsHelper.external_authorization_service_attributes, - :performance_bar_allowed_group_id] + optional_attributes = ::ApplicationSettingsHelper.visible_attributes << :performance_bar_allowed_group_id if Gitlab.ee? optional_attributes += EE::ApplicationSettingsHelper.possible_licensed_attributes diff --git a/lib/gitlab/external_authorization.rb b/lib/gitlab/external_authorization.rb deleted file mode 100644 index 25f8b7b3628424d2ff4a1ff7b70b6547bc17f0e3..0000000000000000000000000000000000000000 --- a/lib/gitlab/external_authorization.rb +++ /dev/null 
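Review bot: `optional_attributes = ::ApplicationSettingsHelper.visible_attributes << :performance_bar_allowed_group_id` appends in place to whatever array `visible_attributes` returns, whereas the splat form it replaces built a fresh array every time. If that helper ever returns a memoized or constant array (its definition is not part of this hunk), each load of `API::Settings` would push another `:performance_bar_allowed_group_id` onto the shared list, and the extra symbol would leak into every other caller that relies on `visible_attributes` to decide which application settings are mass-assignable. Prefer the non-mutating form, `optional_attributes = ::ApplicationSettingsHelper.visible_attributes + [:performance_bar_allowed_group_id]`, which also matches the `optional_attributes += ...` used for the EE attributes a few lines below.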
@@ -1,40 +0,0 @@ -# frozen_string_literal: true - -module Gitlab - module ExternalAuthorization - extend ExternalAuthorization::Config - - RequestFailed = Class.new(StandardError) - - def self.access_allowed?(user, label, project_path = nil) - return true unless perform_check? - return false unless user - - access_for_user_to_label(user, label, project_path).has_access? - end - - def self.rejection_reason(user, label) - return unless enabled? - return unless user - - access_for_user_to_label(user, label, nil).reason - end - - def self.access_for_user_to_label(user, label, project_path) - if RequestStore.active? - RequestStore.fetch("external_authorisation:user-#{user.id}:label-#{label}") do - load_access(user, label, project_path) - end - else - load_access(user, label, project_path) - end - end - - def self.load_access(user, label, project_path) - access = ::Gitlab::ExternalAuthorization::Access.new(user, label).load! - ::Gitlab::ExternalAuthorization::Logger.log_access(access, project_path) - - access - end - end -end diff --git a/lib/gitlab/external_authorization/access.rb b/lib/gitlab/external_authorization/access.rb deleted file mode 100644 index e111c41fcc2f39a6d9b1ca762590c471b24a5836..0000000000000000000000000000000000000000 --- a/lib/gitlab/external_authorization/access.rb +++ /dev/null 
@@ -1,55 +0,0 @@ -# frozen_string_literal: true - -module Gitlab - module ExternalAuthorization - class Access - attr_reader :user, - :reason, - :loaded_at, - :label, - :load_type - - def initialize(user, label) - @user, @label = user, label - end - - def loaded? - loaded_at && (loaded_at > ExternalAuthorization::Cache::VALIDITY_TIME.ago) - end - - def has_access? - @access - end - - def load! - load_from_cache - load_from_service unless loaded? - self - end - - private - - def load_from_cache - @load_type = :cache - @access, @reason, @loaded_at = cache.load - end - - def load_from_service - @load_type = :request - response = Client.new(@user, @label).request_access - @access = response.successful? - @reason = response.reason - @loaded_at = Time.now - cache.store(@access, @reason, @loaded_at) if response.valid? - rescue ::Gitlab::ExternalAuthorization::RequestFailed => e - @access = false - @reason = e.message - @loaded_at = Time.now - end - - def cache - @cache ||= ExternalAuthorization::Cache.new(@user, @label) - end - end - end -end diff --git a/lib/gitlab/external_authorization/cache.rb b/lib/gitlab/external_authorization/cache.rb deleted file mode 100644 index acdc028b4dcedffb73f7cae8a1899c16dd906bf3..0000000000000000000000000000000000000000 --- a/lib/gitlab/external_authorization/cache.rb +++ /dev/null 
@@ -1,62 +0,0 @@ -# frozen_string_literal: true - -module Gitlab - module ExternalAuthorization - class Cache - VALIDITY_TIME = 6.hours - - def initialize(user, label) - @user, @label = user, label - end - - def load - @access, @reason, @refreshed_at = ::Gitlab::Redis::Cache.with do |redis| - redis.hmget(cache_key, :access, :reason, :refreshed_at) - end - - [access, reason, refreshed_at] - end - - def store(new_access, new_reason, new_refreshed_at) - ::Gitlab::Redis::Cache.with do |redis| - redis.pipelined do - redis.mapped_hmset( - cache_key, - { - access: new_access.to_s, - reason: new_reason.to_s, - refreshed_at: new_refreshed_at.to_s - } - ) - - redis.expire(cache_key, VALIDITY_TIME) - end - end - end - - private - - def access - ::Gitlab::Utils.to_boolean(@access) - end - - def reason - # `nil` if the cached value was an empty string - return unless @reason.present? - - @reason - end - - def refreshed_at - # Don't try to parse a time if there was no cache - return unless @refreshed_at.present? - - Time.parse(@refreshed_at) - end - - def cache_key - "external_authorization:user-#{@user.id}:label-#{@label}" - end - end - end -end diff --git a/lib/gitlab/external_authorization/client.rb b/lib/gitlab/external_authorization/client.rb deleted file mode 100644 index 60aab2e70446f0e16ba192c63ac97604c02c4842..0000000000000000000000000000000000000000 --- a/lib/gitlab/external_authorization/client.rb +++ /dev/null 
@@ -1,63 +0,0 @@ -# frozen_string_literal: true - -Excon.defaults[:ssl_verify_peer] = false - -module Gitlab - module ExternalAuthorization - class Client - include ExternalAuthorization::Config - - REQUEST_HEADERS = { - 'Content-Type' => 'application/json', - 'Accept' => 'application/json' - }.freeze - - def initialize(user, label) - @user, @label = user, label - end - - def request_access - response = Excon.post( - service_url, - post_params - ) - ::Gitlab::ExternalAuthorization::Response.new(response) - rescue Excon::Error => e - raise ::Gitlab::ExternalAuthorization::RequestFailed.new(e) - end - - private - - def post_params - params = { headers: REQUEST_HEADERS, - body: body.to_json, - connect_timeout: timeout, - read_timeout: timeout, - write_timeout: timeout } - - if has_tls? - params[:client_cert_data] = client_cert - params[:client_key_data] = client_key - params[:client_key_pass] = client_key_pass - end - - params - end - - def body - @body ||= begin - body = { - user_identifier: @user.email, - project_classification_label: @label - } - - if @user.ldap_identity - body[:user_ldap_dn] = @user.ldap_identity.extern_uid - end - - body - end - end - end - end -end diff --git a/lib/gitlab/external_authorization/config.rb b/lib/gitlab/external_authorization/config.rb deleted file mode 100644 index 8654a8c1e2e5c31cb6c056323c7113440bf10ee2..0000000000000000000000000000000000000000 --- a/lib/gitlab/external_authorization/config.rb +++ /dev/null 
@@ -1,47 +0,0 @@ -# frozen_string_literal: true - -module Gitlab - module ExternalAuthorization - module Config - extend self - - def timeout - application_settings.external_authorization_service_timeout - end - - def service_url - application_settings.external_authorization_service_url - end - - def enabled? - application_settings.external_authorization_service_enabled - end - - def perform_check? - enabled? && service_url.present? - end - - def client_cert - application_settings.external_auth_client_cert - end - - def client_key - application_settings.external_auth_client_key - end - - def client_key_pass - application_settings.external_auth_client_key_pass - end - - def has_tls? - client_cert.present? && client_key.present? - end - - private - - def application_settings - ::Gitlab::CurrentSettings.current_application_settings - end - end - end -end diff --git a/lib/gitlab/external_authorization/logger.rb b/lib/gitlab/external_authorization/logger.rb deleted file mode 100644 index 61246cd870e6ba16eb5d667bd083fc37d5a0c56c..0000000000000000000000000000000000000000 --- a/lib/gitlab/external_authorization/logger.rb +++ /dev/null @@ -1,21 +0,0 @@ -# frozen_string_literal: true - -module Gitlab - module ExternalAuthorization - class Logger < ::Gitlab::Logger - def self.log_access(access, project_path) - status = access.has_access? ? "GRANTED" : "DENIED" - message = ["#{status} #{access.user.email} access to '#{access.label}'"] - - message << "(#{project_path})" if project_path.present? - message << "- #{access.load_type} #{access.loaded_at}" if access.load_type == :cache - - info(message.join(' ')) - end - - def self.file_name_noext - 'external-policy-access-control' - end - end - end -end diff --git a/lib/gitlab/external_authorization/response.rb b/lib/gitlab/external_authorization/response.rb deleted file mode 100644 index 4f3fe5882db26001415fa02fe32b2d7e065b1439..0000000000000000000000000000000000000000 
--- a/lib/gitlab/external_authorization/response.rb +++ /dev/null @@ -1,38 +0,0 @@ -# frozen_string_literal: true - -module Gitlab - module ExternalAuthorization - class Response - include ::Gitlab::Utils::StrongMemoize - - def initialize(excon_response) - @excon_response = excon_response - end - - def valid? - @excon_response && [200, 401, 403].include?(@excon_response.status) - end - - def successful? - valid? && @excon_response.status == 200 - end - - def reason - parsed_response['reason'] if parsed_response - end - - private - - def parsed_response - strong_memoize(:parsed_response) { parse_response! } - end - - def parse_response! - JSON.parse(@excon_response.body) - rescue JSON::JSONError - # The JSON response is optional, so don't fail when it's missing - nil - end - end - end -end diff --git a/locale/gitlab.pot b/locale/gitlab.pot index fa7481a7177fdb9d5aa3870433278f48560f2528..6d5abda257c52b90686999e6b67986f8556068cc 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot @@ -390,9 +390,6 @@ msgstr "" msgid "Access forbidden. Check your access level." msgstr "" -msgid "Access to '%{classification_label}' not allowed" -msgstr "" - msgid "Account" msgstr "" @@ -1656,9 +1653,6 @@ msgstr "" msgid "CiVariable|Validation failed" msgstr "" -msgid "ClassificationLabelUnavailable|is unavailable: %{reason}" -msgstr "" - msgid "Clear" msgstr "" @@ -1689,15 +1683,6 @@ msgstr "" msgid "Click to expand text" msgstr "" -msgid "Client authentication certificate" -msgstr "" - -msgid "Client authentication key" -msgstr "" - -msgid "Client authentication key password" -msgstr "" - msgid "Clients" msgstr "" @@ -2732,9 +2717,6 @@ msgstr "" msgid "Default artifacts expiration" msgstr "" -msgid "Default classification label" -msgstr "" - msgid "Default first day of the week" msgstr "" 
@@ -3145,9 +3127,6 @@ msgstr "" msgid "Enable and configure Prometheus metrics." msgstr "" -msgid "Enable classification control using an external service" -msgstr "" - msgid "Enable error tracking" msgstr "" @@ -3574,33 +3553,12 @@ msgstr "" msgid "Explore public groups" msgstr "" -msgid "External Classification Policy Authorization" -msgstr "" - msgid "External URL" msgstr "" msgid "External Wiki" msgstr "" -msgid "External authentication" -msgstr "" - -msgid "External authorization denied access to this project" -msgstr "" - -msgid "External authorization request timeout" -msgstr "" - -msgid "ExternalAuthorizationService|Classification Label" -msgstr "" - -msgid "ExternalAuthorizationService|Classification label" -msgstr "" - -msgid "ExternalAuthorizationService|When no classification label is set the default label `%{default_label}` will be used." -msgstr "" - msgid "Facebook" msgstr "" @@ -4307,9 +4265,6 @@ msgstr "" msgid "If enabled" msgstr "" -msgid "If enabled, access to projects will be validated on an external service using their classification label." -msgstr "" - msgid "If your HTTP repository is not publicly accessible, add authentication information to the URL: https://username:password@gitlab.company.com/group/project.git." msgstr "" @@ -7280,9 +7235,6 @@ msgstr "" msgid "Service Templates" msgstr "" -msgid "Service URL" -msgstr "" - msgid "Session duration (minutes)" msgstr "" 
@@ -8001,9 +7953,6 @@ msgstr "" msgid "The Issue Tracker is the place to add things that need to be improved or solved in a project. You can register or sign in to create issues for this project." msgstr "" -msgid "The X509 Certificate to use when mutual TLS is required to communicate with the external authorization service. If left blank, the server certificate is still validated when accessing over HTTPS." -msgstr "" - msgid "The character highlighter helps you keep the subject line to %{titleLength} characters and wrap the body at %{bodyLength} so they are readable in git." msgstr "" @@ -8079,9 +8028,6 @@ msgstr "" msgid "The name %{entryName} is already taken in this directory." msgstr "" -msgid "The passphrase required to decrypt the private key. This is optional and the value is encrypted at rest." -msgstr "" - msgid "The path to CI config file. Defaults to .gitlab-ci.yml" msgstr "" @@ -8094,9 +8040,6 @@ msgstr "" msgid "The planning stage shows the time from the previous step to pushing your first commit. This time will be added automatically once you push your first commit." msgstr "" -msgid "The private key to use when a client certificate is provided. This value is encrypted at rest." -msgstr "" - msgid "The production stage shows the total time it takes between creating an issue and deploying the code to production. The data will be automatically added once you have completed the full idea to production cycle." msgstr "" @@ -8460,9 +8403,6 @@ msgstr "" msgid "Time estimate" msgstr "" -msgid "Time in seconds GitLab will wait for a response from the external service. When the service does not respond in time, access will be denied." -msgstr "" - msgid "Time remaining" msgstr "" 
@@ -9235,9 +9175,6 @@ msgstr "" msgid "When enabled, users cannot use GitLab until the terms have been accepted." msgstr "" -msgid "When leaving the URL blank, classification labels can still be specified without disabling cross project features or performing external authorization checks." -msgstr "" - msgid "When:" msgstr "" @@ -9742,9 +9679,6 @@ msgstr "" msgid "connecting" msgstr "" -msgid "could not read private key, is the passphrase correct?" -msgstr "" - msgid "customize" msgstr "" @@ -9833,9 +9767,6 @@ msgstr "" msgid "index" msgstr "" -msgid "is not a valid X509 certificate." -msgstr "" - msgid "issue boards" msgstr "" @@ -10118,9 +10049,6 @@ msgstr "" msgid "private" msgstr "" -msgid "private key does not match certificate." -msgstr "" - msgid "processing" msgstr "" diff --git a/spec/controllers/admin/application_settings_controller_spec.rb b/spec/controllers/admin/application_settings_controller_spec.rb index 60b725f4cacb6cb9fd61e5c5d8fc0e9662493dc9..9af472df74ee0edbcae64f27e9893ccdb1e3b479 100644 --- a/spec/controllers/admin/application_settings_controller_spec.rb +++ b/spec/controllers/admin/application_settings_controller_spec.rb 
@@ -85,28 +85,6 @@ describe Admin::ApplicationSettingsController do expect(response).to redirect_to(admin_application_settings_path) expect(ApplicationSetting.current.receive_max_input_size).to eq(1024) end - - context 'external policy classification settings' do - let(:settings) do - { - external_authorization_service_enabled: true, - external_authorization_service_url: 'https://custom.service/', - external_authorization_service_default_label: 'default', - external_authorization_service_timeout: 3, - external_auth_client_cert: File.read('spec/fixtures/passphrase_x509_certificate.crt'), - external_auth_client_key: File.read('spec/fixtures/passphrase_x509_certificate_pk.key'), - external_auth_client_key_pass: "5iveL!fe" - } - end - - it 'updates settings when the feature is available' do - put :update, params: { application_setting: settings } - - settings.each do |attribute, value| - expect(ApplicationSetting.current.public_send(attribute)).to eq(value) - end - end - end end describe 'PUT #reset_registration_token' do diff --git a/spec/controllers/boards/issues_controller_spec.rb b/spec/controllers/boards/issues_controller_spec.rb index 309cac479285f738baa0e565cef876ef24539aef..5eb05f01b8d485f1dd5dcf58726773adbdc240f8 100644 --- a/spec/controllers/boards/issues_controller_spec.rb +++ b/spec/controllers/boards/issues_controller_spec.rb @@ -1,8 +1,6 @@ require 'spec_helper' describe Boards::IssuesController do - include ExternalAuthorizationServiceHelpers - let(:project) { create(:project, :private) } let(:board) { create(:board, project: project) } let(:user) { create(:user) } 
@@ -138,30 +136,6 @@ describe Boards::IssuesController do end end - context 'with external authorization' do - before do - sign_in(user) - enable_external_authorization_service_check - end - - it 'returns a 403 for group boards' do - group = create(:group) - group_board = create(:board, group: group) - - list_issues(user: user, board: group_board) - - expect(response).to have_gitlab_http_status(403) - end - - it 'is successful for project boards' do - project_board = create(:board, project: project) - - list_issues(user: user, board: project_board) - - expect(response).to have_gitlab_http_status(200) - end - end - def list_issues(user:, board:, list: nil) sign_in(user) diff --git a/spec/controllers/concerns/project_unauthorized_spec.rb b/spec/controllers/concerns/project_unauthorized_spec.rb deleted file mode 100644 index 90b59b027cfe341264705c9f240973c512e1829f..0000000000000000000000000000000000000000 --- a/spec/controllers/concerns/project_unauthorized_spec.rb +++ /dev/null 
@@ -1,51 +0,0 @@ -require 'spec_helper' - -describe ProjectUnauthorized do - include ExternalAuthorizationServiceHelpers - let(:user) { create(:user) } - - before do - sign_in user - end - - render_views - - describe '#project_unauthorized_proc' do - controller(::Projects::ApplicationController) do - def show - head :ok - end - end - - let(:project) { create(:project) } - - before do - project.add_developer(user) - end - - it 'renders a 200 when the service allows access to the project' do - external_service_allow_access(user, project) - - get :show, params: { namespace_id: project.namespace.to_param, id: project.to_param } - - expect(response).to have_gitlab_http_status(200) - end - - it 'renders a 403 when the service denies access to the project' do - external_service_deny_access(user, project) - - get :show, params: { namespace_id: project.namespace.to_param, id: project.to_param } - - expect(response).to have_gitlab_http_status(403) - expect(response.body).to match("External authorization denied access to this project") - end - - it 'renders a 404 when the user cannot see the project at all' do - other_project = create(:project, :private) - - get :show, params: { namespace_id: other_project.namespace.to_param, id: other_project.to_param } - - expect(response).to have_gitlab_http_status(404) - end - end -end diff --git a/spec/controllers/dashboard/groups_controller_spec.rb b/spec/controllers/dashboard/groups_controller_spec.rb index 775b3ca40b2a8e6ef10229b513e149f2c491d462..c8d99f792774c2634953b9f6e48eae61143554ee 100644 --- a/spec/controllers/dashboard/groups_controller_spec.rb +++ b/spec/controllers/dashboard/groups_controller_spec.rb @@ -1,8 +1,6 @@ require 'spec_helper' describe Dashboard::GroupsController do - include ExternalAuthorizationServiceHelpers - let(:user) { create(:user) } before do 
@@ -13,43 +11,33 @@ describe Dashboard::GroupsController do expect(described_class).to include(GroupTree) end - describe '#index' do - it 'only includes projects the user is a member of' do - member_of_group = create(:group) - member_of_group.add_developer(user) - create(:group, :public) - - get :index - - expect(assigns(:groups)).to contain_exactly(member_of_group) - end + it 'only includes projects the user is a member of' do + member_of_group = create(:group) + member_of_group.add_developer(user) + create(:group, :public) - context 'when rendering an expanded hierarchy with public groups you are not a member of', :nested_groups do - let!(:top_level_result) { create(:group, name: 'chef-top') } - let!(:top_level_a) { create(:group, name: 'top-a') } - let!(:sub_level_result_a) { create(:group, name: 'chef-sub-a', parent: top_level_a) } - let!(:other_group) { create(:group, name: 'other') } + get :index - before do - top_level_result.add_maintainer(user) - top_level_a.add_maintainer(user) - end + expect(assigns(:groups)).to contain_exactly(member_of_group) + end - it 'renders only groups the user is a member of when searching hierarchy correctly' do - get :index, params: { filter: 'chef' }, format: :json + context 'when rendering an expanded hierarchy with public groups you are not a member of', :nested_groups do + let!(:top_level_result) { create(:group, name: 'chef-top') } + let!(:top_level_a) { create(:group, name: 'top-a') } + let!(:sub_level_result_a) { create(:group, name: 'chef-sub-a', parent: top_level_a) } + let!(:other_group) { create(:group, name: 'other') } - expect(response).to have_gitlab_http_status(200) - all_groups = [top_level_result, top_level_a, sub_level_result_a] - expect(assigns(:groups)).to contain_exactly(*all_groups) - end + before do + top_level_result.add_maintainer(user) + top_level_a.add_maintainer(user) end - it 'works when the external authorization service is enabled' do - enable_external_authorization_service_check - - get :index + 
it 'renders only groups the user is a member of when searching hierarchy correctly' do + get :index, params: { filter: 'chef' }, format: :json expect(response).to have_gitlab_http_status(200) + all_groups = [top_level_result, top_level_a, sub_level_result_a] + expect(assigns(:groups)).to contain_exactly(*all_groups) end end end diff --git a/spec/controllers/dashboard/labels_controller_spec.rb b/spec/controllers/dashboard/labels_controller_spec.rb index 01de896f9f49aabcc282ca9f943e3b724588c1f7..a3bfb2f3a8785a66b94d0376b39432d08475da1e 100644 --- a/spec/controllers/dashboard/labels_controller_spec.rb +++ b/spec/controllers/dashboard/labels_controller_spec.rb @@ -13,17 +13,13 @@ describe Dashboard::LabelsController do describe "#index" do let!(:unrelated_label) { create(:label, project: create(:project, :public)) } - subject { get :index, format: :json } - it 'returns global labels for projects the user has a relationship with' do - subject + get :index, format: :json expect(json_response).to be_kind_of(Array) expect(json_response.size).to eq(1) expect(json_response[0]["id"]).to be_nil expect(json_response[0]["title"]).to eq(label.title) end - - it_behaves_like 'disabled when using an external authorization service' end end diff --git a/spec/controllers/dashboard/milestones_controller_spec.rb b/spec/controllers/dashboard/milestones_controller_spec.rb index 1614739db055adb706bcc1cf526dad1c382447db..828de0e7ca5e540684a7b90a10e2cd47ca0c52e2 100644 --- a/spec/controllers/dashboard/milestones_controller_spec.rb +++ b/spec/controllers/dashboard/milestones_controller_spec.rb @@ -81,11 +81,5 @@ describe Dashboard::MilestonesController do expect(response.body).to include("Open\n2") expect(response.body).to include("Closed\n0") end - - context 'external authorization' do - subject { get :index } - - it_behaves_like 'disabled when using an external authorization service' - end end end 
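Review bot: Most of this hunk in `dashboard/groups_controller_spec.rb` is re-indentation from dropping the `describe '#index'` wrapper, which buries the one substantive change (removing the `enable_external_authorization_service_check` example) and makes it harder to spot in blame. Keeping `describe '#index' do` around the remaining examples and deleting only the `it 'works when the external authorization service is enabled'` block would make this a pure deletion with identical coverage. While here, the surviving example name `only includes projects the user is a member of` asserts on `assigns(:groups)` and would read more accurately as `only includes groups the user is a member of`. The enclosing `describe Dashboard::GroupsController` block starts outside the hunk.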
diff --git a/spec/controllers/dashboard/projects_controller_spec.rb b/spec/controllers/dashboard/projects_controller_spec.rb index c17cb49e460e69ee2bb63fb75a1a1bfd39d72e4f..649441f4917a9e0fa70b121e5c8f992a2e5f66e8 100644 --- a/spec/controllers/dashboard/projects_controller_spec.rb +++ b/spec/controllers/dashboard/projects_controller_spec.rb @@ -1,29 +1,7 @@ require 'spec_helper' describe Dashboard::ProjectsController do - include ExternalAuthorizationServiceHelpers - - describe '#index' do - context 'user not logged in' do - it_behaves_like 'authenticates sessionless user', :index, :atom - end - - context 'user logged in' do - before do - sign_in create(:user) - end - - context 'external authorization' do - it 'works when the external authorization service is enabled' do - enable_external_authorization_service_check - - get :index - - expect(response).to have_gitlab_http_status(200) - end - end - end - end + it_behaves_like 'authenticates sessionless user', :index, :atom context 'json requests' do render_views diff --git a/spec/controllers/dashboard/todos_controller_spec.rb b/spec/controllers/dashboard/todos_controller_spec.rb index abbf0b523064050d1639efb962a03f21199b984c..d88beaff0e130d6084003d87c52e8ed2893e8929 100644 --- a/spec/controllers/dashboard/todos_controller_spec.rb +++ b/spec/controllers/dashboard/todos_controller_spec.rb @@ -105,12 +105,6 @@ describe Dashboard::TodosController do end end end - - context 'external authorization' do - subject { get :index } - - it_behaves_like 'disabled when using an external authorization service' - end end describe 'PATCH #restore' do diff --git a/spec/controllers/groups/avatars_controller_spec.rb b/spec/controllers/groups/avatars_controller_spec.rb index 6ececa6f3721afa1f97a4123feb84b065367836e..772d1d0c1dd2933994a139cd2e6ac2fc84cb90fe 100644 --- a/spec/controllers/groups/avatars_controller_spec.rb +++ b/spec/controllers/groups/avatars_controller_spec.rb 
@@ -1,8 +1,6 @@ require 'spec_helper' describe Groups::AvatarsController do - include ExternalAuthorizationServiceHelpers - let(:user) { create(:user) } let(:group) { create(:group, avatar: fixture_file_upload("spec/fixtures/dk.png", "image/png")) } @@ -17,12 +15,4 @@ describe Groups::AvatarsController do expect(@group.avatar.present?).to be_falsey expect(@group).to be_valid end - - it 'works when external authorization service is enabled' do - enable_external_authorization_service_check - - delete :destroy, params: { group_id: group } - - expect(response).to have_gitlab_http_status(302) - end end diff --git a/spec/controllers/groups/boards_controller_spec.rb b/spec/controllers/groups/boards_controller_spec.rb index 0ca5ce51750fcfad16a762b896d00d9816d2b471..27ee37b381722bc943e16c7b0679d9093466ca03 100644 --- a/spec/controllers/groups/boards_controller_spec.rb +++ b/spec/controllers/groups/boards_controller_spec.rb @@ -82,10 +82,6 @@ describe Groups::BoardsController do end end - it_behaves_like 'disabled when using an external authorization service' do - subject { list_boards } - end - def list_boards(format: :html) get :index, params: { group_id: group }, format: format end @@ -164,10 +160,6 @@ describe Groups::BoardsController do end end - it_behaves_like 'disabled when using an external authorization service' do - subject { read_board board: board } - end - def read_board(board:, format: :html) get :show, params: { group_id: group, diff --git a/spec/controllers/groups/children_controller_spec.rb b/spec/controllers/groups/children_controller_spec.rb index 4085c8f95a96d484d9f217edbc25b12c7281b8e4..e1b97013408462bd5076dabf5962544cf460152d 100644 --- a/spec/controllers/groups/children_controller_spec.rb +++ b/spec/controllers/groups/children_controller_spec.rb 
@@ -1,8 +1,6 @@ require 'spec_helper' describe Groups::ChildrenController do - include ExternalAuthorizationServiceHelpers - let(:group) { create(:group, :public) } let(:user) { create(:user) } let!(:group_member) { create(:group_member, group: group, user: user) } @@ -319,15 +317,5 @@ describe Groups::ChildrenController do end end end - - context 'external authorization' do - it 'works when external authorization service is enabled' do - enable_external_authorization_service_check - - get :index, params: { group_id: group }, format: :json - - expect(response).to have_gitlab_http_status(200) - end - end end end diff --git a/spec/controllers/groups/group_members_controller_spec.rb b/spec/controllers/groups/group_members_controller_spec.rb index 96a58d6d87cb7de1159a2392e056ea8619932f75..3a801fabafc7294668b58f4b2470ae7f0d986803 100644 --- a/spec/controllers/groups/group_members_controller_spec.rb +++ b/spec/controllers/groups/group_members_controller_spec.rb @@ -1,11 +1,8 @@ require 'spec_helper' describe Groups::GroupMembersController do - include ExternalAuthorizationServiceHelpers - let(:user) { create(:user) } let(:group) { create(:group, :public, :access_requestable) } - let(:membership) { create(:group_member, group: group) } describe 'GET index' do it 'renders index with 200 status code' do 
@@ -266,87 +263,4 @@ describe Groups::GroupMembersController do end end end - - context 'with external authorization enabled' do - before do - enable_external_authorization_service_check - group.add_owner(user) - sign_in(user) - end - - describe 'GET #index' do - it 'is successful' do - get :index, params: { group_id: group } - - expect(response).to have_gitlab_http_status(200) - end - end - - describe 'POST #create' do - it 'is successful' do - post :create, params: { group_id: group, users: user, access_level: Gitlab::Access::GUEST } - - expect(response).to have_gitlab_http_status(302) - end - end - - describe 'PUT #update' do - it 'is successful' do - put :update, - params: { - group_member: { access_level: Gitlab::Access::GUEST }, - group_id: group, - id: membership - }, - format: :js - - expect(response).to have_gitlab_http_status(200) - end - end - - describe 'DELETE #destroy' do - it 'is successful' do - delete :destroy, params: { group_id: group, id: membership } - - expect(response).to have_gitlab_http_status(302) - end - end - - describe 'POST #destroy' do - it 'is successful' do - sign_in(create(:user)) - - post :request_access, params: { group_id: group } - - expect(response).to have_gitlab_http_status(302) - end - end - - describe 'POST #approve_request_access' do - it 'is successful' do - access_request = create(:group_member, :access_request, group: group) - post :approve_access_request, params: { group_id: group, id: access_request } - - expect(response).to have_gitlab_http_status(302) - end - end - - describe 'DELETE #leave' do - it 'is successful' do - group.add_owner(create(:user)) - - delete :leave, params: { group_id: group } - - expect(response).to have_gitlab_http_status(302) - end - end - - describe 'POST #resend_invite' do - it 'is successful' do - post :resend_invite, params: { group_id: group, id: membership } - - expect(response).to have_gitlab_http_status(302) - end - end - end end 
diff --git a/spec/controllers/groups/labels_controller_spec.rb b/spec/controllers/groups/labels_controller_spec.rb index 9af471148381669bcd5d8f9d588aef6048874139..fa664a29066e89a998093df71fb465a5b65667ff 100644 --- a/spec/controllers/groups/labels_controller_spec.rb +++ b/spec/controllers/groups/labels_controller_spec.rb @@ -37,12 +37,6 @@ describe Groups::LabelsController do expect(label_ids).to match_array([group_label_1.title, subgroup_label_1.title]) end end - - context 'external authorization' do - subject { get :index, params: { group_id: group.to_param } } - - it_behaves_like 'disabled when using an external authorization service' - end end describe 'POST #toggle_subscription' do diff --git a/spec/controllers/groups/milestones_controller_spec.rb b/spec/controllers/groups/milestones_controller_spec.rb index d70946cbc8fe22de36a544ffe77b162fdad30dfa..043cf28514bcc3789afda42366c7d29abaa9500f 100644 --- a/spec/controllers/groups/milestones_controller_spec.rb +++ b/spec/controllers/groups/milestones_controller_spec.rb @@ -80,12 +80,6 @@ describe Groups::MilestonesController do expect(response.content_type).to eq 'application/json' end end - - context 'external authorization' do - subject { get :index, params: { group_id: group.to_param } } - - it_behaves_like 'disabled when using an external authorization service' - end end describe '#show' do diff --git a/spec/controllers/groups/settings/ci_cd_controller_spec.rb b/spec/controllers/groups/settings/ci_cd_controller_spec.rb index b998f64ef72d0a5f28b961827c0d17a54a3f0c57..3290ed8b088bafd1d3d5e1310bcaeef0433183d2 100644 --- a/spec/controllers/groups/settings/ci_cd_controller_spec.rb +++ b/spec/controllers/groups/settings/ci_cd_controller_spec.rb @@ -1,8 +1,6 @@ require 'spec_helper' describe Groups::Settings::CiCdController do - include ExternalAuthorizationServiceHelpers - let(:group) { create(:group) } let(:user) { create(:user) } 
@@ -35,19 +33,6 @@ describe Groups::Settings::CiCdController do expect(response).to have_gitlab_http_status(404) end end - - context 'external authorization' do - before do - enable_external_authorization_service_check - group.add_owner(user) - end - - it 'renders show with 200 status code' do - get :show, params: { group_id: group } - - expect(response).to have_gitlab_http_status(200) - end - end end describe 'PUT #reset_registration_token' do diff --git a/spec/controllers/groups/variables_controller_spec.rb b/spec/controllers/groups/variables_controller_spec.rb index 40f05167350b84204a69a7ad7e2c39b1450d3ed2..29ec35883161486e1b9cc90ef077e542997b7e21 100644 --- a/spec/controllers/groups/variables_controller_spec.rb +++ b/spec/controllers/groups/variables_controller_spec.rb @@ -1,8 +1,6 @@ require 'spec_helper' describe Groups::VariablesController do - include ExternalAuthorizationServiceHelpers - let(:group) { create(:group) } let(:user) { create(:user) } @@ -36,36 +34,4 @@ describe Groups::VariablesController do include_examples 'PATCH #update updates variables' end - - context 'with external authorization enabled' do - before do - enable_external_authorization_service_check - end - - describe 'GET #show' do - let!(:variable) { create(:ci_group_variable, group: group) } - - it 'is successful' do - get :show, params: { group_id: group }, format: :json - - expect(response).to have_gitlab_http_status(200) - end - end - - describe 'PATCH #update' do - let!(:variable) { create(:ci_group_variable, group: group) } - let(:owner) { group } - - it 'is successful' do - patch :update, - params: { - group_id: group, - variables_attributes: [{ id: variable.id, key: 'hello' }] - }, - format: :json - - expect(response).to have_gitlab_http_status(200) - end - end - end end diff --git a/spec/controllers/groups_controller_spec.rb b/spec/controllers/groups_controller_spec.rb index 0adcba4f0b837ba275704145bc2b603cbdd470f6..2b803e7151f593c5bb920e950d4062f15e0a853d 100644 
--- a/spec/controllers/groups_controller_spec.rb +++ b/spec/controllers/groups_controller_spec.rb @@ -1,8 +1,6 @@ require 'spec_helper' describe GroupsController do - include ExternalAuthorizationServiceHelpers - let(:user) { create(:user) } let(:admin) { create(:admin) } let(:group) { create(:group, :public) } 
@@ -660,98 +658,4 @@ describe GroupsController do end end end - - describe 'external authorization' do - before do - group.add_owner(user) - sign_in(user) - end - - context 'with external authorization service enabled' do - before do - enable_external_authorization_service_check - end - - describe 'GET #show' do - it 'is successful' do - get :show, params: { id: group.to_param } - - expect(response).to have_gitlab_http_status(200) - end - - it 'does not allow other formats' do - get :show, params: { id: group.to_param }, format: :atom - - expect(response).to have_gitlab_http_status(403) - end - end - - describe 'GET #edit' do - it 'is successful' do - get :edit, params: { id: group.to_param } - - expect(response).to have_gitlab_http_status(200) - end - end - - describe 'GET #new' do - it 'is successful' do - get :new - - expect(response).to have_gitlab_http_status(200) - end - end - - describe 'GET #index' do - it 'is successful' do - get :index - - # Redirects to the dashboard - expect(response).to have_gitlab_http_status(302) - end - end - - describe 'POST #create' do - it 'creates a group' do - expect do - post :create, params: { group: { name: 'a name', path: 'a-name' } } - end.to change { Group.count }.by(1) - end - end - - describe 'PUT #update' do - it 'updates a group' do - expect do - put :update, params: { id: group.to_param, group: { name: 'world' } } - end.to change { group.reload.name } - end - end - - describe 'DELETE #destroy' do - it 'deletes the group' do - delete :destroy, params: { id: group.to_param } - - expect(response).to have_gitlab_http_status(302) - end - end - end - - describe 'GET #activity' do - subject { get :activity, params: { id: group.to_param } } - - it_behaves_like 'disabled when using an external authorization service' - end - - describe 'GET #issues' do - subject { get :issues, params: { id: group.to_param } } - - it_behaves_like 'disabled when using an external authorization service' - end - - describe 'GET #merge_requests' do 
- subject { get :merge_requests, params: { id: group.to_param } } - - it_behaves_like 'disabled when using an external authorization service' - end - end end diff --git a/spec/controllers/projects/boards_controller_spec.rb b/spec/controllers/projects/boards_controller_spec.rb index b1203fd00b0608dac081310be205054c20a46628..1eeded06459c7de98f0b1c1b288b84d39960f5cd 100644 --- a/spec/controllers/projects/boards_controller_spec.rb +++ b/spec/controllers/projects/boards_controller_spec.rb @@ -98,10 +98,6 @@ describe Projects::BoardsController do end end - it_behaves_like 'unauthorized when external service denies access' do - subject { list_boards } - end - def list_boards(format: :html) get :index, params: { namespace_id: project.namespace, diff --git a/spec/controllers/projects/issues_controller_spec.rb b/spec/controllers/projects/issues_controller_spec.rb index bfa23af76d59b3c79b91ea4195d40309c0f4fae7..c34d7c13d577db5f59941dc23d128754e4d19dce 100644 --- a/spec/controllers/projects/issues_controller_spec.rb +++ b/spec/controllers/projects/issues_controller_spec.rb @@ -127,17 +127,6 @@ describe Projects::IssuesController do expect(assigns(:issues).size).to eq(2) end end - - context 'external authorization' do - before do - sign_in user - project.add_developer(user) - end - - it_behaves_like 'unauthorized when external service denies access' do - subject { get :index, params: { namespace_id: project.namespace, project_id: project } } - end - end end describe 'GET #new' do diff --git a/spec/controllers/projects_controller_spec.rb b/spec/controllers/projects_controller_spec.rb index 1ce06bc877c7b73e9f5d0bbc88ffe86c212bc626..af437c5561bb3bd76d2120ca98606b018f51a2a0 100644 --- a/spec/controllers/projects_controller_spec.rb +++ b/spec/controllers/projects_controller_spec.rb @@ -1,7 +1,6 @@ require('spec_helper') describe ProjectsController do - include ExternalAuthorizationServiceHelpers include ProjectForksHelper let(:project) { create(:project) } 
@@ -412,37 +411,6 @@ describe ProjectsController do it_behaves_like 'updating a project' end - - context 'as maintainer' do - before do - project.add_maintainer(user) - sign_in(user) - end - - it_behaves_like 'unauthorized when external service denies access' do - subject do - put :update, - params: { - namespace_id: project.namespace, - id: project, - project: { description: 'Hello world' } - } - project.reload - end - - it 'updates when the service allows access' do - external_service_allow_access(user, project) - - expect { subject }.to change(project, :description) - end - - it 'does not update when the service rejects access' do - external_service_deny_access(user, project) - - expect { subject }.not_to change(project, :description) - end - end - end end describe '#transfer' do diff --git a/spec/controllers/search_controller_spec.rb b/spec/controllers/search_controller_spec.rb index 752d6ae55cc51b7b6a4e4102d53623c1aadfaa68..02a0cfe0272bebee0d4487f9f10f5f22c1182eb3 100644 --- a/spec/controllers/search_controller_spec.rb +++ b/spec/controllers/search_controller_spec.rb @@ -1,8 +1,6 @@ require 'spec_helper' describe SearchController do - include ExternalAuthorizationServiceHelpers - let(:user) { create(:user) } before do 
@@ -78,41 +76,4 @@ describe SearchController do expect(assigns[:search_objects].count).to eq(0) end end - - context 'with external authorization service enabled' do - let(:project) { create(:project, namespace: user.namespace) } - let(:note) { create(:note_on_issue, project: project) } - - before do - enable_external_authorization_service_check - end - - describe 'GET #show' do - it 'renders a 403 when no project is given' do - get :show, params: { scope: 'notes', search: note.note } - - expect(response).to have_gitlab_http_status(403) - end - - it 'renders a 200 when a project was set' do - get :show, params: { project_id: project.id, scope: 'notes', search: note.note } - - expect(response).to have_gitlab_http_status(200) - end - end - - describe 'GET #autocomplete' do - it 'renders a 403 when no project is given' do - get :autocomplete, params: { term: 'hello' } - - expect(response).to have_gitlab_http_status(403) - end - - it 'renders a 200 when a project was set' do - get :autocomplete, params: { project_id: project.id, term: 'hello' } - - expect(response).to have_gitlab_http_status(200) - end - end - end end diff --git a/spec/controllers/users_controller_spec.rb b/spec/controllers/users_controller_spec.rb index 42d28c53d348e1693cd9498e5782d8051590f5a7..4f6a6881193b39074354fa66eccc04772605f368 100644 --- a/spec/controllers/users_controller_spec.rb +++ b/spec/controllers/users_controller_spec.rb @@ -223,12 +223,6 @@ describe UsersController do end end - context 'external authorization' do - subject { get :calendar_activities, params: { username: user.username } } - - it_behaves_like 'disabled when using an external authorization service' - end - def create_push_event push_data = Gitlab::DataBuilder::Push.build_sample(project, public_user) EventCreateService.new.push(project, public_user, push_data) 
@@ -292,12 +286,6 @@ describe UsersController do expect(JSON.parse(response.body)).to have_key('html') end end - - context 'external authorization' do - subject { get :snippets, params: { username: user.username } } - - it_behaves_like 'disabled when using an external authorization service' - end end describe 'GET #exists' do diff --git a/spec/features/dashboard/group_dashboard_with_external_authorization_service_spec.rb b/spec/features/dashboard/group_dashboard_with_external_authorization_service_spec.rb deleted file mode 100644 index 4098dd02141a2823b0f72ce6e762204992a45e7c..0000000000000000000000000000000000000000 --- a/spec/features/dashboard/group_dashboard_with_external_authorization_service_spec.rb +++ /dev/null @@ -1,38 +0,0 @@ -require 'spec_helper' - -describe 'The group dashboard' do - include ExternalAuthorizationServiceHelpers - - let(:user) { create(:user) } - - before do - sign_in user - end - - describe 'The top navigation' do - it 'has all the expected links' do - visit dashboard_groups_path - - within('.navbar') do - expect(page).to have_button('Projects') - expect(page).to have_button('Groups') - expect(page).to have_link('Activity') - expect(page).to have_link('Milestones') - expect(page).to have_link('Snippets') - end - end - - it 'hides some links when an external authorization service is enabled' do - enable_external_authorization_service_check - visit dashboard_groups_path - - within('.navbar') do - expect(page).to have_button('Projects') - expect(page).to have_button('Groups') - expect(page).not_to have_link('Activity') - expect(page).not_to have_link('Milestones') - expect(page).to have_link('Snippets') - end - end - end -end diff --git a/spec/features/groups/group_page_with_external_authorization_service_spec.rb b/spec/features/groups/group_page_with_external_authorization_service_spec.rb deleted file mode 100644 index c05c3f4f3d6143342eacc6ab0d47f0a84b7b92c0..0000000000000000000000000000000000000000 
--- a/spec/features/groups/group_page_with_external_authorization_service_spec.rb +++ /dev/null @@ -1,58 +0,0 @@ -# frozen_string_literal: true - -require 'spec_helper' - -describe 'The group page' do - include ExternalAuthorizationServiceHelpers - - let(:user) { create(:user) } - let(:group) { create(:group) } - - before do - sign_in user - group.add_owner(user) - end - - def expect_all_sidebar_links - within('.nav-sidebar') do - expect(page).to have_link('Overview') - expect(page).to have_link('Details') - expect(page).to have_link('Activity') - expect(page).to have_link('Issues') - expect(page).to have_link('Merge Requests') - expect(page).to have_link('Members') - end - end - - describe 'The sidebar' do - it 'has all the expected links' do - visit group_path(group) - - expect_all_sidebar_links - end - - it 'shows all project features when policy control is enabled' do - stub_application_setting(external_authorization_service_enabled: true) - - visit group_path(group) - - expect_all_sidebar_links - end - - it 'hides some links when an external authorization service configured with an url' do - enable_external_authorization_service_check - visit group_path(group) - - within('.nav-sidebar') do - expect(page).to have_link('Overview') - expect(page).to have_link('Details') - expect(page).not_to have_link('Activity') - expect(page).not_to have_link('Contribution Analytics') - - expect(page).not_to have_link('Issues') - expect(page).not_to have_link('Merge Requests') - expect(page).to have_link('Members') - end - end - end -end diff --git a/spec/features/projects/classification_label_on_project_pages_spec.rb b/spec/features/projects/classification_label_on_project_pages_spec.rb deleted file mode 100644 index 92f8aa8eb8d5ccf15e5bec32b36bb0c8ad40e64c..0000000000000000000000000000000000000000 --- a/spec/features/projects/classification_label_on_project_pages_spec.rb +++ /dev/null 
@@ -1,22 +0,0 @@ -# frozen_string_literal: true - -require 'spec_helper' - -describe 'Classification label on project pages' do - let(:project) do - create(:project, external_authorization_classification_label: 'authorized label') - end - let(:user) { create(:user) } - - before do - stub_application_setting(external_authorization_service_enabled: true) - project.add_maintainer(user) - sign_in(user) - end - - it 'shows the classification label on the project page' do - visit project_path(project) - - expect(page).to have_content('authorized label') - end -end diff --git a/spec/features/projects/forks/fork_list_spec.rb b/spec/features/projects/forks/fork_list_spec.rb deleted file mode 100644 index 2c41c61a660f0673aec93ccff4c6f0a92b3c47a3..0000000000000000000000000000000000000000 --- a/spec/features/projects/forks/fork_list_spec.rb +++ /dev/null @@ -1,35 +0,0 @@ -require 'spec_helper' - -describe 'listing forks of a project' do - include ProjectForksHelper - include ExternalAuthorizationServiceHelpers - - let(:source) { create(:project, :public, :repository) } - let!(:fork) { fork_project(source, nil, repository: true) } - let(:user) { create(:user) } - - before do - source.add_maintainer(user) - sign_in(user) - end - - it 'shows the forked project in the list with commit as description' do - visit project_forks_path(source) - - page.within('li.project-row') do - expect(page).to have_content(fork.full_name) - expect(page).to have_css('a.commit-row-message') - end - end - - it 'does not show the commit message when an external authorization service is used' do - enable_external_authorization_service_check - - visit project_forks_path(source) - - page.within('li.project-row') do - expect(page).to have_content(fork.full_name) - expect(page).not_to have_css('a.commit-row-message') - end - end -end 
diff --git a/spec/features/projects/issues/viewing_issues_with_external_authorization_enabled_spec.rb b/spec/features/projects/issues/viewing_issues_with_external_authorization_enabled_spec.rb deleted file mode 100644 index a8612d77a5e25e18ce5c1add8aece6324fadb03e..0000000000000000000000000000000000000000 --- a/spec/features/projects/issues/viewing_issues_with_external_authorization_enabled_spec.rb +++ /dev/null 
@@ -1,128 +0,0 @@ -require 'spec_helper' - -describe 'viewing an issue with cross project references' do - include ExternalAuthorizationServiceHelpers - include Gitlab::Routing.url_helpers - - let(:user) { create(:user) } - let(:other_project) do - create(:project, :public, - external_authorization_classification_label: 'other_label') - end - let(:other_issue) do - create(:issue, :closed, - title: 'I am in another project', - project: other_project) - end - let(:other_confidential_issue) do - create(:issue, :confidential, :closed, - title: 'I am in another project and confidential', - project: other_project) - end - let(:other_merge_request) do - create(:merge_request, :closed, - title: 'I am a merge request in another project', - source_project: other_project) - end - let(:description_referencing_other_issue) do - "Referencing: #{other_issue.to_reference(project)}, "\ - "a confidential issue #{confidential_issue.to_reference}, "\ - "a cross project confidential issue #{other_confidential_issue.to_reference(project)}, and "\ - "a cross project merge request #{other_merge_request.to_reference(project)}" - end - let(:project) { create(:project) } - let(:issue) do - create(:issue, - project: project, - description: description_referencing_other_issue ) - end - let(:confidential_issue) do - create(:issue, :confidential, :closed, - title: "I am in the same project and confidential", - project: project) - end - - before do - project.add_developer(user) - sign_in(user) - end - - it 'shows all information related to the cross project reference' do - visit project_issue_path(project, issue) - - expect(page).to have_link("#{other_issue.to_reference(project)} (#{other_issue.state})") - expect(page).to have_xpath("//a[@title='#{other_issue.title}']") - end - - it 'shows a link to the confidential issue in the same project' do - visit project_issue_path(project, issue) - - expect(page).to have_link("#{confidential_issue.to_reference(project)} (#{confidential_issue.state})") - 
expect(page).to have_xpath("//a[@title='#{confidential_issue.title}']") - end - - it 'does not show the link to a cross project confidential issue when the user does not have access' do - visit project_issue_path(project, issue) - - expect(page).not_to have_link("#{other_confidential_issue.to_reference(project)} (#{other_confidential_issue.state})") - expect(page).not_to have_xpath("//a[@title='#{other_confidential_issue.title}']") - end - - it 'shows the link to a cross project confidential issue when the user has access' do - other_project.add_developer(user) - - visit project_issue_path(project, issue) - - expect(page).to have_link("#{other_confidential_issue.to_reference(project)} (#{other_confidential_issue.state})") - expect(page).to have_xpath("//a[@title='#{other_confidential_issue.title}']") - end - - context 'when an external authorization service is enabled' do - before do - enable_external_authorization_service_check - end - - it 'only hits the external service for the project the user is viewing' do - expect(::Gitlab::ExternalAuthorization) - .to receive(:access_allowed?).with(user, 'default_label', any_args).at_least(1).and_return(true) - expect(::Gitlab::ExternalAuthorization) - .not_to receive(:access_allowed?).with(user, 'other_label', any_args) - - visit project_issue_path(project, issue) - end - - it 'shows only the link to the cross project references' do - visit project_issue_path(project, issue) - - expect(page).to have_link("#{other_issue.to_reference(project)}") - expect(page).to have_link("#{other_merge_request.to_reference(project)}") - expect(page).not_to have_content("#{other_issue.to_reference(project)} (#{other_issue.state})") - expect(page).not_to have_xpath("//a[@title='#{other_issue.title}']") - expect(page).not_to have_content("#{other_merge_request.to_reference(project)} (#{other_merge_request.state})") - expect(page).not_to have_xpath("//a[@title='#{other_merge_request.title}']") - end - - it 'does not link a cross project 
confidential issue if the user does not have access' do - visit project_issue_path(project, issue) - - expect(page).not_to have_link("#{other_confidential_issue.to_reference(project)}") - expect(page).not_to have_xpath("//a[@title='#{other_confidential_issue.title}']") - end - - it 'links a cross project confidential issue without exposing information when the user has access' do - other_project.add_developer(user) - - visit project_issue_path(project, issue) - - expect(page).to have_link("#{other_confidential_issue.to_reference(project)}") - expect(page).not_to have_xpath("//a[@title='#{other_confidential_issue.title}']") - end - - it 'shows a link to the confidential issue in the same project' do - visit project_issue_path(project, issue) - - expect(page).to have_link("#{confidential_issue.to_reference(project)} (#{confidential_issue.state})") - expect(page).to have_xpath("//a[@title='#{confidential_issue.title}']") - end - end -end diff --git a/spec/features/projects/settings/external_authorization_service_settings_spec.rb b/spec/features/projects/settings/external_authorization_service_settings_spec.rb deleted file mode 100644 index 31b2892cf6f1a7bf3c414c029deffe51230cd5e2..0000000000000000000000000000000000000000 --- a/spec/features/projects/settings/external_authorization_service_settings_spec.rb +++ /dev/null @@ -1,21 +0,0 @@ -# frozen_string_literal: true - -require 'spec_helper' - -describe 'Projects > Settings > External Authorization Classification Label setting' do - let(:user) { create(:user) } - let(:project) { create(:project_empty_repo) } - - before do - project.add_maintainer(user) - sign_in(user) - end - - it 'shows the field to set a classification label' do - stub_application_setting(external_authorization_service_enabled: true) - - visit edit_project_path(project) - - expect(page).to have_selector('#project_external_authorization_classification_label') - end -end 
diff --git a/spec/features/users/show_spec.rb b/spec/features/users/show_spec.rb index 351750c017955c3deddfbb469a7792bc95725af9..86379164cf0735cf2ee40bd23c454dc4c9ece335 100644 --- a/spec/features/users/show_spec.rb +++ b/spec/features/users/show_spec.rb @@ -1,8 +1,6 @@ require 'spec_helper' describe 'User page' do - include ExternalAuthorizationServiceHelpers - let(:user) { create(:user) } context 'with public profile' do @@ -88,24 +86,4 @@ describe 'User page' do end end end - - context 'most recent activity' do - it 'shows the most recent activity' do - visit(user_path(user)) - - expect(page).to have_content('Most Recent Activity') - end - - context 'when external authorization is enabled' do - before do - enable_external_authorization_service_check - end - - it 'hides the most recent activity' do - visit(user_path(user)) - - expect(page).not_to have_content('Most Recent Activity') - end - end - end end diff --git a/spec/finders/issues_finder_spec.rb b/spec/finders/issues_finder_spec.rb index 4133987a07ed8bcacb6f2b3d8d1fa783320300d3..fe53fabe54ced24cdc53e0f3126fc86cd565cea9 100644 --- a/spec/finders/issues_finder_spec.rb +++ b/spec/finders/issues_finder_spec.rb @@ -559,13 +559,6 @@ describe IssuesFinder do expect(issues.count).to eq 0 end end - - context 'external authorization' do - it_behaves_like 'a finder with external authorization service' do - let!(:subject) { create(:issue, project: project) } - let(:project_params) { { project_id: project.id } } - end - end end describe '#row_count', :request_store do diff --git a/spec/finders/labels_finder_spec.rb b/spec/finders/labels_finder_spec.rb index 98b4933fef6e3d54b52fe8423b0e11a4d5ec3a9a..3f060ba0553ab39205d61ccac502e274dfb60a7c 100644 --- a/spec/finders/labels_finder_spec.rb +++ b/spec/finders/labels_finder_spec.rb 
@@ -226,12 +226,5 @@ describe LabelsFinder do expect(finder.execute).to eq [project_label_1] end end - - context 'external authorization' do - it_behaves_like 'a finder with external authorization service' do - let!(:subject) { create(:label, project: project) } - let(:project_params) { { project_id: project.id } } - end - end end end diff --git a/spec/finders/merge_requests_finder_spec.rb b/spec/finders/merge_requests_finder_spec.rb index 9d4b9af3ec3855da074f0371ec839d4d4930658f..f508b9bdb6f068dc898e3a11e9166abdf6560134 100644 --- a/spec/finders/merge_requests_finder_spec.rb +++ b/spec/finders/merge_requests_finder_spec.rb @@ -253,13 +253,6 @@ describe MergeRequestsFinder do expect(finder.row_count).to eq(1) end end - - context 'external authorization' do - it_behaves_like 'a finder with external authorization service' do - let!(:subject) { create(:merge_request, source_project: project) } - let(:project_params) { { project_id: project.id } } - end - end end context 'when projects require different access levels for merge requests' do diff --git a/spec/finders/snippets_finder_spec.rb b/spec/finders/snippets_finder_spec.rb index d367f9015c7f2c4f7478d9bb13c80c09b3b9eec5..93287f3e9b8f06e4e38b7ba64b94ca5d4b42a72a 100644 --- a/spec/finders/snippets_finder_spec.rb +++ b/spec/finders/snippets_finder_spec.rb @@ -1,7 +1,6 @@ require 'spec_helper' describe SnippetsFinder do - include ExternalAuthorizationServiceHelpers include Gitlab::Allowable describe '#initialize' do 
@@ -165,35 +164,4 @@ describe SnippetsFinder do end it_behaves_like 'snippet visibility' - - context 'external authorization' do - let(:user) { create(:user) } - let(:project) { create(:project) } - let!(:snippet) { create(:project_snippet, :public, project: project) } - - before do - project.add_maintainer(user) - end - - it_behaves_like 'a finder with external authorization service' do - let!(:subject) { create(:project_snippet, project: project) } - let(:project_params) { { project: project } } - end - - it 'includes the result if the external service allows access' do - external_service_allow_access(user, project) - - results = described_class.new(user, project: project).execute - - expect(results).to contain_exactly(snippet) - end - - it 'does not include any results if the external service denies access' do - external_service_deny_access(user, project) - - results = described_class.new(user, project: project).execute - - expect(results).to be_empty - end - end end diff --git a/spec/finders/todos_finder_spec.rb b/spec/finders/todos_finder_spec.rb index 22318a9946a428d49167d5c256ab9f12f43689c4..d4ed41d54f003e2e199f229833a876d7928fc5f1 100644 --- a/spec/finders/todos_finder_spec.rb +++ b/spec/finders/todos_finder_spec.rb @@ -47,13 +47,6 @@ describe TodosFinder do end end end - - context 'external authorization' do - it_behaves_like 'a finder with external authorization service' do - let!(:subject) { create(:todo, project: project, user: user) } - let(:project_params) { { project_id: project.id } } - end - end end describe '#sort' do diff --git a/spec/fixtures/passphrase_x509_certificate.crt b/spec/fixtures/passphrase_x509_certificate.crt deleted file mode 100644 index 6973163b79e1618ddfa08a84457b068d262e81f6..0000000000000000000000000000000000000000 --- a/spec/fixtures/passphrase_x509_certificate.crt +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEpTCCAo0CAQEwDQYJKoZIhvcNAQEFBQAwFDESMBAGA1UEAwwJYXV0aG9yaXR5 -MB4XDTE4MDMyMzE0MDIwOFoXDTE5MDMyMzE0MDIwOFowHTEbMBkGA1UEAwwSZ2l0 -bGFiLXBhc3NwaHJhc2VkMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA -zpsWHOewP/khfDsLUWxaRCinrBzVJm2C01bVahKVR3g/JD4vEH901Wod9Pvbh/9e -PEfE+YZmgSUUopbL3JUheMnyW416F43HKE/fPW4+QeuIEceuhCXg20eOXmvnWWNM -0hXZh4hq69rwvMPREC/LkZy/QkTDKhJNLNAqAQu2AJ3C7Yga8hFQYEhx1hpfGtwD -z/Nf3efat9WN/d6yW9hfJ98NCmImTm5l9Pc0YPNWCAf96vsqsNHBrTkFy6CQwkhH -K1ynVYuqnHYxSc4FPCT5SAleD9gR/xFBAHb7pPy4yGxMSEmiWaMjjZCVPsghj1jM -Ej77MTDL3U9LeDfiILhvZ+EeQxqPiFwwG2eaIn3ZEs2Ujvw7Z2VpG9VMcPTnB4jK -ot6qPM1YXnkGWQ6iT0DTPS3h7zg1xIJXI5N2sI6GXuKrXXwZ1wPqzFLKPv+xBjp8 -P6dih+EImfReFi9zIO1LqGMY+XmRcqodsb6jzsmBimJkqBtatJM7FuUUUN56wiaj -q9+BWbm+ZdQ2lvqndMljjUjTh6pNERfGAJgkNuLn3X9hXVE0TSpmn0nOgaL5izP3 -7FWUt0PTyGgK2zq9SEhZmK2TKckLkKMk/ZBBBVM/nrnjs72IlbsqdcVoTnApytZr -xVYTj1hV7QlAfaU3w/M534qXDiy8+HfX5ksWQMtSklECAwEAATANBgkqhkiG9w0B -AQUFAAOCAgEAMMhzSRq9PqCpui74nwjhmn8Dm2ky7A+MmoXNtk70cS/HWrjzaacb -B/rxsAUp7f0pj4QMMM0ETMFpbNs8+NPd2FRY0PfWE4yyDpvZO2Oj1HZKLHX72Gjn -K5KB9DYlVsXhGPfuFWXpxGWF2Az9hDWnj58M3DOAps+6tHuAtudQUuwf5ENQZWwE -ySpr7yoHm1ykgl0Tsb9ZHi9qLrWRRMNYXRT+gvwP1bba8j9jOtjO/xYiIskwMPLM -W8SFmQxbg0Cvi8Q89PB6zoTNOhPQyoyeSlw9meeZJHAMK2zxeglEm8C4EQ+I9Y6/ -yylM5/Sc55TjWAvRFgbsq+OozgMvffk/Q2fzcGF44J9DEQ7nrhmJxJ+X4enLknR5 -Hw4+WhdYA+bwjx3YZBNTh9/YMgNPYwQhf5gtcZGTd6X4j6qZfJ6CXBmhkC1Cbfyl -yM7B7i4JAqPWMeDP50pXCgyKlwgw1JuFW+xkbkYQAj7wtggQ6z1Vjb5W8R8kYn9q -LXClVtThEeSV5KkVwNX21aFcUs8qeQ+zsgKqpEyM5oILQQ1gDSxLTtrr2KuN+WJN -wM0acwD45X7gA/aZYpCGkIgHIBq0zIDP1s6IqeebFJjW8lWofhRxOEWomWdRweJG -N7qQ1WCTQxAPGAkDI8QPjaspvnAhFKmpBG/mR5IXLFKDbttu7WNdYDo= ------END CERTIFICATE----- diff --git a/spec/fixtures/passphrase_x509_certificate_pk.key b/spec/fixtures/passphrase_x509_certificate_pk.key deleted file mode 100644 index f9760dfe70eada8a19b400c29bf94b372e2f013b..0000000000000000000000000000000000000000 
--- a/spec/fixtures/passphrase_x509_certificate_pk.key +++ /dev/null 
@@ -1,54 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -Proc-Type: 4,ENCRYPTED -DEK-Info: AES-128-CBC,79CCB506B0FD42A6F1BAE6D72E1CB20C - -EuZQOfgaO6LVCNytTHNJmbiq1rbum9xg6ohfBTVt7Cw4+8yLezWva/3sJQtnEk2P -M2yEQYWIiCX+clPkRiRL8WLjRfLTNcYS6QxxuJdpOrowPrBYr4Aig8jBUUBI4VQf -w1ZEUQd0mxQGnyzkKpsudFOntCtZbvbrBsIAQUNLcrKEFk3XW/BqE1Q/ja6WfWqX -b6EKg6DoXi92V90O6sLDfpmTKZq3ThvVDFuWeJ2K/GVp2cs+MkBIBJ8XX+NT1nWg -g+Ok+yaSI/N9ILX4XDgXunJGwcooI8PhHSjkDWRusi8vbo7RFqIKiSF+h6tIwktF -Uss3JESKgXZCQ7upCnHSzK/aWFtwHtXxqOi7esqEZd+1sB0LY+XMnbaxweCMx2Kj -czktKYvoXUs69Whln+yyXULtl5XhJ8lbvlbIG2FbZ9y+/hHOyBqZyeUyCnXDzv8/ -0U0iZwreP3XPVMsy578pIdcdL27q+r05j4yjrJfbX3T9xp2u3F9uVubCa4euEBwV -yrFdsxJLKON8pFeDS49m5gHNsHmeZ0sUeTPZVGNXdabVetkOA0eAAGK4zAoqG79L -hEN7cDenz+E4XHp8gMzwwMiVyU4FuAb6SXkfSodctmSTWVbzNBja0FBek3UXy+pn -9qq7cIpe7NY5gzcbyoy9lSkyYVkAm8j6BIYtY1ZUAmtCklC2ADWARTjd7dI7aEbO -QbXxNIq2+O/zMOXfougSPoDP8SLyLuE1p6SwfWV7Dwf119hn+mjWlGzAZDxxHhsR -yYUQCUe0NIKzuUp3WYIx8xIb7/WFwit/JaFaxurjBnhkkEviBn+TgXiuFBO3tv/d -URpZ39rH0mrDsR61pCiIcoNVkQkynHcAFPd5VtaeSJPvZP280uOCPPS31cr6/0LB -1JX3lZoWWCuA+JQjxtZDaDTcvEUbfOQ2rexQQo4uylNkBF9F5WOdQBkKG/AfqBq8 -S/TdubYzvpcKhFAlXsI67JdbxGlU4HCsxOLwWzSUYclN4W3l7s7KZ5zxt+MU03Uf -vara9uuZHiKUjZohjXeqcXTc+UyC8VH1dF19M3Cj9RNrwl2xEDUMtIiALBjbGp1E -pu2nPj9NhWf9Vw5MtSszutesxXba2nPmvvGvvZ7N3h/k4NsKL7JdENF7XqkI0D2K -jpO1t6d3cazS1VpMWLZS45kWaM3Y07tVR3V+4Iv9Vo1e9H2u/Z5U4YeJ44sgMsct -dBOAhHdUAI5+P+ocLXiCKo+EcS0cKvz+CC4ux0vvcF3JrTqZJN1U/JxRka2EyJ1B -2Xtu3DF36XpBJcs+MJHjJ+kUn6DHYoYxZa+bB8LX6+FQ+G7ue+Dx/RsGlP7if1nq -DAaM6kZg7/FbFzOZyl5xhwAJMxfgNNU7nSbk9lrvQ4mdwgFjvgGu3jlER4+TcleE -4svXInxp1zK6ES44tI9fXkhPaFkafxAL7eUSyjjEwMC06h+FtqK3mmoKLo5NrGJE -zVl69r2WdoSQEylVN1Kbp+U4YbfncInLJqBq2q5w9ASL/8Rhe8b52q6PuVX/bjoz -0pkSu+At4jVbAhRpER5NGlzG884IaqqvBvMYR5zFJeRroIijyUyH0KslK37/sXRk -ty0yKrkm31De9gDa3+XlgAVDAgbEQmGVwVVcV0IYYJbjIf36lUdGh4+3krwxolr/ -vZct5Z7QxfJlBtdOstjz5U9o05yOhjoNrPZJXuKMmWOQjSwr7rRSdqmAABF9IrBf -Pa/ChF1y5j3gJESAFMyiea3kvLq1EbZRaKoybsQE2ctBQ8EQjzUz+OOxVO6GJ4W9 
-XHyfcviFrpsVcJEpXQlEtGtKdfKLp48cytob1Fu1JOYPDCrafUQINCZP4H3Nt892 -zZiTmdwux7pbgf4KbONImN5XkpvdCGjQHSkYMmm5ETRK8s7Fmvt2aBPtlyXxJDOq -iJUqwDV5HZXOnQVE/v/yESKgo2Cb8BWqPZ4/8Ubgu/OADYyv/dtjQel8QQ2FMhO4 -2tnwWbBBJk8VpR/vjFHkGSnj+JJfW/vUVQ+06D3wHYhNp7mh4M+37AngwzGCp7k+ -9aFwb2FBGghArB03E4lIO/959T0cX95WZ6tZtLLEsf3+ug7PPOSswCqsoPsXzFJH -MgXVGKFXccNSsWol7VvrX/uja7LC1OE+pZNXxCRzSs4aljJBpvQ6Mty0lk2yBC0R -MdujMoZH9PG9U6stwFd+P17tlGrQdRD3H2uimn82Ck+j2l0z0pzN0JB2WBYEyK0O -1MC36wLICWjgIPLPOxDEEBeZPbc24DCcYfs/F/hSCHv/XTJzVVILCX11ShGPSXlI -FL9qyq6jTNh/pVz6NiN/WhUPBFfOSzLRDyU0MRsSHM8b/HPpf3NOI3Ywmmj65c2k -2kle1F2M5ZTL+XvLS61qLJ/8AgXWvDHP3xWuKGG/pM40CRTUkRW6NAokMr2/pEFw -IHTE2+84dOKnUIEczzMY3aqzNmYDCmhOY0jD/Ieb4hy9tN+1lbQ/msYMIJ1w7CFR -38yB/UbDD90NcuDhjrMbzVUv1At2rW7GM9lSbxGOlYDmtMNEL63md1pQ724v4gSE -mzoFcMkqdh+hjFvv11o4H32lF3mPYcXuL+po76tqxGOiUrLKe/ZqkT5XAclYV/7H -k3Me++PCh4ZqXBRPvR8Xr90NETtiFCkBQXLdhNWXrRe2v0EbSX+cYAWk68FQKCHa -HKTz9T7wAvB6QWBXFhH9iCP8rnQLCEhLEhdrt+4v2KFkIVzBgOlMoHsZsMp0sBeq -c5ZVbJdiKik3P/8ZQTn4jmOnQXCEyWx+LU4acks8Aho4lqq9yKq2DZpwbIRED47E -r7R/NUevhqqzEHZ2SGD6EDqRN+bHJEi64vq0ryaEielusYXZqlnFXDHJcfLCmR5X -3bj5pCwQF4ScTukrGQB/c4henG4vlF4CaD0CIIK3W6tH+AoDohYJts6YK49LGxmK -yXiyKNak8zHYBBoRvd2avRHyGuR5yC9KrN8cbC/kZqMDvAyM65pIK+U7exJwYJhv -ezCcbiH3bK3anpiRpdeNOot2ba/Y+/ks+DRC+xs4QDIhrmSEBCsLv1JbcWjtHSaG -lm+1DSVduUk/kN+fBnlfif+TQV9AP3/wb8ekk8jjKXsL7H1tJKHsLLIIvrgrpxjw ------END RSA PRIVATE KEY----- diff --git a/spec/fixtures/x509_certificate.crt b/spec/fixtures/x509_certificate.crt deleted file mode 100644 index 8a84890b928137dac9a0aa3e0022e71b9cd34664..0000000000000000000000000000000000000000 --- a/spec/fixtures/x509_certificate.crt +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEnDCCAoQCAQEwDQYJKoZIhvcNAQEFBQAwFDESMBAGA1UEAwwJYXV0aG9yaXR5 -MB4XDTE4MDMxOTE1MjYzMloXDTE5MDMxOTE1MjYzMlowFDESMBAGA1UEAwwJbG9j -YWxob3N0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA+tcM7iphsLlR -ccUph2ixabRYnw1HeLCiA4O9a4O31oVUBuzAn/eVU4jyVWkaBym6MHa8CiDOro9H -OXodITMw+3G1sG/yQZ8Y/5dsOP2hEoSfs63/2FAgFWzrB2HnYSShiN8tBeeDI5cJ -ii4JVMfpfi9cvXZUXFR8+P0XR1HDxx6or6UTK37k2kbDQZ41rv1ng2w0AUZt0LRA -NWVE48zvUWIU0y+2JLP1yhrKj85RRjQc5cMK88zzWSZBcSjDGGeJ4C8B5Zh2gFlQ -+1aJkyyklORR3v/RyYO9prTeXPqQ3x/nNsNkI+cyv0Gle6tk+CkOfE1m0CvNWlNg -b8LdQ0XZsOYLZvxfpHk3gHA5GrHXvn5StkM5xMXpdUCsh22CZZHe/4SeFE64amkf -1/LuqY0LYc5UdG2SeJ0SDauPRAIuAr4OV7+Q/nLdY8haMC6KOtpbAWvKX/Jqq0z1 -nUXzQn1JWCNw1QMdq9Uz8wiWOjLTr2D/mIVrVef0pb2mfdtzjzUrYCP0PtnQExPB -rocP6BDXN7Ragcdis5/IfLuCOD6pAkmzy6o8RSvAoEUs9VbPiUfN7WAyU1K1rTYH -KV+zPfWF254nZ2SBeReN9CMKbMJE+TX2chRlq07Q5LDz33h9KXw1LZT8MWRinVJf -RePsQiyHpRBWRG0AhbD+YpiGKHzsat0CAwEAATANBgkqhkiG9w0BAQUFAAOCAgEA -Skp0tbvVsg3RG2pX0GP25j0ix+f78zG0+BJ6LiKGMoCIBtGKitfUjBg83ru/ILpa -fpgrQpNQVUnGQ9tmpnqV605ZBBRUC1CRDsvUnyN6p7+yQAq6Fl+2ZKONHpPk+Bl4 -CIewgdkHjTwTpvIM/1DFVCz4R1FxNjY3uqOVcNDczMYEk2Pn2GZNNN35hUHHxWh4 -89ZvI+XKuRFZq3cDPA60PySeJJpCRScWGgnkdEX1gTtWH3WUlq9llxIvRexyNyzZ -Yqvcfx5UT75/Pp+JPh9lpUCcKLHeUiadjkiLxu3IcrYa4gYx4lA8jgm7adNEahd0 -oMAHoO9DU6XMo7o6tnQH3xQv9RAbQanjuyJR9N7mwmc59bQ6mW+pxCk843GwT73F -slseJ1nE1fQQQD7mn/KGjmeWtxY2ElUjTay9ff9/AgJeQYRW+oH0cSdo8WCpc2+G -+LZtLWfBgFLHseRlmarSe2pP8KmbaTd3q7Bu0GekVQOxYcNX59Pj4muQZDVLh8aX -mSQ+Ifts/ljT649MISHn2AZMR4+BUx63tFcatQhbAGGH5LeFdbaGcaVdsUVyZ9a2 -HBmFWNsgEPtcC+WmNzCXbv7jQsLAJXufKG5MnurJgNf/n5uKCmpGsEJDT/KF1k/3 -x9YnqM7zTyV6un+LS3HjEJvwQmqPWe+vFAeXWGCoWxE= ------END CERTIFICATE----- diff --git a/spec/fixtures/x509_certificate_pk.key b/spec/fixtures/x509_certificate_pk.key deleted file mode 100644 index c02a3cf618968aefbba58e6af1b4cae33fec1463..0000000000000000000000000000000000000000 --- a/spec/fixtures/x509_certificate_pk.key +++ /dev/null 
@@ -1,51 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIJKAIBAAKCAgEA+tcM7iphsLlRccUph2ixabRYnw1HeLCiA4O9a4O31oVUBuzA -n/eVU4jyVWkaBym6MHa8CiDOro9HOXodITMw+3G1sG/yQZ8Y/5dsOP2hEoSfs63/ -2FAgFWzrB2HnYSShiN8tBeeDI5cJii4JVMfpfi9cvXZUXFR8+P0XR1HDxx6or6UT -K37k2kbDQZ41rv1ng2w0AUZt0LRANWVE48zvUWIU0y+2JLP1yhrKj85RRjQc5cMK -88zzWSZBcSjDGGeJ4C8B5Zh2gFlQ+1aJkyyklORR3v/RyYO9prTeXPqQ3x/nNsNk -I+cyv0Gle6tk+CkOfE1m0CvNWlNgb8LdQ0XZsOYLZvxfpHk3gHA5GrHXvn5StkM5 -xMXpdUCsh22CZZHe/4SeFE64amkf1/LuqY0LYc5UdG2SeJ0SDauPRAIuAr4OV7+Q -/nLdY8haMC6KOtpbAWvKX/Jqq0z1nUXzQn1JWCNw1QMdq9Uz8wiWOjLTr2D/mIVr -Vef0pb2mfdtzjzUrYCP0PtnQExPBrocP6BDXN7Ragcdis5/IfLuCOD6pAkmzy6o8 -RSvAoEUs9VbPiUfN7WAyU1K1rTYHKV+zPfWF254nZ2SBeReN9CMKbMJE+TX2chRl -q07Q5LDz33h9KXw1LZT8MWRinVJfRePsQiyHpRBWRG0AhbD+YpiGKHzsat0CAwEA -AQKCAgBf1urJ1Meeji/gGETVx9qBWLbDjn9QTayZSyyEd78155tDShIPDLmxQRHW -MGIReo/5FGSkOgS+DWBZRZ77oGOGrtuMnjkheXhDr8dZvw5b1PBv5ntqWrLnfMYP -/Ag7xZMyiJLbPqmMX5j1gsFt8zPzUoVMnnl9DYryV0Edrs/utHgfJCM+6yzleUQB -PkGkqo1yWVVFZ3Nt2nDt9dNsdlC594+dYQ1m2JuArNvYNiw3dpHT98GnhRc1aLh4 -U+q22FiFn3BKGQat43JdlaLa6KO5f8MIQRYWuI8tss2DGPlhRv9AnUcVsLBjAuIH -bmUVrBosxCYUQ6giatjd2sZPfdC+VIDCbIWRthxkXJ9I/Ap8R98xx/7qIcPFc+XA -hcK1xOM7zIq2xgAOFeeh8O8Wq9cH8NmUhMCgzIE0WT32Zo0JAW6l0kZc82Y/Yofz -U+TJKo0NOFZe687HOhanOHbbQSG29XOqxMYTABZ7Ixf+4RZPD5+yQgZWP1BhLluy -PxZhsLl67xvbfB2i9VVorMN7PbFx5hbni3C7/p63Z0rG5q4/uJBbX3Uuh6KdhIo+ -Zh9UC6u29adIthdxz+ZV5wBccTOgaeHB9wRL9Hbp6ZxyqesQB4RTsFtPNXxZ7K43 -fmJgHZvHhF5gSbeB8JAeBf0cy3pytJM49ZxplifeGVzUJP2gAQKCAQEA/1T9quz5 -sOD03FxV//oRWD1kqfunq3v56sIBG4ZMVZKUqc6wLjTmeklLYKq85AWX8gnCHi0g -nmG/xDh/rt1/IngMWP98WVuD67hFbrj87g7A7YGIiwZ2gi6hqhqmALN+5JjCSTPp -XOiPvNnXP0XM4gIHBXV8diHq5rF9NsSh4vx3OExr8KQqVzWoDcnnWNfnDlrFB8cq -ViII+UqdovXp59hAVOsc+pYAe+8JeQDX17H3U/NMkUw4gU2aWUCvUVjxi9oBG/CW -ncIdYuW8zne4qXbX7YLC0QUUIDVOWzhLauAUBduTqRTldJo0KAxu887tf+uStXs8 -RACLGIaBQw7BXQKCAQEA+38NFnpflKquU92xRtmqWAVaW7rm865ZO6EIaS4JII/N -/Ebu1YZrAhT0ruGJQaolYj8w79BEZRF2CYDPZxKFv/ye0O7rWCAGtCdWQ0BXcrIU 
-7SdlsdfTNXO1R3WbwCyVxyjg6YF7FjbTaaOAoTiosTjDs2ZOgkbdh/sMeWkSN5HB -aQz4c8rqq0kkYucLqp4nWYSWSJn88bL8ctwEwW77MheJiSpo1ohNRP3ExHnbCbYw -RIj7ATSz74ebpd9NMauB5clvMMh4jRG0EQyt7KCoOyfPRFc3fddvTr03LlgFfX/n -qoxd2nejgAS3NnG1XMxdcUa7cPannt46Sef1uZo3gQKCAQB454zquCYQDKXGBu8u -NAKsjv2wxBqESENyV4VgvDo/NxawRdAFQUV12GkaEB87ti5aDSbfVS0h8lV1G+/S -JM5DyybFqcz/Hyebofk20d/q9g+DJ5g5hMjvIhepTc8Xe+d1ZaRyN2Oke/c8TMbx -DiNTTfR3MEfMRIlPzfHl0jx6GGR3wzBFleb6vsyiIt4qoqmlkXPFGBlDCgDH0v5M -ITgucacczuw8+HSoOut4Yd7TI1FjbkzubHJBQDb7VnbuBTjzqTpnOYiIkVeK8hBy -kBxgGodqz0Vi5o2+Jp/A8Co+JHc2wt/r65ovmali4WhUiMLLlQg2aXGDHeK/rUle -MIl9AoIBAQCPKCYSCnyHypRK5uG3W8VsLzfdCUnXogHnQGXiQTMu1szA8ruWzdnx -qG4TcgxIVYrMHv5DNAEKquLOzATDPjbmLu1ULvvGAQzv1Yhz5ZchkZ7507g+gIUY -YxHoaFjNDlP/txQ3tt2SqoizFD/vBap4nsA/SVgdLiuB8PSL07Rr70rx+lEe0H2+ -HHda2Pu6FiZ9/Uvybb0e8+xhkT4fwYW5YM6IRpzAqXuabv1nfZmiMJPPH04JxK88 -BKwjwjVVtbPOUlg5o5ODcXVXUylZjaXVbna8Bw1uU4hngKt9dNtDMeB0I0x1RC7M -e2Ky2g0LksUJ6uJdjfmiJAt38FLeYJuBAoIBAC2oqaqr86Dug5v8xHpgFoC5u7z7 -BRhaiHpVrUr+wnaNJEXfAEmyKf4xF5xDJqldnYG3c9ETG/7bLcg1dcrMPzXx94Si -MI3ykwiPeI/sVWYmUlq4U8zCIC7MY6sWzWt3oCBNoCN/EeYx9e7+eLNBB+fADAXq -v9RMGlUIy7beX0uac8Bs771dsxIb/RrYw58wz+jrwGlzuDmcPWiu+ARu7hnBqCAV -AITlCV/tsEk7u08oBuv47+rVGCh1Qb19pNswyTtTZARAGErJO0Q+39BNuu0M2TIn -G3M8eNmGHC+mNsZTVgKRuyk9Ye0s4Bo0KcqSndiPFGHjcrF7/t+RqEOXr/E= ------END RSA PRIVATE KEY----- diff --git a/spec/lib/gitlab/external_authorization/access_spec.rb b/spec/lib/gitlab/external_authorization/access_spec.rb deleted file mode 100644 index 5dc2521b31009f2d0d1f6ca92ac5a708582ca9fc..0000000000000000000000000000000000000000 --- a/spec/lib/gitlab/external_authorization/access_spec.rb +++ /dev/null 
@@ -1,142 +0,0 @@ -require 'spec_helper' - -describe Gitlab::ExternalAuthorization::Access, :clean_gitlab_redis_cache do - subject(:access) { described_class.new(build(:user), 'dummy_label') } - - describe '#loaded?' do - it 'is `true` when it was loaded recently' do - Timecop.freeze do - allow(access).to receive(:loaded_at).and_return(5.minutes.ago) - - expect(access).to be_loaded - end - end - - it 'is `false` when there is no loading time' do - expect(access).not_to be_loaded - end - - it 'is `false` when there the result was loaded a long time ago' do - Timecop.freeze do - allow(access).to receive(:loaded_at).and_return(2.weeks.ago) - - expect(access).not_to be_loaded - end - end - end - - describe 'load!' do - let(:fake_client) { double('ExternalAuthorization::Client') } - let(:fake_response) do - double( - 'Response', - 'successful?' => true, - 'valid?' => true, - 'reason' => nil - ) - end - - before do - allow(access).to receive(:load_from_cache) - allow(fake_client).to receive(:request_access).and_return(fake_response) - allow(Gitlab::ExternalAuthorization::Client).to receive(:new) { fake_client } - end - - context 'when loading from the webservice' do - it 'loads from the webservice it the cache was empty' do - expect(access).to receive(:load_from_cache) - expect(access).to receive(:load_from_service).and_call_original - - access.load! - - expect(access).to be_loaded - end - - it 'assigns the accessibility, reason and loaded_at' do - allow(fake_response).to receive(:successful?).and_return(false) - allow(fake_response).to receive(:reason).and_return('Inaccessible label') - - access.load! 
- - expect(access.reason).to eq('Inaccessible label') - expect(access).not_to have_access - expect(access.loaded_at).not_to be_nil - end - - it 'returns itself' do - expect(access.load!).to eq(access) - end - - it 'stores the result in redis' do - Timecop.freeze do - fake_cache = double - expect(fake_cache).to receive(:store).with(true, nil, Time.now) - expect(access).to receive(:cache).and_return(fake_cache) - - access.load! - end - end - - context 'when the request fails' do - before do - allow(fake_client).to receive(:request_access) do - raise ::Gitlab::ExternalAuthorization::RequestFailed.new('Service unavailable') - end - end - - it 'is loaded' do - access.load! - - expect(access).to be_loaded - end - - it 'assigns the correct accessibility, reason and loaded_at' do - access.load! - - expect(access.reason).to eq('Service unavailable') - expect(access).not_to have_access - expect(access.loaded_at).not_to be_nil - end - - it 'does not store the result in redis' do - fake_cache = double - expect(fake_cache).not_to receive(:store) - allow(access).to receive(:cache).and_return(fake_cache) - - access.load! - end - end - end - - context 'When loading from cache' do - let(:fake_cache) { double('ExternalAuthorization::Cache') } - - before do - allow(access).to receive(:cache).and_return(fake_cache) - end - - it 'does not load from the webservice' do - Timecop.freeze do - expect(fake_cache).to receive(:load).and_return([true, nil, Time.now]) - - expect(access).to receive(:load_from_cache).and_call_original - expect(access).not_to receive(:load_from_service) - - access.load! - end - end - - it 'loads from the webservice when the cached result was too old' do - Timecop.freeze do - expect(fake_cache).to receive(:load).and_return([true, nil, 2.days.ago]) - - expect(access).to receive(:load_from_cache).and_call_original - expect(access).to receive(:load_from_service).and_call_original - allow(fake_cache).to receive(:store) - - access.load! - end - end - end - end -end 
diff --git a/spec/lib/gitlab/external_authorization/cache_spec.rb b/spec/lib/gitlab/external_authorization/cache_spec.rb deleted file mode 100644 index 58e7d6267074dfdf84baa1f897968cd538c58698..0000000000000000000000000000000000000000 --- a/spec/lib/gitlab/external_authorization/cache_spec.rb +++ /dev/null @@ -1,48 +0,0 @@ -require 'spec_helper' - -describe Gitlab::ExternalAuthorization::Cache, :clean_gitlab_redis_cache do - let(:user) { build_stubbed(:user) } - let(:cache_key) { "external_authorization:user-#{user.id}:label-dummy_label" } - - subject(:cache) { described_class.new(user, 'dummy_label') } - - def read_from_redis(key) - Gitlab::Redis::Cache.with do |redis| - redis.hget(cache_key, key) - end - end - - def set_in_redis(key, value) - Gitlab::Redis::Cache.with do |redis| - redis.hmset(cache_key, key, value) - end - end - - describe '#load' do - it 'reads stored info from redis' do - Timecop.freeze do - set_in_redis(:access, false) - set_in_redis(:reason, 'Access denied for now') - set_in_redis(:refreshed_at, Time.now) - - access, reason, refreshed_at = cache.load - - expect(access).to eq(false) - expect(reason).to eq('Access denied for now') - expect(refreshed_at).to be_within(1.second).of(Time.now) - end - end - end - - describe '#store' do - it 'sets the values in redis' do - Timecop.freeze do - cache.store(true, 'the reason', Time.now) - - expect(read_from_redis(:access)).to eq('true') - expect(read_from_redis(:reason)).to eq('the reason') - expect(read_from_redis(:refreshed_at)).to eq(Time.now.to_s) - end - end - end -end diff --git a/spec/lib/gitlab/external_authorization/client_spec.rb b/spec/lib/gitlab/external_authorization/client_spec.rb deleted file mode 100644 index fa18c1e56e832d4e49a18431ca57f0b823b870cc..0000000000000000000000000000000000000000 --- a/spec/lib/gitlab/external_authorization/client_spec.rb +++ /dev/null 
@@ -1,97 +0,0 @@ -require 'spec_helper' - -describe Gitlab::ExternalAuthorization::Client do - let(:user) { build(:user, email: 'dummy_user@example.com') } - let(:dummy_url) { 'https://dummy.net/' } - subject(:client) { described_class.new(user, 'dummy_label') } - - before do - stub_application_setting(external_authorization_service_url: dummy_url) - end - - describe '#request_access' do - it 'performs requests to the configured endpoint' do - expect(Excon).to receive(:post).with(dummy_url, any_args) - - client.request_access - end - - it 'adds the correct params for the user to the body of the request' do - expected_body = { - user_identifier: 'dummy_user@example.com', - project_classification_label: 'dummy_label' - }.to_json - expect(Excon).to receive(:post) - .with(dummy_url, hash_including(body: expected_body)) - - client.request_access - end - - it 'respects the the timeout' do - stub_application_setting( - external_authorization_service_timeout: 3 - ) - - expect(Excon).to receive(:post).with(dummy_url, - hash_including( - connect_timeout: 3, - read_timeout: 3, - write_timeout: 3 - )) - - client.request_access - end - - it 'adds the mutual tls params when they are present' do - stub_application_setting( - external_auth_client_cert: 'the certificate data', - external_auth_client_key: 'the key data', - external_auth_client_key_pass: 'open sesame' - ) - expected_params = { - client_cert_data: 'the certificate data', - client_key_data: 'the key data', - client_key_pass: 'open sesame' - } - - expect(Excon).to receive(:post).with(dummy_url, hash_including(expected_params)) - - client.request_access - end - - it 'returns an expected response' do - expect(Excon).to receive(:post) - - expect(client.request_access) - .to be_kind_of(::Gitlab::ExternalAuthorization::Response) - end - - it 'wraps exceptions if the request fails' do - expect(Excon).to receive(:post) { raise Excon::Error.new('the request broke') } - - expect { client.request_access } - .to 
raise_error(::Gitlab::ExternalAuthorization::RequestFailed) - end - - describe 'for ldap users' do - let(:user) do - create(:omniauth_user, - email: 'dummy_user@example.com', - extern_uid: 'external id', - provider: 'ldapprovider') - end - - it 'includes the ldap dn for ldap users' do - expected_body = { - user_identifier: 'dummy_user@example.com', - project_classification_label: 'dummy_label', - user_ldap_dn: 'external id' - }.to_json - expect(Excon).to receive(:post) - .with(dummy_url, hash_including(body: expected_body)) - - client.request_access - end - end - end -end diff --git a/spec/lib/gitlab/external_authorization/logger_spec.rb b/spec/lib/gitlab/external_authorization/logger_spec.rb deleted file mode 100644 index 81f1b2390e6c7281e3f89c34899cce66d76d2aa6..0000000000000000000000000000000000000000 --- a/spec/lib/gitlab/external_authorization/logger_spec.rb +++ /dev/null 
@@ -1,45 +0,0 @@ -require 'spec_helper' - -describe Gitlab::ExternalAuthorization::Logger do - let(:request_time) { Time.parse('2018-03-26 20:22:15') } - - def fake_access(has_access, user, load_type = :request) - access = double('access') - allow(access).to receive_messages(user: user, - has_access?: has_access, - loaded_at: request_time, - label: 'dummy_label', - load_type: load_type) - - access - end - - describe '.log_access' do - it 'logs a nice message for an access request' do - expected_message = "GRANTED admin@example.com access to 'dummy_label' (the/project/path)" - fake_access = fake_access(true, build(:user, email: 'admin@example.com')) - - expect(described_class).to receive(:info).with(expected_message) - - described_class.log_access(fake_access, 'the/project/path') - end - - it 'does not trip without a project path' do - expected_message = "DENIED admin@example.com access to 'dummy_label'" - fake_access = fake_access(false, build(:user, email: 'admin@example.com')) - - expect(described_class).to receive(:info).with(expected_message) - - described_class.log_access(fake_access, nil) - end - - it 'adds the load time for cached accesses' do - expected_message = "DENIED admin@example.com access to 'dummy_label' - cache #{request_time}" - fake_access = fake_access(false, build(:user, email: 'admin@example.com'), :cache) - - expect(described_class).to receive(:info).with(expected_message) - - described_class.log_access(fake_access, nil) - end - end -end diff --git a/spec/lib/gitlab/external_authorization/response_spec.rb b/spec/lib/gitlab/external_authorization/response_spec.rb deleted file mode 100644 index 43211043ecaf915412cc288948dfe481543bbf4a..0000000000000000000000000000000000000000 --- a/spec/lib/gitlab/external_authorization/response_spec.rb +++ /dev/null 
@@ -1,52 +0,0 @@ -require 'spec_helper' - -describe Gitlab::ExternalAuthorization::Response do - let(:excon_response) { double } - subject(:response) { described_class.new(excon_response) } - - describe '#valid?' do - it 'is valid for 200, 401, and 403 responses' do - [200, 401, 403].each do |status| - allow(excon_response).to receive(:status).and_return(status) - - expect(response).to be_valid - end - end - - it "is invalid for other statuses" do - expect(excon_response).to receive(:status).and_return(500) - - expect(response).not_to be_valid - end - end - - describe '#reason' do - it 'returns a reason if it was included in the response body' do - expect(excon_response).to receive(:body).and_return({ reason: 'Not authorized' }.to_json) - - expect(response.reason).to eq('Not authorized') - end - - it 'returns nil when there was no body' do - expect(excon_response).to receive(:body).and_return('') - - expect(response.reason).to eq(nil) - end - end - - describe '#successful?' do - it 'is `true` if the status is 200' do - allow(excon_response).to receive(:status).and_return(200) - - expect(response).to be_successful - end - - it 'is `false` if the status is 401 or 403' do - [401, 403].each do |status| - allow(excon_response).to receive(:status).and_return(status) - - expect(response).not_to be_successful - end - end - end -end diff --git a/spec/lib/gitlab/external_authorization_spec.rb b/spec/lib/gitlab/external_authorization_spec.rb deleted file mode 100644 index 7394fbfe0ceb28c135038085ba60346d08acf0b8..0000000000000000000000000000000000000000 --- a/spec/lib/gitlab/external_authorization_spec.rb +++ /dev/null 
@@ -1,54 +0,0 @@ -require 'spec_helper' - -describe Gitlab::ExternalAuthorization, :request_store do - include ExternalAuthorizationServiceHelpers - - let(:user) { build(:user) } - let(:label) { 'dummy_label' } - - describe '#access_allowed?' do - it 'is always true when the feature is disabled' do - # Not using `stub_application_setting` because the method is prepended in - # `EE::ApplicationSetting` which breaks when using `any_instance` - # https://gitlab.com/gitlab-org/gitlab-ce/issues/33587 - expect(::Gitlab::CurrentSettings.current_application_settings) - .to receive(:external_authorization_service_enabled) { false } - - expect(described_class).not_to receive(:access_for_user_to_label) - - expect(described_class.access_allowed?(user, label)).to be_truthy - end - end - - describe '#rejection_reason' do - it 'is always nil when the feature is disabled' do - expect(::Gitlab::CurrentSettings.current_application_settings) - .to receive(:external_authorization_service_enabled) { false } - - expect(described_class).not_to receive(:access_for_user_to_label) - - expect(described_class.rejection_reason(user, label)).to be_nil - end - end - - describe '#access_for_user_to_label' do - it 'only loads the access once per request' do - enable_external_authorization_service_check - - expect(::Gitlab::ExternalAuthorization::Access) - .to receive(:new).with(user, label).once.and_call_original - - 2.times { described_class.access_for_user_to_label(user, label, nil) } - end - - it 'logs the access request once per request' do - expect(::Gitlab::ExternalAuthorization::Logger) - .to receive(:log_access) - .with(an_instance_of(::Gitlab::ExternalAuthorization::Access), - 'the/project/path') - .once - - 2.times { described_class.access_for_user_to_label(user, label, 'the/project/path') } - end - end -end 
diff --git a/spec/lib/gitlab/import_export/safe_model_attributes.yml b/spec/lib/gitlab/import_export/safe_model_attributes.yml
index 30bb58ac99038ce82796f5046958cbb338728d21..d0ed588f05f587cea7c43e854e507402cb6d3df0 100644
--- a/spec/lib/gitlab/import_export/safe_model_attributes.yml
+++ b/spec/lib/gitlab/import_export/safe_model_attributes.yml
@@ -496,7 +496,6 @@ Project:
 - merge_requests_ff_only_enabled
 - merge_requests_rebase_enabled
 - jobs_cache_index
-- external_authorization_classification_label
 - pages_https_only
 Author:
 - name
diff --git a/spec/models/application_setting_spec.rb b/spec/models/application_setting_spec.rb
index c7d7dbac7364190bf1f408ed829b381e879486ed..c81572d739ec8ff3ac8aaa4b4c6c84fbf0d8e50c 100644
--- a/spec/models/application_setting_spec.rb
+++ b/spec/models/application_setting_spec.rb
@@ -3,7 +3,7 @@
 require 'spec_helper'
 
 describe ApplicationSetting do
- subject(:setting) { described_class.create_from_defaults }
+ let(:setting) { described_class.create_from_defaults }
 
 it { include(CacheableAttributes) }
 it { include(ApplicationSettingImplementation) }
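Review bot: Replacing `subject(:setting) { described_class.create_from_defaults }` with `let(:setting) { ... }` silently changes the implicit subject for every remaining example that still calls `subject` or `is_expected`, which now resolve to `described_class.new` instead of the defaults-backed record. The context line `expect(subject).to be_valid` visible in the next hunk of this file is one such example; unless those examples redefine `subject` locally (they sit outside this hunk, so I cannot confirm), they now validate a setting with no defaults applied, which may pass or fail for reasons unrelated to what they assert. If the goal is only to drop the named alias while keeping the same record under test, add `subject { setting }` directly below the new `let`, or keep the original `subject(:setting) { described_class.create_from_defaults }`.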
@@ -284,52 +284,6 @@ describe ApplicationSetting do expect(subject).to be_valid end end - - describe 'when external authorization service is enabled' do - before do - setting.external_authorization_service_enabled = true - end - - it { is_expected.not_to allow_value('not a URL').for(:external_authorization_service_url) } - it { is_expected.to allow_value('https://example.com').for(:external_authorization_service_url) } - it { is_expected.to allow_value('').for(:external_authorization_service_url) } - it { is_expected.not_to allow_value(nil).for(:external_authorization_service_default_label) } - it { is_expected.not_to allow_value(11).for(:external_authorization_service_timeout) } - it { is_expected.not_to allow_value(0).for(:external_authorization_service_timeout) } - it { is_expected.not_to allow_value('not a certificate').for(:external_auth_client_cert) } - it { is_expected.to allow_value('').for(:external_auth_client_cert) } - it { is_expected.to allow_value('').for(:external_auth_client_key) } - - context 'when setting a valid client certificate for external authorization' do - let(:certificate_data) { File.read('spec/fixtures/passphrase_x509_certificate.crt') } - - before do - setting.external_auth_client_cert = certificate_data - end - - it 'requires a valid client key when a certificate is set' do - expect(setting).not_to allow_value('fefefe').for(:external_auth_client_key) - end - - it 'requires a matching certificate' do - other_private_key = File.read('spec/fixtures/x509_certificate_pk.key') - - expect(setting).not_to allow_value(other_private_key).for(:external_auth_client_key) - end - - it 'the credentials are valid when the private key can be read and matches the certificate' do - tls_attributes = [:external_auth_client_key_pass, - :external_auth_client_key, - :external_auth_client_cert] - setting.external_auth_client_key = File.read('spec/fixtures/passphrase_x509_certificate_pk.key') - setting.external_auth_client_key_pass = '5iveL!fe' - - 
setting.validate - - expect(setting.errors).not_to include(*tls_attributes) - end - end - end end context 'restrict creating duplicates' do diff --git a/spec/models/concerns/protected_ref_access_spec.rb b/spec/models/concerns/protected_ref_access_spec.rb index f63ad958ed37ae4f199c8289f60da36c7f1d2413..94798f0590d7b8ad6190d0015a6a0a473efccca3 100644 --- a/spec/models/concerns/protected_ref_access_spec.rb +++ b/spec/models/concerns/protected_ref_access_spec.rb @@ -3,8 +3,6 @@ require 'spec_helper' describe ProtectedRefAccess do - include ExternalAuthorizationServiceHelpers - subject(:protected_ref_access) do create(:protected_branch, :maintainers_can_push).push_access_levels.first end @@ -31,15 +29,5 @@ describe ProtectedRefAccess do expect(protected_ref_access.check_access(developer)).to be_falsy end - - context 'external authorization' do - it 'is false if external authorization denies access' do - maintainer = create(:user) - project.add_maintainer(maintainer) - external_service_deny_access(maintainer, project) - - expect(protected_ref_access.check_access(maintainer)).to be_falsey - end - end end end diff --git a/spec/models/issue_spec.rb b/spec/models/issue_spec.rb index 0cd69cb4817e8716fe764fde06a190abaefa35cd..892dd053e398105de8b0041c9b9f87a88fe32f87 100644 --- a/spec/models/issue_spec.rb +++ b/spec/models/issue_spec.rb @@ -3,8 +3,6 @@ require 'spec_helper' describe Issue do - include ExternalAuthorizationServiceHelpers - describe "Associations" do it { is_expected.to belong_to(:milestone) } it { is_expected.to have_many(:assignees) } 
@@ -781,47 +779,4 @@ describe Issue do it_behaves_like 'throttled touch' do subject { create(:issue, updated_at: 1.hour.ago) } end - - context 'when an external authentication service' do - before do - enable_external_authorization_service_check - end - - describe '#visible_to_user?' do - it 'is `false` when an external authorization service is enabled' do - issue = build(:issue, project: build(:project, :public)) - - expect(issue).not_to be_visible_to_user - end - - it 'checks the external service to determine if an issue is readable by a user' do - project = build(:project, :public, - external_authorization_classification_label: 'a-label') - issue = build(:issue, project: project) - user = build(:user) - - expect(::Gitlab::ExternalAuthorization).to receive(:access_allowed?).with(user, 'a-label') { false } - expect(issue.visible_to_user?(user)).to be_falsy - end - - it 'does not check the external service if a user does not have access to the project' do - project = build(:project, :private, - external_authorization_classification_label: 'a-label') - issue = build(:issue, project: project) - user = build(:user) - - expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?) - expect(issue.visible_to_user?(user)).to be_falsy - end - - it 'does not check the external webservice for admins' do - issue = build(:issue) - user = build(:admin) - - expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?) - - issue.visible_to_user?(user) - end - end - end end diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb index 7222580e11545c28e3202d2521abd5c4fb49157c..5eb31430ccd5f5b0c1f1852e626833b0f84ff226 100644 --- a/spec/models/project_spec.rb +++ b/spec/models/project_spec.rb @@ -5,7 +5,6 @@ require 'spec_helper' describe Project do include ProjectForksHelper include GitHelpers - include ExternalAuthorizationServiceHelpers it_behaves_like 'having unique enum values' 
@@ -4418,25 +4417,6 @@ describe Project do end end - describe '#external_authorization_classification_label' do - it 'falls back to the default when none is configured' do - enable_external_authorization_service_check - - expect(build(:project).external_authorization_classification_label) - .to eq('default_label') - end - - it 'returns the classification label if it was configured on the project' do - enable_external_authorization_service_check - - project = build(:project, - external_authorization_classification_label: 'hello') - - expect(project.external_authorization_classification_label) - .to eq('hello') - end - end - describe "#pages_https_only?" do subject { build(:project) } diff --git a/spec/policies/base_policy_spec.rb b/spec/policies/base_policy_spec.rb index 09be831dcd533b5bca7f3ff800cab7fc4b5f10ce..c03d95b34db1ee10e50883875288734581a9d541 100644 --- a/spec/policies/base_policy_spec.rb +++ b/spec/policies/base_policy_spec.rb @@ -1,8 +1,6 @@ require 'spec_helper' describe BasePolicy do - include ExternalAuthorizationServiceHelpers - describe '.class_for' do it 'detects policy class based on the subject ancestors' do expect(DeclarativePolicy.class_for(GenericCommitStatus.new)).to eq(CommitStatusPolicy) @@ -18,25 +16,4 @@ describe BasePolicy do expect(DeclarativePolicy.class_for(:global)).to eq(GlobalPolicy) end end - - describe 'read cross project' do - let(:current_user) { create(:user) } - let(:user) { create(:user) } - - subject { described_class.new(current_user, [user]) } - - it { is_expected.to be_allowed(:read_cross_project) } - - context 'when an external authorization service is enabled' do - before do - enable_external_authorization_service_check - end - - it { is_expected.not_to be_allowed(:read_cross_project) } - - it 'allows admins' do - expect(described_class.new(build(:admin), nil)).to be_allowed(:read_cross_project) - end - end - end end 
diff --git a/spec/policies/issue_policy_spec.rb b/spec/policies/issue_policy_spec.rb index b149dbcf871f875fc9c85821c60e81608c505ffc..008d118b5578cb0f678f297fd16539a4e10e17b5 100644 --- a/spec/policies/issue_policy_spec.rb +++ b/spec/policies/issue_policy_spec.rb @@ -1,8 +1,6 @@ require 'spec_helper' describe IssuePolicy do - include ExternalAuthorizationServiceHelpers - let(:guest) { create(:user) } let(:author) { create(:user) } let(:assignee) { create(:user) } @@ -206,21 +204,4 @@ describe IssuePolicy do end end end - - context 'with external authorization enabled' do - let(:user) { create(:user) } - let(:project) { create(:project, :public) } - let(:issue) { create(:issue, project: project) } - let(:policies) { described_class.new(user, issue) } - - before do - enable_external_authorization_service_check - end - - it 'can read the issue iid without accessing the external service' do - expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?) - - expect(policies).to be_allowed(:read_issue_iid) - end - end end diff --git a/spec/policies/merge_request_policy_spec.rb b/spec/policies/merge_request_policy_spec.rb index 81279225d619b2c2595b93af68e78e062d8c103d..1efa70addc2b195bc1a82faca2930d4d9fd7b116 100644 --- a/spec/policies/merge_request_policy_spec.rb +++ b/spec/policies/merge_request_policy_spec.rb @@ -1,8 +1,6 @@ require 'spec_helper' describe MergeRequestPolicy do - include ExternalAuthorizationServiceHelpers - let(:guest) { create(:user) } let(:author) { create(:user) } let(:developer) { create(:user) } 
@@ -49,21 +47,4 @@ describe MergeRequestPolicy do expect(permissions(guest, merge_request_locked)).to be_disallowed(:reopen_merge_request) end end - - context 'with external authorization enabled' do - let(:user) { create(:user) } - let(:project) { create(:project, :public) } - let(:merge_request) { create(:merge_request, source_project: project) } - let(:policies) { described_class.new(user, merge_request) } - - before do - enable_external_authorization_service_check - end - - it 'can read the issue iid without accessing the external service' do - expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?) - - expect(policies).to be_allowed(:read_merge_request_iid) - end - end end diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index 42f8bf3137b21ed53eb89ace16ec62cba781bdf0..125ed818bc6893d2acb80f2a50025be7d3a8304d 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -1,7 +1,6 @@ require 'spec_helper' describe ProjectPolicy do - include ExternalAuthorizationServiceHelpers include_context 'ProjectPolicy context' set(:guest) { create(:user) } set(:reporter) { create(:user) } 
@@ -293,56 +292,4 @@ describe ProjectPolicy do projects: [clusterable]) end end - - context 'reading a project' do - it 'allows access when a user has read access to the repo' do - expect(described_class.new(owner, project)).to be_allowed(:read_project) - expect(described_class.new(developer, project)).to be_allowed(:read_project) - expect(described_class.new(admin, project)).to be_allowed(:read_project) - end - - it 'never checks the external service' do - expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?) - - expect(described_class.new(owner, project)).to be_allowed(:read_project) - end - - context 'with an external authorization service' do - before do - enable_external_authorization_service_check - end - - it 'allows access when the external service allows it' do - external_service_allow_access(owner, project) - external_service_allow_access(developer, project) - - expect(described_class.new(owner, project)).to be_allowed(:read_project) - expect(described_class.new(developer, project)).to be_allowed(:read_project) - end - - it 'does not check the external service for admins and allows access' do - expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?) 
- - expect(described_class.new(admin, project)).to be_allowed(:read_project) - end - - it 'prevents all but seeing a public project in a list when access is denied' do - [developer, owner, build(:user), nil].each do |user| - external_service_deny_access(user, project) - policy = described_class.new(user, project) - - expect(policy).not_to be_allowed(:read_project) - expect(policy).not_to be_allowed(:owner_access) - expect(policy).not_to be_allowed(:change_namespace) - end - end - - it 'passes the full path to external authorization for logging purposes' do - expect(::Gitlab::ExternalAuthorization) - .to receive(:access_allowed?).with(owner, 'default_label', project.full_path).and_call_original - - described_class.new(owner, project).allowed?(:read_project) - end - end - end end diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb index 352ea448c00610b3efa0465da306cea7d4101de4..2bfb17d9c9a504f6a376f9955a95b35c3a71b0f7 100644 --- a/spec/requests/api/projects_spec.rb +++ b/spec/requests/api/projects_spec.rb @@ -46,8 +46,6 @@ shared_examples 'languages and percentages JSON response' do end describe API::Projects do - include ExternalAuthorizationServiceHelpers - let(:user) { create(:user) } let(:user2) { create(:user) } let(:user3) { create(:user) } 
@@ -1338,39 +1336,6 @@ describe API::Projects do
 end
 end
 end
-
- context 'with external authorization' do
- let(:project) do
- create(:project,
- namespace: user.namespace,
- external_authorization_classification_label: 'the-label')
- end
-
- context 'when the user has access to the project' do
- before do
- external_service_allow_access(user, project)
- end
-
- it 'includes the label in the response' do
- get api("/projects/#{project.id}", user)
-
- expect(response).to have_gitlab_http_status(200)
- expect(json_response['external_authorization_classification_label']).to eq('the-label')
- end
- end
-
- context 'when the external service denies access' do
- before do
- external_service_deny_access(user, project)
- end
-
- it 'returns a 404' do
- get api("/projects/#{project.id}", user)
-
- expect(response).to have_gitlab_http_status(404)
- end
- end
- end
 end
 
 describe 'GET /projects/:id/users' do
@@ -1925,20 +1890,6 @@ describe API::Projects do
 expect(response).to have_gitlab_http_status(403)
 end
 end
-
- context 'when updating external classification' do
- before do
- enable_external_authorization_service_check
- end
-
- it 'updates the classification label' do
- put(api("/projects/#{project.id}", user), params: { external_authorization_classification_label: 'new label' })
-
- expect(response).to have_gitlab_http_status(200)
-
- expect(project.reload.external_authorization_classification_label).to eq('new label')
- end
- end
 end
 
 describe 'POST /projects/:id/archive' do
diff --git a/spec/requests/api/settings_spec.rb b/spec/requests/api/settings_spec.rb
index 2d6b2d5da23a9cdabc29a6b08f9d2973b142911c..f33eb5b9e0208401d457a7d7940724e527ed1611 100644
--- a/spec/requests/api/settings_spec.rb
+++ b/spec/requests/api/settings_spec.rb
@@ -114,39 +114,6 @@ describe API::Settings, 'Settings' do
 expect(json_response['performance_bar_allowed_group_id']).to be_nil
 end
 
- context 'external policy classification settings' do
- let(:settings) do
- {
- external_authorization_service_enabled: true,
- external_authorization_service_url: 'https://custom.service/',
- external_authorization_service_default_label: 'default',
- external_authorization_service_timeout: 9.99,
- external_auth_client_cert: File.read('spec/fixtures/passphrase_x509_certificate.crt'),
- external_auth_client_key: File.read('spec/fixtures/passphrase_x509_certificate_pk.key'),
- external_auth_client_key_pass: "5iveL!fe"
- }
- end
- let(:attribute_names) { settings.keys.map(&:to_s) }
-
- it 'includes the attributes in the API' do
- get api("/application/settings", admin)
-
- expect(response).to have_gitlab_http_status(200)
- attribute_names.each do |attribute|
- expect(json_response.keys).to include(attribute)
- end
- end
-
- it 'allows updating the settings' do
- put api("/application/settings", admin), params: settings
-
- expect(response).to have_gitlab_http_status(200)
- settings.each do |attribute, value|
- expect(ApplicationSetting.current.public_send(attribute)).to eq(value)
- end
- end
- end
-
 context "missing plantuml_url value when plantuml_enabled is true" do
 it "returns a blank parameter error message" do
 put api("/application/settings", admin), params: { plantuml_enabled: true }
diff --git a/spec/serializers/group_child_entity_spec.rb b/spec/serializers/group_child_entity_spec.rb
index b58d95ccb43917e0cb9016e93854221461f6debe..d02b4c554b1c6bc57f77737dc674b14759a77ef9 100644
--- a/spec/serializers/group_child_entity_spec.rb
+++ b/spec/serializers/group_child_entity_spec.rb
@@ -1,7 +1,6 @@
 require 'spec_helper'
 
 describe GroupChildEntity do
- include ExternalAuthorizationServiceHelpers
 include Gitlab::Routing.url_helpers
 
 let(:user) { create(:user) }
@@ -110,22 +109,4 @@ describe GroupChildEntity do
 
 it_behaves_like 'group child json'
 end
-
- describe 'for a project with external authorization enabled' do
- let(:object) do
- create(:project, :with_avatar,
- description: 'Awesomeness')
- end
-
- before do
- enable_external_authorization_service_check
- object.add_maintainer(user)
- end
-
- it 'does not hit the external authorization service' do
- expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?)
-
- expect(json[:can_edit]).to eq(false)
- end
- end
 end
diff --git a/spec/services/application_settings/update_service_spec.rb b/spec/services/application_settings/update_service_spec.rb
index 258e5635113408ee41d20b9efbd02d407a274857..a4a733eff77dd4f594acb90cfd58a36a398bf470 100644
--- a/spec/services/application_settings/update_service_spec.rb
+++ b/spec/services/application_settings/update_service_spec.rb
@@ -1,8 +1,6 @@
 require 'spec_helper'
 
 describe ApplicationSettings::UpdateService do
- include ExternalAuthorizationServiceHelpers
-
 let(:application_settings) { create(:application_setting) }
 let(:admin) { create(:user, :admin) }
 let(:params) { {} }
@@ -145,37 +143,4 @@ describe ApplicationSettings::UpdateService do
 end
 end
 end
-
- context 'when external authorization is enabled' do
- before do
- enable_external_authorization_service_check
- end
-
- it 'does not save the settings with an error if the service denies access' do
- expect(::Gitlab::ExternalAuthorization)
- .to receive(:access_allowed?).with(admin, 'new-label') { false }
-
- described_class.new(application_settings, admin, { external_authorization_service_default_label: 'new-label' }).execute
-
- expect(application_settings.errors[:external_authorization_service_default_label]).to be_present
- end
-
- it 'saves the setting when the user has access to the label' do
- expect(::Gitlab::ExternalAuthorization)
- .to receive(:access_allowed?).with(admin, 'new-label') { true }
-
- described_class.new(application_settings, admin, { external_authorization_service_default_label: 'new-label' }).execute
-
- # Read the attribute directly to avoid the stub from
- # `enable_external_authorization_service_check`
- expect(application_settings[:external_authorization_service_default_label]).to eq('new-label')
- end
-
- it 'does not validate the label if it was not passed' do
- expect(::Gitlab::ExternalAuthorization)
- .not_to receive(:access_allowed?)
-
- described_class.new(application_settings, admin, { home_page_url: 'http://foo.bar' }).execute
- end
- end
 end
diff --git a/spec/services/notification_service_spec.rb b/spec/services/notification_service_spec.rb
index 794a4b4ccd3acaa1e86c2dbec3af32a9f182eed7..9ba4a11104a6e5850ed67a9c5a0f39f3769f9445 100644
--- a/spec/services/notification_service_spec.rb
+++ b/spec/services/notification_service_spec.rb
@@ -2,7 +2,6 @@ require 'spec_helper'
 
 describe NotificationService, :mailer do
 include EmailSpec::Matchers
- include ExternalAuthorizationServiceHelpers
 include NotificationHelpers
 
 let(:notification) { described_class.new }
@@ -2218,46 +2217,6 @@ describe NotificationService, :mailer do
 end
 end
 
- context 'with external authorization service' do
- let(:issue) { create(:issue) }
- let(:project) { issue.project }
- let(:note) { create(:note, noteable: issue, project: project) }
- let(:member) { create(:user) }
-
- subject { NotificationService.new }
-
- before do
- project.add_maintainer(member)
- member.global_notification_setting.update!(level: :watch)
- end
-
- it 'sends email when the service is not enabled' do
- expect(Notify).to receive(:new_issue_email).at_least(:once).with(member.id, issue.id, nil).and_call_original
-
- subject.new_issue(issue, member)
- end
-
- context 'when the service is enabled' do
- before do
- enable_external_authorization_service_check
- end
-
- it 'does not send an email' do
- expect(Notify).not_to receive(:new_issue_email)
-
- subject.new_issue(issue, member)
- end
-
- it 'still delivers email to admins' do
- member.update!(admin: true)
-
- expect(Notify).to receive(:new_issue_email).at_least(:once).with(member.id, issue.id, nil).and_call_original
-
- subject.new_issue(issue, member)
- end
- end
- end
-
 def build_team(project)
 @u_watcher = create_global_setting_for(create(:user), :watch)
 @u_participating = create_global_setting_for(create(:user), :participating)
diff --git a/spec/services/projects/create_service_spec.rb b/spec/services/projects/create_service_spec.rb
index e1ec932918e0154b0ca6d1eecb49dde98450ecae..e8418b09dc2302d506bf5a925edb5886c41508a7 100644
--- a/spec/services/projects/create_service_spec.rb
+++ b/spec/services/projects/create_service_spec.rb
@@ -1,7 +1,6 @@
 require 'spec_helper'
 
 describe Projects::CreateService, '#execute' do
- include ExternalAuthorizationServiceHelpers
 include GitHelpers
 
 let(:gitlab_shell) { Gitlab::Shell.new }
@@ -345,42 +344,6 @@ describe Projects::CreateService, '#execute' do
 expect(rugged.config['gitlab.fullpath']).to eq project.full_path
 end
 
- context 'with external authorization enabled' do
- before do
- enable_external_authorization_service_check
- end
-
- it 'does not save the project with an error if the service denies access' do
- expect(::Gitlab::ExternalAuthorization)
- .to receive(:access_allowed?).with(user, 'new-label', any_args) { false }
-
- project = create_project(user, opts.merge({ external_authorization_classification_label: 'new-label' }))
-
- expect(project.errors[:external_authorization_classification_label]).to be_present
- expect(project).not_to be_persisted
- end
-
- it 'saves the project when the user has access to the label' do
- expect(::Gitlab::ExternalAuthorization)
- .to receive(:access_allowed?).with(user, 'new-label', any_args) { true }
-
- project = create_project(user, opts.merge({ external_authorization_classification_label: 'new-label' }))
-
- expect(project).to be_persisted
- expect(project.external_authorization_classification_label).to eq('new-label')
- end
-
- it 'does not save the project when the user has no access to the default label and no label is provided' do
- expect(::Gitlab::ExternalAuthorization)
- .to receive(:access_allowed?).with(user, 'default_label', any_args) { false }
-
- project = create_project(user, opts)
-
- expect(project.errors[:external_authorization_classification_label]).to be_present
- expect(project).not_to be_persisted
- end
- end
-
 def create_project(user, opts)
 Projects::CreateService.new(user, opts).execute
 end
diff --git a/spec/services/projects/update_service_spec.rb b/spec/services/projects/update_service_spec.rb
index 95eb17b5e3a7a8abba259d870463c25bdf4a0699..90eaea9c87286bff430e618fa04575627f2d0455 100644
--- a/spec/services/projects/update_service_spec.rb
+++ b/spec/services/projects/update_service_spec.rb
@@ -1,7 +1,6 @@
 require 'spec_helper'
 
 describe Projects::UpdateService do
- include ExternalAuthorizationServiceHelpers
 include ProjectForksHelper
 
 let(:user) { create(:user) }
@@ -362,46 +361,6 @@ describe Projects::UpdateService do
 call_service
 end
 end
-
- context 'with external authorization enabled' do
- before do
- enable_external_authorization_service_check
- end
-
- it 'does not save the project with an error if the service denies access' do
- expect(::Gitlab::ExternalAuthorization)
- .to receive(:access_allowed?).with(user, 'new-label') { false }
-
- result = update_project(project, user, { external_authorization_classification_label: 'new-label' })
-
- expect(result[:message]).to be_present
- expect(result[:status]).to eq(:error)
- end
-
- it 'saves the new label if the service allows access' do
- expect(::Gitlab::ExternalAuthorization)
- .to receive(:access_allowed?).with(user, 'new-label') { true }
-
- result = update_project(project, user, { external_authorization_classification_label: 'new-label' })
-
- expect(result[:status]).to eq(:success)
- expect(project.reload.external_authorization_classification_label).to eq('new-label')
- end
-
- it 'checks the default label when the classification label was cleared' do
- expect(::Gitlab::ExternalAuthorization)
- .to receive(:access_allowed?).with(user, 'default_label') { true }
-
- update_project(project, user, { external_authorization_classification_label: '' })
- end
-
- it 'does not check the label when it does not change' do
- expect(::Gitlab::ExternalAuthorization)
- .not_to receive(:access_allowed?)
-
- update_project(project, user, { name: 'New name' })
- end
- end
 end
 
 describe '#run_auto_devops_pipeline?' do
diff --git a/spec/support/external_authorization_service_helpers.rb b/spec/support/external_authorization_service_helpers.rb
deleted file mode 100644
index 79dd9a3d58e97091df153d872f1c41bcac7cf600..0000000000000000000000000000000000000000
--- a/spec/support/external_authorization_service_helpers.rb
+++ /dev/null
@@ -1,33 +0,0 @@
-module ExternalAuthorizationServiceHelpers
- def enable_external_authorization_service_check
- stub_application_setting(external_authorization_service_enabled: true)
-
- stub_application_setting(external_authorization_service_url: 'https://authorize.me')
- stub_application_setting(external_authorization_service_default_label: 'default_label')
- stub_request(:post, "https://authorize.me").to_return(status: 200)
- end
-
- def external_service_set_access(allowed, user, project)
- enable_external_authorization_service_check
- classification_label = ::Gitlab::CurrentSettings.current_application_settings
- .external_authorization_service_default_label
-
- # Reload the project so cached licensed features are reloaded
- if project
- classification_label = Project.find(project.id).external_authorization_classification_label
- end
-
- allow(::Gitlab::ExternalAuthorization)
- .to receive(:access_allowed?)
- .with(user, classification_label, any_args)
- .and_return(allowed)
- end
-
- def external_service_allow_access(user, project = nil)
- external_service_set_access(true, user, project)
- end
-
- def external_service_deny_access(user, project = nil)
- external_service_set_access(false, user, project)
- end
-end
diff --git a/spec/support/shared_examples/controllers/external_authorization_service_shared_examples.rb b/spec/support/shared_examples/controllers/external_authorization_service_shared_examples.rb
deleted file mode 100644
index 8dd78fd0a256aab274403081c1e397585b17c9bd..0000000000000000000000000000000000000000
--- a/spec/support/shared_examples/controllers/external_authorization_service_shared_examples.rb
+++ /dev/null
@@ -1,40 +0,0 @@
-require 'spec_helper'
-
-shared_examples 'disabled when using an external authorization service' do
- include ExternalAuthorizationServiceHelpers
-
- it 'works when the feature is not enabled' do
- subject
-
- expect(response).to be_success
- end
-
- it 'renders a 404 with a message when the feature is enabled' do
- enable_external_authorization_service_check
-
- subject
-
- expect(response).to have_gitlab_http_status(403)
- end
-end
-
-shared_examples 'unauthorized when external service denies access' do
- include ExternalAuthorizationServiceHelpers
-
- it 'allows access when the authorization service allows it' do
- external_service_allow_access(user, project)
-
- subject
-
- # Account for redirects after updates
- expect(response.status).to be_between(200, 302)
- end
-
- it 'allows access when the authorization service denies it' do
- external_service_deny_access(user, project)
-
- subject
-
- expect(response).to have_gitlab_http_status(403)
- end
-end
diff --git a/spec/support/shared_examples/finders/finder_with_external_authorization_enabled.rb b/spec/support/shared_examples/finders/finder_with_external_authorization_enabled.rb
deleted file mode 100644
index d7e17cc0b7008a4faec511abd2391456ed315b76..0000000000000000000000000000000000000000
--- a/spec/support/shared_examples/finders/finder_with_external_authorization_enabled.rb
+++ /dev/null
@@ -1,30 +0,0 @@
-require 'spec_helper'
-
-shared_examples 'a finder with external authorization service' do
- include ExternalAuthorizationServiceHelpers
-
- let(:user) { create(:user) }
- let(:project) { create(:project) }
-
- before do
- project.add_maintainer(user)
- end
-
- it 'finds the subject' do
- expect(described_class.new(user).execute).to include(subject)
- end
-
- context 'with an external authorization service' do
- before do
- enable_external_authorization_service_check
- end
-
- it 'does not include the subject when no project was given' do
- expect(described_class.new(user).execute).not_to include(subject)
- end
-
- it 'includes the subject when a project id was given' do
- expect(described_class.new(user, project_params).execute).to include(subject)
- end
- end
-end
diff --git a/spec/validators/x509_certificate_credentials_validator_spec.rb b/spec/validators/x509_certificate_credentials_validator_spec.rb
deleted file mode 100644
index 24ef68c1fab8e5a6a58070e9814ae3ca609332b3..0000000000000000000000000000000000000000
--- a/spec/validators/x509_certificate_credentials_validator_spec.rb
+++ /dev/null
@@ -1,87 +0,0 @@
-require 'spec_helper'
-
-describe X509CertificateCredentialsValidator do
- let(:certificate_data) { File.read('spec/fixtures/x509_certificate.crt') }
- let(:pkey_data) { File.read('spec/fixtures/x509_certificate_pk.key') }
-
- let(:validatable) do
- Class.new do
- include ActiveModel::Validations
-
- attr_accessor :certificate, :private_key, :passphrase
-
- def initialize(certificate, private_key, passphrase = nil)
- @certificate, @private_key, @passphrase = certificate, private_key, passphrase
- end
- end
- end
-
- subject(:validator) do
- described_class.new(certificate: :certificate, pkey: :private_key)
- end
-
- it 'is not valid when the certificate is not valid' do
- record = validatable.new('not a certificate', nil)
-
- validator.validate(record)
-
- expect(record.errors[:certificate]).to include('is not a valid X509 certificate.')
- end
-
- it 'is not valid without a certificate' do
- record = validatable.new(nil, nil)
-
- validator.validate(record)
-
- expect(record.errors[:certificate]).not_to be_empty
- end
-
- context 'when a valid certificate is passed' do
- let(:record) { validatable.new(certificate_data, nil) }
-
- it 'does not track an error for the certificate' do
- validator.validate(record)
-
- expect(record.errors[:certificate]).to be_empty
- end
-
- it 'adds an error when not passing a correct private key' do
- validator.validate(record)
-
- expect(record.errors[:private_key]).to include('could not read private key, is the passphrase correct?')
- end
-
- it 'has no error when the private key is correct' do
- record.private_key = pkey_data
-
- validator.validate(record)
-
- expect(record.errors).to be_empty
- end
- end
-
- context 'when using a passphrase' do
- let(:passphrase_certificate_data) { File.read('spec/fixtures/passphrase_x509_certificate.crt') }
- let(:passphrase_pkey_data) { File.read('spec/fixtures/passphrase_x509_certificate_pk.key') }
-
- let(:record) { validatable.new(passphrase_certificate_data, passphrase_pkey_data, '5iveL!fe') }
-
- subject(:validator) do
- described_class.new(certificate: :certificate, pkey: :private_key, pass: :passphrase)
- end
-
- it 'is valid with the correct data' do
- validator.validate(record)
-
- expect(record.errors).to be_empty
- end
-
- it 'adds an error when the passphrase is wrong' do
- record.passphrase = 'wrong'
-
- validator.validate(record)
-
- expect(record.errors[:private_key]).not_to be_empty
- end
- end
-end