Merge branch 'disable-cert-based-cluster-api' into 'master'

Disable clusters API if :certificate_based_clusters is disabled See merge request gitlab-org/gitlab!81867

Merge branch 'disable-cert-based-cluster-api' into 'master'
Disable clusters API if :certificate_based_clusters is disabled See merge request gitlab-org/gitlab!81867
20b6f31d · Gabriel Mazetto · f3a5ca4b · 33c56fb6 · 20b6f31d · 20b6f31d
Commit 20b6f31d authored Mar 05, 2022 by Gabriel Mazetto
7 changed files
--- a/lib/api/admin/instance_clusters.rb
+++ b/lib/api/admin/instance_clusters.rb
@@ -9,6 +9,7 @@ module API
      before do
        authenticated_as_admin!
+        ensure_feature_enabled!
      end
      namespace 'admin' do
@@ -133,6 +134,10 @@ module API
        def update_cluster_params
          declared_params(include_missing: false).without(:cluster_id)
        end
+        def ensure_feature_enabled!
+          not_found! unless Feature.enabled?(:certificate_based_clusters, clusterable_instance, default_enabled: :yaml, type: :ops)
+        end
      end
    end
  end

--- a/lib/api/group_clusters.rb
+++ b/lib/api/group_clusters.rb
@@ -4,7 +4,10 @@ module API
  class GroupClusters < ::API::Base
    include PaginationParams
-    before { authenticate! }
+    before do
+      authenticate!
+      ensure_feature_enabled!
+    end
    feature_category :kubernetes_management
@@ -133,6 +136,10 @@ module API
      def update_cluster_params
        declared_params(include_missing: false).without(:cluster_id)
      end
+      def ensure_feature_enabled!
+        not_found! unless Feature.enabled?(:certificate_based_clusters, user_group, default_enabled: :yaml, type: :ops)
+      end
    end
  end
 end
--- a/lib/api/project_clusters.rb
+++ b/lib/api/project_clusters.rb
@@ -4,7 +4,10 @@ module API
  class ProjectClusters < ::API::Base
    include PaginationParams
-    before { authenticate! }
+    before do
+      authenticate!
+      ensure_feature_enabled!
+    end
    feature_category :kubernetes_management
@@ -138,6 +141,10 @@ module API
      def update_cluster_params
        declared_params(include_missing: false).without(:cluster_id)
      end
+      def ensure_feature_enabled!
+        not_found! unless Feature.enabled?(:certificate_based_clusters, user_project, default_enabled: :yaml, type: :ops)
+      end
    end
  end
 end
--- a/spec/requests/api/admin/instance_clusters_spec.rb
+++ b/spec/requests/api/admin/instance_clusters_spec.rb
@@ -21,6 +21,10 @@ RSpec.describe ::API::Admin::InstanceClusters do
      create_list(:cluster, 3, :provided_by_gcp, :instance, :production_environment)
    end
+    include_examples ':certificate_based_clusters feature flag API responses' do
+      let(:subject) { get api("/admin/clusters", admin_user) }
+    end
    context "when authenticated as a non-admin user" do
      it 'returns 403' do
        get api('/admin/clusters', regular_user)
@@ -62,6 +66,10 @@ RSpec.describe ::API::Admin::InstanceClusters do
    let(:cluster_id) { cluster.id }
+    include_examples ':certificate_based_clusters feature flag API responses' do
+      let(:subject) { get api("/admin/clusters/#{cluster_id}", admin_user) }
+    end
    context "when authenticated as admin" do
      before do
        get api("/admin/clusters/#{cluster_id}", admin_user)
@@ -188,6 +196,10 @@ RSpec.describe ::API::Admin::InstanceClusters do
      }
    end
+    include_examples ':certificate_based_clusters feature flag API responses' do
+      let(:subject) { post api('/admin/clusters/add', admin_user), params: cluster_params }
+    end
    context 'authorized user' do
      before do
        post api('/admin/clusters/add', admin_user), params: cluster_params
@@ -317,6 +329,10 @@ RSpec.describe ::API::Admin::InstanceClusters do
      create(:cluster, :instance, :provided_by_gcp, domain: 'old-domain.com')
    end
+    include_examples ':certificate_based_clusters feature flag API responses' do
+      let(:subject) { put api("/admin/clusters/#{cluster.id}", admin_user), params: update_params }
+    end
    context 'authorized user' do
      before do
        put api("/admin/clusters/#{cluster.id}", admin_user), params: update_params
@@ -448,6 +464,10 @@ RSpec.describe ::API::Admin::InstanceClusters do
      create(:cluster, :instance, :provided_by_gcp)
    end
+    include_examples ':certificate_based_clusters feature flag API responses' do
+      let(:subject) { delete api("/admin/clusters/#{cluster.id}", admin_user), params: cluster_params }
+    end
    context 'authorized user' do
      before do
        delete api("/admin/clusters/#{cluster.id}", admin_user), params: cluster_params

--- a/spec/requests/api/group_clusters_spec.rb
+++ b/spec/requests/api/group_clusters_spec.rb
@@ -22,6 +22,10 @@ RSpec.describe API::GroupClusters do
                  groups: [group])
    end
+    include_examples ':certificate_based_clusters feature flag API responses' do
+      let(:subject) { get api("/groups/#{group.id}/clusters", current_user) }
+    end
    context 'non-authorized user' do
      it 'responds with 403' do
        get api("/groups/#{group.id}/clusters", unauthorized_user)
@@ -66,6 +70,10 @@ RSpec.describe API::GroupClusters do
             groups: [group])
    end
+    include_examples ':certificate_based_clusters feature flag API responses' do
+      let(:subject) { get api("/groups/#{group.id}/clusters/#{cluster_id}", current_user) }
+    end
    context 'non-authorized user' do
      it 'responds with 403' do
        get api("/groups/#{group.id}/clusters/#{cluster_id}", unauthorized_user)
@@ -181,6 +189,10 @@ RSpec.describe API::GroupClusters do
      }
    end
+    include_examples ':certificate_based_clusters feature flag API responses' do
+      let(:subject) { post api("/groups/#{group.id}/clusters/user", current_user), params: cluster_params }
+    end
    context 'non-authorized user' do
      it 'responds with 403' do
        post api("/groups/#{group.id}/clusters/user", unauthorized_user), params: cluster_params
@@ -362,6 +374,10 @@ RSpec.describe API::GroupClusters do
             groups: [group], domain: 'old-domain.com')
    end
+    include_examples ':certificate_based_clusters feature flag API responses' do
+      let(:subject) { put api("/groups/#{group.id}/clusters/#{cluster.id}", current_user), params: update_params }
+    end
    context 'non-authorized user' do
      it 'responds with 403' do
        put api("/groups/#{group.id}/clusters/#{cluster.id}", unauthorized_user), params: update_params
@@ -503,6 +519,10 @@ RSpec.describe API::GroupClusters do
             groups: [group])
    end
+    include_examples ':certificate_based_clusters feature flag API responses' do
+      let(:subject) { delete api("/groups/#{group.id}/clusters/#{cluster.id}", current_user), params: cluster_params }
+    end
    context 'non-authorized user' do
      it 'responds with 403' do
        delete api("/groups/#{group.id}/clusters/#{cluster.id}", unauthorized_user), params: cluster_params

--- a/spec/requests/api/project_clusters_spec.rb
+++ b/spec/requests/api/project_clusters_spec.rb
@@ -24,6 +24,10 @@ RSpec.describe API::ProjectClusters do
                  projects: [project])
    end
+    include_examples ':certificate_based_clusters feature flag API responses' do
+      let(:subject) { get api("/projects/#{project.id}/clusters", developer_user) }
+    end
    context 'non-authorized user' do
      it 'responds with 403' do
        get api("/projects/#{project.id}/clusters", reporter_user)
@@ -67,6 +71,10 @@ RSpec.describe API::ProjectClusters do
             projects: [project])
    end
+    include_examples ':certificate_based_clusters feature flag API responses' do
+      let(:subject) { get api("/projects/#{project.id}/clusters/#{cluster_id}", developer_user) }
+    end
    context 'non-authorized user' do
      it 'responds with 403' do
        get api("/projects/#{project.id}/clusters/#{cluster_id}", reporter_user)
@@ -182,6 +190,10 @@ RSpec.describe API::ProjectClusters do
      }
    end
+    include_examples ':certificate_based_clusters feature flag API responses' do
+      let(:subject) { post api("/projects/#{project.id}/clusters/user", maintainer_user), params: cluster_params }
+    end
    context 'non-authorized user' do
      it 'responds with 403' do
        post api("/projects/#{project.id}/clusters/user", developer_user), params: cluster_params
@@ -361,6 +373,10 @@ RSpec.describe API::ProjectClusters do
             projects: [project])
    end
+    include_examples ':certificate_based_clusters feature flag API responses' do
+      let(:subject) { put api("/projects/#{project.id}/clusters/#{cluster.id}", maintainer_user), params: update_params }
+    end
    context 'non-authorized user' do
      it 'responds with 403' do
        put api("/projects/#{project.id}/clusters/#{cluster.id}", developer_user), params: update_params
@@ -493,6 +509,10 @@ RSpec.describe API::ProjectClusters do
             projects: [project])
    end
+    include_examples ':certificate_based_clusters feature flag API responses' do
+      let(:subject) { delete api("/projects/#{project.id}/clusters/#{cluster.id}", maintainer_user), params: cluster_params }
+    end
    context 'non-authorized user' do
      it 'responds with 403' do
        delete api("/projects/#{project.id}/clusters/#{cluster.id}", developer_user), params: cluster_params

--- a/spec/support/shared_examples/requests/clusters/certificate_based_clusters_feature_flag_shared_examples.rb
+++ b/spec/support/shared_examples/requests/clusters/certificate_based_clusters_feature_flag_shared_examples.rb
+# frozen_string_literal: true
+RSpec.shared_examples ':certificate_based_clusters feature flag API responses' do
+  context 'feature flag is disabled' do
+    before do
+      stub_feature_flags(certificate_based_clusters: false)
+    end
+    it 'responds with :not_found' do
+      subject
+      expect(response).to have_gitlab_http_status(:not_found)
+    end
+  end
+end