Commit 25907d0f authored by Kamil Trzciński's avatar Kamil Trzciński

Limit feature flags to EEP

parent 6e01d70d
...@@ -67,6 +67,7 @@ class License < ActiveRecord::Base ...@@ -67,6 +67,7 @@ class License < ActiveRecord::Base
custom_project_templates custom_project_templates
packages packages
code_owner_as_approver_suggestion code_owner_as_approver_suggestion
feature_flags
].freeze ].freeze
EEU_FEATURES = EEP_FEATURES + %i[ EEU_FEATURES = EEP_FEATURES + %i[
......
...@@ -65,6 +65,11 @@ module EE ...@@ -65,6 +65,11 @@ module EE
@subject.feature_available?(:license_management) @subject.feature_available?(:license_management)
end end
with_scope :subject
condition(:feature_flags_disabled) do
!@subject.feature_available?(:feature_flags)
end
rule { admin }.enable :change_repository_storage rule { admin }.enable :change_repository_storage
rule { support_bot }.enable :guest_access rule { support_bot }.enable :guest_access
...@@ -122,6 +127,10 @@ module EE ...@@ -122,6 +127,10 @@ module EE
prevent(*create_read_update_admin_destroy(:package)) prevent(*create_read_update_admin_destroy(:package))
end end
rule { feature_flags_disabled }.policy do
prevent(*create_read_update_admin_destroy(:feature_flag))
end
rule { can?(:maintainer_access) }.policy do rule { can?(:maintainer_access) }.policy do
enable :push_code_to_protected_branches enable :push_code_to_protected_branches
enable :admin_path_locks enable :admin_path_locks
......
...@@ -10,7 +10,8 @@ module API ...@@ -10,7 +10,8 @@ module API
end end
route_param :project_id do route_param :project_id do
before do before do
authenticate_by_unleash_instanceid! authorize_by_unleash_instanceid!
authorize_feature_flags_feature!
end end
get 'features' do get 'features' do
...@@ -39,10 +40,14 @@ module API ...@@ -39,10 +40,14 @@ module API
params[:instanceid] || env['HTTP_UNLEASH_INSTANCEID'] params[:instanceid] || env['HTTP_UNLEASH_INSTANCEID']
end end
def authenticate_by_unleash_instanceid! def authorize_by_unleash_instanceid!
unauthorized! unless Operations::FeatureFlagsClient unauthorized! unless Operations::FeatureFlagsClient
.find_for_project_and_token(project, unleash_instanceid) .find_for_project_and_token(project, unleash_instanceid)
end end
def authorize_feature_flags_feature!
forbidden! unless project.feature_available?(:feature_flags)
end
end end
end end
end end
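Review bot: The order of the two calls in the `before` block is security-relevant, and nothing in the new code documents it. Because `authorize_by_unleash_instanceid!` runs first, a caller without a valid instance id gets 401 and cannot use the 403 from `authorize_feature_flags_feature!` to learn whether the project has the licensed feature. A comment above the two calls, such as `# token check first, so the licence state is only revealed to a valid client`, would keep a later reorder from changing that silently. The renamed helper still answers with `unauthorized!`, so it authenticates the client rather than authorizing it, and the old `authenticate_` name described that more accurately.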
...@@ -5,11 +5,13 @@ describe Projects::FeatureFlagsController do ...@@ -5,11 +5,13 @@ describe Projects::FeatureFlagsController do
set(:user) { create(:user) } set(:user) { create(:user) }
set(:project) { create(:project) } set(:project) { create(:project) }
let(:feature_enabled) { true }
before do before do
project.add_developer(user) project.add_developer(user)
sign_in(user) sign_in(user)
stub_licensed_features(feature_flags: feature_enabled)
end end
describe 'GET index' do describe 'GET index' do
...@@ -44,6 +46,18 @@ describe Projects::FeatureFlagsController do ...@@ -44,6 +46,18 @@ describe Projects::FeatureFlagsController do
expect(response).to render_template('_new_feature_flag_button') expect(response).to render_template('_new_feature_flag_button')
end end
end end
context 'when feature is not available' do
let(:feature_enabled) { false }
before do
subject
end
it 'shows not found' do
expect(subject).to have_gitlab_http_status(404)
end
end
end end
describe 'GET new' do describe 'GET new' do
......
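Review bot: In the new 'when feature is not available' context the request is issued in a `before` block and `subject` is then asserted on again, which presumably works only because `subject` is memoized; the neighbouring example asserts on `response` instead. Dropping the `before` and writing `subject` followed by `expect(response).to have_gitlab_http_status(404)` would match the rest of the file. The context also sits under 'GET index' only, while the policy change prevents create, read, update, admin and destroy on `:feature_flag`. The 'GET new' block continues outside the hunk, so if the other actions have no equivalent example, a regression that leaves one of them reachable without the licence would go unnoticed.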
...@@ -3,9 +3,14 @@ require 'spec_helper' ...@@ -3,9 +3,14 @@ require 'spec_helper'
describe API::Unleash do describe API::Unleash do
set(:project) { create(:project) } set(:project) { create(:project) }
let(:project_id) { project.id } let(:project_id) { project.id }
let(:feature_enabled) { true }
let(:params) { } let(:params) { }
let(:headers) { } let(:headers) { }
before do
stub_licensed_features(feature_flags: feature_enabled)
end
shared_examples 'authenticated request' do shared_examples 'authenticated request' do
context 'when using instanceid' do context 'when using instanceid' do
let(:client) { create(:operations_feature_flags_client, project: project) } let(:client) { create(:operations_feature_flags_client, project: project) }
...@@ -16,6 +21,16 @@ describe API::Unleash do ...@@ -16,6 +21,16 @@ describe API::Unleash do
expect(response).to have_gitlab_http_status(200) expect(response).to have_gitlab_http_status(200)
end end
context 'when feature is not available' do
let(:feature_enabled) { false }
it 'responds with forbidden' do
subject
expect(response).to have_gitlab_http_status(403)
end
end
end end
context 'when using header' do context 'when using header' do
......
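Review bot: The 'responds with forbidden' example appears to be nested inside 'when using instanceid', so the licence check is only visibly exercised for the query-parameter path. The 'when using header' context is truncated here; if it has no matching example, the header path is untested with the feature disabled. Declaring the 'when feature is not available' context once at the level of the shared examples would cover both. A further example with an invalid instance id and `let(:feature_enabled) { false }`, expecting 401, would pin that a caller without a valid token never sees the 403.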