Merge branch '213924-insights-embeddable' into 'master'

Add endpoint for embeddable insights See merge request gitlab-org/gitlab!35535

Merge branch '213924-insights-embeddable' into 'master'
Add endpoint for embeddable insights See merge request gitlab-org/gitlab!35535
35181b11 · Michael Kozono · ade13005 · 0935dfb5 · 35181b11 · 35181b11
Commit 35181b11 authored Jul 07, 2020 by Michael Kozono
11 changed files
--- a/ee/app/controllers/concerns/insights_actions.rb
+++ b/ee/app/controllers/concerns/insights_actions.rb
@@ -3,6 +3,20 @@
 module InsightsActions
  extend ActiveSupport::Concern

+  module Embeddable
+    extend ActiveSupport::Concern
+    def embedded
+      response.set_header('X-Frame-Options', 'SAMEORIGIN')
+
+      return render_404 unless Feature.enabled?(:embed_analytics_report, insights_entity)
+      return render_404 unless can?(current_user, :embed_analytics_report, insights_entity)
+
+      render :embedded, layout: false
+    end
+  end
+
+  include Embeddable
+
  included do
    before_action :check_insights_available!
    before_action :validate_params, only: [:query]

--- a/ee/app/policies/ee/group_policy.rb
+++ b/ee/app/policies/ee/group_policy.rb
@@ -251,6 +251,8 @@ module EE
      rule { can?(:maintainer_access) & push_rules_available }.enable :change_push_rules

      rule { admin & is_gitlab_com }.enable :update_subscription_limit
+
+      rule { public_group }.enable :embed_analytics_report
    end

    override :lookup_access_level!

--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -423,6 +423,8 @@ module EE

      rule { status_page_available & can?(:owner_access) }.enable :mark_issue_for_publication
      rule { status_page_available & can?(:developer_access) }.enable :publish_status_page
+
+      rule { public_project }.enable :embed_analytics_report
    end

    override :lookup_access_level!

--- a/ee/app/views/groups/insights/embedded.html.haml
+++ b/ee/app/views/groups/insights/embedded.html.haml
+- @no_container = true
+
+= render('shared/insights', endpoint: group_insights_path(@group, format: :json), query_endpoint: query_group_insights_path(@group))
--- a/ee/app/views/projects/insights/embedded.html.haml
+++ b/ee/app/views/projects/insights/embedded.html.haml
+- @no_container = true
+
+= render('shared/insights', endpoint: namespace_project_insights_path(@project.namespace, @project, format: :json), query_endpoint: query_namespace_project_insights_path(@project.namespace, @project), notice: project_insights_config.notice_text)
--- a/ee/config/routes/group.rb
+++ b/ee/config/routes/group.rb
@@ -61,6 +61,7 @@ constraints(::Constraints::GroupUrlConstrainer.new) do
    resource :insights, only: [:show], trailing_slash: true do
      collection do
        post :query
+        get :embedded
      end
    end


--- a/ee/config/routes/project.rb
+++ b/ee/config/routes/project.rb
@@ -129,6 +129,7 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
      resource :insights, only: [:show], trailing_slash: true do
        collection do
          post :query
+          get :embedded
        end
      end
      # All new routes should go under /-/ scope.

--- a/ee/spec/controllers/groups/insights_controller_spec.rb
+++ b/ee/spec/controllers/groups/insights_controller_spec.rb
@@ -145,5 +145,47 @@ RSpec.describe Groups::InsightsController do
        it_behaves_like '200 status'
      end
    end
+
+    describe 'GET #embedded' do
+      subject { get :embedded, params: params.merge(group_id: parent_group.to_param) }
+
+      shared_examples 'has iframe options set' do
+        it 'sets SAMEORIGIN frame option' do
+          subject
+
+          expect(response.headers['X-Frame-Options']).to eq 'SAMEORIGIN'
+        end
+      end
+
+      context 'when feature is disabled' do
+        before do
+          stub_feature_flags(embed_analytics_report: false)
+        end
+
+        it_behaves_like '404 status'
+        include_examples 'has iframe options set'
+      end
+
+      context 'when project is public' do
+        let_it_be(:parent_group) { create(:group, :public) }
+        let_it_be(:project) { create(:project, :public) }
+
+        it_behaves_like '200 status'
+        include_examples 'has iframe options set'
+      end
+
+      context 'when project is internal' do
+        let_it_be(:parent_group) { create(:group, :internal) }
+        let_it_be(:project) { create(:project, :internal) }
+
+        it_behaves_like '404 status'
+        include_examples 'has iframe options set'
+      end
+
+      context 'when project is private' do
+        it_behaves_like '404 status'
+        include_examples 'has iframe options set'
+      end
+    end
  end
 end
--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -1046,4 +1046,6 @@ RSpec.describe GroupPolicy do
  end

  it_behaves_like 'update namespace limit policy'
+
+  include_examples 'analytics report embedding'
 end
--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -1473,4 +1473,6 @@ RSpec.describe ProjectPolicy do
      it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) }
    end
  end
+
+  include_examples 'analytics report embedding'
 end
--- a/ee/spec/support/shared_examples/policies/analytics_report_embedding_shared_examples.rb
+++ b/ee/spec/support/shared_examples/policies/analytics_report_embedding_shared_examples.rb
+# frozen_string_literal: true
+
+RSpec.shared_examples 'analytics report embedding' do
+  let(:current_user) { nil }
+
+  context 'when subject is not public' do
+    before do
+      allow(subject.subject).to receive(:public?).and_return(false)
+    end
+
+    it { is_expected.to be_disallowed(:embed_analytics_report) }
+  end
+
+  context 'when subject is public' do
+    before do
+      allow(subject.subject).to receive(:public?).and_return(true)
+    end
+
+    it { is_expected.to be_allowed(:embed_analytics_report) }
+  end
+end