Merge branch 'issue_222856' into 'master'

RUN AS-IF-FOSS: Downgrade support bot code to core See merge request gitlab-org/gitlab!34883

Merge branch 'issue_222856' into 'master'
RUN AS-IF-FOSS: Downgrade support bot code to core See merge request gitlab-org/gitlab!34883
550c4c51 · Nick Thomas · d4103419 · 8b528426 · 550c4c51 · 550c4c51
Commit 550c4c51 authored Jun 22, 2020 by Nick Thomas
14 changed files
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -2414,6 +2414,11 @@ class Project < ApplicationRecord
    super || build_metrics_setting
  end

+  def service_desk_enabled
+    false
+  end
+  alias_method :service_desk_enabled?, :service_desk_enabled
+
  private

  def find_service(services, name)

--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -656,6 +656,15 @@ class User < ApplicationRecord
      end
    end

+    def support_bot
+      email_pattern = "support%s@#{Settings.gitlab.host}"
+
+      unique_internal(where(user_type: :support_bot), 'support-bot', email_pattern) do |u|
+        u.bio = 'The GitLab support bot used for Service Desk'
+        u.name = 'GitLab Support Bot'
+      end
+    end
+
    # Return true if there is only single non-internal user in the deployment,
    # ghost user is ignored.
    def single_user?

--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -21,6 +21,10 @@ class BasePolicy < DeclarativePolicy::Base
  with_options scope: :user, score: 0
  condition(:deactivated) { @user&.deactivated? }

+  desc "User is support bot"
+  with_options scope: :user, score: 0
+  condition(:support_bot) { @user&.support_bot? }
+
  desc "User email is unconfirmed or user account is locked"
  with_options scope: :user, score: 0
  condition(:inactive) do

--- a/app/policies/concerns/policy_actor.rb
+++ b/app/policies/concerns/policy_actor.rb
@@ -45,6 +45,10 @@ module PolicyActor
    false
  end

+  def support_bot?
+    false
+  end
+
  def deactivated?
    false
  end

--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -123,6 +123,9 @@ class ProjectPolicy < BasePolicy
    !@subject.design_management_enabled?
  end

+  with_scope :subject
+  condition(:service_desk_enabled) { @subject.service_desk_enabled? }
+
  # We aren't checking `:read_issue` or `:read_merge_request` in this case
  # because it could be possible for a user to see an issuable-iid
  # (`:read_issue_iid` or `:read_merge_request_iid`) but then wouldn't be
@@ -578,6 +581,12 @@ class ProjectPolicy < BasePolicy
    enable :read_build_report_results
  end

+  rule { support_bot }.enable :guest_access
+  rule { support_bot & ~service_desk_enabled }.policy do
+    prevent :create_note
+    prevent :read_project
+  end
+
  private

  def team_member?
@@ -626,6 +635,7 @@ class ProjectPolicy < BasePolicy

  def lookup_access_level!
    return ::Gitlab::Access::REPORTER if alert_bot?
+    return ::Gitlab::Access::REPORTER if support_bot? && service_desk_enabled?

    # NOTE: max_member_access has its own cache
    project.team.max_member_access(@user.id)

--- a/ee/app/models/ee/project.rb
+++ b/ee/app/models/ee/project.rb
@@ -333,8 +333,9 @@ module EE
        feature_available?(:github_project_service_integration)
    end

+    override :service_desk_enabled
    def service_desk_enabled
-      ::EE::Gitlab::ServiceDesk.enabled?(project: self) && super
+      ::EE::Gitlab::ServiceDesk.enabled?(project: self) && self[:service_desk_enabled]
    end
    alias_method :service_desk_enabled?, :service_desk_enabled


--- a/ee/app/models/ee/user.rb
+++ b/ee/app/models/ee/user.rb
@@ -95,15 +95,6 @@ module EE
    class_methods do
      extend ::Gitlab::Utils::Override

-      def support_bot
-        email_pattern = "support%s@#{Settings.gitlab.host}"
-
-        unique_internal(where(user_type: :support_bot), 'support-bot', email_pattern) do |u|
-          u.bio = 'The GitLab support bot used for Service Desk'
-          u.name = 'GitLab Support Bot'
-        end
-      end
-
      def visual_review_bot
        email_pattern = "visual_review%s@#{Settings.gitlab.host}"


--- a/ee/app/policies/ee/base_policy.rb
+++ b/ee/app/policies/ee/base_policy.rb
@@ -8,9 +8,6 @@ module EE
      with_scope :user
      condition(:auditor, score: 0) { @user&.auditor? }

-      with_scope :user
-      condition(:support_bot, score: 0) { @user&.support_bot? }
-
      with_scope :user
      condition(:visual_review_bot, score: 0) { @user&.visual_review_bot? }


--- a/ee/app/policies/ee/policy_actor.rb
+++ b/ee/app/policies/ee/policy_actor.rb
@@ -6,10 +6,6 @@ module EE
      false
    end

-    def support_bot?
-      false
-    end
-
    def visual_review_bot?
      false
    end

--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -18,9 +18,6 @@ module EE
    ].freeze

    prepended do
-      with_scope :subject
-      condition(:service_desk_enabled) { @subject.service_desk_enabled? }
-
      with_scope :subject
      condition(:related_issues_disabled) { !@subject.feature_available?(:related_issues) }

@@ -205,12 +202,6 @@ module EE
        @subject.feature_available?(:group_timelogs)
      end

-      rule { support_bot }.enable :guest_access
-      rule { support_bot & ~service_desk_enabled }.policy do
-        prevent :create_note
-        prevent :read_project
-      end
-
      rule { visual_review_bot }.policy do
        prevent :read_note
        enable :create_note
@@ -440,7 +431,6 @@ module EE
    override :lookup_access_level!
    def lookup_access_level!
      return ::Gitlab::Access::NO_ACCESS if needs_new_sso_session?
-      return ::Gitlab::Access::REPORTER if support_bot? && service_desk_enabled?
      return ::Gitlab::Access::NO_ACCESS if visual_review_bot?

      super

--- a/ee/spec/models/user_spec.rb
+++ b/ee/spec/models/user_spec.rb
@@ -1060,7 +1060,6 @@ RSpec.describe User do

      where(:user_type, :expected_result) do
        'service_user'      | true
-        'support_bot'       | false
        'visual_review_bot' | false
      end


--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -1001,34 +1001,6 @@ RSpec.describe ProjectPolicy do
    end
  end

-  context 'support bot' do
-    let(:current_user) { User.support_bot }
-
-    context 'with service desk disabled' do
-      it { expect_allowed(:guest_access) }
-      it { expect_disallowed(:create_note, :read_project) }
-    end
-
-    context 'with service desk enabled' do
-      let(:project) { create(:project, :public, service_desk_enabled: true) }
-
-      before do
-        allow(::EE::Gitlab::ServiceDesk).to receive(:enabled?).and_return(true)
-        allow(::EE::Gitlab::ServiceDesk).to receive(:enabled?).with(project: project).and_return(true)
-      end
-
-      it { expect_allowed(:reporter_access, :create_note, :read_issue) }
-
-      context 'when issues are protected members only' do
-        before do
-          project.project_feature.update!(issues_access_level: ProjectFeature::PRIVATE)
-        end
-
-        it { expect_allowed(:reporter_access, :create_note, :read_issue) }
-      end
-    end
-  end
-
  context 'visual review bot' do
    let(:current_user) { User.visual_review_bot }


--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -4634,7 +4634,8 @@ describe User do
          [
            { state: 'blocked' },
            { user_type: :ghost },
-            { user_type: :alert_bot }
+            { user_type: :alert_bot },
+            { user_type: :support_bot }
          ]
        end

@@ -4688,6 +4689,7 @@ describe User do
      where(:user_type, :expected_result) do
        'human'             | true
        'alert_bot'         | false
+        'support_bot'       | false
      end

      with_them do
@@ -4756,19 +4758,26 @@ describe User do
    end
  end

-  describe '#migration_bot' do
-    it 'creates the user if it does not exist' do
-      expect do
-        described_class.migration_bot
-      end.to change { User.where(user_type: :migration_bot).count }.by(1)
-    end
+  context 'bot users' do
+    shared_examples 'bot users' do |bot_type|
+      it 'creates the user if it does not exist' do
+        expect do
+          described_class.public_send(bot_type)
+        end.to change { User.where(user_type: bot_type).count }.by(1)
+      end

-    it 'does not create a new user if it already exists' do
-      described_class.migration_bot
+      it 'does not create a new user if it already exists' do
+        described_class.public_send(bot_type)

-      expect do
-        described_class.migration_bot
-      end.not_to change { User.count }
+        expect do
+          described_class.public_send(bot_type)
+        end.not_to change { User.count }
+      end
    end
+
+    it_behaves_like 'bot users', :alert_bot
+    it_behaves_like 'bot users', :support_bot
+    it_behaves_like 'bot users', :migration_bot
+    it_behaves_like 'bot users', :ghost
  end
 end
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -496,6 +496,33 @@ describe ProjectPolicy do
    end
  end

+  context 'support bot' do
+    let(:current_user) { User.support_bot }
+
+    subject { described_class.new(current_user, project) }
+
+    context 'with service desk disabled' do
+      it { expect_allowed(:guest_access) }
+      it { expect_disallowed(:create_note, :read_project) }
+    end
+
+    context 'with service desk enabled' do
+      before do
+        allow(project).to receive(:service_desk_enabled?).and_return(true)
+      end
+
+      it { expect_allowed(:reporter_access, :create_note, :read_issue) }
+
+      context 'when issues are protected members only' do
+        before do
+          project.project_feature.update!(issues_access_level: ProjectFeature::PRIVATE)
+        end
+
+        it { expect_allowed(:reporter_access, :create_note, :read_issue) }
+      end
+    end
+  end
+
  describe 'read_prometheus_alerts' do
    subject { described_class.new(current_user, project) }