Check instance cluster feature at policy level

Try to simplify feature flag checks by using policies

app/controllers/admin/application_controller.rb

@@ -4,10 +4,7 @@
 #
 # Automatically sets the layout and ensures an administrator is logged in
 class Admin::ApplicationController < ApplicationController
-  before_action :authenticate_admin!
-  layout 'admin'
+  include EnforcesAdminAuthentication
 
-  def authenticate_admin!
-    render_404 unless current_user.admin?
-  end
+  layout 'admin'
 end

app/controllers/admin/clusters/applications_controller.rb

 # frozen_string_literal: true
 
 class Admin::Clusters::ApplicationsController < Clusters::ApplicationsController
+  include EnforcesAdminAuthentication
+
   private
 
   def clusterable

app/controllers/admin/clusters_controller.rb

 # frozen_string_literal: true
 
 class Admin::ClustersController < Clusters::ClustersController
-  prepend_before_action :check_instance_clusters_feature_flag!
+  include EnforcesAdminAuthentication
 
   layout 'admin'
 
   private
 
   def clusterable
-    @clusterable ||= InstanceClusterablePresenter.fabricate(cluster_instance, current_user: current_user)
-  end
-
-  def cluster_instance
-    @cluster_instance ||= Clusters::Instance.new
-  end
-
-  def check_instance_clusters_feature_flag!
-    render_404 unless instance_clusters_enabled?
-  end
-
-  def instance_clusters_enabled?
-    cluster_instance.instance_clusters_enabled?
+    @clusterable ||= InstanceClusterablePresenter.fabricate(Clusters::Instance.new, current_user: current_user)
   end
 end

app/controllers/concerns/enforces_admin_authentication.rb

+# frozen_string_literal: true
+
+# == EnforcesAdminAuthentication
+#
+# Controller concern to enforce that users are authenticated as admins
+#
+# Upon inclusion, adds `authenticate_admin!` as a before_action
+#
+module EnforcesAdminAuthentication
+  extend ActiveSupport::Concern
+
+  included do
+    before_action :authenticate_admin!
+  end
+
+  def authenticate_admin!
+    render_404 unless current_user.admin?
+  end
+end

app/helpers/application_settings_helper.rb

@@ -286,4 +286,8 @@ module ApplicationSettingsHelper
   def expanded_by_default?
     Rails.env.test?
   end
+
+  def instance_clusters_enabled?
+    can?(current_user, :read_cluster, Clusters::Instance.new)
+  end
 end

app/policies/clusters/instance_policy.rb

@@ -6,8 +6,9 @@ module Clusters
 
     condition(:has_clusters, scope: :subject) { clusterable_has_clusters? }
     condition(:can_have_multiple_clusters) { multiple_clusters_available? }
+    condition(:instance_clusters_enabled, scope: :subject) { @subject.instance_clusters_enabled? }
 
-    rule { admin }.policy do
+    rule { admin & instance_clusters_enabled }.policy do
       enable :read_cluster
       enable :add_cluster
       enable :create_cluster

app/views/layouts/nav/sidebar/_admin.html.haml

@@ -132,6 +132,7 @@
                 = _('Abuse Reports')
               %span.badge.badge-pill.count.merge_counter.js-merge-counter.fly-out-badge= number_with_delimiter(AbuseReport.count(:all))
 
+      - if instance_clusters_enabled?
         = nav_link(controller: :clusters) do
           = link_to admin_clusters_path do
             .nav-icon-container

spec/controllers/admin/clusters/applications_controller_spec.rb

@@ -13,6 +13,16 @@ describe Admin::Clusters::ApplicationsController do
     it { expect { subject }.to be_allowed_for(:admin) }
     it { expect { subject }.to be_denied_for(:user) }
     it { expect { subject }.to be_denied_for(:external) }
+
+    context 'when instance clusters are disabled' do
+      before do
+        stub_feature_flags(instance_clusters: false)
+      end
+
+      it 'returns 404' do
+        is_expected.to have_http_status(:not_found)
+      end
+    end
   end
 
   let(:cluster) { create(:cluster, :instance, :provided_by_gcp) }

spec/controllers/concerns/enforces_admin_authentication_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe EnforcesAdminAuthentication do
+  let(:user) { create(:user) }
+
+  before do
+    sign_in(user)
+  end
+
+  controller(ApplicationController) do
+    # `described_class` is not available in this context
+    include EnforcesAdminAuthentication # rubocop:disable RSpec/DescribedClass
+
+    def index
+      head :ok
+    end
+  end
+
+  describe 'authenticate_admin!' do
+    context 'as an admin' do
+      let(:user) { create(:admin) }
+
+      it 'renders ok' do
+        get :index
+        expect(response).to have_gitlab_http_status(200)
+      end
+    end
+
+    context 'as a user' do
+      it 'renders a 404' do
+        get :index
+        expect(response).to have_gitlab_http_status(404)
+      end
+    end
+  end
+end

spec/policies/clusters/instance_policy_spec.rb

@@ -3,9 +3,8 @@
 require 'spec_helper'
 
 describe Clusters::InstancePolicy do
-  let(:cluster) { create(:cluster, :instance) }
   let(:user) { create(:user) }
-  let(:policy) { described_class.new(user, cluster) }
+  let(:policy) { described_class.new(user, Clusters::Instance.new) }
 
   describe 'rules' do
     context 'when user' do
@@ -17,9 +16,21 @@ describe Clusters::InstancePolicy do
     context 'when admin' do
       let(:user) { create(:admin) }
 
+      context 'with instance_level_clusters enabled' do
         it { expect(policy).to be_allowed :read_cluster }
         it { expect(policy).to be_allowed :update_cluster }
         it { expect(policy).to be_allowed :admin_cluster }
       end
+
+      context 'with instance_level_clusters disabled' do
+        before do
+          stub_feature_flags(instance_clusters: false)
+        end
+
+        it { expect(policy).to be_disallowed :read_cluster }
+        it { expect(policy).to be_disallowed :update_cluster }
+        it { expect(policy).to be_disallowed :admin_cluster }
+      end
+    end
   end
 end