Commit e78d9834 authored by Douwe Maan's avatar Douwe Maan

Merge branch 'bvl-classification-only' into 'master'

Allow enabling External Policy Control without URL

Closes #4786

See merge request gitlab-org/gitlab-ee!5083
parents 58ee6fc1 bab948a3
......@@ -37,7 +37,9 @@ admin area under the settings page:
The available required properties are:
- **Service URL**: The URL to make authorization requests to
- **Service URL**: The URL to make authorization requests to. When leaving the
URL blank, cross project features will remain available while still being able
to specify classification labels for projects.
- **External authorization request timeout**: The timeout after which an
authorization request is aborted. When a request times out, access is denied
to the user.
......
......@@ -13,6 +13,12 @@ module EE
"denied.")
end
def external_authorization_url_help_text
_("When leaving the URL blank, classification labels can still be "\
"specified whitout disabling cross project features or performing "\
"external authorization checks.")
end
override :visible_attributes
def visible_attributes
super + [
......
......@@ -40,14 +40,12 @@ module EE
presence: { message: "can't be blank when using aws hosted elasticsearch" },
if: ->(setting) { setting.elasticsearch_indexing? && setting.elasticsearch_aws? }
validates :external_authorization_service_url,
:external_authorization_service_default_label,
:external_authorization_service_timeout,
validates :external_authorization_service_default_label,
presence: true,
if: :external_authorization_service_enabled?
validates :external_authorization_service_url,
url: true,
url: true, allow_blank: true,
if: :external_authorization_service_enabled?
validates :external_authorization_service_timeout,
......
......@@ -4,7 +4,7 @@ module EE
prepended do
condition(:external_authorization_enabled, scope: :global, score: 0) do
::EE::Gitlab::ExternalAuthorization.enabled?
::EE::Gitlab::ExternalAuthorization.perform_check?
end
rule { external_authorization_enabled & ~admin & ~auditor }.policy do
......
......@@ -13,6 +13,8 @@
= link_to icon('question-circle'), help_page_path('user/admin_area/settings/external_authorization')
.form-group
= f.label :external_authorization_service_url, _('Service URL'), class: 'control-label col-sm-2'
%span.help-block
= external_authorization_url_help_text
.col-sm-10
= f.text_field :external_authorization_service_url, class: 'form-control'
.form-group
......
---
title: Allow enabling classification policy control without external authorization
service
merge_request: 5083
author:
type: changed
......@@ -4,7 +4,7 @@ module EE
RequestFailed = Class.new(StandardError)
def self.access_allowed?(user, label)
return true unless enabled?
return true unless perform_check?
return false unless user
access_for_user_to_label(user, label).has_access?
......@@ -33,6 +33,10 @@ module EE
.external_authorization_service_enabled?
end
def self.perform_check?
enabled? && service_url.present?
end
def self.service_url
::Gitlab::CurrentSettings
.current_application_settings
......
......@@ -93,7 +93,7 @@ describe Boards::IssuesController do
context 'with external authorization' do
before do
sign_in(user)
enable_external_authorization_service
enable_external_authorization_service_check
end
it 'returns a 404 for group boards' do
......
......@@ -9,7 +9,7 @@ describe Dashboard::GroupsController do
describe '#index' do
it 'works when the external authorization service is enabled' do
enable_external_authorization_service
enable_external_authorization_service_check
get :index
......
......@@ -11,7 +11,7 @@ describe Dashboard::ProjectsController do
subject { get :index }
it 'it works when the external authorization service is enabled' do
enable_external_authorization_service
enable_external_authorization_service_check
get :index
......
......@@ -12,7 +12,7 @@ describe Groups::AvatarsController do
end
it 'works when external authorization service is enabled' do
enable_external_authorization_service
enable_external_authorization_service_check
delete :destroy, group_id: group
......
......@@ -12,7 +12,7 @@ describe Groups::ChildrenController do
end
it 'works when external authorization service is enabled' do
enable_external_authorization_service
enable_external_authorization_service_check
get :index, group_id: group, format: :json
......
......@@ -14,7 +14,7 @@ describe Groups::GroupMembersController do
context 'with external authorization enabled' do
before do
enable_external_authorization_service
enable_external_authorization_service_check
end
describe 'GET #index' do
......
......@@ -13,7 +13,7 @@ describe GroupsController do
context 'with external authorization service enabled' do
before do
enable_external_authorization_service
enable_external_authorization_service_check
end
describe 'GET #show' do
......
......@@ -13,7 +13,7 @@ describe Groups::Settings::CiCdController do
context 'with external authorization enabled' do
before do
enable_external_authorization_service
enable_external_authorization_service_check
end
describe 'GET #show' do
......
......@@ -13,7 +13,7 @@ describe Groups::VariablesController do
context 'with external authorization enabled' do
before do
enable_external_authorization_service
enable_external_authorization_service_check
end
describe 'GET #show' do
......
......@@ -13,7 +13,7 @@ describe SearchController do
context 'with external authorization service enabled' do
before do
enable_external_authorization_service
enable_external_authorization_service_check
end
describe 'GET #show' do
......
......@@ -23,7 +23,7 @@ feature 'The group dashboard' do
end
it 'hides some links when an external authorization service is enabled' do
enable_external_authorization_service
enable_external_authorization_service_check
visit dashboard_groups_path
within('.navbar') do
......
......@@ -11,24 +11,35 @@ feature 'The group page' do
group.add_owner(user)
end
def expect_all_sidebar_links
within('.nav-sidebar') do
expect(page).to have_link('Overview')
expect(page).to have_link('Details')
expect(page).to have_link('Activity')
expect(page).to have_link('Contribution Analytics')
expect(page).to have_link('Issues')
expect(page).to have_link('Merge Requests')
expect(page).to have_link('Members')
end
end
describe 'The sidebar' do
it 'has all the expected links' do
visit group_path(group)
within('.nav-sidebar') do
expect(page).to have_link('Overview')
expect(page).to have_link('Details')
expect(page).to have_link('Activity')
expect(page).to have_link('Contribution Analytics')
expect_all_sidebar_links
end
expect(page).to have_link('Issues')
expect(page).to have_link('Merge Requests')
expect(page).to have_link('Members')
end
it 'shows all project features when policy control is enabled' do
stub_ee_application_setting(external_authorization_service_enabled: true)
visit group_path(group)
expect_all_sidebar_links
end
it 'hides some links when an external authorization service is enabled' do
enable_external_authorization_service
it 'hides some links when an external authorization service configured with an url' do
enable_external_authorization_service_check
visit group_path(group)
within('.nav-sidebar') do
......@@ -57,7 +68,7 @@ feature 'The group page' do
end
it 'hides the epics link when an external authorization service is enabled' do
enable_external_authorization_service
enable_external_authorization_service_check
visit group_path(group)
within('.nav-sidebar') do
......
require 'spec_helper'
describe 'Classification label on project pages' do
include ExternalAuthorizationServiceHelpers
let(:project) do
create(:project, external_authorization_classification_label: 'authorized label')
end
let(:user) { create(:user) }
before do
stub_ee_application_setting(external_authorization_service_enabled: true)
project.add_master(user)
sign_in(user)
end
it 'shows the classification label on the project page when the feature is enabled' do
external_service_allow_access(user, project)
stub_licensed_features(external_authorization_service: true)
visit project_path(project)
......
......@@ -23,7 +23,7 @@ describe 'listing forks of a project' do
end
it 'does not show the commit message when an external authorization service is used' do
enable_external_authorization_service
enable_external_authorization_service_check
visit project_forks_path(source)
......
......@@ -73,7 +73,7 @@ describe 'viewing an issue with cross project references' do
context 'when an external authorization service is enabled' do
before do
enable_external_authorization_service
enable_external_authorization_service_check
end
it 'only hits the external service for the project the user is viewing' do
......
require 'spec_helper'
describe 'Project settings > [EE] repository' do
include ExternalAuthorizationServiceHelpers
let(:user) { create(:user) }
let(:project) { create(:project_empty_repo) }
......@@ -12,7 +10,7 @@ describe 'Project settings > [EE] repository' do
end
it 'shows the field to set a classification label when the feature is enabled' do
external_service_allow_access(user, project)
stub_ee_application_setting(external_authorization_service_enabled: true)
visit edit_project_path(project)
......
......@@ -12,7 +12,7 @@ describe 'User page' do
describe 'when external authorization is enabled' do
before do
enable_external_authorization_service
enable_external_authorization_service_check
end
it 'hides the most recent activity' do
......
......@@ -33,7 +33,7 @@ describe EE::Gitlab::ExternalAuthorization, :request_store do
describe '#access_for_user_to_label' do
it 'only loads the access once per request' do
enable_external_authorization_service
enable_external_authorization_service_check
expect(EE::Gitlab::ExternalAuthorization::Access)
.to receive(:new).with(user, label).once.and_call_original
......
......@@ -30,9 +30,9 @@ describe ApplicationSetting do
setting.external_authorization_service_enabled = true
end
it { is_expected.not_to allow_value(nil).for(:external_authorization_service_url) }
it { is_expected.not_to allow_value('not a URL').for(:external_authorization_service_url) }
it { is_expected.to allow_value('https://example.com').for(:external_authorization_service_url) }
it { is_expected.to allow_value('').for(:external_authorization_service_url) }
it { is_expected.not_to allow_value(nil).for(:external_authorization_service_default_label) }
it { is_expected.not_to allow_value(11).for(:external_authorization_service_timeout) }
it { is_expected.not_to allow_value(0).for(:external_authorization_service_timeout) }
......
......@@ -66,7 +66,7 @@ describe Issue do
context 'when an external authentication service' do
before do
enable_external_authorization_service
enable_external_authorization_service_check
end
describe '#publicly_visible?' do
......
......@@ -1269,7 +1269,7 @@ describe Project do
describe '#external_authorization_classification_label' do
it 'falls back to the default when none is configured' do
enable_external_authorization_service
enable_external_authorization_service_check
expect(build(:project).external_authorization_classification_label)
.to eq('default_label')
......@@ -1286,7 +1286,7 @@ describe Project do
end
it 'returns the classification label if it was configured on the project' do
enable_external_authorization_service
enable_external_authorization_service_check
project = build(:project,
external_authorization_classification_label: 'hello')
......@@ -1296,7 +1296,7 @@ describe Project do
end
it 'does not break when not stubbing the license check' do
enable_external_authorization_service
enable_external_authorization_service_check
enable_namespace_license_check!
project = build(:project)
......
......@@ -13,7 +13,7 @@ describe BasePolicy do
context 'when an external authorization service is enabled' do
before do
enable_external_authorization_service
enable_external_authorization_service_check
end
it { is_expected.not_to be_allowed(:read_cross_project) }
......
......@@ -139,7 +139,7 @@ describe EpicPolicy do
let(:group) { create(:group) }
before do
enable_external_authorization_service
enable_external_authorization_service_check
group.add_owner(user)
end
......
......@@ -10,7 +10,7 @@ describe IssuePolicy do
let(:policies) { described_class.new(user, issue) }
before do
enable_external_authorization_service
enable_external_authorization_service_check
end
it 'can read the issue iid without accessing the external service' do
......
......@@ -118,7 +118,7 @@ describe MergeRequestPolicy do
let(:policies) { described_class.new(user, merge_request) }
before do
enable_external_authorization_service
enable_external_authorization_service_check
end
it 'can read the issue iid without accessing the external service' do
......
......@@ -139,7 +139,7 @@ describe ProjectPolicy do
context 'with an external authorization service' do
before do
enable_external_authorization_service
enable_external_authorization_service_check
end
it 'allows access when the external service allows it' do
......
......@@ -19,7 +19,7 @@ describe GroupChildEntity do
end
before do
enable_external_authorization_service
enable_external_authorization_service_check
object.add_master(user)
end
......
......@@ -23,7 +23,7 @@ describe EE::NotificationService, :mailer do
context 'when the service is enabled' do
before do
enable_external_authorization_service
enable_external_authorization_service_check
end
it 'does not send an email' do
......
module ExternalAuthorizationServiceHelpers
def enable_external_authorization_service
def enable_external_authorization_service_check
stub_licensed_features(external_authorization_service: true)
# Not using `stub_application_setting` because the method is prepended in
# `EE::ApplicationSetting` which breaks when using `any_instance`
# https://gitlab.com/gitlab-org/gitlab-ce/issues/33587
allow(::Gitlab::CurrentSettings.current_application_settings)
.to receive(:external_authorization_service_enabled) { true }
allow(::Gitlab::CurrentSettings.current_application_settings)
.to receive(:external_authorization_service_enabled?) { true }
stub_ee_application_setting(external_authorization_service_enabled: true)
stub_application_setting(external_authorization_service_url: 'https://authorize.me')
stub_application_setting(external_authorization_service_default_label: 'default_label')
stub_ee_application_setting(external_authorization_service_url: 'https://authorize.me')
stub_ee_application_setting(external_authorization_service_default_label: 'default_label')
stub_request(:post, "https://authorize.me").to_return(status: 200)
end
def external_service_set_access(allowed, user, project)
enable_external_authorization_service
enable_external_authorization_service_check
classification_label = ::Gitlab::CurrentSettings.current_application_settings
.external_authorization_service_default_label
......
......@@ -10,7 +10,7 @@ shared_examples 'disabled when using an external authorization service' do
end
it 'renders a 404 with a message when the feature is enabled' do
enable_external_authorization_service
enable_external_authorization_service_check
subject
......
......@@ -16,7 +16,7 @@ shared_examples 'a finder with external authorization service' do
context 'with an external authorization service' do
before do
enable_external_authorization_service
enable_external_authorization_service_check
end
it 'does not include the subject when no project was given' do
......
......@@ -8,8 +8,8 @@ msgid ""
msgstr ""
"Project-Id-Version: gitlab 1.0.0\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2018-03-14 16:41+0100\n"
"PO-Revision-Date: 2018-03-14 16:41+0100\n"
"POT-Creation-Date: 2018-03-23 20:21+0100\n"
"PO-Revision-Date: 2018-03-23 20:21+0100\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
"Language: \n"
......@@ -385,6 +385,9 @@ msgstr ""
msgid "Assign to"
msgstr ""
msgid "Assigned to :name"
msgstr ""
msgid "Assignee"
msgstr ""
......@@ -690,7 +693,7 @@ msgstr ""
msgid "Cancel"
msgstr ""
msgid "Cancel edit"
msgid "Cannot be merged automatically"
msgstr ""
msgid "Cannot modify managed Kubernetes cluster"
......@@ -1249,6 +1252,9 @@ msgstr ""
msgid "Compare Revisions"
msgstr ""
msgid "Compare changes with the last commit"
msgstr ""
msgid "CompareBranches|%{source_branch} and %{target_branch} are the same."
msgstr ""
......@@ -1264,6 +1270,9 @@ msgstr ""
msgid "CompareBranches|There isn't anything to compare."
msgstr ""
msgid "Confidential"
msgstr ""
msgid "Confidentiality"
msgstr ""
......@@ -1581,6 +1590,9 @@ msgstr ""
msgid "DownloadSource|Download"
msgstr ""
msgid "Downvotes"
msgstr ""
msgid "Due date"
msgstr ""
......@@ -1593,6 +1605,9 @@ msgstr ""
msgid "Edit files in the editor and commit changes here"
msgstr ""
msgid "Editing"
msgstr ""
msgid "Emails"
msgstr ""
......@@ -2090,9 +2105,6 @@ msgstr ""
msgid "GroupsEmptyState|You can manage your group member’s permissions and access to each project in the group."
msgstr ""
msgid "GroupsTree|Are you sure you want to leave the \"${group.fullName}\" group?"
msgstr ""
msgid "GroupsTree|Create a project in this group."
msgstr ""
......@@ -2141,6 +2153,9 @@ msgstr ""
msgid "HealthCheck|Unhealthy"
msgstr ""
msgid "Help"
msgstr ""
msgid "Hide value"
msgid_plural "Hide values"
msgstr[0] ""
......@@ -2408,6 +2423,9 @@ msgstr ""
msgid "Make everyone on your team more productive regardless of their location. GitLab Geo creates read-only mirrors of your GitLab instance so you can reduce the time it takes to clone and fetch large repos."
msgstr ""
msgid "Manage all notifications"
msgstr ""
msgid "Manage group labels"
msgstr ""
......@@ -3319,6 +3337,9 @@ msgstr ""
msgid "Related Merged Requests"
msgstr ""
msgid "Related merge requests"
msgstr ""
msgid "Remind later"
msgstr ""
......@@ -3372,12 +3393,18 @@ msgstr ""
msgid "Revert this merge request"
msgstr ""
msgid "Reviewing"
msgstr ""
msgid "Roadmap"
msgstr ""
msgid "Run CI/CD pipelines for external repositories"
msgstr ""
msgid "Runners"
msgstr ""
msgid "Running"
msgstr ""
......@@ -3545,7 +3572,7 @@ msgstr ""
msgid "Something went wrong when toggling the button"
msgstr ""
msgid "Something went wrong while closing the %{issuable}. Please try again later"
msgid "Something went wrong while fetching Dependency Scanning."
msgstr ""
msgid "Something went wrong while fetching SAST."
......@@ -3557,12 +3584,6 @@ msgstr ""
msgid "Something went wrong while fetching the registry list."
msgstr ""
msgid "Something went wrong while reopening the %{issuable}. Please try again later"
msgstr ""
msgid "Something went wrong while resolving this discussion. Please try again."
msgstr ""
msgid "Something went wrong. Please try again."
msgstr ""
......@@ -3799,6 +3820,9 @@ msgstr ""
msgid "Target Branch"
msgstr ""
msgid "Target branch"
msgstr ""
msgid "Team"
msgstr ""
......@@ -4211,9 +4235,6 @@ msgstr ""
msgid "Turn on Service Desk"
msgstr ""
msgid "Unable to load the diff."
msgstr ""
msgid "Unknown"
msgstr ""
......@@ -4262,6 +4283,9 @@ msgstr ""
msgid "UploadLink|click to upload"
msgstr ""
msgid "Upvotes"
msgstr ""
msgid "Use Service Desk to connect with your users (e.g. to offer customer support) through email right inside GitLab"
msgstr ""
......@@ -4274,6 +4298,9 @@ msgstr ""
msgid "Variables are applied to environments via the runner. They can be protected by only exposing them to protected branches or tags. You can use variables for passwords, secret keys, or whatever you want."
msgstr ""
msgid "View and edit lines"
msgstr ""
msgid "View epics list"
msgstr ""
......@@ -4328,6 +4355,9 @@ msgstr ""
msgid "Weight"
msgstr ""
msgid "When leaving the URL blank, classification labels can still be specified whitout disabling cross project features or performing external authorization checks."
msgstr ""
msgid "Wiki"
msgstr ""
......@@ -4457,6 +4487,12 @@ msgstr ""
msgid "You are going to transfer %{project_full_name} to another owner. Are you ABSOLUTELY sure?"
msgstr ""
msgid "You are on a read-only GitLab instance."
msgstr ""
msgid "You are on a secondary (read-only) Geo node. If you want to make any changes, you must visit the %{primary_node}."
msgstr ""
msgid "You can also create a project from the command line."
msgstr ""
......@@ -4529,6 +4565,9 @@ msgstr ""
msgid "You'll need to use different branch names to get a valid comparison."
msgstr ""
msgid "You're receiving this email because of your account on %{host}. %{manage_notifications_link} &middot; %{help_link}"
msgstr ""
msgid "Your Kubernetes cluster information on this page is still editable, but you are advised to disable and reconfigure"
msgstr ""
......@@ -4568,6 +4607,18 @@ msgstr ""
msgid "ciReport|DAST detected no alerts by analyzing the review app"
msgstr ""
msgid "ciReport|Dependency scanning"
msgstr ""
msgid "ciReport|Dependency scanning detected"
msgstr ""
msgid "ciReport|Dependency scanning detected no new security vulnerabilities"
msgstr ""
msgid "ciReport|Dependency scanning detected no security vulnerabilities"
msgstr ""
msgid "ciReport|Failed to load %{reportName} report"
msgstr ""
......@@ -4595,9 +4646,6 @@ msgstr ""
msgid "ciReport|SAST"
msgstr ""
msgid "ciReport|SAST degraded on"
msgstr ""
msgid "ciReport|SAST detected"
msgstr ""
......@@ -4616,15 +4664,12 @@ msgstr ""
msgid "ciReport|Unapproved vulnerabilities (red) can be marked as approved. %{helpLink}"
msgstr ""
msgid "ciReport|no security vulnerabilities"
msgid "ciReport|no vulnerabilities"
msgstr ""
msgid "command line instructions"
msgstr ""
msgid "commit"
msgstr ""
msgid "confidentiality|You are going to turn off the confidentiality. This means <strong>everyone</strong> will be able to see and leave a comment on this issue."
msgstr ""
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment