Merge branch 'incubation_5mp_google_oauth2_not_configured' into 'master'

Access restrictions for project /google_cloud

See merge request gitlab-org/gitlab!73569

app/controllers/projects/google_cloud_controller.rb

 # frozen_string_literal: true
 
 class Projects::GoogleCloudController < Projects::ApplicationController
-  before_action :authorize_can_manage_google_cloud_deployments!
+  feature_category :google_cloud
 
-  feature_category :release_orchestration
+  before_action :admin_project_google_cloud?
+  before_action :google_oauth2_enabled?
+  before_action :feature_flag_enabled?
 
   def index
   end
 
   private
 
-  def authorize_can_manage_google_cloud_deployments!
-    access_denied! unless can?(current_user, :manage_project_google_cloud, project)
+  def admin_project_google_cloud?
+    access_denied! unless can?(current_user, :admin_project_google_cloud, project)
+  end
+
+  def google_oauth2_enabled?
+    config = Gitlab::Auth::OAuth::Provider.config_for('google_oauth2')
+    if config.app_id.blank? || config.app_secret.blank?
+      access_denied! 'This GitLab instance not configured for Google Oauth2.'
+    end
+  end
+
+  def feature_flag_enabled?
+    access_denied! unless Feature.enabled?(:incubation_5mp_google_cloud)
   end
 end

app/policies/project_policy.rb

@@ -439,7 +439,7 @@ class ProjectPolicy < BasePolicy
     enable :destroy_freeze_period
     enable :admin_feature_flags_client
     enable :update_runners_registration_token
-    enable :manage_project_google_cloud
+    enable :admin_project_google_cloud
   end
 
   rule { public_project & metrics_dashboard_allowed }.policy do

app/views/projects/google_cloud/index.html.haml

@@ -4,80 +4,3 @@
 - @content_class = "limit-container-width" unless fluid_layout
 
 #js-google-cloud
-
-  %h1.gl-font-size-h1 Google Cloud
-
-  %section#js-section-google-cloud-service-accounts
-
-    %h2.gl-font-size-h2 Service Accounts
-
-    %p= _('Service Accounts keys are required to authorize GitLab to deploy your Google Cloud project.')
-
-    %table.table.b-table.gl-table
-
-      %thead
-        %tr
-          %th Environment
-          %th GCP Project ID
-          %th Service Account Key
-
-      %tbody
-
-        %tr
-          %td *
-          %td serving-salutes-453
-          %td .....
-
-        %tr
-          %td production
-          %td crimson-corey-234
-          %td .....
-
-        %tr
-          %td review/*
-          %td roving-river-379
-          %td .....
-
-    %a.gl-button.btn.btn-primary= _('Add new service account')
-
-  %br
-
-  %section#js-section-google-cloud-deployments
-
-    .row.row-fluid
-
-      .col-lg-4
-        %h2.gl-font-size-h2 Deployments
-        %p= _('Google Cloud offers several deployment targets. Select the one most suitable for your project.')
-        %p
-          = _('Deployments to Google Kubernetes Engine can be ')
-          %a{ href: '#' }= _('managed')
-          = _('in Infrastructure :: Kubernetes clusters')
-
-      .col-lg-8
-
-        %br
-
-        .gl-card.gl-mb-6
-          .gl-card-body
-            .gl-display-flex.gl-align-items-baseline
-              %strong.gl-font-lg App Engine
-              .gl-ml-auto.gl-text-gray-500 Disabled
-            %p= _('App Engine description and apps that are suitable for this deployment target')
-            %button.gl-button.btn.btn-default= _('Configure via Merge Request')
-
-        .gl-card.gl-mb-6
-          .gl-card-body
-            .gl-display-flex.gl-align-items-baseline
-              %strong.gl-font-lg Cloud Functions
-              .gl-ml-auto.gl-text-gray-500 Disabled
-            %p= _('Cloud Functions description and apps that are suitable for this deployment target')
-            %button.gl-button.btn.btn-default= _('Configure via Merge Request')
-
-        .gl-card.gl-mb-6
-          .gl-card-body
-            .gl-display-flex.gl-align-items-baseline
-              %strong.gl-font-lg Cloud Run
-              .gl-ml-auto.gl-text-gray-500 Disabled
-            %p= _('Cloud Run description and apps that are suitable for this deployment target')
-            %button.gl-button.btn.btn-default= _('Configure via Merge Request')

config/feature_categories.yml

@@ -57,6 +57,7 @@
 - gitaly
 - gitlab_docs
 - global_search
+- google_cloud
 - helm_chart_registry
 - horse
 - importers

lib/sidebars/projects/menus/infrastructure_menu.rb

@@ -91,7 +91,7 @@ module Sidebars
 
         def google_cloud_menu_item
           feature_is_enabled = Feature.enabled?(:incubation_5mp_google_cloud)
-          user_has_permissions = can?(context.current_user, :manage_project_google_cloud, context.project)
+          user_has_permissions = can?(context.current_user, :admin_project_google_cloud, context.project)
 
           unless feature_is_enabled && user_has_permissions
             return ::Sidebars::NilMenuItem.new(item_id: :incubation_5mp_google_cloud)

locale/gitlab.pot

@@ -2047,9 +2047,6 @@ msgstr ""
 msgid "Add new directory"
 msgstr ""
 
-msgid "Add new service account"
-msgstr ""
-
 msgid "Add or remove previously merged commits"
 msgstr ""
 
@@ -3987,9 +3984,6 @@ msgstr ""
 msgid "Any namespace"
 msgstr ""
 
-msgid "App Engine description and apps that are suitable for this deployment target"
-msgstr ""
-
 msgid "App ID"
 msgstr ""
 
@@ -7283,12 +7277,6 @@ msgstr ""
 msgid "Closes this %{quick_action_target}."
 msgstr ""
 
-msgid "Cloud Functions description and apps that are suitable for this deployment target"
-msgstr ""
-
-msgid "Cloud Run description and apps that are suitable for this deployment target"
-msgstr ""
-
 msgid "Cluster"
 msgstr ""
 
@@ -8728,9 +8716,6 @@ msgstr ""
 msgid "Configure the way a user creates a new account."
 msgstr ""
 
-msgid "Configure via Merge Request"
-msgstr ""
-
 msgid "Configure which lists are shown for anyone who visits this board"
 msgstr ""
 
@@ -11554,9 +11539,6 @@ msgstr ""
 msgid "Deployments"
 msgstr ""
 
-msgid "Deployments to Google Kubernetes Engine can be "
-msgstr ""
-
 msgid "Deployments|%{deployments} environment impacted."
 msgid_plural "Deployments|%{deployments} environments impacted."
 msgstr[0] ""
@@ -16052,9 +16034,6 @@ msgstr ""
 msgid "Google Cloud"
 msgstr ""
 
-msgid "Google Cloud offers several deployment targets. Select the one most suitable for your project."
-msgstr ""
-
 msgid "Google authentication is not %{link_start}properly configured%{link_end}. Ask your GitLab administrator if you want to use this service."
 msgstr ""
 
@@ -31306,9 +31285,6 @@ msgstr ""
 msgid "Service"
 msgstr ""
 
-msgid "Service Accounts keys are required to authorize GitLab to deploy your Google Cloud project."
-msgstr ""
-
 msgid "Service Desk"
 msgstr ""
 
@@ -40769,9 +40745,6 @@ msgstr ""
 msgid "in"
 msgstr ""
 
-msgid "in Infrastructure :: Kubernetes clusters"
-msgstr ""
-
 msgid "in all GitLab"
 msgstr ""
 
@@ -40936,9 +40909,6 @@ msgstr ""
 msgid "log in"
 msgstr ""
 
-msgid "managed"
-msgstr ""
-
 msgid "manual"
 msgstr ""
 

spec/policies/project_policy_spec.rb

@@ -955,6 +955,28 @@ RSpec.describe ProjectPolicy do
     end
   end
 
+  context 'infrastructure google cloud feature' do
+    %w(guest reporter developer).each do |role|
+      context role do
+        let(:current_user) { send(role) }
+
+        it 'disallows managing google cloud' do
+          expect_disallowed(:admin_project_google_cloud)
+        end
+      end
+    end
+
+    %w(maintainer owner).each do |role|
+      context role do
+        let(:current_user) { send(role) }
+
+        it 'allows managing google cloud' do
+          expect_allowed(:admin_project_google_cloud)
+        end
+      end
+    end
+  end
+
   describe 'design permissions' do
     include DesignManagementTestHelpers
 

spec/requests/projects/google_cloud_controller_spec.rb

@@ -2,48 +2,106 @@
 
 require 'spec_helper'
 
+# Mock Types
+MockGoogleOAuth2Credentials = Struct.new(:app_id, :app_secret)
+
 RSpec.describe Projects::GoogleCloudController do
   let_it_be(:project) { create(:project, :public) }
 
   describe 'GET index' do
     let_it_be(:url) { "#{project_google_cloud_index_path(project)}" }
 
-    let(:subject) { get url }
+    context 'when a public request is made' do
+      it 'returns not found' do
+        get url
 
-    context 'when user is authorized' do
-      let(:user) { project.creator }
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+    end
 
-      before do
+    context 'when a project.guest makes request' do
+      let(:user) { create(:user) }
+
+      it 'returns not found' do
+        project.add_guest(user)
         sign_in(user)
-        subject
+
+        get url
+
+        expect(response).to have_gitlab_http_status(:not_found)
       end
+    end
 
-      it 'renders content' do
-        expect(response).to be_successful
+    context 'when project.developer makes request' do
+      let(:user) { create(:user) }
+
+      it 'returns not found' do
+        project.add_developer(user)
+        sign_in(user)
+
+        get url
+
+        expect(response).to have_gitlab_http_status(:not_found)
       end
     end
 
-    context 'when user is unauthorized' do
+    context 'when project.maintainer makes request' do
       let(:user) { create(:user) }
 
-      before do
-        project.add_guest(user)
+      it 'returns successful' do
+        project.add_maintainer(user)
         sign_in(user)
-        subject
+
+        get url
+
+        expect(response).to be_successful
       end
+    end
 
-      it 'shows 404' do
-        expect(response).to have_gitlab_http_status(:not_found)
+    context 'when project.creator makes request' do
+      let(:user) { project.creator }
+
+      it 'returns successful' do
+        sign_in(user)
+
+        get url
+
+        expect(response).to be_successful
       end
     end
 
-    context 'when no user is present' do
-      before do
-        subject
+    describe 'when authorized user makes request' do
+      let(:user) { project.creator }
+
+      context 'but gitlab instance is not configured for google oauth2' do
+        before do
+          unconfigured_google_oauth2 = MockGoogleOAuth2Credentials.new('', '')
+          allow(Gitlab::Auth::OAuth::Provider).to receive(:config_for)
+                                                    .with('google_oauth2')
+                                                    .and_return(unconfigured_google_oauth2)
+        end
+
+        it 'returns forbidden' do
+          sign_in(user)
+
+          get url
+
+          expect(response).to have_gitlab_http_status(:forbidden)
+        end
       end
 
-      it 'shows 404' do
-        expect(response).to have_gitlab_http_status(:not_found)
+      context 'but feature flag is disabled' do
+        before do
+          stub_feature_flags(incubation_5mp_google_cloud: false)
+        end
+
+        it 'returns not found' do
+          sign_in(user)
+
+          get url
+
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
       end
     end
   end