Merge branch 'mwaw/218861-enable-read-pod-logs-to-developer-access-lvl' into 'master'

Make Kubernetes Logs available to Developer See merge request gitlab-org/gitlab!38467

Merge branch 'mwaw/218861-enable-read-pod-logs-to-developer-access-lvl' into 'master'
Make Kubernetes Logs available to Developer See merge request gitlab-org/gitlab!38467
f0e5acf3 · Michael Kozono · c71c699b · 7f366ac0 · f0e5acf3 · f0e5acf3
Commit f0e5acf3 authored Aug 04, 2020 by Michael Kozono
7 changed files
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -328,6 +328,7 @@ class ProjectPolicy < BasePolicy
    enable :move_design
    enable :destroy_design
    enable :read_terraform_state
+    enable :read_pod_logs
  end

  rule { can?(:developer_access) & user_confirmed? }.policy do
@@ -367,7 +368,6 @@ class ProjectPolicy < BasePolicy
    enable :admin_operations
    enable :read_deploy_token
    enable :create_deploy_token
-    enable :read_pod_logs
    enable :destroy_deploy_token
    enable :read_prometheus_alerts
    enable :admin_terraform_state

--- a/changelogs/unreleased/mwaw-218861-enable-read-pod-logs-to-developer-access-lvl.yml
+++ b/changelogs/unreleased/mwaw-218861-enable-read-pod-logs-to-developer-access-lvl.yml
+---
+title: Allow users with developer access level for given project to view kubernetes
+  pod logs
+merge_request: 38467
+author:
+type: changed
--- a/doc/user/permissions.md
+++ b/doc/user/permissions.md
@@ -142,7 +142,7 @@ The following table depicts the various user permission levels in a project.
 | Remove GitLab Pages                               |         |            |             | ✓        | ✓      |
 | Manage clusters                                   |         |            |             | ✓        | ✓      |
 | Manage Project Operations                         |         |            |             | ✓        | ✓      |
-| View Pods logs                                    |         |            |             | ✓        | ✓      |
+| View Pods logs                                    |         |            | ✓           | ✓        | ✓      |
 | Read Terraform state                              |         |            | ✓           | ✓        | ✓      |
 | Manage Terraform state                            |         |            |             | ✓        | ✓      |
 | Manage license policy **(ULTIMATE)**              |         |            |             | ✓        | ✓      |

--- a/ee/spec/serializers/clusters/environment_entity_spec.rb
+++ b/ee/spec/serializers/clusters/environment_entity_spec.rb
@@ -62,6 +62,16 @@ RSpec.describe Clusters::EnvironmentEntity do
        group.add_developer(user)
      end

+      it 'exposes logs_path' do
+        expect(subject).to include(:logs_path)
+      end
+    end
+
+    context 'with reporter access' do
+      before do
+        group.add_reporter(user)
+      end
+
      it 'does not expose logs_path' do
        expect(subject).not_to include(:logs_path)
      end

--- a/spec/controllers/projects/logs_controller_spec.rb
+++ b/spec/controllers/projects/logs_controller_spec.rb
@@ -22,8 +22,8 @@ RSpec.describe Projects::LogsController do
  describe 'GET #index' do
    let(:empty_project) { create(:project) }

-    it 'returns 404 with developer access' do
-      project.add_developer(user)
+    it 'returns 404 with reporter access' do
+      project.add_reporter(user)

      get :index, params: environment_params

@@ -31,7 +31,7 @@ RSpec.describe Projects::LogsController do
    end

    it 'renders empty logs page if no environment exists' do
-      empty_project.add_maintainer(user)
+      empty_project.add_developer(user)

      get :index, params: { namespace_id: empty_project.namespace, project_id: empty_project }

@@ -40,7 +40,7 @@ RSpec.describe Projects::LogsController do
    end

    it 'renders index template' do
-      project.add_maintainer(user)
+      project.add_developer(user)

      get :index, params: environment_params

@@ -69,14 +69,27 @@ RSpec.describe Projects::LogsController do
      end
    end

-    it 'returns 404 with developer access' do
-      project.add_developer(user)
+    it 'returns 404 with reporter access' do
+      project.add_reporter(user)

      get endpoint, params: environment_params(pod_name: pod_name, format: :json)

      expect(response).to have_gitlab_http_status(:not_found)
    end

+    context 'with developer access' do
+      before do
+        project.add_developer(user)
+      end
+
+      it 'returns the service result' do
+        get endpoint, params: environment_params(pod_name: pod_name, format: :json)
+
+        expect(response).to have_gitlab_http_status(:success)
+        expect(json_response).to eq(service_result_json)
+      end
+    end
+
    context 'with maintainer access' do
      before do
        project.add_maintainer(user)

--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -46,7 +46,7 @@ RSpec.describe ProjectPolicy do
      resolve_note create_container_image update_container_image destroy_container_image daily_statistics
      create_environment update_environment create_deployment update_deployment create_release update_release
      create_metrics_dashboard_annotation delete_metrics_dashboard_annotation update_metrics_dashboard_annotation
-      read_terraform_state
+      read_terraform_state read_pod_logs
    ]
  end


--- a/spec/serializers/environment_entity_spec.rb
+++ b/spec/serializers/environment_entity_spec.rb
@@ -83,9 +83,9 @@ RSpec.describe EnvironmentEntity do
  end

  context 'pod_logs' do
-    context 'with developer access' do
+    context 'with reporter access' do
      before do
-        project.add_developer(user)
+        project.add_reporter(user)
      end

      it 'does not expose logs keys' do
@@ -95,9 +95,9 @@ RSpec.describe EnvironmentEntity do
      end
    end

-    context 'with maintainer access' do
+    context 'with developer access' do
      before do
-        project.add_maintainer(user)
+        project.add_developer(user)
      end

      it 'exposes logs keys' do