From b547946adb3d8120d68ede301df4c8328920a66f Mon Sep 17 00:00:00 2001 
From: Martin Emde Date: Wed, 5 Jun 2024 14:49:17 -0700 Subject: [PATCH] Move Avo-related Pundit policies into Admin:: namespace (#4745) * Move all policies under Admin:: namespace * Add basic ApplicationPolicy for userland policies * Add hack around avo not using authorization_policy everywhere yet (fixed in Avo 3) --- .../resources/admin_github_user_resource.rb | 1 + .../show_component.rb | 2 +- app/policies/{ => admin}/api_key_policy.rb | 6 +- .../admin/api_key_rubygem_scope_policy.rb | 11 +++ app/policies/admin/application_policy.rb | 74 +++++++++++++++++++ app/policies/{ => admin}/audit_policy.rb | 4 +- .../concerns/policy_helpers.rb} | 6 +- app/policies/{ => admin}/deletion_policy.rb | 4 +- app/policies/admin/dependency_policy.rb | 11 +++ .../events/rubygem_event_policy.rb | 4 +- .../{ => admin}/events/user_event_policy.rb | 4 +- .../{ => admin}/gem_download_policy.rb | 4 +- .../gem_name_reservation_policy.rb | 4 +- .../{ => admin}/gem_typo_exception_policy.rb | 4 +- app/policies/{ => admin}/geoip_info_policy.rb | 4 +- app/policies/admin/github_user_policy.rb | 4 +- app/policies/{ => admin}/ip_address_policy.rb | 4 +- .../{ => admin}/link_verification_policy.rb | 4 +- app/policies/admin/linkset_policy.rb | 15 ++++ app/policies/{ => admin}/log_ticket_policy.rb | 4 +- .../maintenance_tasks/run_policy.rb | 4 +- .../{ => admin}/oidc/api_key_role_policy.rb | 4 +- .../{ => admin}/oidc/id_token_policy.rb | 4 +- .../oidc/pending_trusted_publisher_policy.rb | 4 +- .../{ => admin}/oidc/provider_policy.rb | 4 +- .../oidc/rubygem_trusted_publisher_policy.rb | 4 +- .../trusted_publisher/github_action_policy.rb | 4 +- app/policies/{ => admin}/ownership_policy.rb | 4 +- app/policies/{ => admin}/rubygem_policy.rb | 4 +- .../{ => admin}/sendgrid_event_policy.rb | 4 +- app/policies/{ => admin}/user_policy.rb | 4 +- app/policies/{ => admin}/version_policy.rb | 4 +- app/policies/{ => admin}/web_hook_policy.rb | 4 +- .../admin/webauthn_credential_policy.rb | 13 ++++ 
.../admin/webauthn_verification_policy.rb | 13 ++++ app/policies/api_key_rubygem_scope_policy.rb | 11 --- app/policies/application_policy.rb | 67 +++++++---------- app/policies/dependency_policy.rb | 11 --- app/policies/linkset_policy.rb | 15 ---- app/policies/webauthn_credential_policy.rb | 13 ---- app/policies/webauthn_verification_policy.rb | 13 ---- config/initializers/avo.rb | 2 +- lib/admin/authorization_client.rb | 42 +++++++++++ test/policies/admin/api_key_policy_test.rb | 41 ++++++++++ .../api_key_rubygem_scope_policy_test.rb | 42 +++++++++++ .../policies/{ => admin}/audit_policy_test.rb | 2 +- .../policies/{ => admin}/avo_policies_test.rb | 9 ++- test/policies/admin/deletion_policy_test.rb | 44 +++++++++++ .../{ => admin}/dependency_policy_test.rb | 2 +- .../events/rubygem_event_policy_test.rb | 2 +- .../events/user_event_policy_test.rb | 2 +- .../{ => admin}/gem_download_policy_test.rb | 2 +- .../admin/gem_name_reservation_policy_test.rb | 39 ++++++++++ .../admin/gem_typo_exception_policy_test.rb | 47 ++++++++++++ test/policies/admin/geoip_info_policy_test.rb | 44 +++++++++++ .../policies/admin/github_user_policy_test.rb | 32 ++++---- .../{ => admin}/ip_address_policy_test.rb | 2 +- .../admin/link_verification_policy_test.rb | 46 ++++++++++++ test/policies/admin/linkset_policy_test.rb | 43 +++++++++++ test/policies/admin/log_ticket_policy_test.rb | 42 +++++++++++ .../maintenance_tasks/run_policy_test.rb | 43 +++++++++++ .../admin/oidc/api_key_role_policy_test.rb | 46 ++++++++++++ .../admin/oidc/id_token_policy_test.rb | 44 +++++++++++ .../pending_trusted_publisher_policy_test.rb | 44 +++++++++++ .../admin/oidc/provider_policy_test.rb | 46 ++++++++++++ .../rubygem_trusted_publisher_policy_test.rb | 44 +++++++++++ .../github_action_policy_test.rb | 44 +++++++++++ test/policies/admin/ownership_policy_test.rb | 39 ++++++++++ test/policies/admin/rubygem_policy_test.rb | 28 +++++++ .../admin/sendgrid_event_policy_test.rb | 47 ++++++++++++ test/policies/{ => 
admin}/user_policy_test.rb | 6 +- .../{ => admin}/version_policy_test.rb | 2 +- test/policies/admin/web_hook_policy_test.rb | 48 ++++++++++++ .../admin/webauthn_credential_policy_test.rb | 42 +++++++++++ .../webauthn_verification_policy_test.rb | 42 +++++++++++ test/policies/api_key_policy_test.rb | 41 ---------- .../api_key_rubygem_scope_policy_test.rb | 41 ---------- test/policies/deletion_policy_test.rb | 42 ----------- .../gem_name_reservation_policy_test.rb | 39 ---------- .../gem_typo_exception_policy_test.rb | 42 ----------- test/policies/geoip_info_policy_test.rb | 42 ----------- .../policies/link_verification_policy_test.rb | 44 ----------- test/policies/linkset_policy_test.rb | 41 ---------- test/policies/log_ticket_policy_test.rb | 41 ---------- .../maintenance_tasks/run_policy_test.rb | 41 ---------- .../policies/oidc/api_key_role_policy_test.rb | 42 ----------- test/policies/oidc/id_token_policy_test.rb | 42 ----------- .../pending_trusted_publisher_policy_test.rb | 42 ----------- test/policies/oidc/provider_policy_test.rb | 42 ----------- .../rubygem_trusted_publisher_policy_test.rb | 42 ----------- .../github_action_policy_test.rb | 42 ----------- test/policies/ownership_policy_test.rb | 41 ---------- test/policies/rubygem_policy_test.rb | 18 ----- test/policies/sendgrid_event_policy_test.rb | 46 ------------ test/policies/web_hook_policy_test.rb | 46 ------------ .../webauthn_credential_policy_test.rb | 41 ---------- .../webauthn_verification_policy_test.rb | 41 ---------- test/system/avo/manual_changes_test.rb | 6 +- test/test_helper.rb | 35 +++++++++ 99 files changed, 1285 insertions(+), 1087 deletions(-) rename app/policies/{ => admin}/api_key_policy.rb (55%) create mode 100644 app/policies/admin/api_key_rubygem_scope_policy.rb create mode 100644 app/policies/admin/application_policy.rb rename app/policies/{ => admin}/audit_policy.rb (74%) rename app/policies/{concerns/admin_user.rb => admin/concerns/policy_helpers.rb} (70%) rename app/policies/{ 
=> admin}/deletion_policy.rb (62%) create mode 100644 app/policies/admin/dependency_policy.rb rename app/policies/{ => admin}/events/rubygem_event_policy.rb (61%) rename app/policies/{ => admin}/events/user_event_policy.rb (62%) rename app/policies/{ => admin}/gem_download_policy.rb (62%) rename app/policies/{ => admin}/gem_name_reservation_policy.rb (68%) rename app/policies/{ => admin}/gem_typo_exception_policy.rb (73%) rename app/policies/{ => admin}/geoip_info_policy.rb (60%) rename app/policies/{ => admin}/ip_address_policy.rb (65%) rename app/policies/{ => admin}/link_verification_policy.rb (53%) create mode 100644 app/policies/admin/linkset_policy.rb rename app/policies/{ => admin}/log_ticket_policy.rb (58%) rename app/policies/{ => admin}/maintenance_tasks/run_policy.rb (55%) rename app/policies/{ => admin}/oidc/api_key_role_policy.rb (73%) rename app/policies/{ => admin}/oidc/id_token_policy.rb (66%) rename app/policies/{ => admin}/oidc/pending_trusted_publisher_policy.rb (60%) rename app/policies/{ => admin}/oidc/provider_policy.rb (71%) rename app/policies/{ => admin}/oidc/rubygem_trusted_publisher_policy.rb (60%) rename app/policies/{ => admin}/oidc/trusted_publisher/github_action_policy.rb (70%) rename app/policies/{ => admin}/ownership_policy.rb (57%) rename app/policies/{ => admin}/rubygem_policy.rb (88%) rename app/policies/{ => admin}/sendgrid_event_policy.rb (57%) rename app/policies/{ => admin}/user_policy.rb (88%) rename app/policies/{ => admin}/version_policy.rb (77%) rename app/policies/{ => admin}/web_hook_policy.rb (68%) create mode 100644 app/policies/admin/webauthn_credential_policy.rb create mode 100644 app/policies/admin/webauthn_verification_policy.rb delete mode 100644 app/policies/api_key_rubygem_scope_policy.rb delete mode 100644 app/policies/dependency_policy.rb delete mode 100644 app/policies/linkset_policy.rb delete mode 100644 app/policies/webauthn_credential_policy.rb delete mode 100644 
app/policies/webauthn_verification_policy.rb create mode 100644 lib/admin/authorization_client.rb create mode 100644 test/policies/admin/api_key_policy_test.rb create mode 100644 test/policies/admin/api_key_rubygem_scope_policy_test.rb rename test/policies/{ => admin}/audit_policy_test.rb (74%) rename test/policies/{ => admin}/avo_policies_test.rb (74%) create mode 100644 test/policies/admin/deletion_policy_test.rb rename test/policies/{ => admin}/dependency_policy_test.rb (72%) rename test/policies/{ => admin}/events/rubygem_event_policy_test.rb (69%) rename test/policies/{ => admin}/events/user_event_policy_test.rb (70%) rename test/policies/{ => admin}/gem_download_policy_test.rb (72%) create mode 100644 test/policies/admin/gem_name_reservation_policy_test.rb create mode 100644 test/policies/admin/gem_typo_exception_policy_test.rb create mode 100644 test/policies/admin/geoip_info_policy_test.rb rename test/policies/{ => admin}/ip_address_policy_test.rb (73%) create mode 100644 test/policies/admin/link_verification_policy_test.rb create mode 100644 test/policies/admin/linkset_policy_test.rb create mode 100644 test/policies/admin/log_ticket_policy_test.rb create mode 100644 test/policies/admin/maintenance_tasks/run_policy_test.rb create mode 100644 test/policies/admin/oidc/api_key_role_policy_test.rb create mode 100644 test/policies/admin/oidc/id_token_policy_test.rb create mode 100644 test/policies/admin/oidc/pending_trusted_publisher_policy_test.rb create mode 100644 test/policies/admin/oidc/provider_policy_test.rb create mode 100644 test/policies/admin/oidc/rubygem_trusted_publisher_policy_test.rb create mode 100644 test/policies/admin/oidc/trusted_publisher/github_action_policy_test.rb create mode 100644 test/policies/admin/ownership_policy_test.rb create mode 100644 test/policies/admin/rubygem_policy_test.rb create mode 100644 test/policies/admin/sendgrid_event_policy_test.rb rename test/policies/{ => admin}/user_policy_test.rb (65%) rename test/policies/{ => 
admin}/version_policy_test.rb (73%) create mode 100644 test/policies/admin/web_hook_policy_test.rb create mode 100644 test/policies/admin/webauthn_credential_policy_test.rb create mode 100644 test/policies/admin/webauthn_verification_policy_test.rb delete mode 100644 test/policies/api_key_policy_test.rb delete mode 100644 test/policies/api_key_rubygem_scope_policy_test.rb delete mode 100644 test/policies/deletion_policy_test.rb delete mode 100644 test/policies/gem_name_reservation_policy_test.rb delete mode 100644 test/policies/gem_typo_exception_policy_test.rb delete mode 100644 test/policies/geoip_info_policy_test.rb delete mode 100644 test/policies/link_verification_policy_test.rb delete mode 100644 test/policies/linkset_policy_test.rb delete mode 100644 test/policies/log_ticket_policy_test.rb delete mode 100644 test/policies/maintenance_tasks/run_policy_test.rb delete mode 100644 test/policies/oidc/api_key_role_policy_test.rb delete mode 100644 test/policies/oidc/id_token_policy_test.rb delete mode 100644 test/policies/oidc/pending_trusted_publisher_policy_test.rb delete mode 100644 test/policies/oidc/provider_policy_test.rb delete mode 100644 test/policies/oidc/rubygem_trusted_publisher_policy_test.rb delete mode 100644 test/policies/oidc/trusted_publisher/github_action_policy_test.rb delete mode 100644 test/policies/ownership_policy_test.rb delete mode 100644 test/policies/rubygem_policy_test.rb delete mode 100644 test/policies/sendgrid_event_policy_test.rb delete mode 100644 test/policies/web_hook_policy_test.rb delete mode 100644 test/policies/webauthn_credential_policy_test.rb delete mode 100644 test/policies/webauthn_verification_policy_test.rb diff --git a/app/avo/resources/admin_github_user_resource.rb b/app/avo/resources/admin_github_user_resource.rb index d9a915f1af5..65a1e6c79e3 100644 --- a/app/avo/resources/admin_github_user_resource.rb +++ b/app/avo/resources/admin_github_user_resource.rb 
@@ -2,6 +2,7 @@ class AdminGitHubUserResource < Avo::BaseResource self.title = :login self.includes = [] self.model_class = ::Admin::GitHubUser + self.authorization_policy = ::Admin::GitHubUserPolicy self.search_query = lambda { scope.where("login LIKE ?", "%#{params[:q]}%") } diff --git a/app/components/avo/audited_changes_record_diff/show_component.rb b/app/components/avo/audited_changes_record_diff/show_component.rb index 15e30b6ca2a..e898fe4593f 100644 --- a/app/components/avo/audited_changes_record_diff/show_component.rb +++ b/app/components/avo/audited_changes_record_diff/show_component.rb @@ -64,7 +64,7 @@ def component_for_field(field, resource) end def authorized? - Pundit.policy!(user, resource.model).avo_show? + Pundit.policy!(user, [:admin, resource.model]).avo_show? end def title_link diff --git a/app/policies/api_key_policy.rb b/app/policies/admin/api_key_policy.rb similarity index 55% rename from app/policies/api_key_policy.rb rename to app/policies/admin/api_key_policy.rb index bea701cfbd8..d8d4499fc67 100644 --- a/app/policies/api_key_policy.rb +++ b/app/policies/admin/api_key_policy.rb @@ -1,5 +1,5 @@ -class ApiKeyPolicy < ApplicationPolicy - class Scope < Scope +class Admin::ApiKeyPolicy < Admin::ApplicationPolicy + class Scope < Admin::ApplicationPolicy::Scope def resolve scope.all end @@ -10,6 +10,6 @@ def resolve has_association :oidc_id_token def avo_show? - Pundit.policy!(user, record.owner).avo_show? + policy!(user, record.owner).avo_show? end end diff --git a/app/policies/admin/api_key_rubygem_scope_policy.rb b/app/policies/admin/api_key_rubygem_scope_policy.rb new file mode 100644 index 00000000000..3bb6b6ebdf0 --- /dev/null +++ b/app/policies/admin/api_key_rubygem_scope_policy.rb @@ -0,0 +1,11 @@ +class Admin::ApiKeyRubygemScopePolicy < Admin::ApplicationPolicy + class Scope < Admin::ApplicationPolicy::Scope + def resolve + scope.all + end + end + + def avo_show? + policy!(user, record.ownership).avo_show? + end +end 
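Review bot: `authorized?` in show_component.rb now spells out `[:admin, resource.model]` by hand, which makes it the third place this commit encodes the policy namespace, alongside `Admin::Concerns::PolicyHelpers#policy!` and `Admin::AuthorizationClient#policy!`, so a later rename of the namespace can miss one of them. Routing the lookup through one of those two helpers would keep the convention in a single place; I can't tell from the hunk which one is reachable from this component, so at minimum a comment on the changed line such as `# Avo components are authorized by Admin:: policies; keep in step with Admin::AuthorizationClient` would help. The enclosing class starts and ends outside the hunk.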
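Review bot: `avo_show?` in the new api_key_rubygem_scope_policy.rb delegates to `policy!(user, record.ownership)`, and if that association is ever nil I believe Pundit resolves the lookup to a NilClass policy and raises `Pundit::NotDefinedError` instead of answering false, so an orphaned row surfaces as an error rather than a denied action (fail-closed, but noisy). If `ownership` can be nil, `record.ownership.present? && policy!(user, record.ownership).avo_show?` preserves the default deny; the same pattern appears in `Admin::ApiKeyPolicy#avo_show?` (record.owner) on this line, `Admin::LinksetPolicy#avo_show?` (record.rubygem) and both `Admin::Webauthn*Policy#avo_show?` (record.user) further down, and whether those associations are required is not visible in the diff. Separately, the newly created policy files lack the `# frozen_string_literal: true` magic comment that application_policy.rb and admin/application_policy.rb carry.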
diff --git a/app/policies/admin/application_policy.rb b/app/policies/admin/application_policy.rb new file mode 100644 index 00000000000..8ad2f0d4846 --- /dev/null +++ b/app/policies/admin/application_policy.rb @@ -0,0 +1,74 @@ +# frozen_string_literal: true + +class Admin::ApplicationPolicy + include Admin::Concerns::PolicyHelpers + include SemanticLogger::Loggable + + attr_reader :user, :record + + def initialize(user, record) + @user = user + @record = record + end + + def avo_index? + false + end + + def avo_show? + false + end + + def avo_create? + false + end + + def avo_new? + avo_create? + end + + def avo_update? + false + end + + def avo_edit? + avo_update? + end + + def avo_destroy? + false + end + + def avo_search? + avo_index? + end + + def act_on? + false + end + + def self.has_association(assocation) # rubocop:disable Naming/PredicateName + %w[create attach detach destroy edit].each do |action| + define_method(:"#{action}_#{assocation}?") { false } + end + define_method(:"show_#{assocation}?") { policy!(user, record).avo_show? } + alias_method :"view_#{assocation}?", :avo_show? + end + + class Scope + include Admin::Concerns::PolicyHelpers + + def initialize(user, scope) + @user = user + @scope = scope + end + + def resolve + raise NotImplementedError, "You must define #resolve in #{self.class}" + end + + private + + attr_reader :user, :scope + end +end diff --git a/app/policies/audit_policy.rb b/app/policies/admin/audit_policy.rb similarity index 74% rename from app/policies/audit_policy.rb rename to app/policies/admin/audit_policy.rb index 915d9d4cfa9..db45584e4c9 100644 --- a/app/policies/audit_policy.rb +++ b/app/policies/admin/audit_policy.rb @@ -1,5 +1,5 @@ -class AuditPolicy < ApplicationPolicy - class Scope < Scope +class Admin::AuditPolicy < Admin::ApplicationPolicy + class Scope < Admin::ApplicationPolicy::Scope # NOTE: Be explicit about which records you allow access to! def resolve if rubygems_org_admin? 
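Review bot: `Admin::ApplicationPolicy` has no header comment saying it is the default-deny base for every Avo resource policy, and `has_association` hides behavior a reader would not guess: `show_<assoc>?` consults the policy of the owning `record`, not of the associated object, and `view_<assoc>?` is an alias of `avo_show?`, so both reduce to the parent's own show permission. I would add `# Base policy for Avo admin resources: every action answers false until a subclass explicitly allows it.` above the class, and above `has_association` a comment stating that create/attach/detach/destroy/edit on the association are always denied while show/view follow the parent record's `avo_show?`. The parameter is spelled `assocation` throughout (carried over by the move); `association` would fix it without touching the `rubocop:disable` on that line. The audit_policy hunk on this line is a pure namespace rename.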
diff --git a/app/policies/concerns/admin_user.rb b/app/policies/admin/concerns/policy_helpers.rb similarity index 70% rename from app/policies/concerns/admin_user.rb rename to app/policies/admin/concerns/policy_helpers.rb index a21b1dd2703..362afda6584 100644 --- a/app/policies/concerns/admin_user.rb +++ b/app/policies/admin/concerns/policy_helpers.rb @@ -1,4 +1,4 @@ -module AdminUser +module Admin::Concerns::PolicyHelpers extend ActiveSupport::Concern included do @@ -13,5 +13,9 @@ def belongs_to_team?(slug) def rubygems_org_admin? belongs_to_team?("rubygems-org") end + + def policy!(user, record) + Pundit.policy!(user, [:admin, record]) + end end end diff --git a/app/policies/deletion_policy.rb b/app/policies/admin/deletion_policy.rb similarity index 62% rename from app/policies/deletion_policy.rb rename to app/policies/admin/deletion_policy.rb index 491ccd15578..1e86916fd1b 100644 --- a/app/policies/deletion_policy.rb +++ b/app/policies/admin/deletion_policy.rb @@ -1,5 +1,5 @@ -class DeletionPolicy < ApplicationPolicy - class Scope < Scope +class Admin::DeletionPolicy < Admin::ApplicationPolicy + class Scope < Admin::ApplicationPolicy::Scope def resolve scope.all end diff --git a/app/policies/admin/dependency_policy.rb b/app/policies/admin/dependency_policy.rb new file mode 100644 index 00000000000..ad92f6b0f80 --- /dev/null +++ b/app/policies/admin/dependency_policy.rb @@ -0,0 +1,11 @@ +class Admin::DependencyPolicy < Admin::ApplicationPolicy + class Scope < Admin::ApplicationPolicy::Scope + def resolve + scope.all + end + end + + def avo_show? + rubygems_org_admin? + end +end diff --git a/app/policies/events/rubygem_event_policy.rb b/app/policies/admin/events/rubygem_event_policy.rb similarity index 61% rename from app/policies/events/rubygem_event_policy.rb rename to app/policies/admin/events/rubygem_event_policy.rb index 0c1644d8efa..6f8f45c4a53 100644 --- a/app/policies/events/rubygem_event_policy.rb +++ b/app/policies/admin/events/rubygem_event_policy.rb 
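Review bot: The new `policy!` in policy_helpers.rb is undocumented, and its name matches Pundit's own `policy!` while silently prefixing the `[:admin, …]` namespace, which will surprise anyone who assumes the two are interchangeable. I would add above it `# Looks up the Admin:: namespaced Pundit policy for record; raises Pundit::NotDefinedError when none exists, so callers fail closed.`. It is also deliberately only the bang form, which suits the current callers that all want the raise — worth saying so that nobody later adds a non-raising `policy` that returns nil into an authorization check. The enclosing module body runs past the hunk.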
@@ -1,5 +1,5 @@ -class Events::RubygemEventPolicy < ApplicationPolicy - class Scope < Scope +class Admin::Events::RubygemEventPolicy < Admin::ApplicationPolicy + class Scope < Admin::ApplicationPolicy::Scope def resolve scope.all end diff --git a/app/policies/events/user_event_policy.rb b/app/policies/admin/events/user_event_policy.rb similarity index 62% rename from app/policies/events/user_event_policy.rb rename to app/policies/admin/events/user_event_policy.rb index bbe74fb1457..d2d3b02f9d2 100644 --- a/app/policies/events/user_event_policy.rb +++ b/app/policies/admin/events/user_event_policy.rb @@ -1,5 +1,5 @@ -class Events::UserEventPolicy < ApplicationPolicy - class Scope < Scope +class Admin::Events::UserEventPolicy < Admin::ApplicationPolicy + class Scope < Admin::ApplicationPolicy::Scope def resolve scope.all end diff --git a/app/policies/gem_download_policy.rb b/app/policies/admin/gem_download_policy.rb similarity index 62% rename from app/policies/gem_download_policy.rb rename to app/policies/admin/gem_download_policy.rb index 24784e3e3aa..ec2322e286c 100644 --- a/app/policies/gem_download_policy.rb +++ b/app/policies/admin/gem_download_policy.rb @@ -1,5 +1,5 @@ -class GemDownloadPolicy < ApplicationPolicy - class Scope < Scope +class Admin::GemDownloadPolicy < Admin::ApplicationPolicy + class Scope < Admin::ApplicationPolicy::Scope # NOTE: Be explicit about which records you allow access to! def resolve scope.all diff --git a/app/policies/gem_name_reservation_policy.rb b/app/policies/admin/gem_name_reservation_policy.rb similarity index 68% rename from app/policies/gem_name_reservation_policy.rb rename to app/policies/admin/gem_name_reservation_policy.rb index cdc258c3d60..c539d9b0c58 100644 --- a/app/policies/gem_name_reservation_policy.rb +++ b/app/policies/admin/gem_name_reservation_policy.rb 
@@ -1,5 +1,5 @@ -class GemNameReservationPolicy < ApplicationPolicy - class Scope < Scope +class Admin::GemNameReservationPolicy < Admin::ApplicationPolicy + class Scope < Admin::ApplicationPolicy::Scope def resolve scope.all end diff --git a/app/policies/gem_typo_exception_policy.rb b/app/policies/admin/gem_typo_exception_policy.rb similarity index 73% rename from app/policies/gem_typo_exception_policy.rb rename to app/policies/admin/gem_typo_exception_policy.rb index a623733a594..f6056ef61b5 100644 --- a/app/policies/gem_typo_exception_policy.rb +++ b/app/policies/admin/gem_typo_exception_policy.rb @@ -1,5 +1,5 @@ -class GemTypoExceptionPolicy < ApplicationPolicy - class Scope < Scope +class Admin::GemTypoExceptionPolicy < Admin::ApplicationPolicy + class Scope < Admin::ApplicationPolicy::Scope def resolve scope.all end diff --git a/app/policies/geoip_info_policy.rb b/app/policies/admin/geoip_info_policy.rb similarity index 60% rename from app/policies/geoip_info_policy.rb rename to app/policies/admin/geoip_info_policy.rb index 42f0aa258dd..d60f1b1ffee 100644 --- a/app/policies/geoip_info_policy.rb +++ b/app/policies/admin/geoip_info_policy.rb @@ -1,5 +1,5 @@ -class GeoipInfoPolicy < ApplicationPolicy - class Scope < Scope +class Admin::GeoipInfoPolicy < Admin::ApplicationPolicy + class Scope < Admin::ApplicationPolicy::Scope def resolve scope.all end diff --git a/app/policies/admin/github_user_policy.rb b/app/policies/admin/github_user_policy.rb index 7013e69abe0..91eaabfb6c1 100644 --- a/app/policies/admin/github_user_policy.rb +++ b/app/policies/admin/github_user_policy.rb @@ -1,5 +1,5 @@ -class Admin::GitHubUserPolicy < ApplicationPolicy - class Scope < Scope +class Admin::GitHubUserPolicy < Admin::ApplicationPolicy + class Scope < Admin::ApplicationPolicy::Scope # NOTE: Be explicit about which records you allow access to! def resolve if rubygems_org_admin? 
diff --git a/app/policies/ip_address_policy.rb b/app/policies/admin/ip_address_policy.rb similarity index 65% rename from app/policies/ip_address_policy.rb rename to app/policies/admin/ip_address_policy.rb index fda18b72cfa..e05baef361d 100644 --- a/app/policies/ip_address_policy.rb +++ b/app/policies/admin/ip_address_policy.rb @@ -1,5 +1,5 @@ -class IpAddressPolicy < ApplicationPolicy - class Scope < Scope +class Admin::IpAddressPolicy < Admin::ApplicationPolicy + class Scope < Admin::ApplicationPolicy::Scope def resolve scope.all end diff --git a/app/policies/link_verification_policy.rb b/app/policies/admin/link_verification_policy.rb similarity index 53% rename from app/policies/link_verification_policy.rb rename to app/policies/admin/link_verification_policy.rb index af62c46bbcf..ff8f2f812cb 100644 --- a/app/policies/link_verification_policy.rb +++ b/app/policies/admin/link_verification_policy.rb @@ -1,5 +1,5 @@ -class LinkVerificationPolicy < ApplicationPolicy - class Scope < Scope +class Admin::LinkVerificationPolicy < Admin::ApplicationPolicy + class Scope < Admin::ApplicationPolicy::Scope def resolve scope.all end diff --git a/app/policies/admin/linkset_policy.rb b/app/policies/admin/linkset_policy.rb new file mode 100644 index 00000000000..ff2c35e2280 --- /dev/null +++ b/app/policies/admin/linkset_policy.rb @@ -0,0 +1,15 @@ +class Admin::LinksetPolicy < Admin::ApplicationPolicy + class Scope < Admin::ApplicationPolicy::Scope + def resolve + scope.all + end + end + + def avo_index? + policy!(user, Rubygem).avo_index? + end + + def avo_show? + policy!(user, record.rubygem).avo_show? + end +end diff --git a/app/policies/log_ticket_policy.rb b/app/policies/admin/log_ticket_policy.rb similarity index 58% rename from app/policies/log_ticket_policy.rb rename to app/policies/admin/log_ticket_policy.rb index c8162d0c774..1c9517c9e36 100644 --- a/app/policies/log_ticket_policy.rb +++ b/app/policies/admin/log_ticket_policy.rb 
@@ -1,5 +1,5 @@ -class LogTicketPolicy < ApplicationPolicy - class Scope < Scope +class Admin::LogTicketPolicy < Admin::ApplicationPolicy + class Scope < Admin::ApplicationPolicy::Scope def resolve scope.all end diff --git a/app/policies/maintenance_tasks/run_policy.rb b/app/policies/admin/maintenance_tasks/run_policy.rb similarity index 55% rename from app/policies/maintenance_tasks/run_policy.rb rename to app/policies/admin/maintenance_tasks/run_policy.rb index bfbf14ab7dc..dab68f1715f 100644 --- a/app/policies/maintenance_tasks/run_policy.rb +++ b/app/policies/admin/maintenance_tasks/run_policy.rb @@ -1,5 +1,5 @@ -class MaintenanceTasks::RunPolicy < ApplicationPolicy - class Scope < Scope +class Admin::MaintenanceTasks::RunPolicy < Admin::ApplicationPolicy + class Scope < Admin::ApplicationPolicy::Scope def resolve scope.all end diff --git a/app/policies/oidc/api_key_role_policy.rb b/app/policies/admin/oidc/api_key_role_policy.rb similarity index 73% rename from app/policies/oidc/api_key_role_policy.rb rename to app/policies/admin/oidc/api_key_role_policy.rb index a3f0ffba8da..51f0c3ae0c5 100644 --- a/app/policies/oidc/api_key_role_policy.rb +++ b/app/policies/admin/oidc/api_key_role_policy.rb @@ -1,5 +1,5 @@ -class OIDC::ApiKeyRolePolicy < ApplicationPolicy - class Scope < Scope +class Admin::OIDC::ApiKeyRolePolicy < Admin::ApplicationPolicy + class Scope < Admin::ApplicationPolicy::Scope def resolve scope.all end diff --git a/app/policies/oidc/id_token_policy.rb b/app/policies/admin/oidc/id_token_policy.rb similarity index 66% rename from app/policies/oidc/id_token_policy.rb rename to app/policies/admin/oidc/id_token_policy.rb index f2c5b2553f9..723b0812567 100644 --- a/app/policies/oidc/id_token_policy.rb +++ b/app/policies/admin/oidc/id_token_policy.rb 
@@ -1,5 +1,5 @@ -class OIDC::IdTokenPolicy < ApplicationPolicy - class Scope < Scope +class Admin::OIDC::IdTokenPolicy < Admin::ApplicationPolicy + class Scope < Admin::ApplicationPolicy::Scope def resolve scope.all end diff --git a/app/policies/oidc/pending_trusted_publisher_policy.rb b/app/policies/admin/oidc/pending_trusted_publisher_policy.rb similarity index 60% rename from app/policies/oidc/pending_trusted_publisher_policy.rb rename to app/policies/admin/oidc/pending_trusted_publisher_policy.rb index e7b0ee3b09a..452917695d0 100644 --- a/app/policies/oidc/pending_trusted_publisher_policy.rb +++ b/app/policies/admin/oidc/pending_trusted_publisher_policy.rb @@ -1,5 +1,5 @@ -class OIDC::PendingTrustedPublisherPolicy < ApplicationPolicy - class Scope < Scope +class Admin::OIDC::PendingTrustedPublisherPolicy < Admin::ApplicationPolicy + class Scope < Admin::ApplicationPolicy::Scope def resolve scope.all end diff --git a/app/policies/oidc/provider_policy.rb b/app/policies/admin/oidc/provider_policy.rb similarity index 71% rename from app/policies/oidc/provider_policy.rb rename to app/policies/admin/oidc/provider_policy.rb index 84ede4d5f06..2ce7284a943 100644 --- a/app/policies/oidc/provider_policy.rb +++ b/app/policies/admin/oidc/provider_policy.rb @@ -1,5 +1,5 @@ -class OIDC::ProviderPolicy < ApplicationPolicy - class Scope < Scope +class Admin::OIDC::ProviderPolicy < Admin::ApplicationPolicy + class Scope < Admin::ApplicationPolicy::Scope def resolve scope.all end diff --git a/app/policies/oidc/rubygem_trusted_publisher_policy.rb b/app/policies/admin/oidc/rubygem_trusted_publisher_policy.rb similarity index 60% rename from app/policies/oidc/rubygem_trusted_publisher_policy.rb rename to app/policies/admin/oidc/rubygem_trusted_publisher_policy.rb index bb16fe9a8f3..eb8877afe0b 100644 --- a/app/policies/oidc/rubygem_trusted_publisher_policy.rb +++ b/app/policies/admin/oidc/rubygem_trusted_publisher_policy.rb 
@@ -1,5 +1,5 @@ -class OIDC::RubygemTrustedPublisherPolicy < ApplicationPolicy - class Scope < Scope +class Admin::OIDC::RubygemTrustedPublisherPolicy < Admin::ApplicationPolicy + class Scope < Admin::ApplicationPolicy::Scope def resolve scope.all end diff --git a/app/policies/oidc/trusted_publisher/github_action_policy.rb b/app/policies/admin/oidc/trusted_publisher/github_action_policy.rb similarity index 70% rename from app/policies/oidc/trusted_publisher/github_action_policy.rb rename to app/policies/admin/oidc/trusted_publisher/github_action_policy.rb index 66837ff5ad3..191795b52ec 100644 --- a/app/policies/oidc/trusted_publisher/github_action_policy.rb +++ b/app/policies/admin/oidc/trusted_publisher/github_action_policy.rb @@ -1,5 +1,5 @@ -class OIDC::TrustedPublisher::GitHubActionPolicy < ApplicationPolicy - class Scope < Scope +class Admin::OIDC::TrustedPublisher::GitHubActionPolicy < Admin::ApplicationPolicy + class Scope < Admin::ApplicationPolicy::Scope def resolve scope.all end diff --git a/app/policies/ownership_policy.rb b/app/policies/admin/ownership_policy.rb similarity index 57% rename from app/policies/ownership_policy.rb rename to app/policies/admin/ownership_policy.rb index a13333c77ca..fb446f62cf6 100644 --- a/app/policies/ownership_policy.rb +++ b/app/policies/admin/ownership_policy.rb @@ -1,5 +1,5 @@ -class OwnershipPolicy < ApplicationPolicy - class Scope < Scope +class Admin::OwnershipPolicy < Admin::ApplicationPolicy + class Scope < Admin::ApplicationPolicy::Scope def resolve scope.all end diff --git a/app/policies/rubygem_policy.rb b/app/policies/admin/rubygem_policy.rb similarity index 88% rename from app/policies/rubygem_policy.rb rename to app/policies/admin/rubygem_policy.rb index 8c22536f1d7..e7a4f3c932c 100644 --- a/app/policies/rubygem_policy.rb +++ b/app/policies/admin/rubygem_policy.rb 
@@ -1,5 +1,5 @@ -class RubygemPolicy < ApplicationPolicy - class Scope < Scope +class Admin::RubygemPolicy < Admin::ApplicationPolicy + class Scope < Admin::ApplicationPolicy::Scope def resolve if rubygems_org_admin? scope.all diff --git a/app/policies/sendgrid_event_policy.rb b/app/policies/admin/sendgrid_event_policy.rb similarity index 57% rename from app/policies/sendgrid_event_policy.rb rename to app/policies/admin/sendgrid_event_policy.rb index fcf484b3d53..2a9d008723f 100644 --- a/app/policies/sendgrid_event_policy.rb +++ b/app/policies/admin/sendgrid_event_policy.rb @@ -1,5 +1,5 @@ -class SendgridEventPolicy < ApplicationPolicy - class Scope < Scope +class Admin::SendgridEventPolicy < Admin::ApplicationPolicy + class Scope < Admin::ApplicationPolicy::Scope def resolve scope.all end diff --git a/app/policies/user_policy.rb b/app/policies/admin/user_policy.rb similarity index 88% rename from app/policies/user_policy.rb rename to app/policies/admin/user_policy.rb index daf84c1449d..91a1738210f 100644 --- a/app/policies/user_policy.rb +++ b/app/policies/admin/user_policy.rb @@ -1,5 +1,5 @@ -class UserPolicy < ApplicationPolicy - class Scope < Scope +class Admin::UserPolicy < Admin::ApplicationPolicy + class Scope < Admin::ApplicationPolicy::Scope # NOTE: Be explicit about which records you allow access to! def resolve scope.all diff --git a/app/policies/version_policy.rb b/app/policies/admin/version_policy.rb similarity index 77% rename from app/policies/version_policy.rb rename to app/policies/admin/version_policy.rb index 91da344956d..50670f2ab86 100644 --- a/app/policies/version_policy.rb +++ b/app/policies/admin/version_policy.rb @@ -1,5 +1,5 @@ -class VersionPolicy < ApplicationPolicy - class Scope < Scope +class Admin::VersionPolicy < Admin::ApplicationPolicy + class Scope < Admin::ApplicationPolicy::Scope def resolve if rubygems_org_admin? scope.all 
diff --git a/app/policies/web_hook_policy.rb b/app/policies/admin/web_hook_policy.rb similarity index 68% rename from app/policies/web_hook_policy.rb rename to app/policies/admin/web_hook_policy.rb index 7555fb6082d..b3ccb7a87b5 100644 --- a/app/policies/web_hook_policy.rb +++ b/app/policies/admin/web_hook_policy.rb @@ -1,5 +1,5 @@ -class WebHookPolicy < ApplicationPolicy - class Scope < Scope +class Admin::WebHookPolicy < Admin::ApplicationPolicy + class Scope < Admin::ApplicationPolicy::Scope def resolve scope.all end diff --git a/app/policies/admin/webauthn_credential_policy.rb b/app/policies/admin/webauthn_credential_policy.rb new file mode 100644 index 00000000000..9bcd1c888d1 --- /dev/null +++ b/app/policies/admin/webauthn_credential_policy.rb @@ -0,0 +1,13 @@ +class Admin::WebauthnCredentialPolicy < Admin::ApplicationPolicy + class Scope < Admin::ApplicationPolicy::Scope + def resolve + scope.all + end + end + + has_association :user + + def avo_show? + policy!(user, record.user).avo_show? + end +end diff --git a/app/policies/admin/webauthn_verification_policy.rb b/app/policies/admin/webauthn_verification_policy.rb new file mode 100644 index 00000000000..9b246cb283f --- /dev/null +++ b/app/policies/admin/webauthn_verification_policy.rb @@ -0,0 +1,13 @@ +class Admin::WebauthnVerificationPolicy < Admin::ApplicationPolicy + class Scope < Admin::ApplicationPolicy::Scope + def resolve + scope.all + end + end + + has_association :user + + def avo_show? + policy!(user, record.user).avo_show? + end +end diff --git a/app/policies/api_key_rubygem_scope_policy.rb b/app/policies/api_key_rubygem_scope_policy.rb deleted file mode 100644 index 8379407551b..00000000000 --- a/app/policies/api_key_rubygem_scope_policy.rb +++ /dev/null @@ -1,11 +0,0 @@ -class ApiKeyRubygemScopePolicy < ApplicationPolicy - class Scope < Scope - def resolve - scope.all - end - end - - def avo_show? - Pundit.policy!(user, record.ownership).avo_show? - end -end 
diff --git a/app/policies/application_policy.rb b/app/policies/application_policy.rb index 2fdb6243eb1..17b17aa87ab 100644 --- a/app/policies/application_policy.rb +++ b/app/policies/application_policy.rb @@ -1,9 +1,23 @@ # frozen_string_literal: true class ApplicationPolicy - include AdminUser include SemanticLogger::Loggable + class Scope + def initialize(user, scope) + @user = user + @scope = scope + end + + def resolve + raise NotImplementedError, "You must define #resolve in #{self.class}" + end + + private + + attr_reader :user, :scope + end + attr_reader :user, :record def initialize(user, record) @@ -11,64 +25,35 @@ def initialize(user, record) @record = record end - def avo_index? + def index? false end - def avo_show? + def show? false end - def avo_create? + def create? false end - def avo_new? - avo_create? + def new? + create? end - def avo_update? + def update? false end - def avo_edit? - avo_update? + def edit? + update? end - def avo_destroy? + def destroy? false end - def avo_search? - avo_index? - end - - def act_on? - false - end - - def self.has_association(assocation) # rubocop:disable Naming/PredicateName - %w[create attach detach destroy edit].each do |action| - define_method(:"#{action}_#{assocation}?") { false } - end - define_method(:"show_#{assocation}?") { Pundit.policy!(user, record).avo_show? } - alias_method :"view_#{assocation}?", :avo_show? - end - - class Scope - include AdminUser - - def initialize(user, scope) - @user = user - @scope = scope - end - - def resolve - raise NotImplementedError, "You must define #resolve in #{self.class}" - end - - private - - attr_reader :user, :scope + def search? + index? end end diff --git a/app/policies/dependency_policy.rb b/app/policies/dependency_policy.rb deleted file mode 100644 index 21b2bb033d0..00000000000 --- a/app/policies/dependency_policy.rb +++ /dev/null 
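Review bot: The rewritten `ApplicationPolicy` no longer says what it is for; now that the Avo policies live under `Admin::ApplicationPolicy`, a reader landing here needs to know this is the base for non-admin (userland) Pundit policies and that it intentionally dropped `include AdminUser`, so `rubygems_org_admin?` is not available to its subclasses. I would add `# Base class for application (non-Avo) Pundit policies. Every action denies by default; Avo resource policies derive from Admin::ApplicationPolicy instead.` above the class. `search?` is not a standard Pundit action and nothing in the diff calls it now that avo.rb maps search to `avo_search?`, so either a comment naming its caller or dropping it would keep the base minimal — the callers are outside what I can see.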
@@ -1,11 +0,0 @@ -class DependencyPolicy < ApplicationPolicy - class Scope < Scope - def resolve - scope.all - end - end - - def avo_show? - rubygems_org_admin? - end -end diff --git a/app/policies/linkset_policy.rb b/app/policies/linkset_policy.rb deleted file mode 100644 index 6fbbd53900d..00000000000 --- a/app/policies/linkset_policy.rb +++ /dev/null @@ -1,15 +0,0 @@ -class LinksetPolicy < ApplicationPolicy - class Scope < Scope - def resolve - scope.all - end - end - - def avo_index? - Pundit.policy!(user, Rubygem).avo_index? - end - - def avo_show? - Pundit.policy!(user, record.rubygem).avo_show? - end -end diff --git a/app/policies/webauthn_credential_policy.rb b/app/policies/webauthn_credential_policy.rb deleted file mode 100644 index 3fa6d688e27..00000000000 --- a/app/policies/webauthn_credential_policy.rb +++ /dev/null @@ -1,13 +0,0 @@ -class WebauthnCredentialPolicy < ApplicationPolicy - class Scope < Scope - def resolve - scope.all - end - end - - has_association :user - - def avo_show? - Pundit.policy!(user, record.user).avo_show? - end -end diff --git a/app/policies/webauthn_verification_policy.rb b/app/policies/webauthn_verification_policy.rb deleted file mode 100644 index 1c2e3300ad1..00000000000 --- a/app/policies/webauthn_verification_policy.rb +++ /dev/null @@ -1,13 +0,0 @@ -class WebauthnVerificationPolicy < ApplicationPolicy - class Scope < Scope - def resolve - scope.all - end - end - - has_association :user - - def avo_show? - Pundit.policy!(user, record.user).avo_show? - end -end diff --git a/config/initializers/avo.rb b/config/initializers/avo.rb index 794d93736ae..f1d8d70c8b7 100644 --- a/config/initializers/avo.rb +++ b/config/initializers/avo.rb @@ -40,7 +40,7 @@ search: 'avo_search?' } config.raise_error_on_missing_policy = true - config.authorization_client = :pundit + config.authorization_client = "Admin::AuthorizationClient" ## == Localization == # config.locale = 'en-US' 
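Review bot: `config.authorization_client = "Admin::AuthorizationClient"` hands Avo a class name as a string that, as far as I can tell, is only resolved when the first authorization runs, and the class lives under lib/admin rather than app/; confirm that path is autoloaded and eager-loaded in production so a load-path mistake surfaces at boot instead of as a failed admin request. A short comment on that line, `# Wraps Pundit lookups in the :admin namespace so Avo only ever sees Admin::*Policy classes (lib/admin/authorization_client.rb)`, would also tell a reader why the stock `:pundit` client was replaced.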
diff --git a/lib/admin/authorization_client.rb b/lib/admin/authorization_client.rb
new file mode 100644
index 00000000000..6a95c709438
--- /dev/null
+++ b/lib/admin/authorization_client.rb
@@ -0,0 +1,42 @@
+# This class is the same as the default pundit authorization client.
+# It just adds the admin scope automatically so that Avo pundit policies can be kept separate.
+class Admin::AuthorizationClient < Avo::Services::AuthorizationClients::PunditClient
+ def authorize(user, record, action, policy_class: nil)
+ # After https://github.com/avo-hq/avo/pull/2827 lands, we can hopefully remove this hack
+ policy_class ||= Admin::GitHubUserPolicy if record == Admin::GitHubUser
+ super(user, [:admin, record], action, policy_class: policy_class)
+ end
+
+ def policy(user, record)
+ super(user, [:admin, record])
+ end
+
+ def policy!(user, record)
+ super(user, [:admin, record])
+ end
+
+ def apply_policy(user, model, policy_class: nil)
+ # Try and figure out the scope from a given policy or auto-detected one
+ scope_from_policy_class = scope_for_policy_class(policy_class)
+
+ # If we discover one use it.
+ # Else fallback to pundit.
+ if scope_from_policy_class.present?
+ scope_from_policy_class.new(user, model).resolve
+ else
+ Pundit.policy_scope!(user, [:admin, model])
+ end
+ rescue Pundit::NotDefinedError => e
+ raise Avo::NoPolicyError, e.message
+ end
+
+ private
+
+ # Fetches the scope for a given policy
+ def scope_for_policy_class(policy_class = nil)
+ return if policy_class.blank?
+
+ return unless policy_class.present? && defined?(Admin.const_get(policy_class.to_s)&.const_get("Scope"))
+ policy_class::Scope
+ end
+end
diff --git a/test/policies/admin/api_key_policy_test.rb b/test/policies/admin/api_key_policy_test.rb
new file mode 100644
index 00000000000..97da3b5fb3d
--- /dev/null
+++ b/test/policies/admin/api_key_policy_test.rb
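Review bot: In `scope_for_policy_class` the guard `defined?(Admin.const_get(policy_class.to_s)&.const_get("Scope"))` does not check what its placement suggests: `defined?` on a method-call expression only reports whether the receiver evaluates and responds to `const_get`, it never invokes `const_get("Scope")`, so any constant under Admin passes and a policy without a `Scope` (own or inherited) surfaces as a NameError from `policy_class::Scope` rather than being caught by the `rescue Pundit::NotDefinedError`. `policy_class.present?` on the same line is also redundant after the `return if policy_class.blank?` guard. A direct check, `return unless policy_class.respond_to?(:const_defined?) && policy_class.const_defined?(:Scope)`, says what is meant, and `const_defined?` with its default inherit flag also finds the Scope inherited from Admin::ApplicationPolicy. Separately, the GitHubUser hack in `authorize` matches only the class itself (`record == Admin::GitHubUser`); if Avo ever calls it with an Admin::GitHubUser instance and no policy_class, the `[:admin, record]` wrapping would, as far as I can tell from Pundit's namespaced lookup, look for Admin::Admin::GitHubUserPolicy and fail closed with NotDefinedError, so `record.is_a?(Admin::GitHubUser) || record == Admin::GitHubUser` may be the safer match.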
@@ -0,0 +1,41 @@ +require "test_helper" + +class Admin::ApiKeyPolicyTest < AdminPolicyTestCase + setup do + @api_key = FactoryBot.create(:api_key) + @admin = FactoryBot.create(:admin_github_user, :is_admin) + @non_admin = FactoryBot.create(:admin_github_user) + end + + def test_scope + assert_equal [@api_key], policy_scope!( + @admin, + ApiKey + ).to_a + end + + def test_avo_index + refute_authorizes @admin, ApiKey, :avo_index? + refute_authorizes @non_admin, ApiKey, :avo_index? + end + + def test_avo_show + assert_authorizes @admin, @api_key, :avo_show? + refute_authorizes @non_admin, @api_key, :avo_show? + end + + def test_avo_create + refute_authorizes @admin, ApiKey, :avo_create? + refute_authorizes @non_admin, ApiKey, :avo_create? + end + + def test_avo_update + refute_authorizes @admin, @api_key, :avo_update? + refute_authorizes @non_admin, @api_key, :avo_update? + end + + def test_avo_destroy + refute_authorizes @admin, @api_key, :avo_destroy? + refute_authorizes @non_admin, @api_key, :avo_destroy? + end +end diff --git a/test/policies/admin/api_key_rubygem_scope_policy_test.rb b/test/policies/admin/api_key_rubygem_scope_policy_test.rb new file mode 100644 index 00000000000..c4b65646a28 --- /dev/null +++ b/test/policies/admin/api_key_rubygem_scope_policy_test.rb 
@@ -0,0 +1,42 @@ +require "test_helper" + +class Admin::ApiKeyRubygemScopePolicyTest < AdminPolicyTestCase + setup do + @scope = FactoryBot.create(:api_key_rubygem_scope) + @admin = FactoryBot.create(:admin_github_user, :is_admin) + @non_admin = FactoryBot.create(:admin_github_user) + end + + def test_scope + assert_equal [@scope], policy_scope!( + @admin, + ApiKeyRubygemScope + ).to_a + end + + def test_avo_index + refute_authorizes @admin, ApiKeyRubygemScope, :avo_index? + refute_authorizes @non_admin, ApiKeyRubygemScope, :avo_index? + end + + def test_avo_show + assert_authorizes @admin, @scope, :avo_show? + + refute_authorizes @non_admin, @scope, :avo_show? + end + + def test_avo_create + refute_authorizes @admin, ApiKeyRubygemScope, :avo_create? + refute_authorizes @non_admin, ApiKeyRubygemScope, :avo_create? + end + + def test_avo_update + refute_authorizes @admin, @scope, :avo_update? + refute_authorizes @non_admin, @scope, :avo_update? + end + + def test_avo_destroy + refute_authorizes @admin, @scope, :avo_destroy? + refute_authorizes @non_admin, @scope, :avo_destroy? + end +end diff --git a/test/policies/audit_policy_test.rb b/test/policies/admin/audit_policy_test.rb similarity index 74% rename from test/policies/audit_policy_test.rb rename to test/policies/admin/audit_policy_test.rb index acefe6c1e80..d5e8ca21936 100644 --- a/test/policies/audit_policy_test.rb +++ b/test/policies/admin/audit_policy_test.rb @@ -1,6 +1,6 @@ require "test_helper" -class AuditPolicyTest < ActiveSupport::TestCase +class Admin::AuditPolicyTest < AdminPolicyTestCase def test_scope end diff --git a/test/policies/avo_policies_test.rb b/test/policies/admin/avo_policies_test.rb similarity index 74% rename from test/policies/avo_policies_test.rb rename to test/policies/admin/avo_policies_test.rb index a8cb38ee830..e03ee0e9cc0 100644 --- a/test/policies/avo_policies_test.rb +++ b/test/policies/admin/avo_policies_test.rb 
@@ -1,13 +1,18 @@ require "test_helper" -class AvoPoliciesTest < ActiveSupport::TestCase +class Admin::AvoPoliciesTest < AdminPolicyTestCase def test_association_methods_defined resources = Avo::App.init_resources association_actions = %w[create attach detach destroy edit show view] aggregate_assertions do resources.each do |resource| - policy = Pundit.policy(nil, resource) + policy = + if resource.authorization_policy + resource.authorization_policy.new(nil, resource) + else + policy!(nil, resource) + end refute_nil policy diff --git a/test/policies/admin/deletion_policy_test.rb b/test/policies/admin/deletion_policy_test.rb new file mode 100644 index 00000000000..50508bc5863 --- /dev/null +++ b/test/policies/admin/deletion_policy_test.rb @@ -0,0 +1,44 @@ +require "test_helper" + +class Admin::DeletionPolicyTest < AdminPolicyTestCase + setup do + @version = create(:version) + @deletion = Deletion.create!(version: @version, user: create(:user)) + @admin = create(:admin_github_user, :is_admin) + @non_admin = create(:admin_github_user) + end + + def test_scope + assert_equal [@deletion], policy_scope!( + @admin, + Deletion + ).to_a + end + + def test_avo_index + assert_authorizes @admin, Deletion, :avo_index? + + refute_authorizes @non_admin, Deletion, :avo_index? + end + + def test_avo_show + assert_authorizes @admin, @deletion, :avo_show? + + refute_authorizes @non_admin, @deletion, :avo_show? + end + + def test_avo_create + refute_authorizes @admin, Deletion, :avo_create? + refute_authorizes @non_admin, Deletion, :avo_create? + end + + def test_avo_update + refute_authorizes @admin, @deletion, :avo_update? + refute_authorizes @non_admin, @deletion, :avo_update? + end + + def test_avo_destroy + refute_authorizes @admin, @deletion, :avo_destroy? + refute_authorizes @non_admin, @deletion, :avo_destroy? + end +end 
diff --git a/test/policies/dependency_policy_test.rb b/test/policies/admin/dependency_policy_test.rb similarity index 72% rename from test/policies/dependency_policy_test.rb rename to test/policies/admin/dependency_policy_test.rb index cc6a2f66f9f..e056ea610a0 100644 --- a/test/policies/dependency_policy_test.rb +++ b/test/policies/admin/dependency_policy_test.rb @@ -1,6 +1,6 @@ require "test_helper" -class DependencyPolicyTest < ActiveSupport::TestCase +class Admin::DependencyPolicyTest < AdminPolicyTestCase def test_scope end diff --git a/test/policies/events/rubygem_event_policy_test.rb b/test/policies/admin/events/rubygem_event_policy_test.rb similarity index 69% rename from test/policies/events/rubygem_event_policy_test.rb rename to test/policies/admin/events/rubygem_event_policy_test.rb index 2689db7392a..4807bd780a1 100644 --- a/test/policies/events/rubygem_event_policy_test.rb +++ b/test/policies/admin/events/rubygem_event_policy_test.rb @@ -1,6 +1,6 @@ require "test_helper" -class Events::RubygemEventPolicyTest < ActiveSupport::TestCase +class Admin::Events::RubygemEventPolicyTest < AdminPolicyTestCase def test_scope end diff --git a/test/policies/events/user_event_policy_test.rb b/test/policies/admin/events/user_event_policy_test.rb similarity index 70% rename from test/policies/events/user_event_policy_test.rb rename to test/policies/admin/events/user_event_policy_test.rb index 1b485c2ae60..d40fcffe93e 100644 --- a/test/policies/events/user_event_policy_test.rb +++ b/test/policies/admin/events/user_event_policy_test.rb @@ -1,6 +1,6 @@ require "test_helper" -class Events::UserEventPolicyTest < ActiveSupport::TestCase +class Admin::Events::UserEventPolicyTest < AdminPolicyTestCase def test_scope end 
diff --git a/test/policies/gem_download_policy_test.rb b/test/policies/admin/gem_download_policy_test.rb similarity index 72% rename from test/policies/gem_download_policy_test.rb rename to test/policies/admin/gem_download_policy_test.rb index d20d1d3150b..74598a944f1 100644 --- a/test/policies/gem_download_policy_test.rb +++ b/test/policies/admin/gem_download_policy_test.rb @@ -1,6 +1,6 @@ require "test_helper" -class GemDownloadPolicyTest < ActiveSupport::TestCase +class Admin::GemDownloadPolicyTest < AdminPolicyTestCase def test_scope end diff --git a/test/policies/admin/gem_name_reservation_policy_test.rb b/test/policies/admin/gem_name_reservation_policy_test.rb new file mode 100644 index 00000000000..ec26de4bb90 --- /dev/null +++ b/test/policies/admin/gem_name_reservation_policy_test.rb @@ -0,0 +1,39 @@ +require "test_helper" + +class Admin::GemNameReservationPolicyTest < AdminPolicyTestCase + setup do + @scope = create(:gem_name_reservation) + @admin = create(:admin_github_user, :is_admin) + end + + def test_scope + assert_equal [@scope], policy_scope!( + @admin, + GemNameReservation + ).to_a + end + + def test_avo_index + assert_authorizes @admin, GemNameReservation, :avo_index? + end + + def test_avo_show + assert_authorizes @admin, GemNameReservation, :avo_show? + end + + def test_avo_create + assert_authorizes @admin, GemNameReservation, :avo_create? + end + + def test_avo_destroy + assert_authorizes @admin, GemNameReservation, :avo_destroy? + end + + def test_avo_search + assert_authorizes @admin, GemNameReservation, :avo_search? + end + + def test_avo_update + refute_authorizes @admin, GemNameReservation, :avo_update? + end +end diff --git a/test/policies/admin/gem_typo_exception_policy_test.rb b/test/policies/admin/gem_typo_exception_policy_test.rb new file mode 100644 index 00000000000..85b94f025e1 --- /dev/null +++ b/test/policies/admin/gem_typo_exception_policy_test.rb 
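Review bot: Admin::GemNameReservationPolicyTest only ever asserts from `@admin`; unlike the sibling policy tests it has no `@non_admin` fixture, so a regression that opened create/destroy on gem name reservations to any non-admin admin-panel user would pass this suite. Adding `@non_admin = create(:admin_github_user)` to setup and `refute_authorizes @non_admin, GemNameReservation, :avo_create?` (likewise for index, show, destroy and search) to each test closes that gap. `test_avo_show` also authorizes the `GemNameReservation` class rather than the `@scope` record, so it exercises a different path from the other show tests, and the fixture name `@scope` is easy to confuse with the policy scope checked in `test_scope` — `@reservation` would read better.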
@@ -0,0 +1,47 @@ +require "test_helper" + +class Admin::GemTypoExceptionPolicyTest < AdminPolicyTestCase + setup do + @exception = create(:gem_typo_exception) + + @admin = create(:admin_github_user, :is_admin) + @non_admin = create(:admin_github_user) + end + + def test_scope + assert_equal [@exception], policy_scope!( + @admin, + GemTypoException + ).to_a + end + + def test_avo_index + assert_authorizes @admin, GemTypoException, :avo_index? + + refute_authorizes @non_admin, GemTypoException, :avo_index? + end + + def test_avo_show + assert_authorizes @admin, @exception, :avo_show? + + refute_authorizes @non_admin, @exception, :avo_show? + end + + def test_avo_create + assert_authorizes @admin, GemTypoException, :avo_create? + + refute_authorizes @non_admin, GemTypoException, :avo_create? + end + + def test_avo_update + assert_authorizes @admin, @exception, :avo_update? + + refute_authorizes @non_admin, @exception, :avo_update? + end + + def test_avo_destroy + assert_authorizes @admin, @exception, :avo_destroy? + + refute_authorizes @non_admin, @exception, :avo_destroy? + end +end diff --git a/test/policies/admin/geoip_info_policy_test.rb b/test/policies/admin/geoip_info_policy_test.rb new file mode 100644 index 00000000000..9c81adb8439 --- /dev/null +++ b/test/policies/admin/geoip_info_policy_test.rb 
@@ -0,0 +1,44 @@ +require "test_helper" + +class Admin::GeoipInfoPolicyTest < AdminPolicyTestCase + setup do + @geoip_info = create(:geoip_info) + + @admin = create(:admin_github_user, :is_admin) + @non_admin = create(:admin_github_user) + end + + def test_scope + assert_equal [@geoip_info], policy_scope!( + @admin, + GeoipInfo + ).to_a + end + + def test_avo_index + assert_authorizes @admin, GeoipInfo, :avo_index? + + refute_authorizes @non_admin, GeoipInfo, :avo_index? + end + + def test_avo_show + assert_authorizes @admin, @geoip_info, :avo_show? + + refute_authorizes @non_admin, @geoip_info, :avo_show? + end + + def test_avo_create + refute_authorizes @admin, GeoipInfo, :avo_create? + refute_authorizes @non_admin, GeoipInfo, :avo_create? + end + + def test_avo_update + refute_authorizes @admin, @geoip_info, :avo_update? + refute_authorizes @non_admin, @geoip_info, :avo_update? + end + + def test_avo_destroy + refute_authorizes @admin, @geoip_info, :avo_destroy? + refute_authorizes @non_admin, @geoip_info, :avo_destroy? + end +end diff --git a/test/policies/admin/github_user_policy_test.rb b/test/policies/admin/github_user_policy_test.rb index 59f3b83702b..88eed2da631 100644 --- a/test/policies/admin/github_user_policy_test.rb +++ b/test/policies/admin/github_user_policy_test.rb 
@@ -1,42 +1,48 @@ require "test_helper" -class Admin::GitHubUserPolicyTest < ActiveSupport::TestCase +class Admin::GitHubUserPolicyTest < AdminPolicyTestCase + def policy_class + Admin::GitHubUserPolicy + end + setup do @user = FactoryBot.create(:admin_github_user) @admin = FactoryBot.create(:admin_github_user, :is_admin) end def test_scope - assert_equal [@user], Pundit.policy_scope!( + assert_equal [@user], policy_scope!( @user, Admin::GitHubUser ).to_a - assert_equal [@user, @admin], Pundit.policy_scope!( + assert_equal [@user, @admin], policy_scope!( @admin, Admin::GitHubUser ).to_a end def test_avo_show - assert_predicate Pundit.policy!(@admin, @user), :avo_show? - assert_predicate Pundit.policy!(@admin, @admin), :avo_show? - refute_predicate Pundit.policy!(@user, @user), :avo_show? - refute_predicate Pundit.policy!(@user, @admin), :avo_show? + assert_authorizes @admin, @user, :avo_show? + assert_authorizes @admin, @user, :avo_show? + assert_authorizes @admin, @admin, :avo_show? + + refute_authorizes @user, @user, :avo_show? + refute_authorizes @user, @admin, :avo_show? end def test_avo_create - refute_predicate Pundit.policy!(@user, @user), :avo_create? - refute_predicate Pundit.policy!(@admin, @admin), :avo_create? + refute_authorizes @user, @user, :avo_create? + refute_authorizes @admin, @admin, :avo_create? end def test_avo_update - refute_predicate Pundit.policy!(@user, @user), :avo_update? - refute_predicate Pundit.policy!(@admin, @admin), :avo_update? + refute_authorizes @user, @user, :avo_update? + refute_authorizes @admin, @admin, :avo_update? end def test_avo_destroy - refute_predicate Pundit.policy!(@user, @user), :avo_destroy? - refute_predicate Pundit.policy!(@admin, @admin), :avo_destroy? + refute_authorizes @user, @user, :avo_destroy? + refute_authorizes @admin, @admin, :avo_destroy? end end 
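Review bot: `test_avo_show` asserts `assert_authorizes @admin, @user, :avo_show?` twice in a row; the duplicate appeared when the `assert_predicate Pundit.policy!` lines were converted and one of the two can be dropped. The rest of the hunk only reroutes the assertions through the AdminPolicyTestCase helpers and pins Admin::GitHubUserPolicy via the `policy_class` override, which matches the class-only hack in Admin::AuthorizationClient.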
diff --git a/test/policies/ip_address_policy_test.rb b/test/policies/admin/ip_address_policy_test.rb similarity index 73% rename from test/policies/ip_address_policy_test.rb rename to test/policies/admin/ip_address_policy_test.rb index c27c07fda9d..be4485beed2 100644 --- a/test/policies/ip_address_policy_test.rb +++ b/test/policies/admin/ip_address_policy_test.rb @@ -1,6 +1,6 @@ require "test_helper" -class IpAddressPolicyTest < ActiveSupport::TestCase +class Admin::IpAddressPolicyTest < AdminPolicyTestCase def test_scope end diff --git a/test/policies/admin/link_verification_policy_test.rb b/test/policies/admin/link_verification_policy_test.rb new file mode 100644 index 00000000000..a957581422a --- /dev/null +++ b/test/policies/admin/link_verification_policy_test.rb 
@@ -0,0 +1,46 @@ +require "test_helper" + +class Admin::LinkVerificationPolicyTest < AdminPolicyTestCase + setup do + @verification = create(:link_verification) + + @admin = create(:admin_github_user, :is_admin) + @non_admin = create(:admin_github_user) + end + + def test_scope + home_verification = @verification.linkable.link_verifications.for_uri(@verification.linkable.linkset.home).sole + + assert_equal [home_verification, @verification], policy_scope!( + @admin, + LinkVerification + ).to_a + end + + def test_avo_index + assert_authorizes @admin, LinkVerification, :avo_index? + + refute_authorizes @non_admin, LinkVerification, :avo_index? + end + + def test_avo_show + assert_authorizes @admin, @verification, :avo_show? + + refute_authorizes @non_admin, @verification, :avo_show? + end + + def test_avo_create + refute_authorizes @admin, LinkVerification, :avo_create? + refute_authorizes @non_admin, LinkVerification, :avo_create? + end + + def test_avo_update + refute_authorizes @admin, @verification, :avo_update? + refute_authorizes @non_admin, @verification, :avo_update? + end + + def test_avo_destroy + refute_authorizes @admin, @verification, :avo_destroy? + refute_authorizes @non_admin, @verification, :avo_destroy? + end +end diff --git a/test/policies/admin/linkset_policy_test.rb b/test/policies/admin/linkset_policy_test.rb new file mode 100644 index 00000000000..cc849f0fe65 --- /dev/null +++ b/test/policies/admin/linkset_policy_test.rb 
@@ -0,0 +1,43 @@ +require "test_helper" + +class Admin::LinksetPolicyTest < AdminPolicyTestCase + setup do + @linkset = FactoryBot.create(:rubygem).linkset + @admin = FactoryBot.create(:admin_github_user, :is_admin) + @non_admin = FactoryBot.create(:admin_github_user) + end + + def test_scope + assert_equal [@linkset], policy_scope!( + @admin, + Linkset + ).to_a + end + + def test_avo_index + assert_authorizes @admin, Linkset, :avo_index? + + refute_authorizes @non_admin, Linkset, :avo_index? + end + + def test_avo_show + assert_authorizes @admin, @linkset, :avo_show? + + refute_authorizes @non_admin, @linkset, :avo_show? + end + + def test_avo_create + refute_authorizes @admin, Linkset, :avo_create? + refute_authorizes @non_admin, Linkset, :avo_create? + end + + def test_avo_update + refute_authorizes @admin, @linkset, :avo_update? + refute_authorizes @non_admin, @linkset, :avo_update? + end + + def test_avo_destroy + refute_authorizes @admin, @linkset, :avo_destroy? + refute_authorizes @non_admin, @linkset, :avo_destroy? + end +end diff --git a/test/policies/admin/log_ticket_policy_test.rb b/test/policies/admin/log_ticket_policy_test.rb new file mode 100644 index 00000000000..b62d007ba1c --- /dev/null +++ b/test/policies/admin/log_ticket_policy_test.rb 
@@ -0,0 +1,42 @@ +require "test_helper" + +class Admin::LogTicketPolicyTest < AdminPolicyTestCase + setup do + @log_ticket = FactoryBot.create(:log_ticket) + @admin = FactoryBot.create(:admin_github_user, :is_admin) + @non_admin = FactoryBot.create(:admin_github_user) + end + + def test_scope + assert_equal [@log_ticket], policy_scope!( + @admin, + LogTicket + ).to_a + end + + def test_avo_index + refute_authorizes @admin, ApiKey, :avo_index? + refute_authorizes @non_admin, ApiKey, :avo_index? + end + + def test_avo_show + assert_authorizes @admin, @log_ticket, :avo_show? + + refute_authorizes @non_admin, @log_ticket, :avo_show? + end + + def test_avo_create + refute_authorizes @admin, ApiKey, :avo_create? + refute_authorizes @non_admin, ApiKey, :avo_create? + end + + def test_avo_update + refute_authorizes @admin, @log_ticket, :avo_update? + refute_authorizes @non_admin, @log_ticket, :avo_update? + end + + def test_avo_destroy + refute_authorizes @admin, @log_ticket, :avo_destroy? + refute_authorizes @non_admin, @log_ticket, :avo_destroy? + end +end diff --git a/test/policies/admin/maintenance_tasks/run_policy_test.rb b/test/policies/admin/maintenance_tasks/run_policy_test.rb new file mode 100644 index 00000000000..042dcd00c2b --- /dev/null +++ b/test/policies/admin/maintenance_tasks/run_policy_test.rb 
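Review bot: `test_avo_index` and `test_avo_create` in Admin::LogTicketPolicyTest authorize against `ApiKey` instead of `LogTicket`, so those two tests exercise Admin::ApiKeyPolicy and say nothing about log-ticket permissions; replace `ApiKey` with `LogTicket` in all four `refute_authorizes` lines. The same copy-paste appears in Admin::SendgridEventPolicyTest (test/policies/admin/sendgrid_event_policy_test.rb), where `ApiKey` should be `SendgridEvent`. Because these are refutes the mismatch passes silently, which is exactly the case where a wrong-subject test hides a permission regression.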
@@ -0,0 +1,43 @@ +require "test_helper" + +class Admin::MaintenanceTasks::RunPolicyTest < AdminPolicyTestCase + setup do + @run = create(:maintenance_tasks_run) + @admin = FactoryBot.create(:admin_github_user, :is_admin) + @non_admin = FactoryBot.create(:admin_github_user) + end + + def test_scope + assert_equal [@run], policy_scope!( + @admin, + MaintenanceTasks::Run + ).to_a + end + + def test_avo_index + assert_authorizes @admin, MaintenanceTasks::Run, :avo_index? + + refute_authorizes @non_admin, MaintenanceTasks::Run, :avo_index? + end + + def test_avo_show + assert_authorizes @admin, @run, :avo_show? + + refute_authorizes @non_admin, @run, :avo_show? + end + + def test_avo_create + refute_authorizes @admin, MaintenanceTasks::Run, :avo_create? + refute_authorizes @non_admin, MaintenanceTasks::Run, :avo_create? + end + + def test_avo_update + refute_authorizes @admin, @run, :avo_update? + refute_authorizes @non_admin, @run, :avo_update? + end + + def test_avo_destroy + refute_authorizes @admin, @run, :avo_destroy? + refute_authorizes @non_admin, @run, :avo_destroy? + end +end diff --git a/test/policies/admin/oidc/api_key_role_policy_test.rb b/test/policies/admin/oidc/api_key_role_policy_test.rb new file mode 100644 index 00000000000..41861431aab --- /dev/null +++ b/test/policies/admin/oidc/api_key_role_policy_test.rb 
@@ -0,0 +1,46 @@ +require "test_helper" + +class Admin::OIDC::ApiKeyRolePolicyTest < AdminPolicyTestCase + setup do + @api_key_role = FactoryBot.create(:oidc_api_key_role) + + @admin = FactoryBot.create(:admin_github_user, :is_admin) + @non_admin = FactoryBot.create(:admin_github_user) + end + + def test_scope + assert_equal [@api_key_role], policy_scope!( + @admin, + OIDC::ApiKeyRole + ).to_a + end + + def test_avo_index + assert_authorizes @admin, OIDC::ApiKeyRole, :avo_index? + + refute_authorizes @non_admin, OIDC::ApiKeyRole, :avo_index? + end + + def test_avo_show + assert_authorizes @admin, @api_key_role, :avo_show? + + refute_authorizes @non_admin, @api_key_role, :avo_show? + end + + def test_avo_create + assert_authorizes @admin, OIDC::ApiKeyRole, :avo_create? + + refute_authorizes @non_admin, OIDC::ApiKeyRole, :avo_create? + end + + def test_avo_update + assert_authorizes @admin, @api_key_role, :avo_update? + + refute_authorizes @non_admin, @api_key_role, :avo_update? + end + + def test_avo_destroy + refute_authorizes @admin, @api_key_role, :avo_destroy? + refute_authorizes @non_admin, @api_key_role, :avo_destroy? + end +end diff --git a/test/policies/admin/oidc/id_token_policy_test.rb b/test/policies/admin/oidc/id_token_policy_test.rb new file mode 100644 index 00000000000..d088feb5f0d --- /dev/null +++ b/test/policies/admin/oidc/id_token_policy_test.rb 
@@ -0,0 +1,44 @@ +require "test_helper" + +class Admin::OIDC::IdTokenPolicyTest < AdminPolicyTestCase + setup do + @id_token = FactoryBot.create(:oidc_id_token) + + @admin = FactoryBot.create(:admin_github_user, :is_admin) + @non_admin = FactoryBot.create(:admin_github_user) + end + + def test_scope + assert_equal [@id_token], policy_scope!( + @admin, + OIDC::IdToken + ).to_a + end + + def test_avo_index + assert_authorizes @admin, OIDC::IdToken, :avo_index? + + refute_authorizes @non_admin, OIDC::IdToken, :avo_index? + end + + def test_avo_show + assert_authorizes @admin, @id_token, :avo_show? + + refute_authorizes @non_admin, @id_token, :avo_show? + end + + def test_avo_create + refute_authorizes @admin, OIDC::IdToken, :avo_create? + refute_authorizes @non_admin, OIDC::IdToken, :avo_create? + end + + def test_avo_update + refute_authorizes @admin, @id_token, :avo_update? + refute_authorizes @non_admin, @id_token, :avo_update? + end + + def test_avo_destroy + refute_authorizes @admin, @id_token, :avo_destroy? + refute_authorizes @non_admin, @id_token, :avo_destroy? + end +end diff --git a/test/policies/admin/oidc/pending_trusted_publisher_policy_test.rb b/test/policies/admin/oidc/pending_trusted_publisher_policy_test.rb new file mode 100644 index 00000000000..f49c937f744 --- /dev/null +++ b/test/policies/admin/oidc/pending_trusted_publisher_policy_test.rb 
@@ -0,0 +1,44 @@ +require "test_helper" + +class Admin::OIDC::PendingTrustedPublisherPolicyTest < AdminPolicyTestCase + setup do + @pending_trusted_publisher = create(:oidc_pending_trusted_publisher) + + @admin = create(:admin_github_user, :is_admin) + @non_admin = create(:admin_github_user) + end + + def test_scope + assert_equal [@pending_trusted_publisher], policy_scope!( + @admin, + OIDC::PendingTrustedPublisher + ).to_a + end + + def test_avo_index + assert_authorizes @admin, OIDC::PendingTrustedPublisher, :avo_index? + + refute_authorizes @non_admin, OIDC::PendingTrustedPublisher, :avo_index? + end + + def test_avo_show + assert_authorizes @admin, @pending_trusted_publisher, :avo_show? + + refute_authorizes @non_admin, @pending_trusted_publisher, :avo_show? + end + + def test_avo_create + refute_authorizes @admin, OIDC::PendingTrustedPublisher, :avo_create? + refute_authorizes @non_admin, OIDC::PendingTrustedPublisher, :avo_create? + end + + def test_avo_update + refute_authorizes @admin, @pending_trusted_publisher, :avo_update? + refute_authorizes @non_admin, @pending_trusted_publisher, :avo_update? + end + + def test_avo_destroy + refute_authorizes @admin, @pending_trusted_publisher, :avo_destroy? + refute_authorizes @non_admin, @pending_trusted_publisher, :avo_destroy? + end +end diff --git a/test/policies/admin/oidc/provider_policy_test.rb b/test/policies/admin/oidc/provider_policy_test.rb new file mode 100644 index 00000000000..46d74157382 --- /dev/null +++ b/test/policies/admin/oidc/provider_policy_test.rb 
@@ -0,0 +1,46 @@ +require "test_helper" + +class Admin::OIDC::ProviderPolicyTest < AdminPolicyTestCase + setup do + @provider = FactoryBot.create(:oidc_provider) + + @admin = FactoryBot.create(:admin_github_user, :is_admin) + @non_admin = FactoryBot.create(:admin_github_user) + end + + def test_scope + assert_equal [@provider], policy_scope!( + @admin, + OIDC::Provider + ).to_a + end + + def test_avo_index + assert_authorizes @admin, OIDC::Provider, :avo_index? + + refute_authorizes @non_admin, OIDC::Provider, :avo_index? + end + + def test_avo_show + assert_authorizes @admin, @provider, :avo_show? + + refute_authorizes @non_admin, @provider, :avo_show? + end + + def test_avo_create + assert_authorizes @admin, OIDC::Provider, :avo_create? + + refute_authorizes @non_admin, OIDC::Provider, :avo_create? + end + + def test_avo_update + assert_authorizes @admin, @provider, :avo_update? + + refute_authorizes @non_admin, @provider, :avo_update? + end + + def test_avo_destroy + refute_authorizes @admin, @provider, :avo_destroy? + refute_authorizes @non_admin, @provider, :avo_destroy? + end +end diff --git a/test/policies/admin/oidc/rubygem_trusted_publisher_policy_test.rb b/test/policies/admin/oidc/rubygem_trusted_publisher_policy_test.rb new file mode 100644 index 00000000000..87b4d5f18d9 --- /dev/null +++ b/test/policies/admin/oidc/rubygem_trusted_publisher_policy_test.rb 
@@ -0,0 +1,44 @@ +require "test_helper" + +class Admin::OIDC::RubygemTrustedPublisherPolicyTest < AdminPolicyTestCase + setup do + @rubygem_trusted_publisher = create(:oidc_rubygem_trusted_publisher) + + @admin = create(:admin_github_user, :is_admin) + @non_admin = create(:admin_github_user) + end + + def test_scope + assert_equal [@rubygem_trusted_publisher], policy_scope!( + @admin, + OIDC::RubygemTrustedPublisher + ).to_a + end + + def test_avo_index + assert_authorizes @admin, OIDC::RubygemTrustedPublisher, :avo_index? + + refute_authorizes @non_admin, OIDC::RubygemTrustedPublisher, :avo_index? + end + + def test_avo_show + assert_authorizes @admin, @rubygem_trusted_publisher, :avo_show? + + refute_authorizes @non_admin, @rubygem_trusted_publisher, :avo_show? + end + + def test_avo_create + refute_authorizes @admin, OIDC::RubygemTrustedPublisher, :avo_create? + refute_authorizes @non_admin, OIDC::RubygemTrustedPublisher, :avo_create? + end + + def test_avo_update + refute_authorizes @admin, @rubygem_trusted_publisher, :avo_update? + refute_authorizes @non_admin, @rubygem_trusted_publisher, :avo_update? + end + + def test_avo_destroy + refute_authorizes @admin, @rubygem_trusted_publisher, :avo_destroy? + refute_authorizes @non_admin, @rubygem_trusted_publisher, :avo_destroy? + end +end diff --git a/test/policies/admin/oidc/trusted_publisher/github_action_policy_test.rb b/test/policies/admin/oidc/trusted_publisher/github_action_policy_test.rb new file mode 100644 index 00000000000..64e6249da70 --- /dev/null +++ b/test/policies/admin/oidc/trusted_publisher/github_action_policy_test.rb 
@@ -0,0 +1,44 @@ +require "test_helper" + +class Admin::OIDC::TrustedPublisher::GitHubActionPolicyTest < AdminPolicyTestCase + setup do + @trusted_publisher_github_action = create(:oidc_trusted_publisher_github_action) + + @admin = create(:admin_github_user, :is_admin) + @non_admin = create(:admin_github_user) + end + + def test_scope + assert_equal [@trusted_publisher_github_action], policy_scope!( + @admin, + OIDC::TrustedPublisher::GitHubAction + ).to_a + end + + def test_avo_index + assert_authorizes @admin, OIDC::TrustedPublisher::GitHubAction, :avo_index? + + refute_authorizes @non_admin, OIDC::TrustedPublisher::GitHubAction, :avo_index? + end + + def test_avo_show + assert_authorizes @admin, @trusted_publisher_github_action, :avo_show? + + refute_authorizes @non_admin, @trusted_publisher_github_action, :avo_show? + end + + def test_avo_create + refute_authorizes @admin, OIDC::TrustedPublisher::GitHubAction, :avo_create? + refute_authorizes @non_admin, OIDC::TrustedPublisher::GitHubAction, :avo_create? + end + + def test_avo_update + refute_authorizes @admin, @trusted_publisher_github_action, :avo_update? + refute_authorizes @non_admin, @trusted_publisher_github_action, :avo_update? + end + + def test_avo_destroy + refute_authorizes @admin, @trusted_publisher_github_action, :avo_destroy? + refute_authorizes @non_admin, @trusted_publisher_github_action, :avo_destroy? + end +end diff --git a/test/policies/admin/ownership_policy_test.rb b/test/policies/admin/ownership_policy_test.rb new file mode 100644 index 00000000000..1b43cfcde18 --- /dev/null +++ b/test/policies/admin/ownership_policy_test.rb 
@@ -0,0 +1,39 @@
+require "test_helper"
+
+class Admin::OwnershipPolicyTest < AdminPolicyTestCase
+ setup do
+ @ownership = FactoryBot.create(:ownership)
+ @admin = FactoryBot.create(:admin_github_user, :is_admin)
+ @non_admin = FactoryBot.create(:admin_github_user)
+ end
+
+ def test_scope
+ assert_equal [@ownership], policy_scope!(@admin, Ownership).to_a
+ end
+
+ def test_avo_index
+ refute_authorizes @admin, Ownership, :avo_index?
+ refute_authorizes @non_admin, Ownership, :avo_index?
+ end
+
+ def test_avo_show
+ assert_authorizes @admin, @ownership, :avo_show?
+
+ refute_authorizes @non_admin, @ownership, :avo_show?
+ end
+
+ def test_avo_create
+ refute_authorizes @admin, Ownership, :avo_create?
+ refute_authorizes @non_admin, Ownership, :avo_create?
+ end
+
+ def test_avo_update
+ refute_authorizes @admin, @ownership, :avo_update?
+ refute_authorizes @non_admin, @ownership, :avo_update?
+ end
+
+ def test_avo_destroy
+ refute_authorizes @admin, @ownership, :avo_destroy?
+ refute_authorizes @non_admin, @ownership, :avo_destroy?
+ end
+end
diff --git a/test/policies/admin/rubygem_policy_test.rb b/test/policies/admin/rubygem_policy_test.rb
new file mode 100644
index 00000000000..95cd3b67462
--- /dev/null
+++ b/test/policies/admin/rubygem_policy_test.rb
@@ -0,0 +1,28 @@
+require "test_helper"
+
+class Admin::RubygemPolicyTest < AdminPolicyTestCase
+ setup do
+ @admin = FactoryBot.create(:admin_github_user, :is_admin)
+ @non_admin = FactoryBot.create(:admin_github_user)
+ @rubygem = FactoryBot.create(:rubygem)
+ end
+
+ def test_scope
+ assert_equal [@rubygem], policy_scope!(
+ @admin,
+ Rubygem
+ ).to_a
+ end
+
+ def test_avo_index
+ assert_authorizes @admin, Rubygem, :avo_index?
+
+ refute_authorizes @non_admin, Rubygem, :avo_index?
+ end
+
+ def test_avo_show
+ assert_authorizes @admin, @rubygem, :avo_show?
+
+ refute_authorizes @non_admin, @rubygem, :avo_show?
+ end
+end
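Review bot: `Admin::RubygemPolicyTest` pins only the scope, `avo_index?` and `avo_show?`; unlike every other policy test added in this commit it says nothing about `avo_create?`, `avo_update?` or `avo_destroy?`, so a policy change that lets an admin, or a non-admin, edit or delete a `Rubygem` through Avo would not fail any test. The file it replaces was five empty stubs, so this is an improvement, but the mutating actions are the ones worth locking down on the registry's core model. Add the three tests below, matching the sibling files; if admins are meant to have some of these (the old `test_update`/`test_destroy` stub names hint at it), assert that outcome deliberately instead of refuting it, but pin it either way.
```ruby
  # … unchanged: setup, test_scope, test_avo_index, test_avo_show …

  def test_avo_create
    refute_authorizes @admin, Rubygem, :avo_create?
    refute_authorizes @non_admin, Rubygem, :avo_create?
  end

  def test_avo_update
    refute_authorizes @admin, @rubygem, :avo_update?
    refute_authorizes @non_admin, @rubygem, :avo_update?
  end

  def test_avo_destroy
    refute_authorizes @admin, @rubygem, :avo_destroy?
    refute_authorizes @non_admin, @rubygem, :avo_destroy?
  end
```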
diff --git a/test/policies/admin/sendgrid_event_policy_test.rb b/test/policies/admin/sendgrid_event_policy_test.rb
new file mode 100644
index 00000000000..a51fb48797c
--- /dev/null
+++ b/test/policies/admin/sendgrid_event_policy_test.rb
@@ -0,0 +1,47 @@
+require "test_helper"
+
+class Admin::SendgridEventPolicyTest < AdminPolicyTestCase
+ setup do
+ @sendgrid_event = FactoryBot.create(:sendgrid_event)
+ @admin = FactoryBot.create(:admin_github_user, :is_admin)
+ @non_admin = FactoryBot.create(:admin_github_user)
+ end
+
+ def test_scope
+ assert_equal [@sendgrid_event], policy_scope!(
+ @admin,
+ SendgridEvent
+ ).to_a
+ end
+
+ def test_avo_index
+ refute_authorizes @admin, ApiKey, :avo_index?
+ refute_authorizes @non_admin, ApiKey, :avo_index?
+ end
+
+ def test_avo_show
+ assert_authorizes @admin, @sendgrid_event, :avo_show?
+
+ refute_authorizes @non_admin, @sendgrid_event, :avo_show?
+ end
+
+ def test_avo_create
+ refute_authorizes @admin, ApiKey, :avo_create?
+ refute_authorizes @non_admin, ApiKey, :avo_create?
+ end
+
+ def test_avo_update
+ refute_authorizes @admin, @sendgrid_event, :avo_update?
+ refute_authorizes @non_admin, @sendgrid_event, :avo_update?
+ end
+
+ def test_avo_destroy
+ refute_authorizes @admin, @sendgrid_event, :avo_destroy?
+ refute_authorizes @non_admin, @sendgrid_event, :avo_destroy?
+ end
+
+ def test_act_on
+ refute_authorizes @admin, @sendgrid_event, :act_on?
+ refute_authorizes @non_admin, @sendgrid_event, :act_on?
+ end
+end
diff --git a/test/policies/user_policy_test.rb b/test/policies/admin/user_policy_test.rb
similarity index 65%
rename from test/policies/user_policy_test.rb
rename to test/policies/admin/user_policy_test.rb
index 178635f4af4..bcd362c4bed 100644
--- a/test/policies/user_policy_test.rb
+++ b/test/policies/admin/user_policy_test.rb
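Review bot: `test_avo_index` and `test_avo_create` in `Admin::SendgridEventPolicyTest` pass `ApiKey` instead of `SendgridEvent`, so those four refutes are evaluated against `Admin::ApiKeyPolicy` and `Admin::SendgridEventPolicy#avo_index?`/`#avo_create?` are never exercised. The slip is carried over verbatim from the deleted `test/policies/sendgrid_event_policy_test.rb`, so it is pre-existing, but the move into `Admin::` was the moment to fix it. Change the four lines to the pattern `refute_authorizes @admin, SendgridEvent, :avo_index?` / `refute_authorizes @non_admin, SendgridEvent, :avo_index?` and likewise for `:avo_create?`; if the sendgrid policy actually permits index for admins the test will then fail, which is exactly the signal that is missing today.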
@@ -1,6 +1,6 @@
 require "test_helper"
 
-class UserPolicyTest < ActiveSupport::TestCase
+class Admin::UserPolicyTest < AdminPolicyTestCase
 setup do
 @user = FactoryBot.create(:user)
 @admin = FactoryBot.create(:admin_github_user, :is_admin)
@@ -23,7 +23,7 @@ def test_destroy
 end
 
 def test_search
- assert_predicate Pundit.policy!(@admin, @user), :avo_search?
- refute_predicate Pundit.policy!(@non_admin, @user), :avo_search?
+ assert_authorizes @admin, @user, :avo_search?
+ refute_authorizes @non_admin, @user, :avo_search?
 end
 end
diff --git a/test/policies/version_policy_test.rb b/test/policies/admin/version_policy_test.rb
similarity index 73%
rename from test/policies/version_policy_test.rb
rename to test/policies/admin/version_policy_test.rb
index 14b0fcb980b..fa53c031e37 100644
--- a/test/policies/version_policy_test.rb
+++ b/test/policies/admin/version_policy_test.rb
@@ -1,6 +1,6 @@
 require "test_helper"
 
-class VersionPolicyTest < ActiveSupport::TestCase
+class Admin::VersionPolicyTest < AdminPolicyTestCase
 def test_scope
 end
 
diff --git a/test/policies/admin/web_hook_policy_test.rb b/test/policies/admin/web_hook_policy_test.rb
new file mode 100644
index 00000000000..39a75876304
--- /dev/null
+++ b/test/policies/admin/web_hook_policy_test.rb
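Review bot: `test_scope` in `Admin::VersionPolicyTest` still has an empty body, so it passes vacuously and `Admin::VersionPolicy` (its scope, `avo_index?`, `avo_show?` and the mutating actions) is not exercised at all; the hunk renames the class but keeps the stub, while `Admin::RubygemPolicyTest` in this same commit was given real assertions. The rest of the file is outside the hunk, so there may be further empty stubs of the same kind. Fill it in along the lines of the sibling tests, starting with `assert_equal [create(:version)], policy_scope!(create(:admin_github_user, :is_admin), Version).to_a`, or delete the stub so the missing coverage shows up as absent rather than green.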
@@ -0,0 +1,48 @@
+require "test_helper"
+
+class Admin::WebHookPolicyTest < AdminPolicyTestCase
+ setup do
+ @web_hook = FactoryBot.create(:web_hook)
+ @admin = FactoryBot.create(:admin_github_user, :is_admin)
+ @non_admin = FactoryBot.create(:admin_github_user)
+ end
+
+ def test_scope
+ assert_equal [@web_hook], policy_scope!(
+ @admin,
+ WebHook
+ ).to_a
+ end
+
+ def test_avo_index
+ refute_authorizes @admin, ApiKey, :avo_index?
+ refute_authorizes @non_admin, ApiKey, :avo_index?
+ end
+
+ def test_avo_show
+ assert_authorizes @admin, @web_hook, :avo_show?
+
+ refute_authorizes @non_admin, @web_hook, :avo_show?
+ end
+
+ def test_avo_create
+ refute_authorizes @admin, ApiKey, :avo_create?
+ refute_authorizes @non_admin, ApiKey, :avo_create?
+ end
+
+ def test_avo_update
+ refute_authorizes @admin, @web_hook, :avo_update?
+ refute_authorizes @non_admin, @web_hook, :avo_update?
+ end
+
+ def test_avo_destroy
+ refute_authorizes @admin, @web_hook, :avo_destroy?
+ refute_authorizes @non_admin, @web_hook, :avo_destroy?
+ end
+
+ def test_act_on
+ assert_authorizes @admin, @web_hook, :act_on?
+
+ refute_authorizes @non_admin, @web_hook, :act_on?
+ end
+end
diff --git a/test/policies/admin/webauthn_credential_policy_test.rb b/test/policies/admin/webauthn_credential_policy_test.rb
new file mode 100644
index 00000000000..4d3370bd927
--- /dev/null
+++ b/test/policies/admin/webauthn_credential_policy_test.rb
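Review bot: `test_avo_index` and `test_avo_create` here assert against `ApiKey` rather than `WebHook`, so `Admin::WebHookPolicy#avo_index?` and `#avo_create?` are never evaluated and the refutes pass on the strength of `Admin::ApiKeyPolicy`. Replace `ApiKey` with `WebHook` in those four lines, e.g. `refute_authorizes @admin, WebHook, :avo_index?`. Worth doing before merge because `test_act_on` shows admins may act on web hooks, and whether they may also list them is a decision the policy test should actually record. The same slip is visible in the deleted `log_ticket_policy_test.rb` (`refute_predicate Pundit.policy!(@admin, ApiKey), :avo_index?`) that these files were evidently cloned from, so its `Admin::` successor, outside this chunk, is worth checking too.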
@@ -0,0 +1,42 @@
+require "test_helper"
+
+class Admin::WebauthnCredentialPolicyTest < AdminPolicyTestCase
+ setup do
+ @webauthn_credential = FactoryBot.create(:webauthn_credential)
+ @admin = FactoryBot.create(:admin_github_user, :is_admin)
+ @non_admin = FactoryBot.create(:admin_github_user)
+ end
+
+ def test_scope
+ assert_equal [@webauthn_credential], policy_scope!(
+ @admin,
+ WebauthnCredential
+ ).to_a
+ end
+
+ def test_avo_index
+ refute_authorizes @admin, WebauthnCredential, :avo_index?
+ refute_authorizes @non_admin, WebauthnCredential, :avo_index?
+ end
+
+ def test_avo_show
+ assert_authorizes @admin, @webauthn_credential, :avo_show?
+
+ refute_authorizes @non_admin, @webauthn_credential, :avo_show?
+ end
+
+ def test_avo_create
+ refute_authorizes @admin, WebauthnCredential, :avo_create?
+ refute_authorizes @non_admin, WebauthnCredential, :avo_create?
+ end
+
+ def test_avo_update
+ refute_authorizes @admin, @webauthn_credential, :avo_update?
+ refute_authorizes @non_admin, @webauthn_credential, :avo_update?
+ end
+
+ def test_avo_destroy
+ refute_authorizes @admin, @webauthn_credential, :avo_destroy?
+ refute_authorizes @non_admin, @webauthn_credential, :avo_destroy?
+ end
+end
diff --git a/test/policies/admin/webauthn_verification_policy_test.rb b/test/policies/admin/webauthn_verification_policy_test.rb
new file mode 100644
index 00000000000..e4790c02e0e
--- /dev/null
+++ b/test/policies/admin/webauthn_verification_policy_test.rb
@@ -0,0 +1,42 @@
+require "test_helper"
+
+class Admin::WebauthnVerificationPolicyTest < AdminPolicyTestCase
+ setup do
+ @webauthn_verification = FactoryBot.create(:webauthn_verification)
+ @admin = FactoryBot.create(:admin_github_user, :is_admin)
+ @non_admin = FactoryBot.create(:admin_github_user)
+ end
+
+ def test_scope
+ assert_equal [@webauthn_verification], policy_scope!(
+ @admin,
+ WebauthnVerification
+ ).to_a
+ end
+
+ def test_avo_index
+ refute_authorizes @admin, WebauthnVerification, :avo_index?
+ refute_authorizes @non_admin, WebauthnVerification, :avo_index?
+ end
+
+ def test_avo_show
+ assert_authorizes @admin, @webauthn_verification, :avo_show?
+
+ refute_authorizes @non_admin, @webauthn_verification, :avo_show?
+ end
+
+ def test_avo_create
+ refute_authorizes @admin, WebauthnVerification, :avo_create?
+ refute_authorizes @non_admin, WebauthnVerification, :avo_create?
+ end
+
+ def test_avo_update
+ refute_authorizes @admin, @webauthn_verification, :avo_update?
+ refute_authorizes @non_admin, @webauthn_verification, :avo_update?
+ end
+
+ def test_avo_destroy
+ refute_authorizes @admin, @webauthn_verification, :avo_destroy?
+ refute_authorizes @non_admin, @webauthn_verification, :avo_destroy?
+ end
+end
diff --git a/test/policies/api_key_policy_test.rb b/test/policies/api_key_policy_test.rb
deleted file mode 100644
index 30201da8925..00000000000
--- a/test/policies/api_key_policy_test.rb
+++ /dev/null
@@ -1,41 +0,0 @@
-require "test_helper"
-
-class ApiKeyPolicyTest < ActiveSupport::TestCase
- setup do
- @api_key = FactoryBot.create(:api_key)
- @admin = FactoryBot.create(:admin_github_user, :is_admin)
- @non_admin = FactoryBot.create(:admin_github_user)
- end
-
- def test_scope
- assert_equal [@api_key], Pundit.policy_scope!(
- @admin,
- ApiKey
- ).to_a
- end
-
- def test_avo_index
- refute_predicate Pundit.policy!(@admin, ApiKey), :avo_index?
- refute_predicate Pundit.policy!(@non_admin, ApiKey), :avo_index?
- end
-
- def test_avo_show
- assert_predicate Pundit.policy!(@admin, @api_key), :avo_show?
- refute_predicate Pundit.policy!(@non_admin, @api_key), :avo_show?
- end
-
- def test_avo_create
- refute_predicate Pundit.policy!(@admin, ApiKey), :avo_create?
- refute_predicate Pundit.policy!(@non_admin, ApiKey), :avo_create?
- end
-
- def test_avo_update
- refute_predicate Pundit.policy!(@admin, @api_key), :avo_update?
- refute_predicate Pundit.policy!(@non_admin, @api_key), :avo_update?
- end
-
- def test_avo_destroy
- refute_predicate Pundit.policy!(@admin, @api_key), :avo_destroy?
- refute_predicate Pundit.policy!(@non_admin, @api_key), :avo_destroy?
- end
-end
diff --git a/test/policies/api_key_rubygem_scope_policy_test.rb b/test/policies/api_key_rubygem_scope_policy_test.rb
deleted file mode 100644
index 5a4e9f46ac6..00000000000
--- a/test/policies/api_key_rubygem_scope_policy_test.rb
+++ /dev/null
@@ -1,41 +0,0 @@
-require "test_helper"
-
-class ApiKeyRubygemScopePolicyTest < ActiveSupport::TestCase
- setup do
- @scope = FactoryBot.create(:api_key_rubygem_scope)
- @admin = FactoryBot.create(:admin_github_user, :is_admin)
- @non_admin = FactoryBot.create(:admin_github_user)
- end
-
- def test_scope
- assert_equal [@scope], Pundit.policy_scope!(
- @admin,
- ApiKeyRubygemScope
- ).to_a
- end
-
- def test_avo_index
- refute_predicate Pundit.policy!(@admin, ApiKeyRubygemScope), :avo_index?
- refute_predicate Pundit.policy!(@non_admin, ApiKeyRubygemScope), :avo_index?
- end
-
- def test_avo_show
- assert_predicate Pundit.policy!(@admin, @scope), :avo_show?
- refute_predicate Pundit.policy!(@non_admin, @scope), :avo_show?
- end
-
- def test_avo_create
- refute_predicate Pundit.policy!(@admin, ApiKeyRubygemScope), :avo_create?
- refute_predicate Pundit.policy!(@non_admin, ApiKeyRubygemScope), :avo_create?
- end
-
- def test_avo_update
- refute_predicate Pundit.policy!(@admin, @scope), :avo_update?
- refute_predicate Pundit.policy!(@non_admin, @scope), :avo_update?
- end
-
- def test_avo_destroy
- refute_predicate Pundit.policy!(@admin, @scope), :avo_destroy?
- refute_predicate Pundit.policy!(@non_admin, @scope), :avo_destroy?
- end
-end
diff --git a/test/policies/deletion_policy_test.rb b/test/policies/deletion_policy_test.rb
deleted file mode 100644
index f6c2f8b5553..00000000000
--- a/test/policies/deletion_policy_test.rb
+++ /dev/null
@@ -1,42 +0,0 @@
-require "test_helper"
-
-class DeletionPolicyTest < ActiveSupport::TestCase
- setup do
- @version = create(:version)
- @deletion = Deletion.create!(version: @version, user: create(:user))
- @admin = create(:admin_github_user, :is_admin)
- @non_admin = create(:admin_github_user)
- end
-
- def test_scope
- assert_equal [@deletion], Pundit.policy_scope!(
- @admin,
- Deletion
- ).to_a
- end
-
- def test_avo_index
- assert_predicate Pundit.policy!(@admin, Deletion), :avo_index?
- refute_predicate Pundit.policy!(@non_admin, Deletion), :avo_index?
- end
-
- def test_avo_show
- assert_predicate Pundit.policy!(@admin, @deletion), :avo_show?
- refute_predicate Pundit.policy!(@non_admin, @deletion), :avo_show?
- end
-
- def test_avo_create
- refute_predicate Pundit.policy!(@admin, Deletion), :avo_create?
- refute_predicate Pundit.policy!(@non_admin, Deletion), :avo_create?
- end
-
- def test_avo_update
- refute_predicate Pundit.policy!(@admin, @deletion), :avo_update?
- refute_predicate Pundit.policy!(@non_admin, @deletion), :avo_update?
- end
-
- def test_avo_destroy
- refute_predicate Pundit.policy!(@admin, @deletion), :avo_destroy?
- refute_predicate Pundit.policy!(@non_admin, @deletion), :avo_destroy?
- end
-end
diff --git a/test/policies/gem_name_reservation_policy_test.rb b/test/policies/gem_name_reservation_policy_test.rb
deleted file mode 100644
index 77e42a5658c..00000000000
--- a/test/policies/gem_name_reservation_policy_test.rb
+++ /dev/null
@@ -1,39 +0,0 @@
-require "test_helper"
-
-class GemNameReservationPolicyTest < ActiveSupport::TestCase
- setup do
- @scope = create(:gem_name_reservation)
- @admin = create(:admin_github_user, :is_admin)
- end
-
- def test_scope
- assert_equal [@scope], Pundit.policy_scope!(
- @admin,
- GemNameReservation
- ).to_a
- end
-
- def test_avo_index
- assert_predicate Pundit.policy!(@admin, GemNameReservation), :avo_index?
- end
-
- def test_avo_show
- assert_predicate Pundit.policy!(@admin, GemNameReservation), :avo_show?
- end
-
- def test_avo_create
- assert_predicate Pundit.policy!(@admin, GemNameReservation), :avo_create?
- end
-
- def test_avo_destroy
- assert_predicate Pundit.policy!(@admin, GemNameReservation), :avo_destroy?
- end
-
- def test_avo_search
- assert_predicate Pundit.policy!(@admin, GemNameReservation), :avo_search?
- end
-
- def test_avo_update
- refute_predicate Pundit.policy!(@admin, GemNameReservation), :avo_update?
- end
-end
diff --git a/test/policies/gem_typo_exception_policy_test.rb b/test/policies/gem_typo_exception_policy_test.rb
deleted file mode 100644
index 795827e49c9..00000000000
--- a/test/policies/gem_typo_exception_policy_test.rb
+++ /dev/null
@@ -1,42 +0,0 @@
-require "test_helper"
-
-class GemTypoExceptionPolicyTest < ActiveSupport::TestCase
- setup do
- @exception = create(:gem_typo_exception)
-
- @admin = create(:admin_github_user, :is_admin)
- @non_admin = create(:admin_github_user)
- end
-
- def test_scope
- assert_equal [@exception], Pundit.policy_scope!(
- @admin,
- GemTypoException
- ).to_a
- end
-
- def test_avo_index
- assert_predicate Pundit.policy!(@admin, GemTypoException), :avo_index?
- refute_predicate Pundit.policy!(@non_admin, GemTypoException), :avo_index?
- end
-
- def test_avo_show
- assert_predicate Pundit.policy!(@admin, @exception), :avo_show?
- refute_predicate Pundit.policy!(@non_admin, @exception), :avo_show?
- end
-
- def test_avo_create
- assert_predicate Pundit.policy!(@admin, GemTypoException), :avo_create?
- refute_predicate Pundit.policy!(@non_admin, GemTypoException), :avo_create?
- end
-
- def test_avo_update
- assert_predicate Pundit.policy!(@admin, @exception), :avo_update?
- refute_predicate Pundit.policy!(@non_admin, @exception), :avo_update?
- end
-
- def test_avo_destroy
- assert_predicate Pundit.policy!(@admin, @exception), :avo_destroy?
- refute_predicate Pundit.policy!(@non_admin, @exception), :avo_destroy?
- end
-end
diff --git a/test/policies/geoip_info_policy_test.rb b/test/policies/geoip_info_policy_test.rb
deleted file mode 100644
index 452f55f816c..00000000000
--- a/test/policies/geoip_info_policy_test.rb
+++ /dev/null
@@ -1,42 +0,0 @@
-require "test_helper"
-
-class GeoipInfoPolicyTest < ActiveSupport::TestCase
- setup do
- @geoip_info = create(:geoip_info)
-
- @admin = create(:admin_github_user, :is_admin)
- @non_admin = create(:admin_github_user)
- end
-
- def test_scope
- assert_equal [@geoip_info], Pundit.policy_scope!(
- @admin,
- GeoipInfo
- ).to_a
- end
-
- def test_avo_index
- assert_predicate Pundit.policy!(@admin, GeoipInfo), :avo_index?
- refute_predicate Pundit.policy!(@non_admin, GeoipInfo), :avo_index?
- end
-
- def test_avo_show
- assert_predicate Pundit.policy!(@admin, @geoip_info), :avo_show?
- refute_predicate Pundit.policy!(@non_admin, @geoip_info), :avo_show?
- end
-
- def test_avo_create
- refute_predicate Pundit.policy!(@admin, GeoipInfo), :avo_create?
- refute_predicate Pundit.policy!(@non_admin, GeoipInfo), :avo_create?
- end
-
- def test_avo_update
- refute_predicate Pundit.policy!(@admin, @geoip_info), :avo_update?
- refute_predicate Pundit.policy!(@non_admin, @geoip_info), :avo_update?
- end
-
- def test_avo_destroy
- refute_predicate Pundit.policy!(@admin, @geoip_info), :avo_destroy?
- refute_predicate Pundit.policy!(@non_admin, @geoip_info), :avo_destroy?
- end
-end
diff --git a/test/policies/link_verification_policy_test.rb b/test/policies/link_verification_policy_test.rb
deleted file mode 100644
index 58a81f5d22a..00000000000
--- a/test/policies/link_verification_policy_test.rb
+++ /dev/null
@@ -1,44 +0,0 @@
-require "test_helper"
-
-class LinkVerificationPolicyTest < ActiveSupport::TestCase
- setup do
- @verification = create(:link_verification)
-
- @admin = create(:admin_github_user, :is_admin)
- @non_admin = create(:admin_github_user)
- end
-
- def test_scope
- home_verification = @verification.linkable.link_verifications.for_uri(@verification.linkable.linkset.home).sole
-
- assert_equal [home_verification, @verification], Pundit.policy_scope!(
- @admin,
- LinkVerification
- ).to_a
- end
-
- def test_avo_index
- assert_predicate Pundit.policy!(@admin, LinkVerification), :avo_index?
- refute_predicate Pundit.policy!(@non_admin, LinkVerification), :avo_index?
- end
-
- def test_avo_show
- assert_predicate Pundit.policy!(@admin, @verification), :avo_show?
- refute_predicate Pundit.policy!(@non_admin, @verification), :avo_show?
- end
-
- def test_avo_create
- refute_predicate Pundit.policy!(@admin, LinkVerification), :avo_create?
- refute_predicate Pundit.policy!(@non_admin, LinkVerification), :avo_create?
- end
-
- def test_avo_update
- refute_predicate Pundit.policy!(@admin, @verification), :avo_update?
- refute_predicate Pundit.policy!(@non_admin, @verification), :avo_update?
- end
-
- def test_avo_destroy
- refute_predicate Pundit.policy!(@admin, @verification), :avo_destroy?
- refute_predicate Pundit.policy!(@non_admin, @verification), :avo_destroy?
- end
-end
diff --git a/test/policies/linkset_policy_test.rb b/test/policies/linkset_policy_test.rb
deleted file mode 100644
index 6697ebaba45..00000000000
--- a/test/policies/linkset_policy_test.rb
+++ /dev/null
@@ -1,41 +0,0 @@
-require "test_helper"
-
-class LinksetPolicyTest < ActiveSupport::TestCase
- setup do
- @linkset = FactoryBot.create(:rubygem).linkset
- @admin = FactoryBot.create(:admin_github_user, :is_admin)
- @non_admin = FactoryBot.create(:admin_github_user)
- end
-
- def test_scope
- assert_equal [@linkset], Pundit.policy_scope!(
- @admin,
- Linkset
- ).to_a
- end
-
- def test_avo_index
- assert_predicate Pundit.policy!(@admin, Linkset), :avo_index?
- refute_predicate Pundit.policy!(@non_admin, Linkset), :avo_index?
- end
-
- def test_avo_show
- assert_predicate Pundit.policy!(@admin, @linkset), :avo_show?
- refute_predicate Pundit.policy!(@non_admin, @linkset), :avo_show?
- end
-
- def test_avo_create
- refute_predicate Pundit.policy!(@admin, Linkset), :avo_create?
- refute_predicate Pundit.policy!(@non_admin, Linkset), :avo_create?
- end
-
- def test_avo_update
- refute_predicate Pundit.policy!(@admin, @linkset), :avo_update?
- refute_predicate Pundit.policy!(@non_admin, @linkset), :avo_update?
- end
-
- def test_avo_destroy
- refute_predicate Pundit.policy!(@admin, @linkset), :avo_destroy?
- refute_predicate Pundit.policy!(@non_admin, @linkset), :avo_destroy?
- end
-end
diff --git a/test/policies/log_ticket_policy_test.rb b/test/policies/log_ticket_policy_test.rb
deleted file mode 100644
index 416e10c127f..00000000000
--- a/test/policies/log_ticket_policy_test.rb
+++ /dev/null
@@ -1,41 +0,0 @@
-require "test_helper"
-
-class LogTicketPolicyTest < ActiveSupport::TestCase
- setup do
- @log_ticket = FactoryBot.create(:log_ticket)
- @admin = FactoryBot.create(:admin_github_user, :is_admin)
- @non_admin = FactoryBot.create(:admin_github_user)
- end
-
- def test_scope
- assert_equal [@log_ticket], Pundit.policy_scope!(
- @admin,
- LogTicket
- ).to_a
- end
-
- def test_avo_index
- refute_predicate Pundit.policy!(@admin, ApiKey), :avo_index?
- refute_predicate Pundit.policy!(@non_admin, ApiKey), :avo_index?
- end
-
- def test_avo_show
- assert_predicate Pundit.policy!(@admin, @log_ticket), :avo_show?
- refute_predicate Pundit.policy!(@non_admin, @log_ticket), :avo_show?
- end
-
- def test_avo_create
- refute_predicate Pundit.policy!(@admin, ApiKey), :avo_create?
- refute_predicate Pundit.policy!(@non_admin, ApiKey), :avo_create?
- end
-
- def test_avo_update
- refute_predicate Pundit.policy!(@admin, @log_ticket), :avo_update?
- refute_predicate Pundit.policy!(@non_admin, @log_ticket), :avo_update?
- end
-
- def test_avo_destroy
- refute_predicate Pundit.policy!(@admin, @log_ticket), :avo_destroy?
- refute_predicate Pundit.policy!(@non_admin, @log_ticket), :avo_destroy?
- end
-end
diff --git a/test/policies/maintenance_tasks/run_policy_test.rb b/test/policies/maintenance_tasks/run_policy_test.rb
deleted file mode 100644
index 8879fdcaa47..00000000000
--- a/test/policies/maintenance_tasks/run_policy_test.rb
+++ /dev/null
@@ -1,41 +0,0 @@
-require "test_helper"
-
-class MaintenanceTasks::RunPolicyTest < ActiveSupport::TestCase
- setup do
- @run = create(:maintenance_tasks_run)
- @admin = FactoryBot.create(:admin_github_user, :is_admin)
- @non_admin = FactoryBot.create(:admin_github_user)
- end
-
- def test_scope
- assert_equal [@run], Pundit.policy_scope!(
- @admin,
- MaintenanceTasks::Run
- ).to_a
- end
-
- def test_avo_index
- assert_predicate Pundit.policy!(@admin, MaintenanceTasks::Run), :avo_index?
- refute_predicate Pundit.policy!(@non_admin, MaintenanceTasks::Run), :avo_index?
- end
-
- def test_avo_show
- assert_predicate Pundit.policy!(@admin, @run), :avo_show?
- refute_predicate Pundit.policy!(@non_admin, @run), :avo_show?
- end
-
- def test_avo_create
- refute_predicate Pundit.policy!(@admin, MaintenanceTasks::Run), :avo_create?
- refute_predicate Pundit.policy!(@non_admin, MaintenanceTasks::Run), :avo_create?
- end
-
- def test_avo_update
- refute_predicate Pundit.policy!(@admin, @run), :avo_update?
- refute_predicate Pundit.policy!(@non_admin, @run), :avo_update?
- end
-
- def test_avo_destroy
- refute_predicate Pundit.policy!(@admin, @run), :avo_destroy?
- refute_predicate Pundit.policy!(@non_admin, @run), :avo_destroy?
- end
-end
diff --git a/test/policies/oidc/api_key_role_policy_test.rb b/test/policies/oidc/api_key_role_policy_test.rb
deleted file mode 100644
index ab590a2533d..00000000000
--- a/test/policies/oidc/api_key_role_policy_test.rb
+++ /dev/null
@@ -1,42 +0,0 @@
-require "test_helper"
-
-class OIDC::ApiKeyRolePolicyTest < ActiveSupport::TestCase
- setup do
- @api_key_role = FactoryBot.create(:oidc_api_key_role)
-
- @admin = FactoryBot.create(:admin_github_user, :is_admin)
- @non_admin = FactoryBot.create(:admin_github_user)
- end
-
- def test_scope
- assert_equal [@api_key_role], Pundit.policy_scope!(
- @admin,
- OIDC::ApiKeyRole
- ).to_a
- end
-
- def test_avo_index
- assert_predicate Pundit.policy!(@admin, OIDC::ApiKeyRole), :avo_index?
- refute_predicate Pundit.policy!(@non_admin, OIDC::ApiKeyRole), :avo_index?
- end
-
- def test_avo_show
- assert_predicate Pundit.policy!(@admin, @api_key_role), :avo_show?
- refute_predicate Pundit.policy!(@non_admin, @api_key_role), :avo_show?
- end
-
- def test_avo_create
- assert_predicate Pundit.policy!(@admin, OIDC::ApiKeyRole), :avo_create?
- refute_predicate Pundit.policy!(@non_admin, OIDC::ApiKeyRole), :avo_create?
- end
-
- def test_avo_update
- assert_predicate Pundit.policy!(@admin, @api_key_role), :avo_update?
- refute_predicate Pundit.policy!(@non_admin, @api_key_role), :avo_update?
- end
-
- def test_avo_destroy
- refute_predicate Pundit.policy!(@admin, @api_key_role), :avo_destroy?
- refute_predicate Pundit.policy!(@non_admin, @api_key_role), :avo_destroy?
- end
-end
diff --git a/test/policies/oidc/id_token_policy_test.rb b/test/policies/oidc/id_token_policy_test.rb
deleted file mode 100644
index 9b5c4ad7790..00000000000
--- a/test/policies/oidc/id_token_policy_test.rb
+++ /dev/null
@@ -1,42 +0,0 @@
-require "test_helper"
-
-class OIDC::IdTokenPolicyTest < ActiveSupport::TestCase
- setup do
- @id_token = FactoryBot.create(:oidc_id_token)
-
- @admin = FactoryBot.create(:admin_github_user, :is_admin)
- @non_admin = FactoryBot.create(:admin_github_user)
- end
-
- def test_scope
- assert_equal [@id_token], Pundit.policy_scope!(
- @admin,
- OIDC::IdToken
- ).to_a
- end
-
- def test_avo_index
- assert_predicate Pundit.policy!(@admin, OIDC::IdToken), :avo_index?
- refute_predicate Pundit.policy!(@non_admin, OIDC::IdToken), :avo_index?
- end
-
- def test_avo_show
- assert_predicate Pundit.policy!(@admin, @id_token), :avo_show?
- refute_predicate Pundit.policy!(@non_admin, @id_token), :avo_show?
- end
-
- def test_avo_create
- refute_predicate Pundit.policy!(@admin, OIDC::IdToken), :avo_create?
- refute_predicate Pundit.policy!(@non_admin, OIDC::IdToken), :avo_create?
- end
-
- def test_avo_update
- refute_predicate Pundit.policy!(@admin, @id_token), :avo_update?
- refute_predicate Pundit.policy!(@non_admin, @id_token), :avo_update?
- end
-
- def test_avo_destroy
- refute_predicate Pundit.policy!(@admin, @id_token), :avo_destroy?
- refute_predicate Pundit.policy!(@non_admin, @id_token), :avo_destroy?
- end
-end
diff --git a/test/policies/oidc/pending_trusted_publisher_policy_test.rb b/test/policies/oidc/pending_trusted_publisher_policy_test.rb
deleted file mode 100644
index 74c921e3bdd..00000000000
--- a/test/policies/oidc/pending_trusted_publisher_policy_test.rb
+++ /dev/null
@@ -1,42 +0,0 @@
-require "test_helper"
-
-class OIDC::PendingTrustedPublisherPolicyTest < ActiveSupport::TestCase
- setup do
- @pending_trusted_publisher = create(:oidc_pending_trusted_publisher)
-
- @admin = create(:admin_github_user, :is_admin)
- @non_admin = create(:admin_github_user)
- end
-
- def test_scope
- assert_equal [@pending_trusted_publisher], Pundit.policy_scope!(
- @admin,
- OIDC::PendingTrustedPublisher
- ).to_a
- end
-
- def test_avo_index
- assert_predicate Pundit.policy!(@admin, OIDC::PendingTrustedPublisher), :avo_index?
- refute_predicate Pundit.policy!(@non_admin, OIDC::PendingTrustedPublisher), :avo_index?
- end
-
- def test_avo_show
- assert_predicate Pundit.policy!(@admin, @pending_trusted_publisher), :avo_show?
- refute_predicate Pundit.policy!(@non_admin, @pending_trusted_publisher), :avo_show?
- end
-
- def test_avo_create
- refute_predicate Pundit.policy!(@admin, OIDC::PendingTrustedPublisher), :avo_create?
- refute_predicate Pundit.policy!(@non_admin, OIDC::PendingTrustedPublisher), :avo_create?
- end
-
- def test_avo_update
- refute_predicate Pundit.policy!(@admin, @pending_trusted_publisher), :avo_update?
- refute_predicate Pundit.policy!(@non_admin, @pending_trusted_publisher), :avo_update?
- end
-
- def test_avo_destroy
- refute_predicate Pundit.policy!(@admin, @pending_trusted_publisher), :avo_destroy?
- refute_predicate Pundit.policy!(@non_admin, @pending_trusted_publisher), :avo_destroy?
- end
-end
diff --git a/test/policies/oidc/provider_policy_test.rb b/test/policies/oidc/provider_policy_test.rb
deleted file mode 100644
index 6789c0b3c0c..00000000000
--- a/test/policies/oidc/provider_policy_test.rb
+++ /dev/null
@@ -1,42 +0,0 @@
-require "test_helper"
-
-class OIDC::ProviderPolicyTest < ActiveSupport::TestCase
- setup do
- @provider = FactoryBot.create(:oidc_provider)
-
- @admin = FactoryBot.create(:admin_github_user, :is_admin)
- @non_admin = FactoryBot.create(:admin_github_user)
- end
-
- def test_scope
- assert_equal [@provider], Pundit.policy_scope!(
- @admin,
- OIDC::Provider
- ).to_a
- end
-
- def test_avo_index
- assert_predicate Pundit.policy!(@admin, OIDC::Provider), :avo_index?
- refute_predicate Pundit.policy!(@non_admin, OIDC::Provider), :avo_index?
- end
-
- def test_avo_show
- assert_predicate Pundit.policy!(@admin, @provider), :avo_show?
- refute_predicate Pundit.policy!(@non_admin, @provider), :avo_show?
- end
-
- def test_avo_create
- assert_predicate Pundit.policy!(@admin, OIDC::Provider), :avo_create?
- refute_predicate Pundit.policy!(@non_admin, OIDC::Provider), :avo_create?
- end
-
- def test_avo_update
- assert_predicate Pundit.policy!(@admin, @provider), :avo_update?
- refute_predicate Pundit.policy!(@non_admin, @provider), :avo_update?
- end
-
- def test_avo_destroy
- refute_predicate Pundit.policy!(@admin, @provider), :avo_destroy?
- refute_predicate Pundit.policy!(@non_admin, @provider), :avo_destroy?
- end
-end
diff --git a/test/policies/oidc/rubygem_trusted_publisher_policy_test.rb b/test/policies/oidc/rubygem_trusted_publisher_policy_test.rb
deleted file mode 100644
index 1ec4e6c33cc..00000000000
--- a/test/policies/oidc/rubygem_trusted_publisher_policy_test.rb
+++ /dev/null
@@ -1,42 +0,0 @@
-require "test_helper"
-
-class OIDC::RubygemTrustedPublisherPolicyTest < ActiveSupport::TestCase
- setup do
- @rubygem_trusted_publisher = create(:oidc_rubygem_trusted_publisher)
-
- @admin = create(:admin_github_user, :is_admin)
- @non_admin = create(:admin_github_user)
- end
-
- def test_scope
- assert_equal [@rubygem_trusted_publisher], Pundit.policy_scope!(
- @admin,
- OIDC::RubygemTrustedPublisher
- ).to_a
- end
-
- def test_avo_index
- assert_predicate Pundit.policy!(@admin, OIDC::RubygemTrustedPublisher), :avo_index?
- refute_predicate Pundit.policy!(@non_admin, OIDC::RubygemTrustedPublisher), :avo_index?
- end
-
- def test_avo_show
- assert_predicate Pundit.policy!(@admin, @rubygem_trusted_publisher), :avo_show?
- refute_predicate Pundit.policy!(@non_admin, @rubygem_trusted_publisher), :avo_show?
- end
-
- def test_avo_create
- refute_predicate Pundit.policy!(@admin, OIDC::RubygemTrustedPublisher), :avo_create?
- refute_predicate Pundit.policy!(@non_admin, OIDC::RubygemTrustedPublisher), :avo_create?
- end
-
- def test_avo_update
- refute_predicate Pundit.policy!(@admin, @rubygem_trusted_publisher), :avo_update?
- refute_predicate Pundit.policy!(@non_admin, @rubygem_trusted_publisher), :avo_update?
- end
-
- def test_avo_destroy
- refute_predicate Pundit.policy!(@admin, @rubygem_trusted_publisher), :avo_destroy?
- refute_predicate Pundit.policy!(@non_admin, @rubygem_trusted_publisher), :avo_destroy?
- end
-end
diff --git a/test/policies/oidc/trusted_publisher/github_action_policy_test.rb b/test/policies/oidc/trusted_publisher/github_action_policy_test.rb
deleted file mode 100644
index 4d00f78ab02..00000000000
--- a/test/policies/oidc/trusted_publisher/github_action_policy_test.rb
+++ /dev/null
@@ -1,42 +0,0 @@
-require "test_helper"
-
-class OIDC::TrustedPublisher::GitHubActionPolicyTest < ActiveSupport::TestCase
- setup do
- @trusted_publisher_github_action = create(:oidc_trusted_publisher_github_action)
-
- @admin = create(:admin_github_user, :is_admin)
- @non_admin = create(:admin_github_user)
- end
-
- def test_scope
- assert_equal [@trusted_publisher_github_action], Pundit.policy_scope!(
- @admin,
- OIDC::TrustedPublisher::GitHubAction
- ).to_a
- end
-
- def test_avo_index
- assert_predicate Pundit.policy!(@admin, OIDC::TrustedPublisher::GitHubAction), :avo_index?
- refute_predicate Pundit.policy!(@non_admin, OIDC::TrustedPublisher::GitHubAction), :avo_index?
- end
-
- def test_avo_show
- assert_predicate Pundit.policy!(@admin, @trusted_publisher_github_action), :avo_show?
- refute_predicate Pundit.policy!(@non_admin, @trusted_publisher_github_action), :avo_show?
- end
-
- def test_avo_create
- refute_predicate Pundit.policy!(@admin, OIDC::TrustedPublisher::GitHubAction), :avo_create?
- refute_predicate Pundit.policy!(@non_admin, OIDC::TrustedPublisher::GitHubAction), :avo_create?
- end
-
- def test_avo_update
- refute_predicate Pundit.policy!(@admin, @trusted_publisher_github_action), :avo_update?
- refute_predicate Pundit.policy!(@non_admin, @trusted_publisher_github_action), :avo_update?
- end
-
- def test_avo_destroy
- refute_predicate Pundit.policy!(@admin, @trusted_publisher_github_action), :avo_destroy?
- refute_predicate Pundit.policy!(@non_admin, @trusted_publisher_github_action), :avo_destroy?
- end
-end
diff --git a/test/policies/ownership_policy_test.rb b/test/policies/ownership_policy_test.rb
deleted file mode 100644
index 4232efed171..00000000000
--- a/test/policies/ownership_policy_test.rb
+++ /dev/null
@@ -1,41 +0,0 @@
-require "test_helper"
-
-class OwnershipPolicyTest < ActiveSupport::TestCase
- setup do
- @ownership = FactoryBot.create(:ownership)
- @admin = FactoryBot.create(:admin_github_user, :is_admin)
- @non_admin = FactoryBot.create(:admin_github_user)
- end
-
- def test_scope
- assert_equal [@ownership], Pundit.policy_scope!(
- @admin,
- Ownership
- ).to_a
- end
-
- def test_avo_index
- refute_predicate Pundit.policy!(@admin, Ownership), :avo_index?
- refute_predicate Pundit.policy!(@non_admin, Ownership), :avo_index?
- end
-
- def test_avo_show
- assert_predicate Pundit.policy!(@admin, @ownership), :avo_show?
- refute_predicate Pundit.policy!(@non_admin, @ownership), :avo_show?
- end
-
- def test_avo_create
- refute_predicate Pundit.policy!(@admin, Ownership), :avo_create?
- refute_predicate Pundit.policy!(@non_admin, Ownership), :avo_create?
- end
-
- def test_avo_update
- refute_predicate Pundit.policy!(@admin, @ownership), :avo_update?
- refute_predicate Pundit.policy!(@non_admin, @ownership), :avo_update?
- end
-
- def test_avo_destroy
- refute_predicate Pundit.policy!(@admin, @ownership), :avo_destroy?
- refute_predicate Pundit.policy!(@non_admin, @ownership), :avo_destroy?
- end
-end
diff --git a/test/policies/rubygem_policy_test.rb b/test/policies/rubygem_policy_test.rb
deleted file mode 100644
index ada55a56753..00000000000
--- a/test/policies/rubygem_policy_test.rb
+++ /dev/null
@@ -1,18 +0,0 @@
-require "test_helper"
-
-class RubygemPolicyTest < ActiveSupport::TestCase
- def test_scope
- end
-
- def test_show
- end
-
- def test_create
- end
-
- def test_update
- end
-
- def test_destroy
- end
-end
diff --git a/test/policies/sendgrid_event_policy_test.rb b/test/policies/sendgrid_event_policy_test.rb
deleted file mode 100644
index 9f699ef2bc5..00000000000
--- a/test/policies/sendgrid_event_policy_test.rb
+++ /dev/null
@@ -1,46 +0,0 @@
-require "test_helper"
-
-class SendgridEventPolicyTest < ActiveSupport::TestCase
- setup do
- @sendgrid_event = FactoryBot.create(:sendgrid_event)
- @admin = FactoryBot.create(:admin_github_user, :is_admin)
- @non_admin = FactoryBot.create(:admin_github_user)
- end
-
- def test_scope
- assert_equal [@sendgrid_event], Pundit.policy_scope!(
- @admin,
- SendgridEvent
- ).to_a
- end
-
- def test_avo_index
- refute_predicate Pundit.policy!(@admin, ApiKey), :avo_index?
- refute_predicate Pundit.policy!(@non_admin, ApiKey), :avo_index?
- end
-
- def test_avo_show
- assert_predicate Pundit.policy!(@admin, @sendgrid_event), :avo_show?
- refute_predicate Pundit.policy!(@non_admin, @sendgrid_event), :avo_show?
- end
-
- def test_avo_create
- refute_predicate Pundit.policy!(@admin, ApiKey), :avo_create?
- refute_predicate Pundit.policy!(@non_admin, ApiKey), :avo_create?
- end
-
- def test_avo_update
- refute_predicate Pundit.policy!(@admin, @sendgrid_event), :avo_update?
- refute_predicate Pundit.policy!(@non_admin, @sendgrid_event), :avo_update?
- end
-
- def test_avo_destroy
- refute_predicate Pundit.policy!(@admin, @sendgrid_event), :avo_destroy?
- refute_predicate Pundit.policy!(@non_admin, @sendgrid_event), :avo_destroy?
- end
-
- def test_act_on
- refute_predicate Pundit.policy!(@admin, @sendgrid_event), :act_on?
- refute_predicate Pundit.policy!(@non_admin, @sendgrid_event), :act_on?
- end
-end
diff --git a/test/policies/web_hook_policy_test.rb b/test/policies/web_hook_policy_test.rb
deleted file mode 100644
index ff7f2193101..00000000000
--- a/test/policies/web_hook_policy_test.rb
+++ /dev/null
@@ -1,46 +0,0 @@
-require "test_helper"
-
-class WebHookPolicyTest < ActiveSupport::TestCase
- setup do
- @web_hook = FactoryBot.create(:web_hook)
- @admin = FactoryBot.create(:admin_github_user, :is_admin)
- @non_admin = FactoryBot.create(:admin_github_user)
- end
-
- def test_scope
- assert_equal [@web_hook], Pundit.policy_scope!(
- @admin,
- WebHook
- ).to_a
- end
-
- def test_avo_index
- refute_predicate Pundit.policy!(@admin, ApiKey), :avo_index?
- refute_predicate Pundit.policy!(@non_admin, ApiKey), :avo_index?
- end
-
- def test_avo_show
- assert_predicate Pundit.policy!(@admin, @web_hook), :avo_show?
- refute_predicate Pundit.policy!(@non_admin, @web_hook), :avo_show?
- end
-
- def test_avo_create
- refute_predicate Pundit.policy!(@admin, ApiKey), :avo_create?
- refute_predicate Pundit.policy!(@non_admin, ApiKey), :avo_create?
- end
-
- def test_avo_update
- refute_predicate Pundit.policy!(@admin, @web_hook), :avo_update?
- refute_predicate Pundit.policy!(@non_admin, @web_hook), :avo_update?
- end
-
- def test_avo_destroy
- refute_predicate Pundit.policy!(@admin, @web_hook), :avo_destroy?
- refute_predicate Pundit.policy!(@non_admin, @web_hook), :avo_destroy?
- end
-
- def test_act_on
- assert_predicate Pundit.policy!(@admin, @web_hook), :act_on?
- refute_predicate Pundit.policy!(@non_admin, @web_hook), :act_on?
- end
-end
diff --git a/test/policies/webauthn_credential_policy_test.rb b/test/policies/webauthn_credential_policy_test.rb
deleted file mode 100644
index 0d947926379..00000000000
--- a/test/policies/webauthn_credential_policy_test.rb
+++ /dev/null
@@ -1,41 +0,0 @@
-require "test_helper"
-
-class WebauthnCredentialPolicyTest < ActiveSupport::TestCase
- setup do
- @webauthn_credential = FactoryBot.create(:webauthn_credential)
- @admin = FactoryBot.create(:admin_github_user, :is_admin)
- @non_admin = FactoryBot.create(:admin_github_user)
- end
-
- def test_scope
- assert_equal [@webauthn_credential], Pundit.policy_scope!(
- @admin,
- WebauthnCredential
- ).to_a
- end
-
- def test_avo_index
- refute_predicate Pundit.policy!(@admin, WebauthnCredential), :avo_index?
- refute_predicate Pundit.policy!(@non_admin, WebauthnCredential), :avo_index?
- end
-
- def test_avo_show
- assert_predicate Pundit.policy!(@admin, @webauthn_credential), :avo_show?
- refute_predicate Pundit.policy!(@non_admin, @webauthn_credential), :avo_show?
- end
-
- def test_avo_create
- refute_predicate Pundit.policy!(@admin, WebauthnCredential), :avo_create?
- refute_predicate Pundit.policy!(@non_admin, WebauthnCredential), :avo_create?
- end
-
- def test_avo_update
- refute_predicate Pundit.policy!(@admin, @webauthn_credential), :avo_update?
- refute_predicate Pundit.policy!(@non_admin, @webauthn_credential), :avo_update?
- end
-
- def test_avo_destroy
- refute_predicate Pundit.policy!(@admin, @webauthn_credential), :avo_destroy?
- refute_predicate Pundit.policy!(@non_admin, @webauthn_credential), :avo_destroy?
- end
-end
diff --git a/test/policies/webauthn_verification_policy_test.rb b/test/policies/webauthn_verification_policy_test.rb
deleted file mode 100644
index 3afef2dc596..00000000000
--- a/test/policies/webauthn_verification_policy_test.rb
+++ /dev/null
@@ -1,41 +0,0 @@
-require "test_helper"
-
-class WebauthnVerificationPolicyTest < ActiveSupport::TestCase
- setup do
- @webauthn_verification = FactoryBot.create(:webauthn_verification)
- @admin = FactoryBot.create(:admin_github_user, :is_admin)
- @non_admin = FactoryBot.create(:admin_github_user)
- end
-
- def test_scope
- assert_equal [@webauthn_verification], Pundit.policy_scope!(
- @admin,
- WebauthnVerification
- ).to_a
- end
-
- def test_avo_index
- refute_predicate Pundit.policy!(@admin, WebauthnVerification), :avo_index?
- refute_predicate Pundit.policy!(@non_admin, WebauthnVerification), :avo_index?
- end
-
- def test_avo_show
- assert_predicate Pundit.policy!(@admin, @webauthn_verification), :avo_show?
- refute_predicate Pundit.policy!(@non_admin, @webauthn_verification), :avo_show?
- end
-
- def test_avo_create
- refute_predicate Pundit.policy!(@admin, WebauthnVerification), :avo_create?
- refute_predicate Pundit.policy!(@non_admin, WebauthnVerification), :avo_create?
- end
-
- def test_avo_update
- refute_predicate Pundit.policy!(@admin, @webauthn_verification), :avo_update?
- refute_predicate Pundit.policy!(@non_admin, @webauthn_verification), :avo_update?
- end
-
- def test_avo_destroy
- refute_predicate Pundit.policy!(@admin, @webauthn_verification), :avo_destroy?
- refute_predicate Pundit.policy!(@non_admin, @webauthn_verification), :avo_destroy?
- end
-end
diff --git a/test/system/avo/manual_changes_test.rb b/test/system/avo/manual_changes_test.rb
index ccd71e75855..ad990b0bf1a 100644
--- a/test/system/avo/manual_changes_test.rb
+++ b/test/system/avo/manual_changes_test.rb
@@ -28,9 +28,9 @@ def sign_in_as(user)
 admin_user = create(:admin_github_user, :is_admin)
 sign_in_as admin_user
- LogTicketPolicy.any_instance.stubs(:avo_create?).returns(true)
- LogTicketPolicy.any_instance.stubs(:avo_update?).returns(true)
- LogTicketPolicy.any_instance.stubs(:avo_destroy?).returns(true)
+ Admin::LogTicketPolicy.any_instance.stubs(:avo_create?).returns(true)
+ Admin::LogTicketPolicy.any_instance.stubs(:avo_update?).returns(true)
+ Admin::LogTicketPolicy.any_instance.stubs(:avo_destroy?).returns(true)
 visit avo.resources_log_tickets_path
 click_on "Create new log ticket"
diff --git a/test/test_helper.rb b/test/test_helper.rb
index b7b64ce1f5b..d424e235f6c 100644
--- a/test/test_helper.rb
+++ b/test/test_helper.rb
@@ -224,6 +224,41 @@ class SystemTest < ActionDispatch::IntegrationTest
 end
 end
+class AdminPolicyTestCase < ActiveSupport::TestCase
+ def setup
+ @authorization_client = Admin::AuthorizationClient.new
+ end
+
+ def assert_authorizes(user, record, action)
+ assert @authorization_client.authorize(user, record, action, policy_class: policy_class)
+ rescue Avo::NotAuthorizedError
+ policy_class ||= policy!(user, record).class
+
+ flunk("Expected #{policy_class} to authorize #{action} on #{record} for #{user}")
+ end
+
+ def refute_authorizes(user, record, action)
+ @authorization_client.authorize(user, record, action, policy_class: policy_class)
+ policy_class ||= policy!(user, record).class
+
+ flunk("Expected #{policy_class} not to authorize #{action} on #{record} for #{user}")
+ rescue Avo::NotAuthorizedError
+ # Expected
+ end
+
+ def policy_class
+ nil
+ end
+
+ def policy!(user, record)
+ @authorization_client.policy!(user, record)
+ end
+
+ def policy_scope!(user, record)
+ @authorization_client.apply_policy(user, record, policy_class: policy_class)
+ end
+end
+
 class ComponentTest < ActiveSupport::TestCase
 include Phlex::Testing::Rails::ViewHelper
 include Capybara::Minitest::Assertions
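Review bot: `policy_class ||= policy!(user, record).class` in the rescue of `assert_authorizes` (and the identical line in `refute_authorizes`) in the test_helper.rb hunk introduces a local named `policy_class` that shadows the `policy_class` method, so the `||=` always assigns and the failure message reports the client's default policy for the record even when a subclass overrides `policy_class` and that override is what the `authorize` call above actually used. Ruby resolves a bare identifier as a local once the parser has seen it on the left of an assignment, so the read side of the `||=` is nil here, not the method; the earlier `policy_class: policy_class` argument is still the method call because it precedes the assignment in the source. Drop the `||=` line in both methods and let the message consult the method instead, e.g. `flunk("Expected #{policy_class || policy!(user, record).class} to authorize #{action} on #{record} for #{user}")`. A secondary point in `assert_authorizes`: a falsy return from `authorize` (rather than a raised `Avo::NotAuthorizedError`) fails through Minitest's generic message because it never reaches the rescue; passing the same descriptive string as the second argument of `assert` would cover both paths.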