Follow-up of cluster agent policy

c16d6be7 · Shinya Maeda · 76d36bc7 · c16d6be7 · c16d6be7 · c16d6be7
--- a/app/models/clusters/agent.rb
+++ b/app/models/clusters/agent.rb
@@ -51,6 +51,12 @@ def activity_event_deletion_cutoff
    def to_ability_name
      :cluster
    end
+
+    # TODO: Use Agents::ProjectAuthorization
+    # TODO: Use Agents::GroupAuthorization
+    def shared_to_user?(user)
+
+    end
  end
 end


--- a/app/policies/clusters/agent_policy.rb
+++ b/app/policies/clusters/agent_policy.rb
@@ -5,5 +5,11 @@ class AgentPolicy < BasePolicy
    alias_method :cluster_agent, :subject

    delegate { cluster_agent.project }
+
+    condition(:shared_agent) do
+      cluster_agent.shared_to_user?(@user)
+    end
+
+    rule { shared_agent }.enable :read_cluster_agent
  end
 end
--- a/app/policies/clusters/instance_policy.rb
+++ b/app/policies/clusters/instance_policy.rb
@@ -9,7 +9,6 @@ class InstancePolicy < BasePolicy
      enable :update_cluster
      enable :admin_cluster
      enable :read_prometheus
-      enable :use_k8s_proxies
    end
  end
 end

--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -168,7 +168,6 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
    enable :read_cluster # Deprecated as certificate-based cluster integration (`Clusters::Cluster`).
    enable :read_cluster_agent
    enable :read_group_all_available_runners
-    enable :use_k8s_proxies
  end

  rule { reporter }.policy do

--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -463,7 +463,6 @@ class ProjectPolicy < BasePolicy
    enable :update_deployment
    enable :read_cluster # Deprecated as certificate-based cluster integration (`Clusters::Cluster`).
    enable :read_cluster_agent
-    enable :use_k8s_proxies
    enable :create_release
    enable :update_release
    enable :destroy_release

--- a/app/services/clusters/agents/authorize_proxy_user_service.rb
+++ b/app/services/clusters/agents/authorize_proxy_user_service.rb
@@ -16,6 +16,7 @@ def execute
        access_as = user_access_config[:access_as]
        return forbidden unless access_as.present?
        return forbidden if access_as.size != 1
+        return forbidden unless current_user.can?(:read_cluster_agent, agent)

        if authorizations = handle_access(access_as, user_access_config)
          return success(payload: authorizations)
@@ -47,31 +48,9 @@ def response_base
      end

      def access_as_agent(user_access)
-        projects = authorized_projects(user_access)
-        groups = authorized_groups(user_access)
-        return unless projects.size + groups.size > 0
-
        response_base.merge(access_as: { agent: {} })
      end

-      def authorized_projects(user_access)
-        strong_memoize_with(:authorized_projects, user_access) do
-          user_access.fetch(:projects, [])
-            .first(::Clusters::Agents::RefreshAuthorizationService::AUTHORIZED_ENTITY_LIMIT)
-            .map { |project| ::Project.find_by_full_path(project[:id]) }
-            .select { |project| current_user.can?(:use_k8s_proxies, project) }
-        end
-      end
-
-      def authorized_groups(user_access)
-        strong_memoize_with(:authorized_groups, user_access) do
-          user_access.fetch(:groups, [])
-            .first(::Clusters::Agents::RefreshAuthorizationService::AUTHORIZED_ENTITY_LIMIT)
-            .map { |group| ::Group.find_by_full_path(group[:id]) }
-            .select { |group| current_user.can?(:use_k8s_proxies, group) }
-        end
-      end
-
      def user_access_config
        # TODO: Read the configuration from the database once it has been
        #       indexed. See https://gitlab.com/gitlab-org/gitlab/-/issues/389430

--- a/ee/app/services/ee/clusters/agents/authorize_proxy_user_service.rb
+++ b/ee/app/services/ee/clusters/agents/authorize_proxy_user_service.rb
@@ -28,6 +28,24 @@ def access_as_user(user_access)
          )
        end

+        # TODO: Use Agents::ProjectAuthorization
+        def authorized_projects(user_access)
+          strong_memoize_with(:authorized_projects, user_access) do
+            user_access.fetch(:projects, [])
+              .first(::Clusters::Agents::RefreshAuthorizationService::AUTHORIZED_ENTITY_LIMIT)
+              .map { |project| ::Project.find_by_full_path(project[:id]) }
+          end
+        end
+  
+        # TODO: Use Agents::GroupAuthorization
+        def authorized_groups(user_access)
+          strong_memoize_with(:authorized_groups, user_access) do
+            user_access.fetch(:groups, [])
+              .first(::Clusters::Agents::RefreshAuthorizationService::AUTHORIZED_ENTITY_LIMIT)
+              .map { |group| ::Group.find_by_full_path(group[:id]) }
+          end
+        end
+
        def project_roles(project)
          user_access_level = current_user.max_member_access_for_project(project.id)
          ::Gitlab::Access.sym_options_with_owner