Flagsmith · novakzaballa · Jun 12, 2024 · Jun 13, 2024 · Jun 14, 2024 · Jun 18, 2024
diff --git a/.github/workflows/platform-docker-build-test-publish.yml b/.github/workflows/platform-docker-build-test-publish.yml
@@ -92,6 +92,8 @@ jobs:
             concurrency: 2
           - tests: versioning
             concurrency: 1
+          - tests: organisation-permission environment-permission project-permission roles
+            concurrency: 1
 
   docker-publish-api:
     needs: [docker-build-api, run-e2e-tests]

diff --git a/.github/workflows/platform-pull-request.yml b/.github/workflows/platform-pull-request.yml
@@ -154,3 +154,23 @@ jobs:
             concurrency: 2
           - tests: versioning
             concurrency: 1
+
+  run-e2e-tests-private-cloud:
+    if: needs.permissions-check.outputs.can-write == 'true' && !cancelled()
+    needs: [permissions-check, docker-build-private-cloud, docker-build-e2e]
+    uses: ./.github/workflows/.reusable-docker-e2e-tests.yml
+    with:
+      runs-on: ${{ matrix.runs-on }}
+      e2e-image: ${{ needs.docker-build-e2e.outputs.image }}
+      api-image: ${{ needs.docker-build-private-cloud.outputs.image }}
+      concurrency: ${{ matrix.args.concurrency }}
+      tests: ${{ matrix.args.tests }}
+    secrets:
+      gcr-token: ${{ needs.permissions-check.outputs.can-write == 'true' && secrets.GITHUB_TOKEN || '' }}
+
+    strategy:
+      matrix:
+        runs-on: [ubuntu-latest, ARM64-2c]
+        args:
+          - tests: organisation-permission environment-permission project-permission roles
+            concurrency: 1
@@ -377,6 +377,7 @@ store.dispatcherIndex = Dispatcher.register(store, (payload) => {
       controller.invalidateInviteLink(action.link)
       break
     case Actions.LOGOUT:
+      store.model = null
       store.id = null
       break
     default:

@@ -276,6 +276,9 @@ store.dispatcherIndex = Dispatcher.register(store, (payload) => {
     case Actions.EDIT_PROJECT:
       controller.editProject(action.id, action.project)
       break
+    case Actions.LOGOUT:
+      store.model = null
+      break
     default:
   }
 })

@@ -1,5 +1,12 @@
 const E2E_EMAIL_DOMAIN = 'flagsmithe2etestdomain.io'
 export const E2E_SIGN_UP_USER = `e2e_signup_user@${E2E_EMAIL_DOMAIN}`
 export const E2E_USER = `e2e_user@${E2E_EMAIL_DOMAIN}`
+export const E2E_NON_ADMIN_USER = `e2e_user@${E2E_EMAIL_DOMAIN}`
+//e2e_non_admin_user_with_project_permissions@flagsmithe2etestdomain.io
+export const E2E_NON_ADMIN_USER_WITH_ORG_PERMISSIONS = `e2e_non_admin_user_with_org_permissions@${E2E_EMAIL_DOMAIN}`
+export const E2E_NON_ADMIN_USER_WITH_PROJECT_PERMISSIONS = `e2e_non_admin_user_with_project_permissions@${E2E_EMAIL_DOMAIN}`
+export const E2E_NON_ADMIN_USER_WITH_PROJECT_READ_PERMISSIONS = `e2e_non_admin_user_with_project_read_permissions@${E2E_EMAIL_DOMAIN}`
+export const E2E_NON_ADMIN_USER_WITH_ENV_PERMISSIONS = `e2e_non_admin_user_with_env_permissions@${E2E_EMAIL_DOMAIN}`
+export const E2E_NON_ADMIN_USER_WITH_A_ROLE = `e2e_non_admin_user_with_a_role@${E2E_EMAIL_DOMAIN}`
 export const E2E_CHANGE_MAIL = `e2e_change_email@${E2E_EMAIL_DOMAIN}`
 export const PASSWORD = 'Str0ngp4ssw0rd!'
@@ -1,5 +1,7 @@
 import { RequestLogger, Selector, t } from 'testcafe'
 import { FlagsmithValue } from '../common/types/responses';
+import { E2E_USER, PASSWORD } from './config';
+import { cli } from 'yaml/dist/cli';
 
 export const LONG_TIMEOUT = 40000
 
@@ -35,6 +37,24 @@ export const waitForElementVisible = async (selector: string) => {
     .ok(`waitForElementVisible(${selector})`, { timeout: LONG_TIMEOUT })
 }
 
+export const waitForElementNotClickable = async (selector: string) => {
+  logUsingLastSection(`Waiting element visible ${selector}`)
+  await t
+    .expect(Selector(selector).visible)
+    .ok(`waitForElementVisible(${selector})`, { timeout: LONG_TIMEOUT })
+  await t
+      .expect(Selector(selector).hasAttribute('disabled')).ok()
+}
+
+export const waitForElementClickable = async (selector: string) => {
+  logUsingLastSection(`Waiting element visible ${selector}`)
+  await t
+    .expect(Selector(selector).visible)
+    .ok(`waitForElementVisible(${selector})`, { timeout: LONG_TIMEOUT })
+  await t
+      .expect(Selector(selector).hasAttribute('disabled')).notOk()
+}
+
 export const logResults = async (requests: LoggedRequest[], t) => {
   if (!t.testRun?.errs?.length) {
     log('Finished without errors')
@@ -88,6 +108,17 @@ export const click = async (selector: string) => {
     .click(selector)
 }
 
+export const clickByText = async (text:string, element = 'button') => {
+  logUsingLastSection(`Click by text ${text} ${element}`)
+  const selector = Selector(element).withText(text);
+  await t
+      .scrollIntoView(selector)
+      .expect(Selector(selector).hasAttribute('disabled'))
+      .notOk('ready for testing', { timeout: 5000 })
+      .hover(selector)
+      .click(selector)
+}
+
 export const gotoSegments = async () => {
   await click('#segments-link')
 }
@@ -219,6 +250,12 @@ export const saveFeatureSegments = async () => {
   await waitForElementNotExist('#create-feature-modal')
 }
 
+export const createEnvironment = async (name:string) => {
+  await setText('[name="envName"]', name)
+  await click('#create-env-btn')
+  await waitForElementVisible(byId(`switch-environment-${name.toLowerCase()}-active`))
+}
+
 export const goToUser = async (index: number) => {
   await click('#features-link')
   await click('#users-link')
@@ -257,7 +294,7 @@ export const login = async (email: string, password: string) => {
   await click('#login-btn')
   await waitForElementVisible('#project-manage-widget')
 }
-export const logout = async (t) => {
+export const logout = async () => {
   await click('#account-settings-link')
   await click('#logout-link')
   await waitForElementVisible('#login-page')
@@ -413,6 +450,14 @@ export const toggleFeature = async (index: number, toValue: boolean) => {
   )
 }
 
+export const setUserPermissions = async (index: number, toValue: boolean) => {
+  await click(byId(`feature-switch-${index}${toValue ? '-off' : 'on'}`))
+  await click('#confirm-toggle-feature-btn')
+  await waitForElementVisible(
+    byId(`feature-switch-${index}${toValue ? '-on' : 'off'}`),
+  )
+}
+
 export const setSegmentRule = async (
   ruleIndex: number,
   orIndex: number,
@@ -478,4 +523,44 @@ export const refreshUntilElementVisible = async (selector: string, maxRetries=20
   return t.scrollIntoView(element)
 }
 
+const permissionsMap = {
+  'CREATE_PROJECT': 'organisation',
+  'MANAGE_USERS': 'organisation',
+  'MANAGE_USER_GROUPS': 'organisation',
+  'VIEW_PROJECT': 'project',
+  'CREATE_ENVIRONMENT': 'project',
+  'DELETE_FEATURE': 'project',
+  'CREATE_FEATURE': 'project',
+  'MANAGE_SEGMENTS': 'project',
+  'VIEW_AUDIT_LOG': 'project',
+  'VIEW_ENVIRONMENT': 'environment',
+  'UPDATE_FEATURE_STATE': 'environment',
+  'MANAGE_IDENTITIES': 'environment',
+  'CREATE_CHANGE_REQUEST': 'environment',
+  'APPROVE_CHANGE_REQUEST': 'environment',
+  'VIEW_IDENTITIES': 'environment',
+  'MANAGE_SEGMENT_OVERRIDES': 'environment',
+  'MANAGE_TAGS': 'project',
+} as const;
+
+
+export const setUserPermission = async (email: string, permission: keyof typeof permissionsMap | 'ADMIN', entityName:string|null, entityLevel?: 'project'|'environment'|'organisation', parentName?: string) => {
+  await click(byId('users-and-permissions'))
+  await click(byId(`user-${email}`))
+  const level = permissionsMap[permission] || entityLevel
+  await click(byId(`${level}-permissions-tab`))
+  if(parentName) {
+    await clickByText(parentName, 'a')
+  }
+  if(entityName) {
+    await click(byId(`permissions-${entityName.toLowerCase()}`))
+  }
+  if(permission==='ADMIN') {
+    await click(byId(`admin-switch-${level}`))
+  } else {
+    await click(byId(`permission-switch-${permission}`))
+  }
+  await closeModal()
+}
+
 export default {}
@@ -21,10 +21,15 @@ createTestCafe()
         testcafe = tc;
         await new Promise((resolve) => {
             process.env.PORT = 3000;
-            server = fork('./api/index');
-            server.on('message', () => {
-                resolve();
-            });
+            console.log(process.env.E2E_LOCAL)
+            if(process.env.E2E_LOCAL) {
+                resolve()
+            } else {
+                server = fork('./api/index');
+                server.on('message', () => {
+                    resolve();
+                });
+            }
         });
         const runner = testcafe.createRunner()
         const args = process.argv.splice(2).map(value => value.toLowerCase());

@@ -10,7 +10,11 @@ import projectTest from './tests/project-test'
 import { testSegment1, testSegment2, testSegment3 } from './tests/segment-test'
 import initialiseTests from './tests/initialise-tests'
 import flagTests from './tests/flag-tests'
-import versioningTests from './tests/versioning-tests';
+import versioningTests from './tests/versioning-tests'
+import organisationPermissionTest from './tests/organisation-permission-test'
+import projectPermissionTest from './tests/project-permission-test'
+import environmentPermissionTest from './tests/environment-permission-test'
+import rolesTest from './tests/roles-test'
 
 require('dotenv').config()
 
@@ -124,3 +128,18 @@ test('Versioning', async () => {
   await versioningTests()
   await logout()
 })
+
+test('Organisation-permission', async () => {
+  await organisationPermissionTest()
+  await logout()
+})
+
+test('Project-permission', async () => {
+  await projectPermissionTest()
+  await logout()
+})
+
+test('Environment-permission', async () => {
+  await environmentPermissionTest()
+  await logout()
+})
@@ -0,0 +1,147 @@
+import {
+  byId,
+  click, clickByText, closeModal, createEnvironment,
+  createFeature, editRemoteConfig,
+  gotoTraits,
+  log,
+  login, logout, setUserPermission,
+  toggleFeature, waitForElementClickable, waitForElementNotClickable, waitForElementNotExist, waitForElementVisible,
+} from '../helpers.cafe';
+import {
+  PASSWORD,
+  E2E_NON_ADMIN_USER_WITH_ENV_PERMISSIONS,
+  E2E_USER,
+  E2E_NON_ADMIN_USER_WITH_PROJECT_PERMISSIONS,
+} from '../config';
+import { Selector, t } from 'testcafe'
+import { cli } from 'yaml/dist/cli';
+
+export default async function () {
+  log('Login')
+  await login(E2E_NON_ADMIN_USER_WITH_ENV_PERMISSIONS, PASSWORD)
+  log('User only can see an project')
+  await click('#project-select-0')
+  await t
+    .expect(Selector('#project-select-1').exists)
+    .notOk('The element"#project-select-1" should not be present')
+  await logout()
+
+  log('User with permissions can Handle the Features')
+  await login(E2E_NON_ADMIN_USER_WITH_ENV_PERMISSIONS, PASSWORD)
+  await click('#project-select-0')
+  await createFeature(0, 'test_feature', false)
+  await toggleFeature(0, true)
+  await logout()
+
+  log('User without permissions cannot create traits')
+  await login(E2E_NON_ADMIN_USER_WITH_ENV_PERMISSIONS, PASSWORD)
+  await click('#project-select-0')
+  await gotoTraits()
+  const createTraitBtn = Selector(byId('add-trait'))
+  await t.expect(createTraitBtn.hasAttribute('disabled')).ok()
+  await logout()
+
+  log('User without permissions cannot see audit logs')
+  await login(E2E_NON_ADMIN_USER_WITH_ENV_PERMISSIONS, PASSWORD)
+  await click('#project-select-0')
+  await waitForElementNotExist(byId('audit-log-link'))
+  await logout()
+
+  log('Create new environment')
+  await login(E2E_USER, PASSWORD)
+  await clickByText('My Test Project 6 Env Permission')
+  await click('#create-env-link')
+  await createEnvironment('Production')
+  await logout()
+  log('User without permissions cannot see environment')
+  await login(E2E_NON_ADMIN_USER_WITH_ENV_PERMISSIONS, PASSWORD)
+  await click('#project-select-0')
+  await waitForElementVisible(byId('switch-environment-development'))
+  await waitForElementNotExist(byId('switch-environment-production'))
+  await logout()
+
+  log('Grant view environment permission')
+  await login(E2E_USER, PASSWORD)
+  await setUserPermission(E2E_NON_ADMIN_USER_WITH_ENV_PERMISSIONS, 'VIEW_ENVIRONMENT', 'Production', 'environment', 'My Test Project 6 Env Permission' )
+  await logout()
+  log('User with permissions can see environment')
+  await login(E2E_NON_ADMIN_USER_WITH_ENV_PERMISSIONS, PASSWORD)
+  await click('#project-select-0')
+  await waitForElementVisible(byId('switch-environment-production'))
+  await waitForElementVisible(byId('switch-environment-production'))
+  await logout()
+
+  log('User with permissions can update feature state')
+  await login(E2E_NON_ADMIN_USER_WITH_ENV_PERMISSIONS, PASSWORD)
+  await click('#project-select-0')
+  await createFeature(0,'my_feature',"foo",'A test feature')
+  await editRemoteConfig(0, 'bar')
+  await logout()
+  log('User without permission cannot create a segment override')
+  await login(E2E_NON_ADMIN_USER_WITH_ENV_PERMISSIONS, PASSWORD)
+  await click('#project-select-0')
+  await click(byId('feature-item-0'))
+  await click(byId('segment_overrides'))
+  await waitForElementNotClickable('#update-feature-segments-btn')
+  await closeModal()
+  await logout()
+  log('Grant MANAGE_IDENTITIES permission')
+  await login(E2E_USER, PASSWORD)
+  await setUserPermission(E2E_NON_ADMIN_USER_WITH_ENV_PERMISSIONS, 'MANAGE_SEGMENT_OVERRIDES', 'Development', 'environment', 'My Test Project 6 Env Permission' )
+  await logout()
+  log('User with permission can create a segment override')
+  await login(E2E_NON_ADMIN_USER_WITH_ENV_PERMISSIONS, PASSWORD)
+  await click('#project-select-0')
+  await click(byId('feature-item-0'))
+  await click(byId('segment_overrides'))
+  await waitForElementClickable('#update-feature-segments-btn')
+  await closeModal()
+  await logout()
+
+  log('User without permissions cannot update feature state')
+  await login(E2E_NON_ADMIN_USER_WITH_ENV_PERMISSIONS, PASSWORD)
+  await click('#project-select-0')
+  await waitForElementClickable(byId('feature-switch-0-on'))
+  await click(byId('switch-environment-production'))
+  await waitForElementNotClickable(byId('feature-switch-0-on'))
+  await click(byId('feature-item-0'))
+  await waitForElementNotClickable(byId('update-feature-btn'))
+  await closeModal()
+  await logout()
+
+  log('User with permissions can view identities')
+  await login(E2E_NON_ADMIN_USER_WITH_ENV_PERMISSIONS, PASSWORD)
+  await click('#project-select-0')
+  await waitForElementVisible('#users-link')
+  await logout()
+
+  log('User without permissions cannot add user trait')
+  await login(E2E_NON_ADMIN_USER_WITH_ENV_PERMISSIONS, PASSWORD)
+  await click('#project-select-0')
+  await click('#users-link')
+  await click(byId('user-item-0'))
+  await waitForElementNotClickable(byId('add-trait'))
+  await logout()
+
+  log('Grant MANAGE_IDENTITIES permission')
+  await login(E2E_USER, PASSWORD)
+  await setUserPermission(E2E_NON_ADMIN_USER_WITH_ENV_PERMISSIONS, 'MANAGE_IDENTITIES', 'Development', 'environment', 'My Test Project 6 Env Permission' )
+  await logout()
+  log('User with permissions can add user trait')
+  await login(E2E_NON_ADMIN_USER_WITH_ENV_PERMISSIONS, PASSWORD)
+  await click('#project-select-0')
+  await click('#users-link')
+  await click(byId('user-item-0'))
+  await waitForElementClickable(byId('add-trait'))
+  await logout()
+
+
+  log('Remove VIEW_IDENTITIES permission')
+  await login(E2E_USER, PASSWORD)
+  await setUserPermission(E2E_NON_ADMIN_USER_WITH_ENV_PERMISSIONS, 'VIEW_IDENTITIES', 'Development', 'environment', 'My Test Project 6 Env Permission' )
+  await logout()
+  log('User without permissions cannot view identities')
+  await login(E2E_NON_ADMIN_USER_WITH_ENV_PERMISSIONS, PASSWORD)
+  await click('#project-select-0')
+  await waitForElementNotExist('#users-link')
+}