authorMayra Cabrera <mcabrera@gitlab.com>2018-12-04 15:38:15 -0600
committerMayra Cabrera <mcabrera@gitlab.com>2018-12-24 10:28:40 -0600
commit01ed3a1511be5d2076b5f602839ca0046055dd8b (patch)
treee4f825cfb92c1a2fd470ac3fb3f50ededdeebbd2 /app/policies
parent4a10c813e726d09216c534bb0ad0ae50a0400259 (diff)
downloadgitlab-ce-01ed3a1511be5d2076b5f602839ca0046055dd8b.tar.gz
Allow users to add cluster with ancestors
Include a new policy in Clusterables (projects and groups), which checks if another cluster can be added. The clusterable_has_cluster? and multiple_clusters_available private methods will be overridden in EE. Related to https://gitlab.com/gitlab-org/gitlab-ce/issues/34758
Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/concerns/clusterable_actions.rb14
-rw-r--r--app/policies/group_policy.rb10
-rw-r--r--app/policies/project_policy.rb7
3 files changed, 30 insertions, 1 deletions
diff --git a/app/policies/concerns/clusterable_actions.rb b/app/policies/concerns/clusterable_actions.rb
new file mode 100644
index 00000000000..08ddd742ea9
--- /dev/null
+++ b/app/policies/concerns/clusterable_actions.rb
@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module ClusterableActions
+ private
+
+ # Overridden on EE module
+ def multiple_clusters_available?
+ false
+ end
+
+ def clusterable_has_clusters?
+ !subject.clusters.empty?
+ end
+end
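Review bot: `clusterable_has_clusters?` has no comment, although the commit description says both private methods are overridden in EE; only `multiple_clusters_available?` carries `# Overridden on EE module`. The module also calls `subject` without defining it, so it works only when included in a policy class that provides that reader. A module-level comment such as `# Shared cluster checks for policies whose subject responds to #clusters (projects and groups)` would make that dependency explicit. The conditions in the two policies touched by this commit read `@subject` directly, so the bare `subject` call here is a small inconsistency worth mentioning in the same comment.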
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 6b4e56ef5e4..ac98b80dc5c 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -1,6 +1,8 @@
# frozen_string_literal: true
class GroupPolicy < BasePolicy
+ include ClusterableActions
+
desc "Group is public"
with_options scope: :subject, score: 0
condition(:public_group) { @subject.public? }
@@ -27,6 +29,9 @@ class GroupPolicy < BasePolicy
GroupProjectsFinder.new(group: @subject, current_user: @user, options: { include_subgroups: true }).execute.any?
end
+ condition(:has_clusters, scope: :subject) { clusterable_has_clusters? }
+ condition(:can_have_multiple_clusters) { multiple_clusters_available? }
+
with_options scope: :subject, score: 0
condition(:request_access_enabled) { @subject.request_access_enabled }
@@ -44,7 +49,7 @@ class GroupPolicy < BasePolicy
enable :read_label
end
- rule { admin } .enable :read_group
+ rule { admin }.enable :read_group
rule { has_projects }.policy do
enable :read_group
@@ -66,6 +71,7 @@ class GroupPolicy < BasePolicy
enable :admin_pipeline
enable :admin_build
enable :read_cluster
+ enable :add_cluster
enable :create_cluster
enable :update_cluster
enable :admin_cluster
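Review bot: `add_cluster` is enabled here next to `create_cluster`, but the `prevent` rule added further down this file removes only `add_cluster`, so `create_cluster` stays granted when the group already has a cluster. If any controller or service still authorizes cluster creation with `create_cluster` alone, the single-cluster limit is not applied on that path; those callers are outside this path-limited diff, so this needs confirming. A comment above the new line would record the split, e.g. `# add_cluster gates starting a new cluster; create_cluster alone does not apply the single-cluster limit`. The same applies to the matching `enable :add_cluster` hunk in app/policies/project_policy.rb. The enclosing rule block starts and ends outside the hunk.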
@@ -105,6 +111,8 @@ class GroupPolicy < BasePolicy
rule { owner & (~share_with_group_locked | ~has_parent | ~parent_share_with_group_locked | can_change_parent_share_with_group_lock) }.enable :change_share_with_group_lock
+ rule { ~can_have_multiple_clusters & has_clusters }.prevent :add_cluster
+
def access_level
return GroupMember::NO_ACCESS if @user.nil?
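Review bot: The `prevent :add_cluster` rule is a read-time check on `subject.clusters`, so two requests evaluated before either cluster is saved can both pass it. If the one-cluster limit is meant as a hard guarantee, it should also be enforced where the cluster is persisted (a model validation or database constraint), which is not visible in this diff. At minimum the rule deserves a comment stating its intent, such as `# Without multiple-cluster support, a clusterable that already has a cluster cannot add another`. The identical rule added to app/policies/project_policy.rb has the same property. The class body continues outside the hunk.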
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 1c082945299..bcbd9676f2e 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -2,6 +2,7 @@
class ProjectPolicy < BasePolicy
extend ClassMethods
+ include ClusterableActions
READONLY_FEATURES_WHEN_ARCHIVED = %i[
issue
@@ -103,6 +104,9 @@ class ProjectPolicy < BasePolicy
@subject.feature_available?(:merge_requests, @user)
end
+ condition(:has_clusters, scope: :subject) { clusterable_has_clusters? }
+ condition(:can_have_multiple_clusters) { multiple_clusters_available? }
+
features = %w[
merge_requests
issues
@@ -257,6 +261,7 @@ class ProjectPolicy < BasePolicy
enable :read_pages
enable :update_pages
enable :read_cluster
+ enable :add_cluster
enable :create_cluster
enable :update_cluster
enable :admin_cluster
@@ -381,6 +386,8 @@ class ProjectPolicy < BasePolicy
(can?(:read_project_for_iids) & merge_requests_visible_to_user) | can?(:read_merge_request)
end.enable :read_merge_request_iid
+ rule { ~can_have_multiple_clusters & has_clusters }.prevent :add_cluster
+
private
def team_member?