Add latest changes from gitlab-org/security/gitlab@13-12-stable-ee

0799e20f · GitLab Bot · 933025a9 · 0799e20f · 0799e20f · 0799e20f
Commit 0799e20f authored Aug 03, 2021 by GitLab Bot
7 changed files
--- a/app/controllers/projects/pipelines_controller.rb
+++ b/app/controllers/projects/pipelines_controller.rb
@@ -9,7 +9,7 @@ class Projects::PipelinesController < Projects::ApplicationController
  before_action :set_pipeline_path, only: [:show]
  before_action :authorize_read_pipeline!
  before_action :authorize_read_build!, only: [:index, :show]
-  before_action :authorize_read_analytics!, only: [:charts]
+  before_action :authorize_read_ci_cd_analytics!, only: [:charts]
  before_action :authorize_create_pipeline!, only: [:new, :create, :config_variables]
  before_action :authorize_update_pipeline!, only: [:retry, :cancel]
  before_action do

--- a/app/graphql/resolvers/project_pipeline_statistics_resolver.rb
+++ b/app/graphql/resolvers/project_pipeline_statistics_resolver.rb
@@ -2,8 +2,12 @@
 module Resolvers
  class ProjectPipelineStatisticsResolver < BaseResolver
+    include Gitlab::Graphql::Authorize::AuthorizeResource
    type Types::Ci::AnalyticsType, null: true
+    authorizes_object!
+    authorize :read_ci_cd_analytics
    def resolve
      weekly_stats = Gitlab::Ci::Charts::WeekChart.new(object)
      monthly_stats = Gitlab::Ci::Charts::MonthChart.new(object)

--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -264,6 +264,7 @@ class ProjectPolicy < BasePolicy
    enable :read_package
    enable :read_product_analytics
    enable :read_group_timelogs
+    enable :read_ci_cd_analytics
  end
  # We define `:public_user_access` separately because there are cases in gitlab-ee
@@ -460,6 +461,7 @@ class ProjectPolicy < BasePolicy
    prevent(:read_insights)
    prevent(:read_cycle_analytics)
    prevent(:read_repository_graphs)
+    prevent(:read_ci_cd_analytics)
  end
  rule { wiki_disabled }.policy do
@@ -533,6 +535,7 @@ class ProjectPolicy < BasePolicy
    enable :read_cycle_analytics
    enable :read_pages_content
    enable :read_analytics
+    enable :read_ci_cd_analytics
    enable :read_insights
    # NOTE: may be overridden by IssuePolicy

--- a/lib/sidebars/projects/menus/analytics_menu.rb
+++ b/lib/sidebars/projects/menus/analytics_menu.rb
@@ -46,6 +46,7 @@ module Sidebars
        def ci_cd_analytics_menu_item
          if !context.project.feature_available?(:builds, context.current_user) ||
            !can?(context.current_user, :read_build, context.project) ||
+            !can?(context.current_user, :read_ci_cd_analytics, context.project) ||
            context.project.empty_repo?
            return ::Sidebars::NilMenuItem.new(item_id: :ci_cd_analytics)
          end

--- a/spec/graphql/resolvers/project_pipeline_statistics_resolver_spec.rb
+++ b/spec/graphql/resolvers/project_pipeline_statistics_resolver_spec.rb
@@ -5,14 +5,24 @@ require 'spec_helper'
 RSpec.describe Resolvers::ProjectPipelineStatisticsResolver do
  include GraphqlHelpers
-  let_it_be(:project) { create(:project) }
+  let_it_be(:project) { create(:project, :private) }
+  let_it_be(:guest) { create(:user) }
+  let_it_be(:reporter) { create(:user) }
+  let(:current_user) { reporter }
+  before_all do
+    project.add_guest(guest)
+    project.add_reporter(reporter)
+  end
  specify do
    expect(described_class).to have_nullable_graphql_type(::Types::Ci::AnalyticsType)
  end
  def resolve_statistics(project, args)
-    resolve(described_class, obj: project, args: args)
+    ctx = { current_user: current_user }
+    resolve(described_class, obj: project, args: args, ctx: ctx)
  end
  describe '#resolve' do
@@ -32,5 +42,15 @@ RSpec.describe Resolvers::ProjectPipelineStatisticsResolver do
        :pipeline_times_values
      )
    end
+    context 'when the user does not have access to the CI/CD analytics data' do
+      let(:current_user) { guest }
+      it 'returns nil' do
+        result = resolve_statistics(project, {})
+        expect(result).to be_nil
+      end
+    end
  end
 end
--- a/spec/lib/sidebars/projects/menus/analytics_menu_spec.rb
+++ b/spec/lib/sidebars/projects/menus/analytics_menu_spec.rb
@@ -4,15 +4,19 @@ require 'spec_helper'
 RSpec.describe Sidebars::Projects::Menus::AnalyticsMenu do
  let_it_be(:project) { create(:project, :repository) }
+  let_it_be(:guest) do
+    create(:user).tap { |u| project.add_guest(u) }
+  end
-  let(:user) { project.owner }
+  let(:owner) { project.owner }
-  let(:context) { Sidebars::Projects::Context.new(current_user: user, container: project, current_ref: project.repository.root_ref) }
+  let(:current_user) { owner }
+  let(:context) { Sidebars::Projects::Context.new(current_user: current_user, container: project, current_ref: project.repository.root_ref) }
  subject { described_class.new(context) }
  describe '#render?' do
    context 'whe user cannot read analytics' do
-      let(:user) { nil }
+      let(:current_user) { nil }
      it 'returns false' do
        expect(subject.render?).to be false
@@ -79,7 +83,7 @@ RSpec.describe Sidebars::Projects::Menus::AnalyticsMenu do
      end
      describe 'when the user does not have access' do
-        let(:user) { nil }
+        let(:current_user) { guest }
        specify { is_expected.to be_nil }
      end
@@ -99,7 +103,7 @@ RSpec.describe Sidebars::Projects::Menus::AnalyticsMenu do
      end
      describe 'when the user does not have access' do
-        let(:user) { nil }
+        let(:current_user) { nil }
        specify { is_expected.to be_nil }
      end
@@ -111,7 +115,7 @@ RSpec.describe Sidebars::Projects::Menus::AnalyticsMenu do
      specify { is_expected.not_to be_nil }
      describe 'when the user does not have access' do
-        let(:user) { nil }
+        let(:current_user) { nil }
        specify { is_expected.to be_nil }
      end

--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -1099,12 +1099,20 @@ RSpec.describe ProjectPolicy do
      let_it_be(:project_with_analytics_enabled) { create(:project, :analytics_enabled) }
      before do
+        project_with_analytics_disabled.add_guest(guest)
+        project_with_analytics_private.add_guest(guest)
+        project_with_analytics_enabled.add_guest(guest)
+        project_with_analytics_disabled.add_reporter(reporter)
+        project_with_analytics_private.add_reporter(reporter)
+        project_with_analytics_enabled.add_reporter(reporter)
        project_with_analytics_disabled.add_developer(developer)
        project_with_analytics_private.add_developer(developer)
        project_with_analytics_enabled.add_developer(developer)
      end
-      context 'when analytics is enabled for the project' do
+      context 'when analytics is disabled for the project' do
        let(:project) { project_with_analytics_disabled }
        context 'for guest user' do
@@ -1113,6 +1121,16 @@ RSpec.describe ProjectPolicy do
          it { is_expected.to be_disallowed(:read_cycle_analytics) }
          it { is_expected.to be_disallowed(:read_insights) }
          it { is_expected.to be_disallowed(:read_repository_graphs) }
+          it { is_expected.to be_disallowed(:read_ci_cd_analytics) }
+        end
+        context 'for reporter user' do
+          let(:current_user) { reporter }
+          it { is_expected.to be_disallowed(:read_cycle_analytics) }
+          it { is_expected.to be_disallowed(:read_insights) }
+          it { is_expected.to be_disallowed(:read_repository_graphs) }
+          it { is_expected.to be_disallowed(:read_ci_cd_analytics) }
        end
        context 'for developer' do
@@ -1121,6 +1139,7 @@ RSpec.describe ProjectPolicy do
          it { is_expected.to be_disallowed(:read_cycle_analytics) }
          it { is_expected.to be_disallowed(:read_insights) }
          it { is_expected.to be_disallowed(:read_repository_graphs) }
+          it { is_expected.to be_disallowed(:read_ci_cd_analytics) }
        end
      end
@@ -1130,9 +1149,19 @@ RSpec.describe ProjectPolicy do
        context 'for guest user' do
          let(:current_user) { guest }
-          it { is_expected.to be_disallowed(:read_cycle_analytics) }
+          it { is_expected.to be_allowed(:read_cycle_analytics) }
-          it { is_expected.to be_disallowed(:read_insights) }
+          it { is_expected.to be_allowed(:read_insights) }
          it { is_expected.to be_disallowed(:read_repository_graphs) }
+          it { is_expected.to be_disallowed(:read_ci_cd_analytics) }
+        end
+        context 'for reporter user' do
+          let(:current_user) { reporter }
+          it { is_expected.to be_allowed(:read_cycle_analytics) }
+          it { is_expected.to be_allowed(:read_insights) }
+          it { is_expected.to be_allowed(:read_repository_graphs) }
+          it { is_expected.to be_allowed(:read_ci_cd_analytics) }
        end
        context 'for developer' do
@@ -1141,18 +1170,29 @@ RSpec.describe ProjectPolicy do
          it { is_expected.to be_allowed(:read_cycle_analytics) }
          it { is_expected.to be_allowed(:read_insights) }
          it { is_expected.to be_allowed(:read_repository_graphs) }
+          it { is_expected.to be_allowed(:read_ci_cd_analytics) }
        end
      end
      context 'when analytics is enabled for the project' do
-        let(:project) { project_with_analytics_private }
+        let(:project) { project_with_analytics_enabled }
        context 'for guest user' do
          let(:current_user) { guest }
-          it { is_expected.to be_disallowed(:read_cycle_analytics) }
+          it { is_expected.to be_allowed(:read_cycle_analytics) }
-          it { is_expected.to be_disallowed(:read_insights) }
+          it { is_expected.to be_allowed(:read_insights) }
          it { is_expected.to be_disallowed(:read_repository_graphs) }
+          it { is_expected.to be_disallowed(:read_ci_cd_analytics) }
+        end
+        context 'for reporter user' do
+          let(:current_user) { reporter }
+          it { is_expected.to be_allowed(:read_cycle_analytics) }
+          it { is_expected.to be_allowed(:read_insights) }
+          it { is_expected.to be_allowed(:read_repository_graphs) }
+          it { is_expected.to be_allowed(:read_ci_cd_analytics) }
        end
        context 'for developer' do
@@ -1161,6 +1201,7 @@ RSpec.describe ProjectPolicy do
          it { is_expected.to be_allowed(:read_cycle_analytics) }
          it { is_expected.to be_allowed(:read_insights) }
          it { is_expected.to be_allowed(:read_repository_graphs) }
+          it { is_expected.to be_allowed(:read_ci_cd_analytics) }
        end
      end
    end