Commit 0d8e9172 authored by Imre Farkas's avatar Imre Farkas

Merge branch 'authorize_same_project_agent' into 'master'

Authorize the project if it's the agent's project

See merge request gitlab-org/gitlab!48314
parents 2abdaa63 bfa63107
...@@ -19,5 +19,9 @@ module Clusters ...@@ -19,5 +19,9 @@ module Clusters
with: Gitlab::Regex.cluster_agent_name_regex, with: Gitlab::Regex.cluster_agent_name_regex,
message: Gitlab::Regex.cluster_agent_name_regex_message message: Gitlab::Regex.cluster_agent_name_regex_message
} }
def has_access_to?(requested_project)
requested_project == project
end
end end
end end
---
title: Authorize the project for the cluster agent if it is the agent's project
merge_request: 48314
author:
type: changed
...@@ -378,9 +378,12 @@ subjects: ...@@ -378,9 +378,12 @@ subjects:
In a previous step, you configured a `config.yaml` to point to the GitLab projects In a previous step, you configured a `config.yaml` to point to the GitLab projects
the Agent should synchronize. In each of those projects, you must create a `manifest.yaml` the Agent should synchronize. In each of those projects, you must create a `manifest.yaml`
file for the Agent to monitor. You can auto-generate this `manifest.yaml` with a file for the Agent to monitor. You can auto-generate this `manifest.yaml` with a
templating engine or other means. Only public projects are supported as templating engine or other means.
manifest projects. Support for private projects is planned in the issue
[Agent authorization for private manifest projects](https://gitlab.com/gitlab-org/gitlab/-/issues/220912). The agent is authorized to download manifests for the configuration
project, and public projects. Support for other private projects is
planned in the issue [Agent authorization for private manifest
projects](https://gitlab.com/gitlab-org/gitlab/-/issues/220912).
Each time you commit and push a change to this file, the Agent logs the change: Each time you commit and push a change to this file, the Agent logs the change:
......
...@@ -85,9 +85,7 @@ module API ...@@ -85,9 +85,7 @@ module API
get '/project_info' do get '/project_info' do
project = find_project(params[:id]) project = find_project(params[:id])
# TODO sort out authorization for real unless Guest.can?(:download_code, project) || agent.has_access_to?(project)
# https://gitlab.com/gitlab-org/gitlab/-/issues/220912
unless Ability.allowed?(nil, :download_code, project)
not_found! not_found!
end end
......
...@@ -57,4 +57,16 @@ RSpec.describe Clusters::Agent do ...@@ -57,4 +57,16 @@ RSpec.describe Clusters::Agent do
end end
end end
end end
describe '#has_access_to?' do
let(:agent) { build(:cluster_agent) }
it 'has access to own project' do
expect(agent.has_access_to?(agent.project)).to be_truthy
end
it 'does not have access to other projects' do
expect(agent.has_access_to?(create(:project))).to be_falsey
end
end
end end
...@@ -137,9 +137,7 @@ RSpec.describe API::Internal::Kubernetes do ...@@ -137,9 +137,7 @@ RSpec.describe API::Internal::Kubernetes do
include_examples 'agent authentication' include_examples 'agent authentication'
context 'an agent is found' do context 'an agent is found' do
let!(:agent_token) { create(:cluster_agent_token) } let_it_be(:agent_token) { create(:cluster_agent_token) }
let(:agent) { agent_token.agent }
context 'project is public' do context 'project is public' do
let(:project) { create(:project, :public) } let(:project) { create(:project, :public) }
...@@ -186,6 +184,16 @@ RSpec.describe API::Internal::Kubernetes do ...@@ -186,6 +184,16 @@ RSpec.describe API::Internal::Kubernetes do
expect(response).to have_gitlab_http_status(:not_found) expect(response).to have_gitlab_http_status(:not_found)
end end
context 'and agent belongs to project' do
let(:agent_token) { create(:cluster_agent_token, agent: create(:cluster_agent, project: project)) }
it 'returns 200' do
send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
expect(response).to have_gitlab_http_status(:success)
end
end
end end
context 'project is internal' do context 'project is internal' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment