Disable wiki access with CI_JOB_TOKEN when improper access level

Merge branch 'security-wiki-access-from-jobs-14-10' into '14-10-stable-ee' See merge request gitlab-org/security/gitlab!2408 Changelog: security

Disable wiki access with CI_JOB_TOKEN when improper access level
Merge branch 'security-wiki-access-from-jobs-14-10' into '14-10-stable-ee' See merge request gitlab-org/security/gitlab!2408 Changelog: security
516dbcd8 · Allison Browne · GitLab Release Tools Bot · 0a0775a3 · 516dbcd8 · 516dbcd8
Commit 516dbcd8 authored Apr 29, 2022 by Allison Browne Committed by GitLab Release Tools Bot Apr 29, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 110 additions and 42 deletions

lib/gitlab/git_access_wiki.rb lib/gitlab/git_access_wiki.rb +13 -1

spec/lib/gitlab/git_access_wiki_spec.rb spec/lib/gitlab/git_access_wiki_spec.rb +97 -41

No files found.
--- a/lib/gitlab/git_access_wiki.rb
+++ b/lib/gitlab/git_access_wiki.rb
@@ -31,7 +31,8 @@ module Gitlab
    def check_download_access!
      super

-      raise ForbiddenError, download_forbidden_message if deploy_token && !deploy_token.can?(:download_wiki_code, container)
+      raise ForbiddenError, download_forbidden_message if build_cannot_download?
+      raise ForbiddenError, download_forbidden_message if deploy_token_cannot_download?
    end

    override :check_change_access!
@@ -52,6 +53,17 @@ module Gitlab
    def not_found_message
      error_message(:not_found)
    end
+
+    private
+
+    # when accessing via the CI_JOB_TOKEN
+    def build_cannot_download?
+      build_can_download_code? && !user_access.can_do_action?(download_ability)
+    end
+
+    def deploy_token_cannot_download?
+      deploy_token && !deploy_token.can?(download_ability, container)
+    end
  end
 end


--- a/spec/lib/gitlab/git_access_wiki_spec.rb
+++ b/spec/lib/gitlab/git_access_wiki_spec.rb
@@ -4,8 +4,9 @@ require 'spec_helper'

 RSpec.describe Gitlab::GitAccessWiki do
  let_it_be(:user) { create(:user) }
-  let_it_be(:project) { create(:project, :wiki_repo) }
-  let_it_be(:wiki) { create(:project_wiki, project: project) }
+  let_it_be_with_reload(:project) { create(:project, :wiki_repo) }
+
+  let(:wiki) { create(:project_wiki, project: project) }

  let(:changes) { ['6f6d7e7ed 570e7b2ab refs/heads/master'] }
  let(:authentication_abilities) { %i[read_project download_code push_code] }
@@ -17,6 +18,61 @@ RSpec.describe Gitlab::GitAccessWiki do
                        redirected_path: redirected_path)
  end

+  RSpec.shared_examples 'wiki access by level' do
+    where(:project_visibility, :project_member?, :wiki_access_level, :wiki_repo?, :expected_behavior) do
+      [
+        # Private project - is a project member
+        [Gitlab::VisibilityLevel::PRIVATE, true, ProjectFeature::ENABLED, true, :no_error],
+        [Gitlab::VisibilityLevel::PRIVATE, true, ProjectFeature::PRIVATE, true, :no_error],
+        [Gitlab::VisibilityLevel::PRIVATE, true, ProjectFeature::DISABLED, true, :forbidden_wiki],
+        [Gitlab::VisibilityLevel::PRIVATE, true, ProjectFeature::ENABLED, false, :not_found_wiki],
+        [Gitlab::VisibilityLevel::PRIVATE, true, ProjectFeature::DISABLED, false, :not_found_wiki],
+        [Gitlab::VisibilityLevel::PRIVATE, true, ProjectFeature::PRIVATE, false, :not_found_wiki],
+        # Private project - is NOT a project member
+        [Gitlab::VisibilityLevel::PRIVATE, false, ProjectFeature::ENABLED, true, :not_found_wiki],
+        [Gitlab::VisibilityLevel::PRIVATE, false, ProjectFeature::PRIVATE, true, :not_found_wiki],
+        [Gitlab::VisibilityLevel::PRIVATE, false, ProjectFeature::DISABLED, true, :not_found_wiki],
+        [Gitlab::VisibilityLevel::PRIVATE, false, ProjectFeature::ENABLED, false, :not_found_wiki],
+        [Gitlab::VisibilityLevel::PRIVATE, false, ProjectFeature::DISABLED, false, :not_found_wiki],
+        [Gitlab::VisibilityLevel::PRIVATE, false, ProjectFeature::PRIVATE, false, :not_found_wiki],
+        # Public project - is a project member
+        [Gitlab::VisibilityLevel::PUBLIC, true, ProjectFeature::ENABLED, true, :no_error],
+        [Gitlab::VisibilityLevel::PUBLIC, true, ProjectFeature::PRIVATE, true, :no_error],
+        [Gitlab::VisibilityLevel::PUBLIC, true, ProjectFeature::DISABLED, true, :forbidden_wiki],
+        [Gitlab::VisibilityLevel::PUBLIC, true, ProjectFeature::ENABLED, false, :not_found_wiki],
+        [Gitlab::VisibilityLevel::PUBLIC, true, ProjectFeature::DISABLED, false, :not_found_wiki],
+        [Gitlab::VisibilityLevel::PUBLIC, true, ProjectFeature::PRIVATE, false, :not_found_wiki],
+        # Public project - is NOT a project member
+        [Gitlab::VisibilityLevel::PUBLIC, false, ProjectFeature::ENABLED, true, :no_error],
+        [Gitlab::VisibilityLevel::PUBLIC, false, ProjectFeature::PRIVATE, true, :forbidden_wiki],
+        [Gitlab::VisibilityLevel::PUBLIC, false, ProjectFeature::DISABLED, true, :forbidden_wiki],
+        [Gitlab::VisibilityLevel::PUBLIC, false, ProjectFeature::ENABLED, false, :not_found_wiki],
+        [Gitlab::VisibilityLevel::PUBLIC, false, ProjectFeature::DISABLED, false, :not_found_wiki],
+        [Gitlab::VisibilityLevel::PUBLIC, false, ProjectFeature::PRIVATE, false, :not_found_wiki]
+      ]
+    end
+
+    with_them do
+      before do
+        project.update!(visibility_level: project_visibility)
+        project.add_developer(user) if project_member?
+        project.project_feature.update_attribute(:wiki_access_level, wiki_access_level)
+        allow(wiki.repository).to receive(:exists?).and_return(wiki_repo?)
+      end
+
+      it 'provides access by level' do
+        case expected_behavior
+        when :no_error
+          expect { subject }.not_to raise_error
+        when :forbidden_wiki
+          expect { subject }.to raise_wiki_forbidden
+        when :not_found_wiki
+          expect { subject }.to raise_wiki_not_found
+        end
+      end
+    end
+  end
+
  describe '#push_access_check' do
    subject { access.check('git-receive-pack', changes) }

@@ -28,56 +84,26 @@ RSpec.describe Gitlab::GitAccessWiki do
      it { expect { subject }.not_to raise_error }

      context 'when in a read-only GitLab instance' do
-        let(:message) { "You can't push code to a read-only GitLab instance." }
-
        before do
          allow(Gitlab::Database).to receive(:read_only?) { true }
        end

-        it_behaves_like 'forbidden git access'
+        it_behaves_like 'forbidden git access' do
+          let(:message) { "You can't push code to a read-only GitLab instance." }
+        end
      end
    end

    context 'the user cannot :create_wiki' do
-      it_behaves_like 'not-found git access' do
-        let(:message) { 'The wiki you were looking for could not be found.' }
-      end
+      it { expect { subject }.to raise_wiki_not_found }
    end
  end

  describe '#check_download_access!' do
    subject { access.check('git-upload-pack', Gitlab::GitAccess::ANY) }

-    context 'the user can :download_wiki_code' do
-      before do
-        project.add_developer(user)
-      end
-
-      context 'when wiki feature is disabled' do
-        before do
-          project.project_feature.update_attribute(:wiki_access_level, ProjectFeature::DISABLED)
-        end
-
-        it_behaves_like 'forbidden git access' do
-          let(:message) { include('wiki') }
-        end
-      end
-
-      context 'when the repository does not exist' do
-        before do
-          allow(wiki.repository).to receive(:exists?).and_return(false)
-        end
-
-        it_behaves_like 'not-found git access' do
-          let(:message) { include('for this wiki') }
-        end
-      end
-    end
-
-    context 'the user cannot :download_wiki_code' do
-      it_behaves_like 'not-found git access' do
-        let(:message) { include('wiki') }
-      end
+    context 'when actor is a user' do
+      it_behaves_like 'wiki access by level'
    end

    context 'when the actor is a deploy token' do
@@ -99,10 +125,40 @@ RSpec.describe Gitlab::GitAccessWiki do
      context 'when the wiki is disabled' do
        let(:wiki_access_level) { ProjectFeature::DISABLED }

-        it_behaves_like 'forbidden git access' do
-          let(:message) { 'You are not allowed to download files from this wiki.' }
-        end
+        it { expect { subject }.to raise_wiki_forbidden }
      end
    end
+
+    describe 'when actor is a user provided by build via CI_JOB_TOKEN' do
+      let(:protocol) { 'http' }
+      let(:authentication_abilities) { [:build_download_code] }
+      let(:auth_result_type) { :build }
+
+      before do
+        project.project_feature.update_attribute(:wiki_access_level, wiki_access_level)
+      end
+
+      subject { access.check('git-upload-pack', changes) }
+
+      it_behaves_like 'wiki access by level'
+    end
+  end
+
+  RSpec::Matchers.define :raise_wiki_not_found do
+    match do |actual|
+      expect { actual.call }.to raise_error(Gitlab::GitAccess::NotFoundError, include('wiki'))
+    end
+    def supports_block_expectations?
+      true
+    end
+  end
+
+  RSpec::Matchers.define :raise_wiki_forbidden do
+    match do |actual|
+      expect { subject }.to raise_error(Gitlab::GitAccess::ForbiddenError, include('wiki'))
+    end
+    def supports_block_expectations?
+      true
+    end
  end
 end