Merge branch 'fix/group-bot-build-token-git-access' into 'master'

Add missing Git authentication support for group level bot build tokens See merge request gitlab-org/gitlab!78595

Merge branch 'fix/group-bot-build-token-git-access' into 'master'
Add missing Git authentication support for group level bot build tokens See merge request gitlab-org/gitlab!78595
5e6b9a7d · Mayra Cabrera · 2a36ac0c · 3a1dae66 · 5e6b9a7d · 5e6b9a7d
Commit 5e6b9a7d authored Jan 24, 2022 by Mayra Cabrera
Hide whitespace changes
Inline Side-by-side

Showing with 23 additions and 4 deletions

lib/gitlab/auth.rb lib/gitlab/auth.rb +6 -2

spec/lib/gitlab/auth_spec.rb spec/lib/gitlab/auth_spec.rb +17 -2

No files found.
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -207,7 +207,7 @@ module Gitlab
        return unless valid_scoped_token?(token, all_available_scopes)

        if project && token.user.project_bot?
-          return unless token_bot_in_project?(token.user, project) || token_bot_in_group?(token.user, project)
+          return unless token_bot_in_resource?(token.user, project)
        end

        if token.user.can_log_in_with_non_expired_password? || token.user.project_bot?
@@ -229,6 +229,10 @@ module Gitlab
      end
      # rubocop: enable CodeReuse/ActiveRecord

+      def token_bot_in_resource?(user, project)
+        token_bot_in_project?(user, project) || token_bot_in_group?(user, project)
+      end
+
      def valid_oauth_token?(token)
        token && token.accessible? && valid_scoped_token?(token, Doorkeeper.configuration.scopes)
      end
@@ -309,7 +313,7 @@ module Gitlab
        return unless build.project.builds_enabled?

        if build.user
-          return unless build.user.can_log_in_with_non_expired_password? || (build.user.project_bot? && build.project.bots&.include?(build.user))
+          return unless build.user.can_log_in_with_non_expired_password? || (build.user.project_bot? && token_bot_in_resource?(build.user, build.project))

          # If user is assigned to build, use restricted credentials of user
          Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities)

--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
@@ -156,8 +156,9 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
      let(:username) { 'gitlab-ci-token' }

      context 'for running build' do
-        let!(:build) { create(:ci_build, :running) }
-        let(:project) { build.project }
+        let!(:group) { create(:group) }
+        let!(:project) { create(:project, group: group) }
+        let!(:build) { create(:ci_build, :running, project: project) }

        it 'recognises user-less build' do
          expect(subject).to have_attributes(actor: nil, project: build.project, type: :ci, authentication_abilities: described_class.build_authentication_abilities)
@@ -169,6 +170,20 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
          expect(subject).to have_attributes(actor: build.user, project: build.project, type: :build, authentication_abilities: described_class.build_authentication_abilities)
        end

+        it 'recognises project level bot access token' do
+          build.update(user: create(:user, :project_bot))
+          project.add_maintainer(build.user)
+
+          expect(subject).to have_attributes(actor: build.user, project: build.project, type: :build, authentication_abilities: described_class.build_authentication_abilities)
+        end
+
+        it 'recognises group level bot access token' do
+          build.update(user: create(:user, :project_bot))
+          group.add_maintainer(build.user)
+
+          expect(subject).to have_attributes(actor: build.user, project: build.project, type: :build, authentication_abilities: described_class.build_authentication_abilities)
+        end
+
        it 'fails with blocked user token' do
          build.update(user: create(:user, :blocked))