Restrict CI lint access to pipeline creators

Merge branch 'security-aw-355738-restrict-ci-config-access-14-10' into '14-10-stable-ee'

See merge request gitlab-org/security/gitlab!2515

Changelog: security

app/graphql/resolvers/ci/config_resolver.rb

@@ -12,7 +12,7 @@ module Resolvers
         Should not be requested more than once per request.
       MD
 
-      authorize :read_pipeline
+      authorize :create_pipeline
 
       argument :project_path, GraphQL::Types::ID,
                required: true,

doc/update/index.md

@@ -407,6 +407,9 @@ and [Helm Chart deployments](https://docs.gitlab.com/charts/). They come with ap
 - The upgrade to GitLab 14.10 executes a [concurrent index drop](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/84308) of unneeded
   entries from the `ci_job_artifacts` database table. This could potentially run for multiple minutes, especially if the table has a lot of
   traffic and the migration is unable to acquire a lock. It is advised to let this process finish as restarting may result in data loss.
+- Unauthenticated requests to the [`ciConfig` GraphQL field](../api/graphql/reference/index.md#queryciconfig) are no longer supported.
+  Before you upgrade to GitLab 15.1, add an [access token](../api/index.md#authentication) to your requests.
+  The user creating the token must have [permission](../user/permissions.md) to create pipelines in the project.
 
 ### 14.9.0
 

spec/graphql/resolvers/ci/config_resolver_spec.rb

@@ -7,24 +7,13 @@ RSpec.describe Resolvers::Ci::ConfigResolver do
 
   describe '#resolve' do
     let_it_be(:user) { create(:user) }
-    let_it_be(:project) { create(:project, :repository, creator: user, namespace: user.namespace) }
+    let_it_be(:project) { create(:project, :repository) }
     let_it_be(:sha) { nil }
 
     let_it_be(:content) do
       File.read(Rails.root.join('spec/support/gitlab_stubs/gitlab_ci_includes.yml'))
     end
 
-    let(:ci_lint) do
-      ci_lint_double = instance_double(::Gitlab::Ci::Lint)
-      allow(ci_lint_double).to receive(:validate).and_return(fake_result)
-
-      ci_lint_double
-    end
-
-    before do
-      allow(::Gitlab::Ci::Lint).to receive(:new).and_return(ci_lint)
-    end
-
     subject(:response) do
       resolve(described_class,
               args: { project_path: project.full_path, content: content, sha: sha },
@@ -49,6 +38,20 @@ RSpec.describe Resolvers::Ci::ConfigResolver do
       end
     end
 
+    context 'when the user can create a pipeline' do
+      let(:ci_lint) do
+        ci_lint_double = instance_double(::Gitlab::Ci::Lint)
+        allow(ci_lint_double).to receive(:validate).and_return(fake_result)
+
+        ci_lint_double
+      end
+
+      before do
+        allow(::Gitlab::Ci::Lint).to receive(:new).and_return(ci_lint)
+
+        project.add_developer(user)
+      end
+
       context 'with a valid .gitlab-ci.yml' do
         context 'with a sha' do
           let(:sha) { '1231231' }
@@ -75,7 +78,7 @@ RSpec.describe Resolvers::Ci::ConfigResolver do
 
         it 'responds with errors about invalid syntax' do
           expect(response[:status]).to eq(:invalid)
-        expect(response[:errors]).to eq(['Invalid configuration format'])
+          expect(response[:errors]).to match_array(['Invalid configuration format'])
         end
       end
 
@@ -97,4 +100,15 @@ RSpec.describe Resolvers::Ci::ConfigResolver do
         end
       end
     end
+
+    context 'when the user cannot create a pipeline' do
+      before do
+        project.add_guest(user)
+      end
+
+      it 'returns an error stating that the user cannot access the linting' do
+        expect { response }.to raise_error(::Gitlab::Graphql::Errors::ResourceNotAvailable)
+      end
+    end
+  end
 end