Commit d7d681bb authored by Furkan Ayhan's avatar Furkan Ayhan

Restrict access to project pipeline metrics reports

Public projects can restrict access to pipelines.
However, the metrics_reports endpoint is publicly accessible
even when it is restricted in the UI.

This commit:
- adds metrics_reports to the authorize_read_pipeline! filter.
- adds and refactors tests
parent bc23c3cc
---
title: Restrict access to project pipeline metrics reports
merge_request:
author:
type: security
...@@ -16,7 +16,8 @@ module EE ...@@ -16,7 +16,8 @@ module EE
before_action :whitelist_query_limiting_ee_merge, only: [:merge] before_action :whitelist_query_limiting_ee_merge, only: [:merge]
before_action :whitelist_query_limiting_ee_show, only: [:show] before_action :whitelist_query_limiting_ee_show, only: [:show]
before_action :authorize_read_pipeline!, only: [:container_scanning_reports, :dependency_scanning_reports, :sast_reports, :dast_reports] before_action :authorize_read_pipeline!, only: [:container_scanning_reports, :dependency_scanning_reports,
:sast_reports, :dast_reports, :metrics_reports]
end end
def approve def approve
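Review bot: The `only:` allow-list on `before_action :authorize_read_pipeline!` still omits `license_management_reports`, an action the spec file in this same commit exercises (`describe 'GET #license_management_reports'`); unless that action enforces pipeline visibility by another route, it should be confirmed and, if not, added next to `:metrics_reports`, since an enumerated list is exactly how `metrics_reports` was missed. To make this fail closed, consider keeping the report actions in one frozen constant used by the filter and adding a spec that asserts every `*_reports` action defined on the controller appears in it, so a future report endpoint cannot ship without the check. The enclosing `module EE` body starts and continues outside the hunk.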
...@@ -90,6 +90,29 @@ shared_examples 'approvals' do ...@@ -90,6 +90,29 @@ shared_examples 'approvals' do
end end
end end
shared_examples 'authorize read pipeline' do
context 'public project with private builds' do
let(:comparison_status) { {} }
let(:project) { create(:project, :public, :builds_private) }
it 'restricts access to signed out users' do
sign_out user
subject
expect(response).to have_gitlab_http_status(:not_found)
end
it 'restricts access to other users' do
sign_in create(:user)
subject
expect(response).to have_gitlab_http_status(:not_found)
end
end
end
describe Projects::MergeRequestsController do describe Projects::MergeRequestsController do
include ProjectForksHelper include ProjectForksHelper
...@@ -462,20 +485,7 @@ describe Projects::MergeRequestsController do ...@@ -462,20 +485,7 @@ describe Projects::MergeRequestsController do
end end
end end
context 'public project with private builds' do it_behaves_like 'authorize read pipeline'
let(:comparison_status) { {} }
let(:project) { create(:project, :public, :builds_private) }
before do
sign_out user
end
it 'restricts unauthorized access' do
subject
expect(response).to have_gitlab_http_status(:not_found)
end
end
end end
describe 'GET #container_scanning_reports' do describe 'GET #container_scanning_reports' do
...@@ -545,20 +555,7 @@ describe Projects::MergeRequestsController do ...@@ -545,20 +555,7 @@ describe Projects::MergeRequestsController do
end end
end end
context 'public project with private builds' do it_behaves_like 'authorize read pipeline'
let(:comparison_status) { {} }
let(:project) { create(:project, :public, :builds_private) }
before do
sign_out user
end
it 'restricts unauthorized access' do
subject
expect(response).to have_gitlab_http_status(:not_found)
end
end
end end
describe 'GET #sast_reports' do describe 'GET #sast_reports' do
...@@ -628,20 +625,7 @@ describe Projects::MergeRequestsController do ...@@ -628,20 +625,7 @@ describe Projects::MergeRequestsController do
end end
end end
context 'public project with private builds' do it_behaves_like 'authorize read pipeline'
let(:comparison_status) { {} }
let(:project) { create(:project, :public, :builds_private) }
before do
sign_out user
end
it 'restricts unauthorized access' do
subject
expect(response).to have_gitlab_http_status(:not_found)
end
end
end end
describe 'GET #dast_reports' do describe 'GET #dast_reports' do
...@@ -711,26 +695,7 @@ describe Projects::MergeRequestsController do ...@@ -711,26 +695,7 @@ describe Projects::MergeRequestsController do
end end
end end
context 'public project with private builds' do it_behaves_like 'authorize read pipeline'
let(:comparison_status) { {} }
let(:project) { create(:project, :public, :builds_private) }
it 'restricts access to signed out users' do
sign_out user
subject
expect(response).to have_gitlab_http_status(:not_found)
end
it 'restricts access to other users' do
sign_in create(:user)
subject
expect(response).to have_gitlab_http_status(:not_found)
end
end
end end
describe 'GET #license_management_reports' do describe 'GET #license_management_reports' do
...@@ -868,6 +833,8 @@ describe Projects::MergeRequestsController do ...@@ -868,6 +833,8 @@ describe Projects::MergeRequestsController do
expect(json_response).to eq({ 'status_reason' => 'Failed to parse test reports' }) expect(json_response).to eq({ 'status_reason' => 'Failed to parse test reports' })
end end
end end
it_behaves_like 'authorize read pipeline'
end end
it_behaves_like DescriptionDiffActions do it_behaves_like DescriptionDiffActions do
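Review bot: The new `shared_examples 'authorize read pipeline'` (first hunk of this spec) silently depends on the including group defining `subject` (the report request) and `user` (presumably the signed-in project member it signs out), and it overrides `comparison_status`; a comment stating that contract above `context 'public project with private builds'` would help, e.g. `# Expects the including describe to define subject (the report request) and user (a signed-in member).` Both examples assert only the denial path: with a `:builds_private` project it is worth also asserting that the signed-in member still gets a non-404 response, otherwise a filter that rejects everyone would pass these examples (unless the surrounding describes already cover that, which lies outside these hunks). The `describe` blocks that now call `it_behaves_like 'authorize read pipeline'` all begin outside their hunks, so the presence of `subject` and `user` there cannot be verified from this page.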