Commit 03c9b6af authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-only-job-owner-runs-terminal-14-10' into '14-10-stable-ee'

Allow only job owner to run interactive terminal

See merge request gitlab-org/security/gitlab!2433
parents d118e6c4 b0819e77
...@@ -84,7 +84,7 @@ module Ci ...@@ -84,7 +84,7 @@ module Ci
enable :update_commit_status enable :update_commit_status
end end
rule { can?(:update_build) & terminal }.enable :create_build_terminal rule { can?(:update_build) & terminal & owner_of_job }.enable :create_build_terminal
rule { can?(:update_build) }.enable :play_job rule { can?(:update_build) }.enable :play_job
......
...@@ -183,7 +183,7 @@ RSpec.describe Projects::JobsController, :clean_gitlab_redis_shared_state do ...@@ -183,7 +183,7 @@ RSpec.describe Projects::JobsController, :clean_gitlab_redis_shared_state do
end end
context 'with web terminal' do context 'with web terminal' do
let(:job) { create(:ci_build, :running, :with_runner_session, pipeline: pipeline) } let(:job) { create(:ci_build, :running, :with_runner_session, pipeline: pipeline, user: user) }
it 'exposes the terminal path' do it 'exposes the terminal path' do
expect(response).to have_gitlab_http_status(:ok) expect(response).to have_gitlab_http_status(:ok)
...@@ -1284,7 +1284,7 @@ RSpec.describe Projects::JobsController, :clean_gitlab_redis_shared_state do ...@@ -1284,7 +1284,7 @@ RSpec.describe Projects::JobsController, :clean_gitlab_redis_shared_state do
context 'when job exists' do context 'when job exists' do
context 'and it has a terminal' do context 'and it has a terminal' do
let!(:job) { create(:ci_build, :running, :with_runner_session, pipeline: pipeline) } let!(:job) { create(:ci_build, :running, :with_runner_session, pipeline: pipeline, user: user) }
it 'has a job' do it 'has a job' do
get_terminal(id: job.id) get_terminal(id: job.id)
...@@ -1295,7 +1295,7 @@ RSpec.describe Projects::JobsController, :clean_gitlab_redis_shared_state do ...@@ -1295,7 +1295,7 @@ RSpec.describe Projects::JobsController, :clean_gitlab_redis_shared_state do
end end
context 'and does not have a terminal' do context 'and does not have a terminal' do
let!(:job) { create(:ci_build, :running, pipeline: pipeline) } let!(:job) { create(:ci_build, :running, pipeline: pipeline, user: user) }
it 'returns not_found' do it 'returns not_found' do
get_terminal(id: job.id) get_terminal(id: job.id)
...@@ -1324,7 +1324,7 @@ RSpec.describe Projects::JobsController, :clean_gitlab_redis_shared_state do ...@@ -1324,7 +1324,7 @@ RSpec.describe Projects::JobsController, :clean_gitlab_redis_shared_state do
end end
describe 'GET #terminal_websocket_authorize' do describe 'GET #terminal_websocket_authorize' do
let!(:job) { create(:ci_build, :running, :with_runner_session, pipeline: pipeline) } let!(:job) { create(:ci_build, :running, :with_runner_session, pipeline: pipeline, user: user) }
before do before do
project.add_developer(user) project.add_developer(user)
......
...@@ -405,4 +405,52 @@ RSpec.describe Ci::BuildPolicy do ...@@ -405,4 +405,52 @@ RSpec.describe Ci::BuildPolicy do
end end
end end
end end
describe 'ability :create_build_terminal' do
let(:project) { create(:project, :private) }
subject { described_class.new(user, build) }
context 'when user can update_build' do
before do
project.add_maintainer(user)
end
context 'when job has terminal' do
before do
allow(build).to receive(:has_terminal?).and_return(true)
end
context 'when current user is the job owner' do
before do
build.update!(user: user)
end
it { expect_allowed(:create_build_terminal) }
end
context 'when current user is not the job owner' do
it { expect_disallowed(:create_build_terminal) }
end
end
context 'when job does not have terminal' do
before do
allow(build).to receive(:has_terminal?).and_return(false)
build.update!(user: user)
end
it { expect_disallowed(:create_build_terminal) }
end
end
context 'when user cannot update build' do
before do
project.add_guest(user)
allow(build).to receive(:has_terminal?).and_return(true)
end
it { expect_disallowed(:create_build_terminal) }
end
end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment