Prevent runners from picking IP restricted jobs

Merge branch 'security-682-jobs-with-restricted-ip-addresses-14-10' into '14-10-stable-ee' See merge request gitlab-org/security/gitlab!2503 Changelog: security

Prevent runners from picking IP restricted jobs
Merge branch 'security-682-jobs-with-restricted-ip-addresses-14-10' into '14-10-stable-ee' See merge request gitlab-org/security/gitlab!2503 Changelog: security
0fad0cdd · Marius Bobin · GitLab Release Tools Bot · 43645436 · 0fad0cdd · 0fad0cdd
Commit 0fad0cdd authored Jun 29, 2022 by Marius Bobin Committed by GitLab Release Tools Bot Jun 29, 2022
5 changed files
--- a/app/models/concerns/enums/ci/commit_status.rb
+++ b/app/models/concerns/enums/ci/commit_status.rb
@@ -35,7 +35,8 @@ module Enums
          bridge_pipeline_is_child_pipeline: 1_006, # not used anymore, but cannot be deleted because of old data
          downstream_pipeline_creation_failed: 1_007,
          secrets_provider_not_found: 1_008,
-          reached_max_descendant_pipelines_depth: 1_009
+          reached_max_descendant_pipelines_depth: 1_009,
+          ip_restriction_failure: 1_010
        }
      end
    end

--- a/app/presenters/commit_status_presenter.rb
+++ b/app/presenters/commit_status_presenter.rb
@@ -30,7 +30,8 @@ class CommitStatusPresenter < Gitlab::View::Presenter::Delegated
    trace_size_exceeded: 'The job log size limit was reached',
    builds_disabled: 'The CI/CD is disabled for this project',
    environment_creation_failure: 'This job could not be executed because it would create an environment with an invalid parameter.',
-    deployment_rejected: 'This deployment job was rejected.'
+    deployment_rejected: 'This deployment job was rejected.',
+    ip_restriction_failure: "This job could not be executed because group IP address restrictions are enabled, and the runner's IP address is not in the allowed range."
  }.freeze

  TROUBLESHOOTING_DOC = {

--- a/ee/app/services/ee/ci/register_job_service.rb
+++ b/ee/app/services/ee/ci/register_job_service.rb
@@ -8,7 +8,8 @@ module EE
      override :pre_assign_runner_checks
      def pre_assign_runner_checks
        super.merge({
-          secrets_provider_not_found: -> (build, _) { build.ci_secrets_management_available? && build.secrets? && !build.secrets_provider? }
+          secrets_provider_not_found: -> (build, _) { build.ci_secrets_management_available? && build.secrets? && !build.secrets_provider? },
+          ip_restriction_failure: ->(build, _) { build.project.group && !::Gitlab::IpRestriction::Enforcer.new(build.project.group).allows_current_ip? }
        })
      end
    end

--- a/ee/spec/services/ci/register_job_service_spec.rb
+++ b/ee/spec/services/ci/register_job_service_spec.rb
@@ -362,4 +362,72 @@ RSpec.describe Ci::RegisterJobService, '#execute' do
      include_examples 'namespace minutes quota'
    end
  end
+
+  describe 'when group has IP address restrictions' do
+    let(:group) { create(:group) }
+    let(:project) { create :project, shared_runners_enabled: true, group: group }
+    let(:group_ip_restriction) { true }
+
+    before do
+      allow(Gitlab::IpAddressState).to receive(:current).and_return('192.168.0.2')
+      stub_licensed_features(group_ip_restriction: group_ip_restriction)
+
+      create(:ip_restriction, group: group, range: range)
+    end
+
+    subject(:result) { described_class.new(shared_runner).execute.build }
+
+    shared_examples 'drops the build' do
+      it 'does not pick the build', :aggregate_failures do
+        expect(result).to be_nil
+        expect(pending_build.reload).to be_failed
+        expect(pending_build.failure_reason).to eq('ip_restriction_failure')
+      end
+    end
+
+    shared_examples 'does not drop the build' do
+      it 'picks the build', :aggregate_failures do
+        expect(result).to be_kind_of(Ci::Build)
+        expect(result).to be_running
+      end
+    end
+
+    context 'address is within the range' do
+      let(:range) { '192.168.0.0/24' }
+
+      it_behaves_like 'does not drop the build'
+
+      context 'when group is subgroup' do
+        let(:sub_group) { create(:group, parent: group) }
+        let(:project) { create :project, shared_runners_enabled: true, group: sub_group }
+
+        it_behaves_like 'does not drop the build'
+      end
+
+      context 'when group_ip_restriction is not available' do
+        let(:group_ip_restriction) { false }
+
+        it_behaves_like 'does not drop the build'
+      end
+    end
+
+    context 'address is outside the range' do
+      let(:range) { '10.0.0.0/8' }
+
+      it_behaves_like 'drops the build'
+
+      context 'when group is subgroup' do
+        let(:sub_group) { create(:group, parent: group) }
+        let(:project) { create :project, shared_runners_enabled: true, group: sub_group }
+
+        it_behaves_like 'drops the build'
+      end
+
+      context 'when group_ip_restriction is not available' do
+        let(:group_ip_restriction) { false }
+
+        it_behaves_like 'does not drop the build'
+      end
+    end
+  end
 end
--- a/lib/gitlab/ci/status/build/failed.rb
+++ b/lib/gitlab/ci/status/build/failed.rb
@@ -35,7 +35,8 @@ module Gitlab
            trace_size_exceeded: 'log size limit exceeded',
            builds_disabled: 'project builds are disabled',
            environment_creation_failure: 'environment creation failure',
-            deployment_rejected: 'deployment rejected'
+            deployment_rejected: 'deployment rejected',
+            ip_restriction_failure: 'IP address restriction failure'
          }.freeze

          private_constant :REASONS