Authorize using read_licenses claim

4ce71931 · mo khan · 0d076e5e · 4ce71931 · 4ce71931 · 4ce71931
Commit 4ce71931 authored Sep 23, 2020 by mo khan
3 changed files
--- a/ee/app/controllers/ee/projects/merge_requests_controller.rb
+++ b/ee/app/controllers/ee/projects/merge_requests_controller.rb
@@ -15,8 +15,8 @@ module EE

        before_action :whitelist_query_limiting_ee_merge, only: [:merge]
        before_action :authorize_read_pipeline!, only: [:container_scanning_reports, :dependency_scanning_reports,
-                                                        :license_scanning_reports,
                                                        :sast_reports, :secret_detection_reports, :dast_reports, :metrics_reports, :coverage_fuzzing_reports]
+        before_action :authorize_read_licenses!, only: [:license_scanning_reports]

        feature_category :container_scanning, only: [:container_scanning_reports]
        feature_category :dependency_scanning, only: [:dependency_scanning_reports]

--- a/ee/changelogs/unreleased/208723-read-licenses.yml
+++ b/ee/changelogs/unreleased/208723-read-licenses.yml
+---
+title: Allow access to license scan report when `read_licenses` claim is satisfied.
+merge_request: 43222
+author:
+type: fixed
--- a/ee/spec/controllers/projects/merge_requests_controller_spec.rb
+++ b/ee/spec/controllers/projects/merge_requests_controller_spec.rb
@@ -733,6 +733,7 @@ RSpec.describe Projects::MergeRequestsController do

  describe 'GET #license_scanning_reports' do
    let(:merge_request) { create(:ee_merge_request, :with_license_scanning_reports, source_project: project, author: create(:user)) }
+    let(:comparison_status) { { status: :parsed, data: { new_licenses: [], existing_licenses: [], removed_licenses: [] } } }

    let(:params) do
      {
@@ -745,6 +746,7 @@ RSpec.describe Projects::MergeRequestsController do
    subject { get :license_scanning_reports, params: params, format: :json }

    before do
+      stub_licensed_features(license_scanning: true)
      allow_any_instance_of(::MergeRequest).to receive(:compare_reports)
        .with(::Ci::CompareLicenseScanningReportsService, viewer).and_return(comparison_status)
    end
@@ -801,8 +803,48 @@ RSpec.describe Projects::MergeRequestsController do
      end
    end

-    context "when authorizing access to license scan reports" do
-      it_behaves_like 'authorize read pipeline'
+    context "when a user is NOT authorized to read licenses on a project" do
+      let(:project) { create(:project, :repository, :private) }
+      let(:viewer) { create(:user) }
+
+      it 'returns a report' do
+        subject
+
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+    end
+
+    context "when a user is authorized to read the licenses" do
+      let(:project) { create(:project, :repository, :private) }
+      let(:viewer) { create(:user) }
+
+      before do
+        project.add_reporter(viewer)
+      end
+
+      it 'returns a report' do
+        subject
+
+        expect(response).to have_gitlab_http_status(:ok)
+      end
+    end
+
+    context "when a maintainer is authorized to read licenses on a merge request from a forked project" do
+      let(:project) { create(:project, :repository, :public, :builds_private) }
+      let(:forked_project) { fork_project(project, nil, repository: true) }
+      let(:merge_request) { create(:ee_merge_request, :with_license_scanning_reports, source_project: forked_project, target_project: project) }
+      let(:viewer) { create(:user) }
+
+      before do
+        project.add_maintainer(viewer)
+        forked_project.add_maintainer(user)
+      end
+
+      it 'returns a report' do
+        subject
+
+        expect(response).to have_gitlab_http_status(:ok)
+      end
    end
  end