Commit 756fb242 authored by David Fernandez's avatar David Fernandez Committed by GitLab Release Tools Bot

Fix the required access level in the Conan packages finder

Merge branch 'security-conan-packages-finder-min-access-level-14-10' into '14-10-stable-ee'

See merge request gitlab-org/security/gitlab!2485

Changelog: security
parent d118e6c4
......@@ -25,7 +25,7 @@ module Packages
end
def projects_visible_to_current_user
::Project.public_or_visible_to_user(current_user)
::Project.public_or_visible_to_user(current_user, ::Gitlab::Access::REPORTER)
end
end
end
......
# frozen_string_literal: true
class AddInstallableConanPackagesIndexToPackages < Gitlab::Database::Migration[2.0]
disable_ddl_transaction!
INDEX_NAME = 'idx_installable_conan_pkgs_on_project_id_id'
# as defined by Packages::Package.package_types
CONAN_PACKAGE_TYPE = 3
# as defined by Packages::Package::INSTALLABLE_STATUSES
DEFAULT_STATUS = 0
HIDDEN_STATUS = 1
def up
where = "package_type = #{CONAN_PACKAGE_TYPE} AND status IN (#{DEFAULT_STATUS}, #{HIDDEN_STATUS})"
add_concurrent_index :packages_packages,
[:project_id, :id],
where: where,
name: INDEX_NAME
end
def down
remove_concurrent_index_by_name :packages_packages, INDEX_NAME
end
end
1fdb60b1c72b687aa8bede083ac7038097d538dc815e334d74296b1d39c2acb8
\ No newline at end of file
......@@ -26544,6 +26544,8 @@ CREATE UNIQUE INDEX idx_environment_merge_requests_unique_index ON deployment_me
CREATE INDEX idx_geo_con_rep_updated_events_on_container_repository_id ON geo_container_repository_updated_events USING btree (container_repository_id);
CREATE INDEX idx_installable_conan_pkgs_on_project_id_id ON packages_packages USING btree (project_id, id) WHERE ((package_type = 3) AND (status = ANY (ARRAY[0, 1])));
CREATE INDEX idx_installable_helm_pkgs_on_project_id_id ON packages_packages USING btree (project_id, id);
CREATE INDEX idx_installable_npm_pkgs_on_project_id_name_version_id ON packages_packages USING btree (project_id, name, version, id) WHERE ((package_type = 2) AND (status = 0));
......@@ -2,22 +2,53 @@
require 'spec_helper'
RSpec.describe ::Packages::Conan::PackageFinder do
using RSpec::Parameterized::TableSyntax
let_it_be_with_reload(:project) { create(:project) }
let_it_be(:user) { create(:user) }
let_it_be(:project) { create(:project, :public) }
let_it_be(:private_project) { create(:project, :private) }
let_it_be(:conan_package) { create(:conan_package, project: project) }
let_it_be(:conan_package2) { create(:conan_package, project: project) }
let_it_be(:errored_package) { create(:conan_package, :error, project: project) }
let_it_be(:private_package) { create(:conan_package, project: private_project) }
describe '#execute' do
let!(:conan_package) { create(:conan_package, project: project) }
let!(:conan_package2) { create(:conan_package, project: project) }
let(:query) { "#{conan_package.name.split('/').first[0, 3]}%" }
let(:finder) { described_class.new(user, query: query) }
subject { finder.execute }
where(:visibility, :role, :packages_visible) do
:private | :maintainer | true
:private | :developer | true
:private | :reporter | true
:private | :guest | false
:private | :anonymous | false
:internal | :maintainer | true
:internal | :developer | true
:internal | :reporter | true
:internal | :guest | true
:internal | :anonymous | false
:public | :maintainer | true
:public | :developer | true
:public | :reporter | true
:public | :guest | true
:public | :anonymous | true
end
subject { described_class.new(user, query: query).execute }
with_them do
let(:expected_packages) { packages_visible ? [conan_package, conan_package2] : [] }
let(:user) { role == :anonymous ? nil : super() }
context 'packages that are not installable' do
let!(:conan_package3) { create(:conan_package, :error, project: project) }
let!(:non_visible_project) { create(:project, :private) }
let!(:non_visible_conan_package) { create(:conan_package, project: non_visible_project) }
let(:query) { "#{conan_package.name.split('/').first[0, 3]}%" }
before do
project.update_column(:visibility_level, Gitlab::VisibilityLevel.string_options[visibility.to_s])
project.add_user(user, role) unless role == :anonymous
end
it { is_expected.to eq [conan_package, conan_package2] }
it { is_expected.to eq(expected_packages) }
end
end
end
......@@ -19,33 +19,66 @@ RSpec.shared_examples 'conan ping endpoint' do
end
RSpec.shared_examples 'conan search endpoint' do
before do
project.update_column(:visibility_level, Gitlab::VisibilityLevel::PUBLIC)
# Do not pass the HTTP_AUTHORIZATION header,
# in order to test that this public project's packages
# are visible to anonymous search.
get api(url), params: params
end
using RSpec::Parameterized::TableSyntax
subject { json_response['results'] }
context 'returns packages with a matching name' do
let(:params) { { q: package.conan_recipe } }
context 'with a public project' do
before do
project.update!(visibility: 'public')
# Do not pass the HTTP_AUTHORIZATION header,
# in order to test that this public project's packages
# are visible to anonymous search.
get api(url), params: params
end
context 'returns packages with a matching name' do
let(:params) { { q: package.conan_recipe } }
it { is_expected.to contain_exactly(package.conan_recipe) }
end
context 'returns packages using a * wildcard' do
let(:params) { { q: "#{package.name[0, 3]}*" } }
it { is_expected.to contain_exactly(package.conan_recipe) }
it { is_expected.to contain_exactly(package.conan_recipe) }
end
context 'does not return non-matching packages' do
let(:params) { { q: "foo" } }
it { is_expected.to be_blank }
end
end
context 'returns packages using a * wildcard' do
context 'with a private project' do
let(:params) { { q: "#{package.name[0, 3]}*" } }
it { is_expected.to contain_exactly(package.conan_recipe) }
end
where(:role, :packages_visible) do
:maintainer | true
:developer | true
:reporter | true
:guest | false
:anonymous | false
end
context 'does not return non-matching packages' do
let(:params) { { q: "foo" } }
with_them do
before do
project.update!(visibility: 'private')
project.team.truncate
user.project_authorizations.delete_all
project.add_user(user, role) unless role == :anonymous
get api(url), params: params, headers: headers
end
it { is_expected.to be_blank }
if params[:packages_visible]
it { is_expected.to contain_exactly(package.conan_recipe) }
else
it { is_expected.to be_blank }
end
end
end
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment