Commit 83380b5e authored by GitLab Bot's avatar GitLab Bot

Add latest changes from gitlab-org/security/gitlab@13-8-stable-ee

parent 21585f82
...@@ -9,6 +9,7 @@ class Projects::PipelinesController < Projects::ApplicationController ...@@ -9,6 +9,7 @@ class Projects::PipelinesController < Projects::ApplicationController
before_action :set_pipeline_path, only: [:show] before_action :set_pipeline_path, only: [:show]
before_action :authorize_read_pipeline! before_action :authorize_read_pipeline!
before_action :authorize_read_build!, only: [:index] before_action :authorize_read_build!, only: [:index]
before_action :authorize_read_analytics!, only: [:charts]
before_action :authorize_create_pipeline!, only: [:new, :create, :config_variables] before_action :authorize_create_pipeline!, only: [:new, :create, :config_variables]
before_action :authorize_update_pipeline!, only: [:retry, :cancel] before_action :authorize_update_pipeline!, only: [:retry, :cancel]
before_action do before_action do
......
...@@ -218,6 +218,7 @@ class ProjectPolicy < BasePolicy ...@@ -218,6 +218,7 @@ class ProjectPolicy < BasePolicy
enable :read_pages_content enable :read_pages_content
enable :read_release enable :read_release
enable :read_analytics enable :read_analytics
enable :read_insights
end end
# These abilities are not allowed to admins that are not members of the project, # These abilities are not allowed to admins that are not members of the project,
...@@ -447,6 +448,9 @@ class ProjectPolicy < BasePolicy ...@@ -447,6 +448,9 @@ class ProjectPolicy < BasePolicy
rule { analytics_disabled }.policy do rule { analytics_disabled }.policy do
prevent(:read_analytics) prevent(:read_analytics)
prevent(:read_insights)
prevent(:read_cycle_analytics)
prevent(:read_repository_graphs)
end end
rule { wiki_disabled }.policy do rule { wiki_disabled }.policy do
...@@ -520,6 +524,7 @@ class ProjectPolicy < BasePolicy ...@@ -520,6 +524,7 @@ class ProjectPolicy < BasePolicy
enable :read_cycle_analytics enable :read_cycle_analytics
enable :read_pages_content enable :read_pages_content
enable :read_analytics enable :read_analytics
enable :read_insights
# NOTE: may be overridden by IssuePolicy # NOTE: may be overridden by IssuePolicy
enable :read_issue enable :read_issue
......
---
title: Prevent Denial of Service Attack on gitlab-shell
merge_request:
author:
type: security
---
title: Enforce the analytics enabled project setting for project-level analytics features
merge_request:
author:
type: security
---
title: Perform SSL verification for FortiTokenCloud Integration
merge_request:
author:
type: security
...@@ -61,8 +61,7 @@ module Gitlab ...@@ -61,8 +61,7 @@ module Gitlab
headers: { headers: {
'Content-Type': 'application/json' 'Content-Type': 'application/json'
}.merge(headers), }.merge(headers),
body: body, body: body
verify: false # FTC API Docs specifically mentions to turn off SSL Verification while making requests.
) )
end end
end end
......
...@@ -28,6 +28,7 @@ FactoryBot.define do ...@@ -28,6 +28,7 @@ FactoryBot.define do
forking_access_level { ProjectFeature::ENABLED } forking_access_level { ProjectFeature::ENABLED }
merge_requests_access_level { ProjectFeature::ENABLED } merge_requests_access_level { ProjectFeature::ENABLED }
repository_access_level { ProjectFeature::ENABLED } repository_access_level { ProjectFeature::ENABLED }
analytics_access_level { ProjectFeature::ENABLED }
pages_access_level do pages_access_level do
visibility_level == Gitlab::VisibilityLevel::PUBLIC ? ProjectFeature::ENABLED : ProjectFeature::PRIVATE visibility_level == Gitlab::VisibilityLevel::PUBLIC ? ProjectFeature::ENABLED : ProjectFeature::PRIVATE
end end
...@@ -63,7 +64,8 @@ FactoryBot.define do ...@@ -63,7 +64,8 @@ FactoryBot.define do
repository_access_level: evaluator.repository_access_level, repository_access_level: evaluator.repository_access_level,
pages_access_level: evaluator.pages_access_level, pages_access_level: evaluator.pages_access_level,
metrics_dashboard_access_level: evaluator.metrics_dashboard_access_level, metrics_dashboard_access_level: evaluator.metrics_dashboard_access_level,
operations_access_level: evaluator.operations_access_level operations_access_level: evaluator.operations_access_level,
analytics_access_level: evaluator.analytics_access_level
} }
project.build_project_feature(hash) project.build_project_feature(hash)
...@@ -335,6 +337,9 @@ FactoryBot.define do ...@@ -335,6 +337,9 @@ FactoryBot.define do
trait(:operations_enabled) { operations_access_level { ProjectFeature::ENABLED } } trait(:operations_enabled) { operations_access_level { ProjectFeature::ENABLED } }
trait(:operations_disabled) { operations_access_level { ProjectFeature::DISABLED } } trait(:operations_disabled) { operations_access_level { ProjectFeature::DISABLED } }
trait(:operations_private) { operations_access_level { ProjectFeature::PRIVATE } } trait(:operations_private) { operations_access_level { ProjectFeature::PRIVATE } }
trait(:analytics_enabled) { analytics_access_level { ProjectFeature::ENABLED } }
trait(:analytics_disabled) { analytics_access_level { ProjectFeature::DISABLED } }
trait(:analytics_private) { analytics_access_level { ProjectFeature::PRIVATE } }
trait :auto_devops do trait :auto_devops do
association :auto_devops, factory: :project_auto_devops association :auto_devops, factory: :project_auto_devops
......
...@@ -13,6 +13,8 @@ RSpec.describe Gitlab::Auth::Otp::Strategies::FortiTokenCloud do ...@@ -13,6 +13,8 @@ RSpec.describe Gitlab::Auth::Otp::Strategies::FortiTokenCloud do
let(:otp_verification_url) { url + '/auth' } let(:otp_verification_url) { url + '/auth' }
let(:access_token) { 'an_access_token' } let(:access_token) { 'an_access_token' }
let(:access_token_create_response_body) { '' } let(:access_token_create_response_body) { '' }
let(:access_token_request_body) { { client_id: client_id, client_secret: client_secret } }
let(:headers) { { 'Content-Type': 'application/json' } }
subject(:validate) { described_class.new(user).validate(otp_code) } subject(:validate) { described_class.new(user).validate(otp_code) }
...@@ -27,11 +29,8 @@ RSpec.describe Gitlab::Auth::Otp::Strategies::FortiTokenCloud do ...@@ -27,11 +29,8 @@ RSpec.describe Gitlab::Auth::Otp::Strategies::FortiTokenCloud do
client_secret: client_secret client_secret: client_secret
) )
access_token_request_body = { client_id: client_id,
client_secret: client_secret }
stub_request(:post, access_token_create_url) stub_request(:post, access_token_create_url)
.with(body: JSON(access_token_request_body), headers: { 'Content-Type' => 'application/json' }) .with(body: JSON(access_token_request_body), headers: headers)
.to_return( .to_return(
status: access_token_create_response_status, status: access_token_create_response_status,
body: Gitlab::Json.generate(access_token_create_response_body), body: Gitlab::Json.generate(access_token_create_response_body),
...@@ -81,6 +80,20 @@ RSpec.describe Gitlab::Auth::Otp::Strategies::FortiTokenCloud do ...@@ -81,6 +80,20 @@ RSpec.describe Gitlab::Auth::Otp::Strategies::FortiTokenCloud do
end end
end end
context 'SSL Verification' do
let(:access_token_create_response_status) { 400 }
context 'with `Gitlab::HTTP`' do
it 'does not use a `verify` argument,'\
'thereby always performing SSL verification while making API calls' do
expect(Gitlab::HTTP).to receive(:post)
.with(access_token_create_url, body: JSON(access_token_request_body), headers: headers).and_call_original
validate
end
end
end
def stub_forti_token_cloud_config(forti_token_cloud_settings) def stub_forti_token_cloud_config(forti_token_cloud_settings)
allow(::Gitlab.config.forti_token_cloud).to(receive_messages(forti_token_cloud_settings)) allow(::Gitlab.config.forti_token_cloud).to(receive_messages(forti_token_cloud_settings))
end end
......
...@@ -992,6 +992,78 @@ RSpec.describe ProjectPolicy do ...@@ -992,6 +992,78 @@ RSpec.describe ProjectPolicy do
it { is_expected.to be_allowed(:read_analytics) } it { is_expected.to be_allowed(:read_analytics) }
end end
context 'with various analytics features' do
let_it_be(:project_with_analytics_disabled) { create(:project, :analytics_disabled) }
let_it_be(:project_with_analytics_private) { create(:project, :analytics_private) }
let_it_be(:project_with_analytics_enabled) { create(:project, :analytics_enabled) }
before do
project_with_analytics_disabled.add_developer(developer)
project_with_analytics_private.add_developer(developer)
project_with_analytics_enabled.add_developer(developer)
end
context 'when analytics is enabled for the project' do
let(:project) { project_with_analytics_disabled }
context 'for guest user' do
let(:current_user) { guest }
it { is_expected.to be_disallowed(:read_cycle_analytics) }
it { is_expected.to be_disallowed(:read_insights) }
it { is_expected.to be_disallowed(:read_repository_graphs) }
end
context 'for developer' do
let(:current_user) { developer }
it { is_expected.to be_disallowed(:read_cycle_analytics) }
it { is_expected.to be_disallowed(:read_insights) }
it { is_expected.to be_disallowed(:read_repository_graphs) }
end
end
context 'when analytics is private for the project' do
let(:project) { project_with_analytics_private }
context 'for guest user' do
let(:current_user) { guest }
it { is_expected.to be_disallowed(:read_cycle_analytics) }
it { is_expected.to be_disallowed(:read_insights) }
it { is_expected.to be_disallowed(:read_repository_graphs) }
end
context 'for developer' do
let(:current_user) { developer }
it { is_expected.to be_allowed(:read_cycle_analytics) }
it { is_expected.to be_allowed(:read_insights) }
it { is_expected.to be_allowed(:read_repository_graphs) }
end
end
context 'when analytics is enabled for the project' do
let(:project) { project_with_analytics_private }
context 'for guest user' do
let(:current_user) { guest }
it { is_expected.to be_disallowed(:read_cycle_analytics) }
it { is_expected.to be_disallowed(:read_insights) }
it { is_expected.to be_disallowed(:read_repository_graphs) }
end
context 'for developer' do
let(:current_user) { developer }
it { is_expected.to be_allowed(:read_cycle_analytics) }
it { is_expected.to be_allowed(:read_insights) }
it { is_expected.to be_allowed(:read_repository_graphs) }
end
end
end
context 'project member' do context 'project member' do
let(:project) { private_project } let(:project) { private_project }
......
...@@ -886,6 +886,7 @@ RSpec.describe API::Projects do ...@@ -886,6 +886,7 @@ RSpec.describe API::Projects do
merge_method: 'ff' merge_method: 'ff'
}).tap do |attrs| }).tap do |attrs|
attrs[:operations_access_level] = 'disabled' attrs[:operations_access_level] = 'disabled'
attrs[:analytics_access_level] = 'disabled'
end end
post api('/projects', user), params: project post api('/projects', user), params: project
......
File mode changed from 100644 to 100755
File mode changed from 100644 to 100755
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment