Commit c3245bc5 authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-conan-packages-finder-min-access-level-14-10' into '14-10-stable-ee'

Fix the required access level in the Conan packages finder

See merge request gitlab-org/security/gitlab!2485
parents d14aa478 756fb242
...@@ -25,7 +25,7 @@ module Packages ...@@ -25,7 +25,7 @@ module Packages
end end
def projects_visible_to_current_user def projects_visible_to_current_user
::Project.public_or_visible_to_user(current_user) ::Project.public_or_visible_to_user(current_user, ::Gitlab::Access::REPORTER)
end end
end end
end end
......
# frozen_string_literal: true
class AddInstallableConanPackagesIndexToPackages < Gitlab::Database::Migration[2.0]
disable_ddl_transaction!
INDEX_NAME = 'idx_installable_conan_pkgs_on_project_id_id'
# as defined by Packages::Package.package_types
CONAN_PACKAGE_TYPE = 3
# as defined by Packages::Package::INSTALLABLE_STATUSES
DEFAULT_STATUS = 0
HIDDEN_STATUS = 1
def up
where = "package_type = #{CONAN_PACKAGE_TYPE} AND status IN (#{DEFAULT_STATUS}, #{HIDDEN_STATUS})"
add_concurrent_index :packages_packages,
[:project_id, :id],
where: where,
name: INDEX_NAME
end
def down
remove_concurrent_index_by_name :packages_packages, INDEX_NAME
end
end
1fdb60b1c72b687aa8bede083ac7038097d538dc815e334d74296b1d39c2acb8
\ No newline at end of file
...@@ -26544,6 +26544,8 @@ CREATE UNIQUE INDEX idx_environment_merge_requests_unique_index ON deployment_me ...@@ -26544,6 +26544,8 @@ CREATE UNIQUE INDEX idx_environment_merge_requests_unique_index ON deployment_me
CREATE INDEX idx_geo_con_rep_updated_events_on_container_repository_id ON geo_container_repository_updated_events USING btree (container_repository_id); CREATE INDEX idx_geo_con_rep_updated_events_on_container_repository_id ON geo_container_repository_updated_events USING btree (container_repository_id);
CREATE INDEX idx_installable_conan_pkgs_on_project_id_id ON packages_packages USING btree (project_id, id) WHERE ((package_type = 3) AND (status = ANY (ARRAY[0, 1])));
CREATE INDEX idx_installable_helm_pkgs_on_project_id_id ON packages_packages USING btree (project_id, id); CREATE INDEX idx_installable_helm_pkgs_on_project_id_id ON packages_packages USING btree (project_id, id);
CREATE INDEX idx_installable_npm_pkgs_on_project_id_name_version_id ON packages_packages USING btree (project_id, name, version, id) WHERE ((package_type = 2) AND (status = 0)); CREATE INDEX idx_installable_npm_pkgs_on_project_id_name_version_id ON packages_packages USING btree (project_id, name, version, id) WHERE ((package_type = 2) AND (status = 0));
...@@ -2,22 +2,53 @@ ...@@ -2,22 +2,53 @@
require 'spec_helper' require 'spec_helper'
RSpec.describe ::Packages::Conan::PackageFinder do RSpec.describe ::Packages::Conan::PackageFinder do
using RSpec::Parameterized::TableSyntax
let_it_be_with_reload(:project) { create(:project) }
let_it_be(:user) { create(:user) } let_it_be(:user) { create(:user) }
let_it_be(:project) { create(:project, :public) } let_it_be(:private_project) { create(:project, :private) }
let_it_be(:conan_package) { create(:conan_package, project: project) }
let_it_be(:conan_package2) { create(:conan_package, project: project) }
let_it_be(:errored_package) { create(:conan_package, :error, project: project) }
let_it_be(:private_package) { create(:conan_package, project: private_project) }
describe '#execute' do describe '#execute' do
let!(:conan_package) { create(:conan_package, project: project) } let(:query) { "#{conan_package.name.split('/').first[0, 3]}%" }
let!(:conan_package2) { create(:conan_package, project: project) } let(:finder) { described_class.new(user, query: query) }
subject { described_class.new(user, query: query).execute } subject { finder.execute }
context 'packages that are not installable' do where(:visibility, :role, :packages_visible) do
let!(:conan_package3) { create(:conan_package, :error, project: project) } :private | :maintainer | true
let!(:non_visible_project) { create(:project, :private) } :private | :developer | true
let!(:non_visible_conan_package) { create(:conan_package, project: non_visible_project) } :private | :reporter | true
let(:query) { "#{conan_package.name.split('/').first[0, 3]}%" } :private | :guest | false
:private | :anonymous | false
:internal | :maintainer | true
:internal | :developer | true
:internal | :reporter | true
:internal | :guest | true
:internal | :anonymous | false
:public | :maintainer | true
:public | :developer | true
:public | :reporter | true
:public | :guest | true
:public | :anonymous | true
end
with_them do
let(:expected_packages) { packages_visible ? [conan_package, conan_package2] : [] }
let(:user) { role == :anonymous ? nil : super() }
before do
project.update_column(:visibility_level, Gitlab::VisibilityLevel.string_options[visibility.to_s])
project.add_user(user, role) unless role == :anonymous
end
it { is_expected.to eq [conan_package, conan_package2] } it { is_expected.to eq(expected_packages) }
end end
end end
end end
...@@ -19,8 +19,13 @@ RSpec.shared_examples 'conan ping endpoint' do ...@@ -19,8 +19,13 @@ RSpec.shared_examples 'conan ping endpoint' do
end end
RSpec.shared_examples 'conan search endpoint' do RSpec.shared_examples 'conan search endpoint' do
using RSpec::Parameterized::TableSyntax
subject { json_response['results'] }
context 'with a public project' do
before do before do
project.update_column(:visibility_level, Gitlab::VisibilityLevel::PUBLIC) project.update!(visibility: 'public')
# Do not pass the HTTP_AUTHORIZATION header, # Do not pass the HTTP_AUTHORIZATION header,
# in order to test that this public project's packages # in order to test that this public project's packages
...@@ -28,8 +33,6 @@ RSpec.shared_examples 'conan search endpoint' do ...@@ -28,8 +33,6 @@ RSpec.shared_examples 'conan search endpoint' do
get api(url), params: params get api(url), params: params
end end
subject { json_response['results'] }
context 'returns packages with a matching name' do context 'returns packages with a matching name' do
let(:params) { { q: package.conan_recipe } } let(:params) { { q: package.conan_recipe } }
...@@ -47,6 +50,36 @@ RSpec.shared_examples 'conan search endpoint' do ...@@ -47,6 +50,36 @@ RSpec.shared_examples 'conan search endpoint' do
it { is_expected.to be_blank } it { is_expected.to be_blank }
end end
end
context 'with a private project' do
let(:params) { { q: "#{package.name[0, 3]}*" } }
where(:role, :packages_visible) do
:maintainer | true
:developer | true
:reporter | true
:guest | false
:anonymous | false
end
with_them do
before do
project.update!(visibility: 'private')
project.team.truncate
user.project_authorizations.delete_all
project.add_user(user, role) unless role == :anonymous
get api(url), params: params, headers: headers
end
if params[:packages_visible]
it { is_expected.to contain_exactly(package.conan_recipe) }
else
it { is_expected.to be_blank }
end
end
end
end end
RSpec.shared_examples 'conan authenticate endpoint' do RSpec.shared_examples 'conan authenticate endpoint' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment