Restrict CI lint access to pipeline creators

Merge branch 'security-aw-355738-restrict-ci-config-access-14-10' into '14-10-stable-ee'

See merge request gitlab-org/security/gitlab!2515

Changelog: security

app/graphql/resolvers/ci/config_resolver.rb

@@ -12,7 +12,7 @@ module Resolvers
         Should not be requested more than once per request.
       MD
 
-      authorize :read_pipeline
+      authorize :create_pipeline
 
       argument :project_path, GraphQL::Types::ID,
                required: true,

doc/update/index.md

@@ -407,6 +407,9 @@ and [Helm Chart deployments](https://docs.gitlab.com/charts/). They come with ap
 - The upgrade to GitLab 14.10 executes a [concurrent index drop](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/84308) of unneeded
   entries from the `ci_job_artifacts` database table. This could potentially run for multiple minutes, especially if the table has a lot of
   traffic and the migration is unable to acquire a lock. It is advised to let this process finish as restarting may result in data loss.
+- Unauthenticated requests to the [`ciConfig` GraphQL field](../api/graphql/reference/index.md#queryciconfig) are no longer supported.
+  Before you upgrade to GitLab 15.1, add an [access token](../api/index.md#authentication) to your requests.
+  The user creating the token must have [permission](../user/permissions.md) to create pipelines in the project.
 
 ### 14.9.0
 

spec/graphql/resolvers/ci/config_resolver_spec.rb

@@ -7,24 +7,13 @@ RSpec.describe Resolvers::Ci::ConfigResolver do
 
   describe '#resolve' do
     let_it_be(:user) { create(:user) }
-    let_it_be(:project) { create(:project, :repository, creator: user, namespace: user.namespace) }
+    let_it_be(:project) { create(:project, :repository) }
     let_it_be(:sha) { nil }
 
     let_it_be(:content) do
       File.read(Rails.root.join('spec/support/gitlab_stubs/gitlab_ci_includes.yml'))
     end
 
-    let(:ci_lint) do
-      ci_lint_double = instance_double(::Gitlab::Ci::Lint)
-      allow(ci_lint_double).to receive(:validate).and_return(fake_result)
-
-      ci_lint_double
-    end
-
-    before do
-      allow(::Gitlab::Ci::Lint).to receive(:new).and_return(ci_lint)
-    end
-
     subject(:response) do
       resolve(described_class,
               args: { project_path: project.full_path, content: content, sha: sha },
@@ -49,51 +38,76 @@ RSpec.describe Resolvers::Ci::ConfigResolver do
       end
     end
 
-    context 'with a valid .gitlab-ci.yml' do
-      context 'with a sha' do
-        let(:sha) { '1231231' }
+    context 'when the user can create a pipeline' do
+      let(:ci_lint) do
+        ci_lint_double = instance_double(::Gitlab::Ci::Lint)
+        allow(ci_lint_double).to receive(:validate).and_return(fake_result)
 
-        it_behaves_like 'a valid config file'
+        ci_lint_double
       end
 
-      context 'without a sha' do
-        it_behaves_like 'a valid config file'
+      before do
+        allow(::Gitlab::Ci::Lint).to receive(:new).and_return(ci_lint)
+
+        project.add_developer(user)
       end
-    end
 
-    context 'with an invalid .gitlab-ci.yml' do
-      let(:content) { 'invalid' }
+      context 'with a valid .gitlab-ci.yml' do
+        context 'with a sha' do
+          let(:sha) { '1231231' }
 
-      let(:fake_result) do
-        Gitlab::Ci::Lint::Result.new(
-          jobs: [],
-          merged_yaml: content,
-          errors: ['Invalid configuration format'],
-          warnings: []
-        )
+          it_behaves_like 'a valid config file'
+        end
+
+        context 'without a sha' do
+          it_behaves_like 'a valid config file'
+        end
       end
 
-      it 'responds with errors about invalid syntax' do
-        expect(response[:status]).to eq(:invalid)
-        expect(response[:errors]).to eq(['Invalid configuration format'])
+      context 'with an invalid .gitlab-ci.yml' do
+        let(:content) { 'invalid' }
+
+        let(:fake_result) do
+          Gitlab::Ci::Lint::Result.new(
+            jobs: [],
+            merged_yaml: content,
+            errors: ['Invalid configuration format'],
+            warnings: []
+          )
+        end
+
+        it 'responds with errors about invalid syntax' do
+          expect(response[:status]).to eq(:invalid)
+          expect(response[:errors]).to match_array(['Invalid configuration format'])
+        end
       end
-    end
 
-    context 'with an invalid SHA' do
-      let_it_be(:sha) { ':' }
+      context 'with an invalid SHA' do
+        let_it_be(:sha) { ':' }
 
-      let(:ci_lint) do
-        ci_lint_double = instance_double(::Gitlab::Ci::Lint)
-        allow(ci_lint_double).to receive(:validate).and_raise(GRPC::InvalidArgument)
+        let(:ci_lint) do
+          ci_lint_double = instance_double(::Gitlab::Ci::Lint)
+          allow(ci_lint_double).to receive(:validate).and_raise(GRPC::InvalidArgument)
 
-        ci_lint_double
+          ci_lint_double
+        end
+
+        it 'logs the invalid SHA to Sentry' do
+          expect(Gitlab::ErrorTracking).to receive(:track_and_raise_exception)
+            .with(GRPC::InvalidArgument, sha: ':')
+
+          response
+        end
       end
+    end
 
-      it 'logs the invalid SHA to Sentry' do
-        expect(Gitlab::ErrorTracking).to receive(:track_and_raise_exception)
-          .with(GRPC::InvalidArgument, sha: ':')
+    context 'when the user cannot create a pipeline' do
+      before do
+        project.add_guest(user)
+      end
 
-        response
+      it 'returns an error stating that the user cannot access the linting' do
+        expect { response }.to raise_error(::Gitlab::Graphql::Errors::ResourceNotAvailable)
       end
     end
   end