
authorGitLab Bot <gitlab-bot@gitlab.com>2021-12-03 13:11:19 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2021-12-03 13:11:19 +0300
commit9a1e9397b4e378e052af12c697a9fbfd70a24bf5 (patch)
treebda9287282dfaefa0c717f092947f79839e07102 /app
parent9fb816facef888b8fcdbc443af304105c480547b (diff)
Add latest changes from gitlab-org/security/gitlab@14-5-stable-ee
Diffstat (limited to 'app')
-rw-r--r--app/graphql/types/user_interface.rb16
-rw-r--r--app/helpers/search_helper.rb24
-rw-r--r--app/policies/project_policy.rb13
-rw-r--r--app/views/layouts/_search.html.haml5
-rw-r--r--app/views/projects/show.html.haml2
5 files changed, 49 insertions, 11 deletions
diff --git a/app/graphql/types/user_interface.rb b/app/graphql/types/user_interface.rb
index 8c67275eb73..7cc201b6df4 100644
--- a/app/graphql/types/user_interface.rb
+++ b/app/graphql/types/user_interface.rb
@@ -29,7 +29,10 @@ module Types
field :name,
type: GraphQL::Types::String,
null: false,
- description: 'Human-readable name of the user.'
+ resolver_method: :redacted_name,
+ description: 'Human-readable name of the user. ' \
+ 'Will return `****` if the user is a project bot and the requester does not have permission to read resource access tokens.'
+
field :state,
type: Types::UserStateEnum,
null: false,
@@ -121,5 +124,16 @@ module Types
::Types::UserType
end
end
+
+ def redacted_name
+ return object.name unless object.project_bot?
+
+ return object.name if context[:current_user]&.can?(:read_resource_access_tokens, object.projects.first)
+
+ # If the requester does not have permission to read the project bot name,
+ # the API returns an arbitrary string. UI changes will be addressed in a follow up issue:
+ # https://gitlab.com/gitlab-org/gitlab/-/issues/346058
+ '****'
+ end
end
end
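Review bot: `object.projects.first` in the `can?` check picks an arbitrary project with no ordering and yields nil when the bot belongs to no project; with a nil subject the permission check presumably fails, so such a bot's name would be redacted for every requester, including those who should see it — confirm that every project bot in this version is a member of exactly one project. The lookup also issues one query per user resolved, so a GraphQL list of users triggers N queries; memoizing or batch-loading the owning project would avoid that. The guard deserves a why-comment, since the link between a display name and token permissions is not obvious: `# The bot's display name apparently carries information tied to the project's access tokens, hence the :read_resource_access_tokens check — confirm.`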
diff --git a/app/helpers/search_helper.rb b/app/helpers/search_helper.rb
index cb28025c900..aedb7df9e4f 100644
--- a/app/helpers/search_helper.rb
+++ b/app/helpers/search_helper.rb
@@ -201,18 +201,30 @@ module SearchHelper
if @project && @project.repository.root_ref
ref = @ref || @project.repository.root_ref
- result = [
- { category: "In this project", label: _("Files"), url: project_tree_path(@project, ref) },
- { category: "In this project", label: _("Commits"), url: project_commits_path(@project, ref) },
- { category: "In this project", label: _("Network"), url: project_network_path(@project, ref) },
- { category: "In this project", label: _("Graph"), url: project_graph_path(@project, ref) },
+ result = []
+
+ if can?(current_user, :download_code, @project)
+ result.concat([
+ { category: "In this project", label: _("Files"), url: project_tree_path(@project, ref) },
+ { category: "In this project", label: _("Commits"), url: project_commits_path(@project, ref) }
+ ])
+ end
+
+ if can?(current_user, :read_repository_graphs, @project)
+ result.concat([
+ { category: "In this project", label: _("Network"), url: project_network_path(@project, ref) },
+ { category: "In this project", label: _("Graph"), url: project_graph_path(@project, ref) }
+ ])
+ end
+
+ result.concat([
{ category: "In this project", label: _("Issues"), url: project_issues_path(@project) },
{ category: "In this project", label: _("Merge requests"), url: project_merge_requests_path(@project) },
{ category: "In this project", label: _("Milestones"), url: project_milestones_path(@project) },
{ category: "In this project", label: _("Snippets"), url: project_snippets_path(@project) },
{ category: "In this project", label: _("Members"), url: project_project_members_path(@project) },
{ category: "In this project", label: _("Wiki"), url: project_wikis_path(@project) }
- ]
+ ])
if can?(current_user, :read_feature_flag, @project)
result << { category: "In this project", label: _("Feature Flags"), url: project_feature_flags_path(@project) }
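Review bot: Issues, Merge requests, Milestones, Snippets, Members and Wiki are still appended unconditionally in the final `result.concat`, while Files/Commits, Network/Graph and Feature Flags are now each gated on a permission; for consistency the remaining entries could be gated the same way, e.g. appending the Wiki entry only `if can?(current_user, :read_wiki, @project)`. These are autocomplete suggestions only, so the target pages presumably enforce access themselves and this is a consistency point rather than a leak. The enclosing method begins before and continues after this hunk.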
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index d81db357162..b3aa49a00ae 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -93,6 +93,11 @@ class ProjectPolicy < BasePolicy
user.is_a?(DeployToken) && user.has_access_to?(project) && user.write_package_registry
end
+ desc "Deploy token with read access"
+ condition(:download_code_deploy_token) do
+ user.is_a?(DeployToken) && user.has_access_to?(project)
+ end
+
desc "If user is authenticated via CI job token then the target project should be in scope"
condition(:project_allowed_for_job_token) do
!@user&.from_ci_job_token? || @user.ci_job_token_scope.includes?(project)
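Review bot: The new `download_code_deploy_token` condition never checks the token's scope: `user.has_access_to?(project)` only verifies the token belongs to the project, so a deploy token created with only registry or package scopes satisfies it, unlike the sibling condition directly above, which additionally requires `user.write_package_registry`. Unless the read-repository scope is enforced elsewhere on the wiki-clone path, the condition should mirror that pattern, e.g. `user.is_a?(DeployToken) && user.has_access_to?(project) && user.read_repository`. That would also make the `desc "Deploy token with read access"` accurate.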
@@ -506,6 +511,10 @@ class ProjectPolicy < BasePolicy
prevent(:download_wiki_code)
end
+ rule { download_code_deploy_token }.policy do
+ enable :download_wiki_code
+ end
+
rule { builds_disabled | repository_disabled }.policy do
prevent(*create_read_update_admin_destroy(:build))
prevent(*create_read_update_admin_destroy(:pipeline_schedule))
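Review bot: The new `rule { download_code_deploy_token }` enable sits right after a rule that prevents `:download_wiki_code`, and nothing records that the two are meant to combine; the prevent rule's condition begins outside this hunk, so a reader cannot tell from here what still blocks deploy tokens. DeclarativePolicy gives `prevent` precedence over `enable` regardless of ordering, so a one-line comment would make the intent explicit: `# Deploy tokens may clone the wiki; the prevent(:download_wiki_code) above still wins when it applies.`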
@@ -687,12 +696,14 @@ class ProjectPolicy < BasePolicy
rule { project_bot }.enable :project_bot_access
+ rule { can?(:read_all_resources) }.enable :read_resource_access_tokens
+
rule { can?(:admin_project) & resource_access_token_feature_available }.policy do
enable :read_resource_access_tokens
enable :destroy_resource_access_tokens
end
- rule { can?(:read_resource_access_tokens) & resource_access_token_creation_allowed }.policy do
+ rule { can?(:admin_project) & resource_access_token_feature_available & resource_access_token_creation_allowed }.policy do
enable :create_resource_access_tokens
end
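Review bot: The reason `create_resource_access_tokens` no longer derives from `read_resource_access_tokens` is not recorded: the new `rule { can?(:read_all_resources) }` grants read independently of `resource_access_token_feature_available`, and keeping create chained to read would have extended token creation to everyone holding `read_all_resources`. A comment on the create rule would preserve that intent: `# Spelled out rather than derived from :read_resource_access_tokens, which :read_all_resources now grants on its own.` The `can?(:admin_project) & resource_access_token_feature_available` conjunction now appears twice and could be a named condition.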
diff --git a/app/views/layouts/_search.html.haml b/app/views/layouts/_search.html.haml
index 2d186dfbd91..0350dc82e46 100644
--- a/app/views/layouts/_search.html.haml
+++ b/app/views/layouts/_search.html.haml
@@ -29,8 +29,9 @@
= hidden_field_tag :scope, search_context.scope
= hidden_field_tag :search_code, search_context.code_search?
+ - ref = search_context.ref if can?(current_user, :download_code, search_context.project)
= hidden_field_tag :snippets, search_context.for_snippets?
- = hidden_field_tag :repository_ref, search_context.ref
+ = hidden_field_tag :repository_ref, ref
= hidden_field_tag :nav_source, 'navbar'
-# workaround for non-JS feature specs, see spec/support/helpers/search_helpers.rb
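Review bot: Blanking `repository_ref` for users without `:download_code` only changes what the form sends; the hidden field is client-controlled, so the search controller must itself ignore or refuse a `repository_ref` supplied by a requester who cannot download code — confirm it does, otherwise this hunk is cosmetic. When `search_context.project` is nil (global or group search) the `can?` call receives a nil subject and `ref` stays nil, which matches previous behaviour only if `search_context.ref` was already nil outside a project; worth confirming. A short comment would record the intent: `-# ref is only exposed to users who may read the repository; the server side must enforce this independently.`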
@@ -38,4 +39,4 @@
%noscript= button_tag 'Search'
.search-autocomplete-opts.hide{ :'data-autocomplete-path' => search_autocomplete_path,
:'data-autocomplete-project-id' => search_context.project.try(:id),
- :'data-autocomplete-project-ref' => search_context.ref }
+ :'data-autocomplete-project-ref' => ref }
diff --git a/app/views/projects/show.html.haml b/app/views/projects/show.html.haml
index e515f1e7320..1cbb061784e 100644
--- a/app/views/projects/show.html.haml
+++ b/app/views/projects/show.html.haml
@@ -1,5 +1,4 @@
- current_route_path = request.fullpath.match(%r{-/tree/[^/]+/(.+$)}).to_a[1]
-- add_page_startup_graphql_call('repository/path_last_commit', { projectPath: @project.full_path, ref: current_ref, path: current_route_path || "" })
- @content_class = "limit-container-width" unless fluid_layout
- @skip_current_level_breadcrumb = true
- add_page_specific_style 'page_bundles/project'
@@ -14,6 +13,7 @@
= render "home_panel"
- if can?(current_user, :download_code, @project) && @project.repository_languages.present?
+ - add_page_startup_graphql_call('repository/path_last_commit', { projectPath: @project.full_path, ref: current_ref, path: current_route_path || "" })
= repository_languages_bar(@project.repository_languages)
= render "archived_notice", project: @project
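Review bot: The moved `add_page_startup_graphql_call` is now conditioned on `@project.repository_languages.present?` as well as `:download_code`, so a user who may read the repository of a project with no detected languages loses the last-commit prefetch, which the first hunk of this file previously issued unconditionally. The permission gate is the security-relevant part; the languages check is only about rendering the bar, so put the startup call under a `- if can?(current_user, :download_code, @project)` block of its own and nest the `repository_languages.present?` check inside it. If the tree view still issues the query itself when the startup call is absent, this is a lost prefetch rather than a functional break, but the coupling looks accidental.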