Add latest changes from gitlab-org/security/gitlab@15-1-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2022-06-29 17:11:15 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2022-06-29 17:11:34 +0300
commit: 222fda90362a3be9e54323af32234d038b99908d (patch)
tree: 9678d10e85608009dfe340c635f979e1e2bcc3a6 /spec
parent: 4279c892b46b4a9de9f0580cf011173e716ebf6c (diff)
3 files changed, 103 insertions, 2 deletions
diff --git a/spec/finders/ci/runner_jobs_finder_spec.rb b/spec/finders/ci/runner_jobs_finder_spec.rb
index 3569582d70f..755b21ec08f 100644
--- a/spec/finders/ci/runner_jobs_finder_spec.rb
+++ b/spec/finders/ci/runner_jobs_finder_spec.rb
@@ -5,12 +5,17 @@ require 'spec_helper'
 RSpec.describe Ci::RunnerJobsFinder do
   let(:project) { create(:project) }
   let(:runner) { create(:ci_runner, :instance) }
+  let(:user) { create(:user) }
+  let(:params) { {} }
 
-  subject { described_class.new(runner, params).execute }
+  subject { described_class.new(runner, user, params).execute }
+
+  before do
+    project.add_developer(user)
+  end
 
   describe '#execute' do
     context 'when params is empty' do
-      let(:params) { {} }
       let!(:job) { create(:ci_build, runner: runner, project: project) }
       let!(:job1) { create(:ci_build, project: project) }
 
@@ -20,6 +25,50 @@ RSpec.describe Ci::RunnerJobsFinder do
       end
     end
 
+    context 'when the user has guest access' do
+      it 'does not returns jobs the user does not have permission to see' do
+        another_project = create(:project)
+        job = create(:ci_build, runner: runner, project: another_project)
+
+        another_project.add_guest(user)
+
+        is_expected.not_to match_array(job)
+      end
+    end
+
+    context 'when the user has permission to read all resources' do
+      let(:user) { create(:user, :admin) }
+
+      it 'returns all the jobs assigned to a runner' do
+        jobs = create_list(:ci_build, 5, runner: runner, project: project)
+
+        is_expected.to match_array(jobs)
+      end
+    end
+
+    context 'when the user has different access levels in different projects' do
+      it 'returns only the jobs the user has permission to see' do
+        guest_project = create(:project)
+        reporter_project = create(:project)
+
+        _guest_jobs = create_list(:ci_build, 2, runner: runner, project: guest_project)
+        reporter_jobs = create_list(:ci_build, 3, runner: runner, project: reporter_project)
+
+        guest_project.add_guest(user)
+        reporter_project.add_reporter(user)
+
+        is_expected.to match_array(reporter_jobs)
+      end
+    end
+
+    context 'when the user has reporter access level or greater' do
+      it 'returns jobs assigned to the Runner that the user has accesss to' do
+        jobs = create_list(:ci_build, 3, runner: runner, project: project)
+
+        is_expected.to match_array(jobs)
+      end
+    end
+
     context 'when params contains status' do
       Ci::HasStatus::AVAILABLE_STATUSES.each do |target_status|
         context "when status is #{target_status}" do
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index dcf6b224009..abc02dd1f55 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -4057,6 +4057,41 @@ RSpec.describe User do
     end
   end
 
+  describe '#authorized_project_mirrors' do
+    it 'returns project mirrors where the user has access equal to or above the given level' do
+      guest_project = create(:project)
+      reporter_project = create(:project)
+      maintainer_project = create(:project)
+
+      guest_group = create(:group)
+      reporter_group = create(:group)
+      maintainer_group = create(:group)
+
+      _guest_group_project = create(:project, group: guest_group)
+      reporter_group_project = create(:project, group: reporter_group)
+      maintainer_group_project = create(:project, group: maintainer_group)
+
+      user = create(:user)
+
+      guest_project.add_guest(user)
+      reporter_project.add_reporter(user)
+      maintainer_project.add_maintainer(user)
+
+      guest_group.add_guest(user)
+      reporter_group.add_reporter(user)
+      maintainer_group.add_maintainer(user)
+
+      project_mirrors = user.authorized_project_mirrors(Gitlab::Access::REPORTER)
+
+      expect(project_mirrors.pluck(:project_id)).to contain_exactly(
+        reporter_group_project.id,
+        maintainer_group_project.id,
+        reporter_project.id,
+        maintainer_project.id
+      )
+    end
+  end
+
   shared_context '#ci_owned_runners' do
     let(:user) { create(:user) }
 
diff --git a/spec/requests/api/ci/runners_spec.rb b/spec/requests/api/ci/runners_spec.rb
index 3000bdc2ce7..31b85a0b1d6 100644
--- a/spec/requests/api/ci/runners_spec.rb
+++ b/spec/requests/api/ci/runners_spec.rb
@@ -804,6 +804,23 @@ RSpec.describe API::Ci::Runners do
             expect(json_response).to be_an(Array)
             expect(json_response.length).to eq(2)
           end
+
+          context 'when user does not have authorization to see all jobs' do
+            it 'shows only jobs it has permission to see' do
+              create(:ci_build, :running, runner: two_projects_runner, project: project)
+              create(:ci_build, :running, runner: two_projects_runner, project: project2)
+
+              project.add_guest(user2)
+              project2.add_maintainer(user2)
+              get api("/runners/#{two_projects_runner.id}/jobs", user2)
+
+              expect(response).to have_gitlab_http_status(:ok)
+              expect(response).to include_pagination_headers
+
+              expect(json_response).to be_an(Array)
+              expect(json_response.length).to eq(1)
+            end
+          end
         end
 
         context 'when valid status is provided' do
author	GitLab Bot <gitlab-bot@gitlab.com>	2022-06-29 17:11:15 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2022-06-29 17:11:34 +0300
commit	222fda90362a3be9e54323af32234d038b99908d (patch)
tree	9678d10e85608009dfe340c635f979e1e2bcc3a6 /spec
parent	4279c892b46b4a9de9f0580cf011173e716ebf6c (diff)