author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-29 17:11:15 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-29 17:11:34 +0300 |
commit | 222fda90362a3be9e54323af32234d038b99908d (patch) | |
tree | 9678d10e85608009dfe340c635f979e1e2bcc3a6 /spec | |
parent | 4279c892b46b4a9de9f0580cf011173e716ebf6c (diff) |
Add latest changes from gitlab-org/security/gitlab@15-1-stable-ee
Diffstat (limited to 'spec')
-rw-r--r-- | spec/finders/ci/runner_jobs_finder_spec.rb | 53 | ||||
-rw-r--r-- | spec/models/user_spec.rb | 35 | ||||
-rw-r--r-- | spec/requests/api/ci/runners_spec.rb | 17 |
3 files changed, 103 insertions, 2 deletions
diff --git a/spec/finders/ci/runner_jobs_finder_spec.rb b/spec/finders/ci/runner_jobs_finder_spec.rb
index 3569582d70f..755b21ec08f 100644
--- a/spec/finders/ci/runner_jobs_finder_spec.rb
+++ b/spec/finders/ci/runner_jobs_finder_spec.rb
@@ -5,12 +5,17 @@ require 'spec_helper'
 RSpec.describe Ci::RunnerJobsFinder do
   let(:project) { create(:project) }
   let(:runner) { create(:ci_runner, :instance) }
+  let(:user) { create(:user) }
+  let(:params) { {} }
 
-  subject { described_class.new(runner, params).execute }
+  subject { described_class.new(runner, user, params).execute }
+
+  before do
+    project.add_developer(user)
+  end
 
   describe '#execute' do
     context 'when params is empty' do
-      let(:params) { {} }
       let!(:job) { create(:ci_build, runner: runner, project: project) }
       let!(:job1) { create(:ci_build, project: project) }
 
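Review bot: The new `before` hook grants `user` developer access to `project` for every example in the file, so no example in this hunk exercises a user with no membership at all, which is the case a finder-level authorization fix most needs pinned. A context that keeps the hook but places the build in a project the user has never been added to covers it: `let!(:job) { create(:ci_build, runner: runner, project: create(:project)) }` and `it { is_expected.to be_empty }`. Moving `let(:params) { {} }` to the top level is fine since the later contexts override it. The `describe '#execute'` block continues past the end of this hunk.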
@@ -20,6 +25,50 @@ RSpec.describe Ci::RunnerJobsFinder do
       end
     end
 
+    context 'when the user has guest access' do
+      it 'does not returns jobs the user does not have permission to see' do
+        another_project = create(:project)
+        job = create(:ci_build, runner: runner, project: another_project)
+
+        another_project.add_guest(user)
+
+        is_expected.not_to match_array(job)
+      end
+    end
+
+    context 'when the user has permission to read all resources' do
+      let(:user) { create(:user, :admin) }
+
+      it 'returns all the jobs assigned to a runner' do
+        jobs = create_list(:ci_build, 5, runner: runner, project: project)
+
+        is_expected.to match_array(jobs)
+      end
+    end
+
+    context 'when the user has different access levels in different projects' do
+      it 'returns only the jobs the user has permission to see' do
+        guest_project = create(:project)
+        reporter_project = create(:project)
+
+        _guest_jobs = create_list(:ci_build, 2, runner: runner, project: guest_project)
+        reporter_jobs = create_list(:ci_build, 3, runner: runner, project: reporter_project)
+
+        guest_project.add_guest(user)
+        reporter_project.add_reporter(user)
+
+        is_expected.to match_array(reporter_jobs)
+      end
+    end
+
+    context 'when the user has reporter access level or greater' do
+      it 'returns jobs assigned to the Runner that the user has accesss to' do
+        jobs = create_list(:ci_build, 3, runner: runner, project: project)
+
+        is_expected.to match_array(jobs)
+      end
+    end
+
     context 'when params contains status' do
       Ci::HasStatus::AVAILABLE_STATUSES.each do |target_status|
         context "when status is #{target_status}" do
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index dcf6b224009..abc02dd1f55 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
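Review bot: `is_expected.not_to match_array(job)` in the guest-access example is a weak negative assertion: it passes for any result that is not exactly `[job]`, including a result that still leaks `job` alongside other builds, so it does not pin the authorization behaviour the example name promises. Since nothing else is assigned to `runner` in that example, `is_expected.to be_empty` is the precise check, with `is_expected.not_to include(job)` as the minimum. The example descriptions `'does not returns jobs …'` and `'… the user has accesss to'` carry typos worth fixing while the file is being touched. The enclosing `describe '#execute'` starts before this hunk and continues after it.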
@@ -4057,6 +4057,41 @@ RSpec.describe User do end end + describe '#authorized_project_mirrors' do + it 'returns project mirrors where the user has access equal to or above the given level' do + guest_project = create(:project) + reporter_project = create(:project) + maintainer_project = create(:project) + + guest_group = create(:group) + reporter_group = create(:group) + maintainer_group = create(:group) + + _guest_group_project = create(:project, group: guest_group) + reporter_group_project = create(:project, group: reporter_group) + maintainer_group_project = create(:project, group: maintainer_group) + + user = create(:user) + + guest_project.add_guest(user) + reporter_project.add_reporter(user) + maintainer_project.add_maintainer(user) + + guest_group.add_guest(user) + reporter_group.add_reporter(user) + maintainer_group.add_maintainer(user) + + project_mirrors = user.authorized_project_mirrors(Gitlab::Access::REPORTER) + + expect(project_mirrors.pluck(:project_id)).to contain_exactly( + reporter_group_project.id, + maintainer_group_project.id, + reporter_project.id, + maintainer_project.id + ) + end + end + shared_context '#ci_owned_runners' do let(:user) { create(:user) } diff --git a/spec/requests/api/ci/runners_spec.rb b/spec/requests/api/ci/runners_spec.rb index 3000bdc2ce7..31b85a0b1d6 100644 --- a/spec/requests/api/ci/runners_spec.rb +++ b/spec/requests/api/ci/runners_spec.rb 
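Review bot: The new `#authorized_project_mirrors` example calls the method only with `Gitlab::Access::REPORTER`, so an implementation that ignored its argument and hard-coded the reporter threshold would still pass. The fixtures already cover guest, reporter and maintainer memberships, so one more assertion at a different level pins the parameter: `expect(user.authorized_project_mirrors(Gitlab::Access::MAINTAINER).pluck(:project_id)).to contain_exactly(maintainer_group_project.id, maintainer_project.id)`. The `RSpec.describe User` block starts and ends outside this hunk.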
@@ -804,6 +804,23 @@ RSpec.describe API::Ci::Runners do
           expect(json_response).to be_an(Array)
           expect(json_response.length).to eq(2)
         end
+
+        context 'when user does not have authorization to see all jobs' do
+          it 'shows only jobs it has permission to see' do
+            create(:ci_build, :running, runner: two_projects_runner, project: project)
+            create(:ci_build, :running, runner: two_projects_runner, project: project2)
+
+            project.add_guest(user2)
+            project2.add_maintainer(user2)
+            get api("/runners/#{two_projects_runner.id}/jobs", user2)
+
+            expect(response).to have_gitlab_http_status(:ok)
+            expect(response).to include_pagination_headers
+
+            expect(json_response).to be_an(Array)
+            expect(json_response.length).to eq(1)
+          end
+        end
       end
 
       context 'when valid status is provided' do |
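Review bot: The new example asserts only `expect(json_response.length).to eq(1)` and never checks which job came back, so a regression that returned the guest project's build instead of the maintainer project's would still pass. Capture the build the user is allowed to see — `visible_job = create(:ci_build, :running, runner: two_projects_runner, project: project2)` — and add `expect(json_response.first['id']).to eq(visible_job.id)` after the length check. `user2`, `project`, `project2` and `two_projects_runner` are defined outside the hunk, and the enclosing describe block starts before it and continues after it.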