summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGitLab Bot <gitlab-bot@gitlab.com>2022-06-29 14:13:03 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-06-29 14:13:26 +0000
commit9ca24e5c1f715a597e694961ac0d60674166039a (patch)
tree833d04ab4a742a478741ddb19a9cd56d27657e87
parente2e6f2f2e9a5a4e84d724864fc4d27a8f1605c64 (diff)
downloadgitlab-ce-9ca24e5c1f715a597e694961ac0d60674166039a.tar.gz
Add latest changes from gitlab-org/security/gitlab@14-10-stable-ee
Diffstat
-rw-r--r--app/finders/packages/conan/package_finder.rb2
-rw-r--r--db/migrate/20220520120637_add_installable_conan_packages_index_to_packages.rb25
-rw-r--r--db/schema_migrations/202205201206371
-rw-r--r--db/structure.sql2
-rw-r--r--spec/finders/packages/conan/package_finder_spec.rb51
-rw-r--r--spec/support/shared_examples/requests/api/conan_packages_shared_examples.rb67
6 files changed, 120 insertions, 28 deletions
diff --git a/app/finders/packages/conan/package_finder.rb b/app/finders/packages/conan/package_finder.rb
index 8ebdd358ba6..210b37635b3 100644
--- a/app/finders/packages/conan/package_finder.rb
+++ b/app/finders/packages/conan/package_finder.rb
@@ -25,7 +25,7 @@ module Packages
end
def projects_visible_to_current_user
- ::Project.public_or_visible_to_user(current_user)
+ ::Project.public_or_visible_to_user(current_user, ::Gitlab::Access::REPORTER)
end
end
end
diff --git a/db/migrate/20220520120637_add_installable_conan_packages_index_to_packages.rb b/db/migrate/20220520120637_add_installable_conan_packages_index_to_packages.rb
new file mode 100644
index 00000000000..b26d1f5429a
--- /dev/null
+++ b/db/migrate/20220520120637_add_installable_conan_packages_index_to_packages.rb
@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+class AddInstallableConanPackagesIndexToPackages < Gitlab::Database::Migration[2.0]
+ disable_ddl_transaction!
+
+ INDEX_NAME = 'idx_installable_conan_pkgs_on_project_id_id'
+ # as defined by Packages::Package.package_types
+ CONAN_PACKAGE_TYPE = 3
+
+ # as defined by Packages::Package::INSTALLABLE_STATUSES
+ DEFAULT_STATUS = 0
+ HIDDEN_STATUS = 1
+
+ def up
+ where = "package_type = #{CONAN_PACKAGE_TYPE} AND status IN (#{DEFAULT_STATUS}, #{HIDDEN_STATUS})"
+ add_concurrent_index :packages_packages,
+ [:project_id, :id],
+ where: where,
+ name: INDEX_NAME
+ end
+
+ def down
+ remove_concurrent_index_by_name :packages_packages, INDEX_NAME
+ end
+end
diff --git a/db/schema_migrations/20220520120637 b/db/schema_migrations/20220520120637
new file mode 100644
index 00000000000..f379ef0d581
--- /dev/null
+++ b/db/schema_migrations/20220520120637
@@ -0,0 +1 @@
+1fdb60b1c72b687aa8bede083ac7038097d538dc815e334d74296b1d39c2acb8 \ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index eaae14bebb8..800f0c3edd0 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -26544,6 +26544,8 @@ CREATE UNIQUE INDEX idx_environment_merge_requests_unique_index ON deployment_me
CREATE INDEX idx_geo_con_rep_updated_events_on_container_repository_id ON geo_container_repository_updated_events USING btree (container_repository_id);
+CREATE INDEX idx_installable_conan_pkgs_on_project_id_id ON packages_packages USING btree (project_id, id) WHERE ((package_type = 3) AND (status = ANY (ARRAY[0, 1])));
+
CREATE INDEX idx_installable_helm_pkgs_on_project_id_id ON packages_packages USING btree (project_id, id);
CREATE INDEX idx_installable_npm_pkgs_on_project_id_name_version_id ON packages_packages USING btree (project_id, name, version, id) WHERE ((package_type = 2) AND (status = 0));
diff --git a/spec/finders/packages/conan/package_finder_spec.rb b/spec/finders/packages/conan/package_finder_spec.rb
index b26f8900090..6848786818b 100644
--- a/spec/finders/packages/conan/package_finder_spec.rb
+++ b/spec/finders/packages/conan/package_finder_spec.rb
@@ -2,22 +2,53 @@
require 'spec_helper'
RSpec.describe ::Packages::Conan::PackageFinder do
+ using RSpec::Parameterized::TableSyntax
+
+ let_it_be_with_reload(:project) { create(:project) }
let_it_be(:user) { create(:user) }
- let_it_be(:project) { create(:project, :public) }
+ let_it_be(:private_project) { create(:project, :private) }
+
+ let_it_be(:conan_package) { create(:conan_package, project: project) }
+ let_it_be(:conan_package2) { create(:conan_package, project: project) }
+ let_it_be(:errored_package) { create(:conan_package, :error, project: project) }
+ let_it_be(:private_package) { create(:conan_package, project: private_project) }
describe '#execute' do
- let!(:conan_package) { create(:conan_package, project: project) }
- let!(:conan_package2) { create(:conan_package, project: project) }
+ let(:query) { "#{conan_package.name.split('/').first[0, 3]}%" }
+ let(:finder) { described_class.new(user, query: query) }
+
+ subject { finder.execute }
+
+ where(:visibility, :role, :packages_visible) do
+ :private | :maintainer | true
+ :private | :developer | true
+ :private | :reporter | true
+ :private | :guest | false
+ :private | :anonymous | false
+
+ :internal | :maintainer | true
+ :internal | :developer | true
+ :internal | :reporter | true
+ :internal | :guest | true
+ :internal | :anonymous | false
+
+ :public | :maintainer | true
+ :public | :developer | true
+ :public | :reporter | true
+ :public | :guest | true
+ :public | :anonymous | true
+ end
- subject { described_class.new(user, query: query).execute }
+ with_them do
+ let(:expected_packages) { packages_visible ? [conan_package, conan_package2] : [] }
+ let(:user) { role == :anonymous ? nil : super() }
- context 'packages that are not installable' do
- let!(:conan_package3) { create(:conan_package, :error, project: project) }
- let!(:non_visible_project) { create(:project, :private) }
- let!(:non_visible_conan_package) { create(:conan_package, project: non_visible_project) }
- let(:query) { "#{conan_package.name.split('/').first[0, 3]}%" }
+ before do
+ project.update_column(:visibility_level, Gitlab::VisibilityLevel.string_options[visibility.to_s])
+ project.add_user(user, role) unless role == :anonymous
+ end
- it { is_expected.to eq [conan_package, conan_package2] }
+ it { is_expected.to eq(expected_packages) }
end
end
end
diff --git a/spec/support/shared_examples/requests/api/conan_packages_shared_examples.rb b/spec/support/shared_examples/requests/api/conan_packages_shared_examples.rb
index 135fa4cf5a4..e6b0772aec1 100644
--- a/spec/support/shared_examples/requests/api/conan_packages_shared_examples.rb
+++ b/spec/support/shared_examples/requests/api/conan_packages_shared_examples.rb
@@ -19,33 +19,66 @@ RSpec.shared_examples 'conan ping endpoint' do
end
RSpec.shared_examples 'conan search endpoint' do
- before do
- project.update_column(:visibility_level, Gitlab::VisibilityLevel::PUBLIC)
-
- # Do not pass the HTTP_AUTHORIZATION header,
- # in order to test that this public project's packages
- # are visible to anonymous search.
- get api(url), params: params
- end
+ using RSpec::Parameterized::TableSyntax
subject { json_response['results'] }
- context 'returns packages with a matching name' do
- let(:params) { { q: package.conan_recipe } }
+ context 'with a public project' do
+ before do
+ project.update!(visibility: 'public')
+
+ # Do not pass the HTTP_AUTHORIZATION header,
+ # in order to test that this public project's packages
+ # are visible to anonymous search.
+ get api(url), params: params
+ end
+
+ context 'returns packages with a matching name' do
+ let(:params) { { q: package.conan_recipe } }
+
+ it { is_expected.to contain_exactly(package.conan_recipe) }
+ end
+
+ context 'returns packages using a * wildcard' do
+ let(:params) { { q: "#{package.name[0, 3]}*" } }
- it { is_expected.to contain_exactly(package.conan_recipe) }
+ it { is_expected.to contain_exactly(package.conan_recipe) }
+ end
+
+ context 'does not return non-matching packages' do
+ let(:params) { { q: "foo" } }
+
+ it { is_expected.to be_blank }
+ end
end
- context 'returns packages using a * wildcard' do
+ context 'with a private project' do
let(:params) { { q: "#{package.name[0, 3]}*" } }
- it { is_expected.to contain_exactly(package.conan_recipe) }
- end
+ where(:role, :packages_visible) do
+ :maintainer | true
+ :developer | true
+ :reporter | true
+ :guest | false
+ :anonymous | false
+ end
- context 'does not return non-matching packages' do
- let(:params) { { q: "foo" } }
+ with_them do
+ before do
+ project.update!(visibility: 'private')
+ project.team.truncate
+ user.project_authorizations.delete_all
+ project.add_user(user, role) unless role == :anonymous
+
+ get api(url), params: params, headers: headers
+ end
- it { is_expected.to be_blank }
+ if params[:packages_visible]
+ it { is_expected.to contain_exactly(package.conan_recipe) }
+ else
+ it { is_expected.to be_blank }
+ end
+ end
end
end
View Lorry Controller Status