diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-03-01 18:33:31 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-03-01 18:33:31 +0000 |
commit | 0fcbe48468f0e566929599dda36b2dedd72e5708 (patch) | |
tree | 0a33f7a23aee7cffaa0d07046c5c0573aec3a7d2 | |
parent | cf599b3cb9210c48820e7d88c4393303aa28826e (diff) | |
download | gitlab-ce-0fcbe48468f0e566929599dda36b2dedd72e5708.tar.gz |
Add latest changes from gitlab-org/security/gitlab@15-8-stable-ee
-rw-r--r-- | app/models/integration.rb | 2 | ||||
-rw-r--r-- | app/services/resource_access_tokens/create_service.rb | 2 | ||||
-rw-r--r-- | doc/development/integrations/index.md | 9 | ||||
-rw-r--r-- | spec/models/integration_spec.rb | 9 | ||||
-rw-r--r-- | spec/services/resource_access_tokens/create_service_spec.rb | 51 |
5 files changed, 29 insertions, 44 deletions
diff --git a/app/models/integration.rb b/app/models/integration.rb index 4e5c90bffa1..54eeab10360 100644 --- a/app/models/integration.rb +++ b/app/models/integration.rb @@ -510,7 +510,7 @@ class Integration < ApplicationRecord end def api_field_names - fields.reject { _1[:type] == 'password' || _1[:name] == 'webhook' }.pluck(:name) + fields.reject { _1[:type] == 'password' }.pluck(:name) end def form_fields diff --git a/app/services/resource_access_tokens/create_service.rb b/app/services/resource_access_tokens/create_service.rb index f6fe23b4555..c6948536053 100644 --- a/app/services/resource_access_tokens/create_service.rb +++ b/app/services/resource_access_tokens/create_service.rb @@ -125,7 +125,7 @@ module ResourceAccessTokens def do_not_allow_owner_access_level_for_project_bot?(access_level) resource.is_a?(Project) && - access_level.to_i == Gitlab::Access::OWNER && + access_level == Gitlab::Access::OWNER && !current_user.can?(:manage_owners, resource) end end diff --git a/doc/development/integrations/index.md b/doc/development/integrations/index.md index ceb64ba2bb7..9fd8fb7eb61 100644 --- a/doc/development/integrations/index.md +++ b/doc/development/integrations/index.md @@ -249,15 +249,6 @@ To expose the integration in the [REST API](../../api/integrations.md): You can also refer to our [REST API style guide](../api_styleguide.md). -Sensitive fields are not exposed over the API. Sensitive fields are those fields that contain any of the following in their name: - -- `key` -- `passphrase` -- `password` -- `secret` -- `token` -- `webhook` - #### GraphQL API Integrations use the `Types::Projects::ServiceType` type by default, diff --git a/spec/models/integration_spec.rb b/spec/models/integration_spec.rb index 3c6f9ad7fea..9b3250e3c08 100644 --- a/spec/models/integration_spec.rb +++ b/spec/models/integration_spec.rb @@ -2,7 +2,7 @@ require 'spec_helper' -RSpec.describe Integration, feature_category: :integrations do +RSpec.describe Integration do using RSpec::Parameterized::TableSyntax let_it_be(:group) { create(:group) } @@ -854,7 +854,6 @@ RSpec.describe Integration, feature_category: :integrations do { name: 'api_key', type: 'password' }, { name: 'password', type: 'password' }, { name: 'password_field', type: 'password' }, - { name: 'webhook' }, { name: 'some_safe_field' }, { name: 'safe_field' }, { name: 'url' }, @@ -882,7 +881,6 @@ RSpec.describe Integration, feature_category: :integrations do field :api_key, type: 'password' field :password, type: 'password' field :password_field, type: 'password' - field :webhook field :some_safe_field field :safe_field field :url @@ -1092,8 +1090,6 @@ RSpec.describe Integration, feature_category: :integrations do field :bar, type: 'password' field :password - field :webhook - field :with_help, help: -> { 'help' } field :select, type: 'select' field :boolean, type: 'checkbox' @@ -1144,7 +1140,7 @@ RSpec.describe Integration, feature_category: :integrations do it 'registers fields in the fields list' do expect(integration.fields.pluck(:name)).to match_array %w[ - foo foo_p foo_dt bar password with_help select boolean webhook + foo foo_p foo_dt bar password with_help select boolean ] expect(integration.api_field_names).to match_array %w[ @@ -1159,7 +1155,6 @@ RSpec.describe Integration, feature_category: :integrations do have_attributes(name: 'foo_dt', type: 'text'), have_attributes(name: 'bar', type: 'password'), have_attributes(name: 'password', type: 'password'), - have_attributes(name: 'webhook', type: 'text'), have_attributes(name: 'with_help', help: 'help'), have_attributes(name: 'select', type: 'select'), have_attributes(name: 'boolean', type: 'checkbox') diff --git a/spec/services/resource_access_tokens/create_service_spec.rb b/spec/services/resource_access_tokens/create_service_spec.rb index a8c8d41ca09..442232920f9 100644 --- a/spec/services/resource_access_tokens/create_service_spec.rb +++ b/spec/services/resource_access_tokens/create_service_spec.rb @@ -27,13 +27,6 @@ RSpec.describe ResourceAccessTokens::CreateService do end end - shared_examples 'correct error message' do - it 'returns correct error message' do - expect(subject.error?).to be true - expect(subject.errors).to include(error_message) - end - end - shared_examples 'allows creation of bot with valid params' do it { expect { subject }.to change { User.count }.by(1) } @@ -207,11 +200,16 @@ RSpec.describe ResourceAccessTokens::CreateService do end context 'when invalid scope is passed' do - let(:error_message) { 'Scopes can only contain available scopes' } let_it_be(:params) { { scopes: [:invalid_scope] } } it_behaves_like 'token creation fails' - it_behaves_like 'correct error message' + + it 'returns the scope error message' do + response = subject + + expect(response.error?).to be true + expect(response.errors).to include("Scopes can only contain available scopes") + end end end @@ -219,7 +217,6 @@ RSpec.describe ResourceAccessTokens::CreateService do let_it_be(:bot_user) { create(:user, :project_bot) } let(:unpersisted_member) { build(:project_member, source: resource, user: bot_user) } - let(:error_message) { 'Could not provision maintainer access to project access token' } before do allow_next_instance_of(ResourceAccessTokens::CreateService) do |service| @@ -229,7 +226,13 @@ RSpec.describe ResourceAccessTokens::CreateService do end it_behaves_like 'token creation fails' - it_behaves_like 'correct error message' + + it 'returns the provisioning error message' do + response = subject + + expect(response.error?).to be true + expect(response.errors).to include("Could not provision maintainer access to project access token") + end end end @@ -243,10 +246,14 @@ RSpec.describe ResourceAccessTokens::CreateService do end shared_examples 'when user does not have permission to create a resource bot' do - let(:error_message) { "User does not have permission to create #{resource_type} access token" } - it_behaves_like 'token creation fails' - it_behaves_like 'correct error message' + + it 'returns the permission error message' do + response = subject + + expect(response.error?).to be true + expect(response.errors).to include("User does not have permission to create #{resource_type} access token") + end end context 'when resource is a project' do @@ -266,19 +273,11 @@ RSpec.describe ResourceAccessTokens::CreateService do let_it_be(:params) { { access_level: Gitlab::Access::OWNER } } context 'when the executor is a MAINTAINER' do - let(:error_message) { 'Could not provision owner access to project access token' } - - context 'with OWNER access_level, in integer format' do - it_behaves_like 'token creation fails' - it_behaves_like 'correct error message' - end - - context 'with OWNER access_level, in string format' do - let(:error_message) { 'Could not provision owner access to project access token' } - let_it_be(:params) { { access_level: Gitlab::Access::OWNER.to_s } } + it 'does not add the bot user with the specified access level in the resource' do + response = subject - it_behaves_like 'token creation fails' - it_behaves_like 'correct error message' + expect(response.error?).to be true + expect(response.errors).to include('Could not provision owner access to project access token') end end |