Move Contribution Analytics related spec in spec/features/groups/group_page_with_external_authorization_service_spec to EE

22 files changed, 356 insertions, 10 deletions

diff --git a/app/assets/stylesheets/pages/projects.scss b/app/assets/stylesheets/pages/projects.scss
index 792c618fd40..79558b8604f 100644
--- a/app/assets/stylesheets/pages/projects.scss
+++ b/app/assets/stylesheets/pages/projects.scss
@@ -67,6 +67,10 @@
   }
 }
 
+.classification-label {
+  background-color: $red-500;
+}
+
 .toggle-wrapper {
   margin-top: 5px;
 }
diff --git a/app/controllers/admin/application_settings_controller.rb b/app/controllers/admin/application_settings_controller.rb
index ab792cf7403..b681949ab36 100644
--- a/app/controllers/admin/application_settings_controller.rb
+++ b/app/controllers/admin/application_settings_controller.rb
@@ -124,7 +124,9 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController
   end
 
   def visible_application_setting_attributes
-    ApplicationSettingsHelper.visible_attributes + [
+    [
+      *::ApplicationSettingsHelper.visible_attributes,
+      *::ApplicationSettingsHelper.external_authorization_service_attributes,
       :domain_blacklist_file,
       disabled_oauth_sign_in_sources: [],
       import_sources: [],
diff --git a/app/controllers/concerns/project_unauthorized.rb b/app/controllers/concerns/project_unauthorized.rb
index f59440dbc59..d42363b8b17 100644
--- a/app/controllers/concerns/project_unauthorized.rb
+++ b/app/controllers/concerns/project_unauthorized.rb
@@ -1,10 +1,21 @@
 # frozen_string_literal: true
 
 module ProjectUnauthorized
-  extend ActiveSupport::Concern
-
-  # EE would override this
   def project_unauthorized_proc
-    # no-op
+    lambda do |project|
+      if project
+        label = project.external_authorization_classification_label
+        rejection_reason = nil
+
+        unless ::Gitlab::ExternalAuthorization.access_allowed?(current_user, label)
+          rejection_reason = ::Gitlab::ExternalAuthorization.rejection_reason(current_user, label)
+          rejection_reason ||= _('External authorization denied access to this project')
+        end
+
+        if rejection_reason
+          access_denied!(rejection_reason)
+        end
+      end
+    end
   end
 end
diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index f76e6663995..b7beac00eda 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -343,6 +343,7 @@ class ProjectsController < Projects::ApplicationController
       :container_registry_enabled,
       :default_branch,
       :description,
+      :external_authorization_classification_label,
       :import_url,
       :issues_tracker,
       :issues_tracker_id,
diff --git a/app/helpers/application_settings_helper.rb b/app/helpers/application_settings_helper.rb
index e635f608237..50b5edf7da4 100644
--- a/app/helpers/application_settings_helper.rb
+++ b/app/helpers/application_settings_helper.rb
@@ -119,6 +119,39 @@ module ApplicationSettingsHelper
     options_for_select(options, selected)
   end
 
+  def external_authorization_description
+    _("If enabled, access to projects will be validated on an external service"\
+        " using their classification label.")
+  end
+
+  def external_authorization_timeout_help_text
+    _("Time in seconds GitLab will wait for a response from the external "\
+        "service. When the service does not respond in time, access will be "\
+        "denied.")
+  end
+
+  def external_authorization_url_help_text
+    _("When leaving the URL blank, classification labels can still be "\
+        "specified without disabling cross project features or performing "\
+        "external authorization checks.")
+  end
+
+  def external_authorization_client_certificate_help_text
+    _("The X509 Certificate to use when mutual TLS is required to communicate "\
+        "with the external authorization service. If left blank, the server "\
+        "certificate is still validated when accessing over HTTPS.")
+  end
+
+  def external_authorization_client_key_help_text
+    _("The private key to use when a client certificate is provided. This value "\
+        "is encrypted at rest.")
+  end
+
+  def external_authorization_client_pass_help_text
+    _("The passphrase required to decrypt the private key. This is optional "\
+        "and the value is encrypted at rest.")
+  end
+
   def visible_attributes
     [
       :admin_notification_email,
@@ -237,6 +270,18 @@ module ApplicationSettingsHelper
     ]
   end
 
+  def external_authorization_service_attributes
+    [
+      :external_auth_client_cert,
+      :external_auth_client_key,
+      :external_auth_client_key_pass,
+      :external_authorization_service_default_label,
+      :external_authorization_service_enabled,
+      :external_authorization_service_timeout,
+      :external_authorization_service_url
+    ]
+  end
+
   def expanded_by_default?
     Rails.env.test?
   end
diff --git a/app/helpers/projects_helper.rb b/app/helpers/projects_helper.rb
index 009dd70c2c9..2ac90eb8d9f 100644
--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -303,6 +303,16 @@ module ProjectsHelper
     @path.present?
   end
 
+  def external_classification_label_help_message
+    default_label = ::Gitlab::CurrentSettings.current_application_settings
+                      .external_authorization_service_default_label
+
+    s_(
+      "ExternalAuthorizationService|When no classification label is set the "\
+        "default label `%{default_label}` will be used."
+    ) % { default_label: default_label }
+  end
+
   private
 
   def get_project_nav_tabs(project, current_user)
diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb
index 7ec8505b33a..d28a12413bf 100644
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -213,6 +213,40 @@ class ApplicationSetting < ApplicationRecord
 
   validate :terms_exist, if: :enforce_terms?
 
+  validates :external_authorization_service_default_label,
+            presence: true,
+            if: :external_authorization_service_enabled
+
+  validates :external_authorization_service_url,
+            url: true, allow_blank: true,
+            if: :external_authorization_service_enabled
+
+  validates :external_authorization_service_timeout,
+            numericality: { greater_than: 0, less_than_or_equal_to: 10 },
+            if: :external_authorization_service_enabled
+
+  validates :external_auth_client_key,
+            presence: true,
+            if: -> (setting) { setting.external_auth_client_cert.present? }
+
+  validates_with X509CertificateCredentialsValidator,
+                 certificate: :external_auth_client_cert,
+                 pkey: :external_auth_client_key,
+                 pass: :external_auth_client_key_pass,
+                 if: -> (setting) { setting.external_auth_client_cert.present? }
+
+  attr_encrypted :external_auth_client_key,
+                 mode: :per_attribute_iv,
+                 key: Settings.attr_encrypted_db_key_base_truncated,
+                 algorithm: 'aes-256-gcm',
+                 encode: true
+
+  attr_encrypted :external_auth_client_key_pass,
+                 mode: :per_attribute_iv,
+                 key: Settings.attr_encrypted_db_key_base_truncated,
+                 algorithm: 'aes-256-gcm',
+                 encode: true
+
   before_validation :ensure_uuid!
   before_validation :strip_sentry_values
 
diff --git a/app/models/issue.rb b/app/models/issue.rb
index 97c6dcc4745..eb4c87e05d5 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -230,7 +230,13 @@ class Issue < ApplicationRecord
   def visible_to_user?(user = nil)
     return false unless project && project.feature_available?(:issues, user)
 
-    user ? readable_by?(user) : publicly_visible?
+    return publicly_visible? unless user
+
+    return false unless readable_by?(user)
+
+    user.full_private_access? ||
+      ::Gitlab::ExternalAuthorization.access_allowed?(
+        user, project.external_authorization_classification_label)
   end
 
   def check_for_spam?
@@ -298,7 +304,7 @@ class Issue < ApplicationRecord
 
   # Returns `true` if this Issue is visible to everybody.
   def publicly_visible?
-    project.public? && !confidential?
+    project.public? && !confidential? && !::Gitlab::ExternalAuthorization.enabled?
   end
 
   def expire_etag_cache
diff --git a/app/models/project.rb b/app/models/project.rb
index e2869fc2ad5..97e287d3fa2 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -2062,6 +2062,11 @@ class Project < ApplicationRecord
     fetch_branch_allows_collaboration(user, branch_name)
   end
 
+  def external_authorization_classification_label
+    super || ::Gitlab::CurrentSettings.current_application_settings
+               .external_authorization_service_default_label
+  end
+
   def licensed_features
     []
   end
diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb
index 72de04203a6..5dd2279ef99 100644
--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -22,6 +22,13 @@ class BasePolicy < DeclarativePolicy::Base
     Gitlab::CurrentSettings.current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC)
   end
 
-  # This is prevented in some cases in `gitlab-ee`
+  condition(:external_authorization_enabled, scope: :global, score: 0) do
+    ::Gitlab::ExternalAuthorization.perform_check?
+  end
+
+  rule { external_authorization_enabled & ~full_private_access }.policy do
+    prevent :read_cross_project
+  end
+
   rule { default }.enable :read_cross_project
 end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 26d7d6e84c4..ba38af9c529 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -89,6 +89,15 @@ class ProjectPolicy < BasePolicy
     ::Gitlab::CurrentSettings.current_application_settings.mirror_available
   end
 
+  with_scope :subject
+  condition(:classification_label_authorized, score: 32) do
+    ::Gitlab::ExternalAuthorization.access_allowed?(
+      @user,
+      @subject.external_authorization_classification_label,
+      @subject.full_path
+    )
+  end
+
   # We aren't checking `:read_issue` or `:read_merge_request` in this case
   # because it could be possible for a user to see an issuable-iid
   # (`:read_issue_iid` or `:read_merge_request_iid`) but then wouldn't be
@@ -417,6 +426,25 @@ class ProjectPolicy < BasePolicy
 
   rule { ~can_have_multiple_clusters & has_clusters }.prevent :add_cluster
 
+  rule { ~can?(:read_cross_project) & ~classification_label_authorized }.policy do
+    # Preventing access here still allows the projects to be listed. Listing
+    # projects doesn't check the `:read_project` ability. But instead counts
+    # on the `project_authorizations` table.
+    #
+    # All other actions should explicitly check read project, which would
+    # trigger the `classification_label_authorized` condition.
+    #
+    # `:read_project_for_iids` is not prevented by this condition, as it is
+    # used for cross-project reference checks.
+    prevent :guest_access
+    prevent :public_access
+    prevent :public_user_access
+    prevent :reporter_access
+    prevent :developer_access
+    prevent :maintainer_access
+    prevent :owner_access
+  end
+
   private
 
   def team_member?
diff --git a/app/services/application_settings/update_service.rb b/app/services/application_settings/update_service.rb
index 9146eb96533..7eeaf8aade1 100644
--- a/app/services/application_settings/update_service.rb
+++ b/app/services/application_settings/update_service.rb
@@ -2,9 +2,17 @@
 
 module ApplicationSettings
   class UpdateService < ApplicationSettings::BaseService
+    include ValidatesClassificationLabel
+
     attr_reader :params, :application_setting
 
     def execute
+      validate_classification_label(application_setting, :external_authorization_service_default_label)
+
+      if application_setting.errors.any?
+        return false
+      end
+
       update_terms(@params.delete(:terms))
 
       if params.key?(:performance_bar_allowed_group_path)
diff --git a/app/services/concerns/validates_classification_label.rb b/app/services/concerns/validates_classification_label.rb
new file mode 100644
index 00000000000..ebcf5c24ff8
--- /dev/null
+++ b/app/services/concerns/validates_classification_label.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module ValidatesClassificationLabel
+  def validate_classification_label(record, attribute_name)
+    return unless ::Gitlab::ExternalAuthorization.enabled?
+    return unless classification_label_change?(record, attribute_name)
+
+    new_label = params[attribute_name].presence
+    new_label ||= ::Gitlab::CurrentSettings.current_application_settings
+                    .external_authorization_service_default_label
+
+    unless ::Gitlab::ExternalAuthorization.access_allowed?(current_user, new_label)
+      reason = rejection_reason_for_label(new_label)
+      message = s_('ClassificationLabelUnavailable|is unavailable: %{reason}') % { reason: reason }
+      record.errors.add(attribute_name, message)
+    end
+  end
+
+  def rejection_reason_for_label(label)
+    reason_from_service = ::Gitlab::ExternalAuthorization.rejection_reason(current_user, label).presence
+    reason_from_service || _("Access to '%{classification_label}' not allowed") % { classification_label: label }
+  end
+
+  def classification_label_change?(record, attribute_name)
+    params.key?(attribute_name) || record.new_record?
+  end
+end
diff --git a/app/services/projects/create_service.rb b/app/services/projects/create_service.rb
index d03137b63b2..3723c5ef7d7 100644
--- a/app/services/projects/create_service.rb
+++ b/app/services/projects/create_service.rb
@@ -2,6 +2,8 @@
 
 module Projects
   class CreateService < BaseService
+    include ValidatesClassificationLabel
+
     def initialize(user, params)
       @current_user, @params = user, params.dup
       @skip_wiki = @params.delete(:skip_wiki)
@@ -45,6 +47,8 @@ module Projects
       relations_block&.call(@project)
       yield(@project) if block_given?
 
+      validate_classification_label(@project, :external_authorization_classification_label)
+
       # If the block added errors, don't try to save the project
       return @project if @project.errors.any?
 
diff --git a/app/services/projects/update_service.rb b/app/services/projects/update_service.rb
index 6856009b395..bc36bb8659d 100644
--- a/app/services/projects/update_service.rb
+++ b/app/services/projects/update_service.rb
@@ -3,6 +3,7 @@
 module Projects
   class UpdateService < BaseService
     include UpdateVisibilityLevel
+    include ValidatesClassificationLabel
 
     ValidationError = Class.new(StandardError)
 
@@ -14,6 +15,8 @@ module Projects
 
       yield if block_given?
 
+      validate_classification_label(project, :external_authorization_classification_label)
+
       # If the block added errors, don't try to save the project
       return update_failed! if project.errors.any?
 
diff --git a/app/validators/x509_certificate_credentials_validator.rb b/app/validators/x509_certificate_credentials_validator.rb
new file mode 100644
index 00000000000..d2f18e956c3
--- /dev/null
+++ b/app/validators/x509_certificate_credentials_validator.rb
@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+
+# X509CertificateCredentialsValidator
+#
+# Custom validator to check if certificate-attribute was signed using the
+# private key stored in an attrebute.
+#
+# This can be used as an `ActiveModel::Validator` as follows:
+#
+#   validates_with X509CertificateCredentialsValidator,
+#                  certificate: :client_certificate,
+#                  pkey: :decrypted_private_key,
+#                  pass: :decrypted_passphrase
+#
+#
+# Required attributes:
+# - certificate: The name of the accessor that returns the certificate to check
+# - pkey: The name of the accessor that returns the private key
+# Optional:
+# - pass: The name of the accessor that returns the passphrase to decrypt the
+#         private key
+class X509CertificateCredentialsValidator < ActiveModel::Validator
+  def initialize(*args)
+    super
+
+    # We can't validate if we don't have a private key or certificate attributes
+    # in which case this validator is useless.
+    if options[:pkey].nil? || options[:certificate].nil?
+      raise 'Provide at least `certificate` and `pkey` attribute names'
+    end
+  end
+
+  def validate(record)
+    unless certificate = read_certificate(record)
+      record.errors.add(options[:certificate], _('is not a valid X509 certificate.'))
+    end
+
+    unless private_key = read_private_key(record)
+      record.errors.add(options[:pkey], _('could not read private key, is the passphrase correct?'))
+    end
+
+    return if private_key.nil? || certificate.nil?
+
+    unless certificate.public_key.fingerprint == private_key.public_key.fingerprint
+      record.errors.add(options[:pkey], _('private key does not match certificate.'))
+    end
+  end
+
+  private
+
+  def read_private_key(record)
+    OpenSSL::PKey.read(pkey(record).to_s, pass(record).to_s)
+  rescue OpenSSL::PKey::PKeyError, ArgumentError
+    # When the primary key could not be read, an ArgumentError is raised.
+    # This hapens when the passed key is not valid or the passphrase is incorrect
+    nil
+  end
+
+  def read_certificate(record)
+    OpenSSL::X509::Certificate.new(certificate(record).to_s)
+  rescue OpenSSL::X509::CertificateError
+    nil
+  end
+
+  # rubocop:disable GitlabSecurity/PublicSend
+  #
+  # Allowing `#public_send` here because we don't want the validator to really
+  # care about the names of the attributes or where they come from.
+  #
+  # The credentials are mostly stored encrypted so we need to go through the
+  # accessors to get the values, `read_attribute` bypasses those.
+  def certificate(record)
+    record.public_send(options[:certificate])
+  end
+
+  def pkey(record)
+    record.public_send(options[:pkey])
+  end
+
+  def pass(record)
+    return unless options[:pass]
+
+    record.public_send(options[:pass])
+  end
+  # rubocop:enable GitlabSecurity/PublicSend
+end
diff --git a/app/views/admin/application_settings/_external_authorization_service_form.html.haml b/app/views/admin/application_settings/_external_authorization_service_form.html.haml
new file mode 100644
index 00000000000..01f6c7afe61
--- /dev/null
+++ b/app/views/admin/application_settings/_external_authorization_service_form.html.haml
@@ -0,0 +1,51 @@
+%section.settings.as-external-auth.no-animate#js-external-auth-settings{ class: ('expanded' if expanded) }
+  .settings-header
+    %h4
+      = _('External authentication')
+    %button.btn.js-settings-toggle{ type: 'button' }
+      = expanded ? 'Collapse' : 'Expand'
+    %p
+    = _('External Classification Policy Authorization')
+  .settings-content
+
+    = form_for @application_setting, url: admin_application_settings_path(anchor: 'js-external-auth-settings'), html: { class: 'fieldset-form' } do |f|
+      = form_errors(@application_setting)
+
+      %fieldset
+        .form-group
+          .form-check
+            = f.check_box :external_authorization_service_enabled, class: 'form-check-input'
+            = f.label :external_authorization_service_enabled, class: 'form-check-label' do
+              = _('Enable classification control using an external service')
+          %span.form-text.text-muted
+            = external_authorization_description
+            = link_to icon('question-circle'), help_page_path('user/admin_area/settings/external_authorization')
+        .form-group
+          = f.label :external_authorization_service_url, _('Service URL'), class: 'label-bold'
+          = f.text_field :external_authorization_service_url, class: 'form-control'
+          %span.form-text.text-muted
+            = external_authorization_url_help_text
+        .form-group
+          = f.label :external_authorization_service_timeout, _('External authorization request timeout'), class: 'label-bold'
+          = f.number_field :external_authorization_service_timeout, class: 'form-control', min: 0.001, max: 10, step: 0.001
+          %span.form-text.text-muted
+            = external_authorization_timeout_help_text
+          = f.label :external_auth_client_cert, _('Client authentication certificate'), class: 'label-bold'
+          = f.text_area :external_auth_client_cert, class: 'form-control'
+          %span.form-text.text-muted
+            = external_authorization_client_certificate_help_text
+        .form-group
+          = f.label :external_auth_client_key, _('Client authentication key'), class: 'label-bold'
+          = f.text_area :external_auth_client_key, class: 'form-control'
+          %span.form-text.text-muted
+            = external_authorization_client_key_help_text
+        .form-group
+          = f.label :external_auth_client_key_pass, _('Client authentication key password'), class: 'label-bold'
+          = f.password_field :external_auth_client_key_pass, class: 'form-control'
+          %span.form-text.text-muted
+            = external_authorization_client_pass_help_text
+        .form-group
+          = f.label :external_authorization_service_default_label, _('Default classification label'), class: 'label-bold'
+          = f.text_field :external_authorization_service_default_label, class: 'form-control'
+
+      = f.submit 'Save changes', class: "btn btn-success"
diff --git a/app/views/admin/application_settings/show.html.haml b/app/views/admin/application_settings/show.html.haml
index fc9dd29b8ca..31f18ba0d56 100644
--- a/app/views/admin/application_settings/show.html.haml
+++ b/app/views/admin/application_settings/show.html.haml
@@ -68,7 +68,7 @@
   .settings-content
     = render 'terms'
 
-= render_if_exists 'admin/application_settings/external_authorization_service_form', expanded: expanded_by_default?
+= render 'admin/application_settings/external_authorization_service_form', expanded: expanded_by_default?
 
 %section.settings.as-terminal.no-animate#js-terminal-settings{ class: ('expanded' if expanded_by_default?) }
   .settings-header
diff --git a/app/views/layouts/_page.html.haml b/app/views/layouts/_page.html.haml
index 1b2a4cd6780..26a1f1e119c 100644
--- a/app/views/layouts/_page.html.haml
+++ b/app/views/layouts/_page.html.haml
@@ -7,6 +7,7 @@
     .alert-wrapper
       = render "layouts/broadcast"
       = render "layouts/header/read_only_banner"
+      = render "layouts/nav/classification_level_banner"
       = yield :flash_message
       = render "shared/ping_consent"
       - unless @hide_breadcrumbs
diff --git a/app/views/layouts/nav/_classification_level_banner.html.haml b/app/views/layouts/nav/_classification_level_banner.html.haml
new file mode 100644
index 00000000000..cc4caf079b8
--- /dev/null
+++ b/app/views/layouts/nav/_classification_level_banner.html.haml
@@ -0,0 +1,5 @@
+- if ::Gitlab::ExternalAuthorization.enabled? && @project
+  = content_for :header_content do
+    %span.badge.color-label.classification-label.has-tooltip{ title: s_('ExternalAuthorizationService|Classification label') }
+      = sprite_icon('lock-open', size: 8, css_class: 'inline')
+      = @project.external_authorization_classification_label
diff --git a/app/views/projects/_classification_policy_settings.html.haml b/app/views/projects/_classification_policy_settings.html.haml
new file mode 100644
index 00000000000..57c7a718d53
--- /dev/null
+++ b/app/views/projects/_classification_policy_settings.html.haml
@@ -0,0 +1,8 @@
+- if ::Gitlab::ExternalAuthorization.enabled?
+  .form-group
+    = f.label :external_authorization_classification_label, class: 'label-bold' do
+      = s_('ExternalAuthorizationService|Classification Label')
+      %span.light (optional)
+    = f.text_field :external_authorization_classification_label, class: "form-control"
+    %span.form-text.text-muted
+      = external_classification_label_help_message
diff --git a/app/views/projects/edit.html.haml b/app/views/projects/edit.html.haml
index 98017bea0c9..abf2fb7dc57 100644
--- a/app/views/projects/edit.html.haml
+++ b/app/views/projects/edit.html.haml
@@ -32,7 +32,7 @@
               %span.light (optional)
             = f.text_area :description, class: "form-control", rows: 3, maxlength: 250
 
-          = render_if_exists 'projects/classification_policy_settings', f: f
+          = render 'projects/classification_policy_settings', f: f
 
         = render_if_exists 'shared/repository_size_limit_setting', form: f, type: :project