Add latest changes from gitlab-org/gitlab@master

5 files changed, 182 insertions, 15 deletions

diff --git a/lib/gitlab/checks/snippet_check.rb b/lib/gitlab/checks/snippet_check.rb
new file mode 100644
index 00000000000..26dd772764a
--- /dev/null
+++ b/lib/gitlab/checks/snippet_check.rb
@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module Checks
+    class SnippetCheck < BaseChecker
+      ERROR_MESSAGES = {
+        create_delete_branch: 'You can not create or delete branches.'
+      }.freeze
+
+      ATTRIBUTES = %i[oldrev newrev ref branch_name tag_name logger].freeze
+      attr_reader(*ATTRIBUTES)
+
+      def initialize(change, logger:)
+        @oldrev, @newrev, @ref = change.values_at(:oldrev, :newrev, :ref)
+        @branch_name = Gitlab::Git.branch_name(@ref)
+        @tag_name = Gitlab::Git.tag_name(@ref)
+
+        @logger = logger
+        @logger.append_message("Running checks for ref: #{@branch_name || @tag_name}")
+      end
+
+      def exec
+        if creation? || deletion?
+          raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:create_delete_branch]
+        end
+
+        # TODO: https://gitlab.com/gitlab-org/gitlab/issues/205628
+        # Check operation will not result in more than one file in the repository
+
+        true
+      end
+    end
+  end
+end
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index d6c87b858a8..45db423187c 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -60,7 +60,6 @@ module Gitlab
       @logger = Checks::TimedLogger.new(timeout: INTERNAL_TIMEOUT, header: LOG_HEADER)
       @changes = changes
 
-      check_namespace!
       check_protocol!
       check_valid_actor!
       check_active_user!
@@ -72,11 +71,7 @@ module Gitlab
       return custom_action if custom_action
 
       check_db_accessibility!(cmd)
-
-      ensure_project_on_push!(cmd, changes)
-
-      check_project_accessibility!
-      add_project_moved_message!
+      check_project!(changes, cmd)
       check_repository_existence!
 
       case cmd
@@ -113,6 +108,13 @@ module Gitlab
 
     private
 
+    def check_project!(changes, cmd)
+      check_namespace!
+      ensure_project_on_push!(cmd, changes)
+      check_project_accessibility!
+      add_project_moved_message!
+    end
+
     def check_custom_action(cmd)
       nil
     end
diff --git a/lib/gitlab/git_access_snippet.rb b/lib/gitlab/git_access_snippet.rb
index d99b9c3fe89..ff1af9bede4 100644
--- a/lib/gitlab/git_access_snippet.rb
+++ b/lib/gitlab/git_access_snippet.rb
@@ -2,7 +2,13 @@
 
 module Gitlab
   class GitAccessSnippet < GitAccess
+    extend ::Gitlab::Utils::Override
+
     ERROR_MESSAGES = {
+      authentication_mechanism: 'The authentication mechanism is not supported.',
+      read_snippet: 'You are not allowed to read this snippet.',
+      update_snippet: 'You are not allowed to update this snippet.',
+      project_not_found: 'The project you were looking for could not be found.',
       snippet_not_found: 'The snippet you were looking for could not be found.',
       repository_not_found: 'The snippet repository you were looking for could not be found.'
     }.freeze
@@ -12,25 +18,47 @@ module Gitlab
     def initialize(actor, snippet, protocol, **kwargs)
       @snippet = snippet
 
-      super(actor, project, protocol, **kwargs)
+      super(actor, snippet&.project, protocol, **kwargs)
+
+      @auth_result_type = nil
+      @authentication_abilities &= [:download_code, :push_code]
     end
 
-    def check(cmd, _changes)
+    def check(cmd, changes)
+      # TODO: Investigate if expanding actor/authentication types are needed.
+      # https://gitlab.com/gitlab-org/gitlab/issues/202190
+      if actor && !actor.is_a?(User) && !actor.instance_of?(Key)
+        raise UnauthorizedError, ERROR_MESSAGES[:authentication_mechanism]
+      end
+
       unless Feature.enabled?(:version_snippets, user)
-        raise NotFoundError, ERROR_MESSAGES[:snippet_not_found]
+        raise NotFoundError, ERROR_MESSAGES[:project_not_found]
       end
 
       check_snippet_accessibility!
 
-      success_result(cmd)
+      super
     end
 
-    def project
-      snippet&.project
+    private
+
+    override :check_project!
+    def check_project!(cmd, changes)
+      if snippet.is_a?(ProjectSnippet)
+        check_namespace!
+        check_project_accessibility!
+        # TODO add add_project_moved_message! to handle non-project repo https://gitlab.com/gitlab-org/gitlab/issues/205646
+      end
     end
 
-    private
+    override :check_push_access!
+    def check_push_access!
+      raise UnauthorizedError, ERROR_MESSAGES[:update_snippet] unless user
+
+      check_change_access!
+    end
 
+    override :repository
     def repository
       snippet&.repository
     end
@@ -39,10 +67,64 @@ module Gitlab
       if snippet.blank?
         raise NotFoundError, ERROR_MESSAGES[:snippet_not_found]
       end
+    end
+
+    override :check_download_access!
+    def check_download_access!
+      passed = guest_can_download_code? || user_can_download_code?
+
+      unless passed
+        raise UnauthorizedError, ERROR_MESSAGES[:read_snippet]
+      end
+    end
+
+    override :guest_can_download_code?
+    def guest_can_download_code?
+      Guest.can?(:read_snippet, snippet)
+    end
+
+    override :user_can_download_code?
+    def user_can_download_code?
+      authentication_abilities.include?(:download_code) && user_access.can_do_action?(:read_snippet)
+    end
+
+    override :check_change_access!
+    def check_change_access!
+      unless user_access.can_do_action?(:update_snippet)
+        raise UnauthorizedError, ERROR_MESSAGES[:update_snippet]
+      end
+
+      changes_list.each do |change|
+        # If user does not have access to make at least one change, cancel all
+        # push by allowing the exception to bubble up
+        check_single_change_access(change)
+      end
+    end
+
+    def check_single_change_access(change)
+      change_access = Checks::SnippetCheck.new(change, logger: logger)
+
+      change_access.exec
+    rescue Checks::TimedLogger::TimeoutError
+      raise TimeoutError, logger.full_message
+    end
 
-      unless repository&.exists?
+    override :check_repository_existence!
+    def check_repository_existence!
+      unless repository.exists?
         raise NotFoundError, ERROR_MESSAGES[:repository_not_found]
       end
     end
+
+    override :user_access
+    def user_access
+      @user_access ||= UserAccessSnippet.new(user, snippet: snippet)
+    end
+
+    # TODO: Implement EE/Geo https://gitlab.com/gitlab-org/gitlab/issues/205629
+    override :check_custom_action
+    def check_custom_action(cmd)
+      nil
+    end
   end
 end
diff --git a/lib/gitlab/user_access.rb b/lib/gitlab/user_access.rb
index 097b502316e..ae4c77255c5 100644
--- a/lib/gitlab/user_access.rb
+++ b/lib/gitlab/user_access.rb
@@ -98,7 +98,7 @@ module Gitlab
       @permission_cache ||= {}
     end
 
-    def can_access_git?
+    request_cache def can_access_git?
       user && user.can?(:access_git)
     end
 
diff --git a/lib/gitlab/user_access_snippet.rb b/lib/gitlab/user_access_snippet.rb
new file mode 100644
index 00000000000..bfed86c4df4
--- /dev/null
+++ b/lib/gitlab/user_access_snippet.rb
@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+module Gitlab
+  class UserAccessSnippet < UserAccess
+    extend ::Gitlab::Cache::RequestCache
+    # TODO: apply override check https://gitlab.com/gitlab-org/gitlab/issues/205677
+
+    request_cache_key do
+      [user&.id, snippet&.id]
+    end
+
+    attr_reader :snippet
+
+    def initialize(user, snippet: nil)
+      @user = user
+      @snippet = snippet
+      @project = snippet&.project
+    end
+
+    def can_do_action?(action)
+      return false unless can_access_git?
+
+      permission_cache[action] =
+        permission_cache.fetch(action) do
+          Ability.allowed?(user, action, snippet)
+        end
+    end
+
+    def can_create_tag?(ref)
+      false
+    end
+
+    def can_delete_branch?(ref)
+      false
+    end
+
+    def can_push_to_branch?(ref)
+      super
+      return false unless snippet
+      return false unless can_do_action?(:update_snippet)
+
+      true
+    end
+
+    def can_merge_to_branch?(ref)
+      false
+    end
+  end
+end