authorGitLab Bot <gitlab-bot@gitlab.com>2022-06-29 14:13:03 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-06-29 14:13:26 +0000
commit9ca24e5c1f715a597e694961ac0d60674166039a (patch)
tree833d04ab4a742a478741ddb19a9cd56d27657e87 /spec
parente2e6f2f2e9a5a4e84d724864fc4d27a8f1605c64 (diff)
Add latest changes from gitlab-org/security/gitlab@14-10-stable-ee
Diffstat (limited to 'spec')
-rw-r--r--spec/finders/packages/conan/package_finder_spec.rb51
-rw-r--r--spec/support/shared_examples/requests/api/conan_packages_shared_examples.rb67
2 files changed, 91 insertions, 27 deletions
diff --git a/spec/finders/packages/conan/package_finder_spec.rb b/spec/finders/packages/conan/package_finder_spec.rb
index b26f8900090..6848786818b 100644
--- a/spec/finders/packages/conan/package_finder_spec.rb
+++ b/spec/finders/packages/conan/package_finder_spec.rb
@@ -2,22 +2,53 @@
require 'spec_helper'
RSpec.describe ::Packages::Conan::PackageFinder do
+ using RSpec::Parameterized::TableSyntax
+
+ let_it_be_with_reload(:project) { create(:project) }
let_it_be(:user) { create(:user) }
- let_it_be(:project) { create(:project, :public) }
+ let_it_be(:private_project) { create(:project, :private) }
+
+ let_it_be(:conan_package) { create(:conan_package, project: project) }
+ let_it_be(:conan_package2) { create(:conan_package, project: project) }
+ let_it_be(:errored_package) { create(:conan_package, :error, project: project) }
+ let_it_be(:private_package) { create(:conan_package, project: private_project) }
describe '#execute' do
- let!(:conan_package) { create(:conan_package, project: project) }
- let!(:conan_package2) { create(:conan_package, project: project) }
+ let(:query) { "#{conan_package.name.split('/').first[0, 3]}%" }
+ let(:finder) { described_class.new(user, query: query) }
+
+ subject { finder.execute }
+
+ where(:visibility, :role, :packages_visible) do
+ :private | :maintainer | true
+ :private | :developer | true
+ :private | :reporter | true
+ :private | :guest | false
+ :private | :anonymous | false
+
+ :internal | :maintainer | true
+ :internal | :developer | true
+ :internal | :reporter | true
+ :internal | :guest | true
+ :internal | :anonymous | false
+
+ :public | :maintainer | true
+ :public | :developer | true
+ :public | :reporter | true
+ :public | :guest | true
+ :public | :anonymous | true
+ end
- subject { described_class.new(user, query: query).execute }
+ with_them do
+ let(:expected_packages) { packages_visible ? [conan_package, conan_package2] : [] }
+ let(:user) { role == :anonymous ? nil : super() }
- context 'packages that are not installable' do
- let!(:conan_package3) { create(:conan_package, :error, project: project) }
- let!(:non_visible_project) { create(:project, :private) }
- let!(:non_visible_conan_package) { create(:conan_package, project: non_visible_project) }
- let(:query) { "#{conan_package.name.split('/').first[0, 3]}%" }
+ before do
+ project.update_column(:visibility_level, Gitlab::VisibilityLevel.string_options[visibility.to_s])
+ project.add_user(user, role) unless role == :anonymous
+ end
- it { is_expected.to eq [conan_package, conan_package2] }
+ it { is_expected.to eq(expected_packages) }
end
end
end
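Review bot: The visibility/role table has no row for a signed-in user who is not a member of `project`: every non-anonymous row runs `project.add_user(user, role)`, and `:anonymous` replaces `user` with nil. The outcome for an authenticated non-member on an `:internal` project is therefore not pinned by this spec. Consider adding rows such as `:internal | :non_member | true` and `:private | :non_member | false` (expected values to be confirmed against the package policy) and widening the guard to `project.add_user(user, role) unless %i[anonymous non_member].include?(role)`. Separately, `private_package` and `errored_package` are never referenced by name, so their exclusion is only exercised if the factory gives them the same three-character prefix that `query` is built from; a comment such as `# private_package and errored_package match the query prefix and must never be returned` above the `it` would make that dependency explicit.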
diff --git a/spec/support/shared_examples/requests/api/conan_packages_shared_examples.rb b/spec/support/shared_examples/requests/api/conan_packages_shared_examples.rb
index 135fa4cf5a4..e6b0772aec1 100644
--- a/spec/support/shared_examples/requests/api/conan_packages_shared_examples.rb
+++ b/spec/support/shared_examples/requests/api/conan_packages_shared_examples.rb
@@ -19,33 +19,66 @@ RSpec.shared_examples 'conan ping endpoint' do
end
RSpec.shared_examples 'conan search endpoint' do
- before do
- project.update_column(:visibility_level, Gitlab::VisibilityLevel::PUBLIC)
-
- # Do not pass the HTTP_AUTHORIZATION header,
- # in order to test that this public project's packages
- # are visible to anonymous search.
- get api(url), params: params
- end
+ using RSpec::Parameterized::TableSyntax
subject { json_response['results'] }
- context 'returns packages with a matching name' do
- let(:params) { { q: package.conan_recipe } }
+ context 'with a public project' do
+ before do
+ project.update!(visibility: 'public')
+
+ # Do not pass the HTTP_AUTHORIZATION header,
+ # in order to test that this public project's packages
+ # are visible to anonymous search.
+ get api(url), params: params
+ end
+
+ context 'returns packages with a matching name' do
+ let(:params) { { q: package.conan_recipe } }
+
+ it { is_expected.to contain_exactly(package.conan_recipe) }
+ end
+
+ context 'returns packages using a * wildcard' do
+ let(:params) { { q: "#{package.name[0, 3]}*" } }
- it { is_expected.to contain_exactly(package.conan_recipe) }
+ it { is_expected.to contain_exactly(package.conan_recipe) }
+ end
+
+ context 'does not return non-matching packages' do
+ let(:params) { { q: "foo" } }
+
+ it { is_expected.to be_blank }
+ end
end
- context 'returns packages using a * wildcard' do
+ context 'with a private project' do
let(:params) { { q: "#{package.name[0, 3]}*" } }
- it { is_expected.to contain_exactly(package.conan_recipe) }
- end
+ where(:role, :packages_visible) do
+ :maintainer | true
+ :developer | true
+ :reporter | true
+ :guest | false
+ :anonymous | false
+ end
- context 'does not return non-matching packages' do
- let(:params) { { q: "foo" } }
+ with_them do
+ before do
+ project.update!(visibility: 'private')
+ project.team.truncate
+ user.project_authorizations.delete_all
+ project.add_user(user, role) unless role == :anonymous
+
+ get api(url), params: params, headers: headers
+ end
- it { is_expected.to be_blank }
+ if params[:packages_visible]
+ it { is_expected.to contain_exactly(package.conan_recipe) }
+ else
+ it { is_expected.to be_blank }
+ end
+ end
end
end
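Review bot: In the 'with a private project' context the `:anonymous` row still sends `headers: headers`, so if `headers` (defined by the including spec, outside this hunk) carries the user's credentials, that row exercises an authenticated non-member rather than an unauthenticated request. The unauthenticated path against a private project would then have no coverage here, which is the case an access-control regression test most needs. Consider `get api(url), params: params, headers: (role == :anonymous ? {} : headers)`, or renaming the row to `:non_member` and adding a separate row that sends no headers. It would also help to add a comment above `if params[:packages_visible]` noting that this `params` is the group-level table row supplied by the parameterized syntax at definition time, not the `let(:params)` query hash used in the request.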