authorGitLab Bot <gitlab-bot@gitlab.com>2021-12-03 10:11:19 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-12-03 10:11:19 +0000
commit9a1e9397b4e378e052af12c697a9fbfd70a24bf5 (patch)
treebda9287282dfaefa0c717f092947f79839e07102 /spec
parent9fb816facef888b8fcdbc443af304105c480547b (diff)
Add latest changes from gitlab-org/security/gitlab@14-5-stable-ee
Diffstat (limited to 'spec')
-rw-r--r--spec/features/projects/members/list_spec.rb2
-rw-r--r--spec/features/projects_spec.rb18
-rw-r--r--spec/graphql/types/user_type_spec.rb80
-rw-r--r--spec/helpers/search_helper_spec.rb16
-rw-r--r--spec/lib/api/entities/user_spec.rb45
-rw-r--r--spec/lib/gitlab/git_access_wiki_spec.rb25
-rw-r--r--spec/lib/sidebars/projects/menus/analytics_menu_spec.rb6
-rw-r--r--spec/requests/api/graphql/user_query_spec.rb14
-rw-r--r--spec/support/helpers/features/members_helpers.rb4
9 files changed, 205 insertions, 5 deletions
diff --git a/spec/features/projects/members/list_spec.rb b/spec/features/projects/members/list_spec.rb
index 25598146604..308098c72a1 100644
--- a/spec/features/projects/members/list_spec.rb
+++ b/spec/features/projects/members/list_spec.rb
@@ -147,7 +147,7 @@ RSpec.describe 'Project members list', :js do
it 'does not show form used to change roles and "Expiration date" or the remove user button', :aggregate_failures do
visit_members_page
- page.within find_member_row(project_bot) do
+ page.within find_username_row(project_bot) do
expect(page).not_to have_button('Maintainer')
expect(page).to have_field('Expiration date', disabled: true)
expect(page).not_to have_button('Remove member')
diff --git a/spec/features/projects_spec.rb b/spec/features/projects_spec.rb
index c4619b5498e..26deca9c8f1 100644
--- a/spec/features/projects_spec.rb
+++ b/spec/features/projects_spec.rb
@@ -383,6 +383,24 @@ RSpec.describe 'Project' do
{ form: '.rspec-merge-request-settings', input: '#project_printing_merge_request_link_enabled' }]
end
+ describe 'view for a user without an access to a repo' do
+ let(:project) { create(:project, :repository) }
+ let(:user) { create(:user) }
+
+ it 'does not contain default branch information in its content' do
+ default_branch = 'merge-commit-analyze-side-branch'
+
+ project.add_guest(user)
+ project.change_head(default_branch)
+
+ sign_in(user)
+ visit project_path(project)
+
+ lines_with_default_branch = page.html.lines.select { |line| line.include?(default_branch) }
+ expect(lines_with_default_branch).to eq([])
+ end
+ end
+
def remove_with_confirm(button_text, confirm_with, confirm_button_text = 'Confirm')
click_button button_text
fill_in 'confirm_name_input', with: confirm_with
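Review bot: The assertion on the `lines_with_default_branch` line relies on `merge-commit-analyze-side-branch` being distinctive enough that `line.include?(default_branch)` cannot match unrelated page content, and nothing in the example says so; a one-line comment above the assignment, `# deliberately unusual branch name so a substring match on the page HTML only fires on a real exposure`, would protect it from a future edit to a common name such as `main`, where the check would start producing false positives. Whether that branch exists in the `:repository` fixture is not visible here, so `change_head` is assumed to succeed. The describe title reads better as `describe 'view for a user without access to the repository' do`.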
diff --git a/spec/graphql/types/user_type_spec.rb b/spec/graphql/types/user_type_spec.rb
index 0bad8c95ba2..4e3f442dc71 100644
--- a/spec/graphql/types/user_type_spec.rb
+++ b/spec/graphql/types/user_type_spec.rb
@@ -44,6 +44,86 @@ RSpec.describe GitlabSchema.types['User'] do
expect(described_class).to have_graphql_fields(*expected_fields)
end
+ describe 'name field' do
+ let_it_be(:admin) { create(:user, :admin)}
+ let_it_be(:user) { create(:user) }
+ let_it_be(:requested_user) { create(:user, name: 'John Smith') }
+ let_it_be(:requested_project_bot) { create(:user, :project_bot, name: 'Project bot') }
+ let_it_be(:project) { create(:project, :public) }
+
+ before do
+ project.add_maintainer(requested_project_bot)
+ end
+
+ let(:username) { requested_user.username }
+
+ let(:query) do
+ %(
+ query {
+ user(username: "#{username}") {
+ name
+ }
+ }
+ )
+ end
+
+ subject { GitlabSchema.execute(query, context: { current_user: current_user }).as_json.dig('data', 'user', 'name') }
+
+ context 'user requests' do
+ let(:current_user) { user }
+
+ context 'a user' do
+ it 'returns name' do
+ expect(subject).to eq('John Smith')
+ end
+ end
+
+ context 'a project bot' do
+ let(:username) { requested_project_bot.username }
+
+ context 'when requester is nil' do
+ let(:current_user) { nil }
+
+ it 'returns `****`' do
+ expect(subject).to eq('****')
+ end
+ end
+
+ it 'returns `****` for a regular user' do
+ expect(subject).to eq('****')
+ end
+
+ context 'when requester is a project maintainer' do
+ before do
+ project.add_maintainer(user)
+ end
+
+ it 'returns name' do
+ expect(subject).to eq('Project bot')
+ end
+ end
+ end
+ end
+
+ context 'admin requests', :enable_admin_mode do
+ let(:current_user) { admin }
+
+ context 'a user' do
+ it 'returns name' do
+ expect(subject).to eq('John Smith')
+ end
+ end
+
+ context 'a project bot' do
+ let(:username) { requested_project_bot.username }
+
+ it 'returns name' do
+ expect(subject).to eq('Project bot')
+ end
+ end
+ end
+ end
+
describe 'snippets field' do
subject { described_class.fields['snippets'] }
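Review bot: The `when requester is nil` context is nested under `user requests`, which sets `current_user` to a regular user, so the anonymous case is filed under the wrong heading and has to override the outer `let`; it reads more clearly as a sibling of `user requests` and `admin requests`. The matrix also has no member below maintainer (a developer or guest on `project`), so the hunk pins that maintainers see the bot name and non-members do not, but not where in between the threshold lies — worth one more context if the maintainer threshold is intentional. Minor style: `let_it_be(:admin) { create(:user, :admin)}` is missing the space before the closing brace.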
diff --git a/spec/helpers/search_helper_spec.rb b/spec/helpers/search_helper_spec.rb
index 9e870658870..17dcbab09bb 100644
--- a/spec/helpers/search_helper_spec.rb
+++ b/spec/helpers/search_helper_spec.rb
@@ -174,12 +174,26 @@ RSpec.describe SearchHelper do
context "with a current project" do
before do
@project = create(:project, :repository)
+
+ allow(self).to receive(:can?).and_return(true)
allow(self).to receive(:can?).with(user, :read_feature_flag, @project).and_return(false)
end
- it "includes project-specific sections", :aggregate_failures do
+ it 'returns repository related labels based on users abilities', :aggregate_failures do
expect(search_autocomplete_opts("Files").size).to eq(1)
expect(search_autocomplete_opts("Commits").size).to eq(1)
+ expect(search_autocomplete_opts("Network").size).to eq(1)
+ expect(search_autocomplete_opts("Graph").size).to eq(1)
+
+ allow(self).to receive(:can?).with(user, :download_code, @project).and_return(false)
+
+ expect(search_autocomplete_opts("Files").size).to eq(0)
+ expect(search_autocomplete_opts("Commits").size).to eq(0)
+
+ allow(self).to receive(:can?).with(user, :read_repository_graphs, @project).and_return(false)
+
+ expect(search_autocomplete_opts("Network").size).to eq(0)
+ expect(search_autocomplete_opts("Graph").size).to eq(0)
end
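Review bot: The example re-stubs `can?` twice in the middle of its body (the `download_code` and `read_repository_graphs` stubs) and asserts after each, so one `it` covers three permission states and a failure message will not say which one broke; separate `context 'when the user cannot download code'` and `context 'when the user cannot read repository graphs'` blocks with the stub in a `before` would keep each example single-state. The blanket `allow(self).to receive(:can?).and_return(true)` in the `before` grants every ability by default, which is what the negative stubs below rely on, so a short comment saying so would help the next reader. The example title should read `'returns repository related labels based on the user's abilities'`.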
context 'when user does not have access to project' do
diff --git a/spec/lib/api/entities/user_spec.rb b/spec/lib/api/entities/user_spec.rb
index 9c9a157d68a..14dc60e1a5f 100644
--- a/spec/lib/api/entities/user_spec.rb
+++ b/spec/lib/api/entities/user_spec.rb
@@ -12,7 +12,7 @@ RSpec.describe API::Entities::User do
subject { entity.as_json }
it 'exposes correct attributes' do
- expect(subject).to include(:bio, :location, :public_email, :skype, :linkedin, :twitter, :website_url, :organization, :job_title, :work_information, :pronouns)
+ expect(subject).to include(:name, :bio, :location, :public_email, :skype, :linkedin, :twitter, :website_url, :organization, :job_title, :work_information, :pronouns)
end
it 'exposes created_at if the current user can read the user profile' do
@@ -31,12 +31,51 @@ RSpec.describe API::Entities::User do
expect(subject[:bot]).to be_falsey
end
- context 'with bot user' do
- let(:user) { create(:user, :security_bot) }
+ context 'with project bot user' do
+ let(:project) { create(:project) }
+ let(:user) { create(:user, :project_bot, name: 'secret') }
+
+ before do
+ project.add_maintainer(user)
+ end
it 'exposes user as a bot' do
expect(subject[:bot]).to eq(true)
end
+
+ context 'when the requester is not an admin' do
+ it 'does not expose project bot user name' do
+ expect(subject[:name]).to eq('****')
+ end
+ end
+
+ context 'when the requester is nil' do
+ let(:current_user) { nil }
+
+ it 'does not expose project bot user name' do
+ expect(subject[:name]).to eq('****')
+ end
+ end
+
+ context 'when the requester is a project maintainer' do
+ let(:current_user) { create(:user) }
+
+ before do
+ project.add_maintainer(current_user)
+ end
+
+ it 'exposes project bot user name' do
+ expect(subject[:name]).to eq('secret')
+ end
+ end
+
+ context 'when the requester is an admin' do
+ let(:current_user) { create(:user, :admin) }
+
+ it 'exposes project bot user name', :enable_admin_mode do
+ expect(subject[:name]).to eq('secret')
+ end
+ end
end
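Review bot: `context 'when the requester is not an admin'` does not set `current_user` itself, so the example depends on whatever the enclosing `let(:current_user)` outside this hunk provides; if that is a non-member regular user, stating it with `let(:current_user) { create(:user) }` inside the context makes the masking expectation self-describing and keeps it from silently changing if the outer default changes. The entity construction and the outer `current_user` are defined above the hunk, so this is inferred. `'****'` is asserted for nil and non-admin requesters and the real name for maintainers and admins, but no case covers a member below maintainer.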
it 'exposes local_time' do
diff --git a/spec/lib/gitlab/git_access_wiki_spec.rb b/spec/lib/gitlab/git_access_wiki_spec.rb
index 5ada8a6ef40..27175dc8c44 100644
--- a/spec/lib/gitlab/git_access_wiki_spec.rb
+++ b/spec/lib/gitlab/git_access_wiki_spec.rb
@@ -79,5 +79,30 @@ RSpec.describe Gitlab::GitAccessWiki do
let(:message) { include('wiki') }
end
end
+
+ context 'when the actor is a deploy token' do
+ let_it_be(:actor) { create(:deploy_token, projects: [project]) }
+ let_it_be(:user) { actor }
+
+ before do
+ project.project_feature.update_attribute(:wiki_access_level, wiki_access_level)
+ end
+
+ subject { access.check('git-upload-pack', changes) }
+
+ context 'when the wiki is enabled' do
+ let(:wiki_access_level) { ProjectFeature::ENABLED }
+
+ it { expect { subject }.not_to raise_error }
+ end
+
+ context 'when the wiki is disabled' do
+ let(:wiki_access_level) { ProjectFeature::DISABLED }
+
+ it_behaves_like 'forbidden git access' do
+ let(:message) { 'You are not allowed to download files from this wiki.' }
+ end
+ end
+ end
end
end
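Review bot: The `before` block mutates `project` with `update_attribute`, which skips validations and, if `project` is a `let_it_be` fixture defined above this hunk, persists the last `wiki_access_level` written into any later example sharing the record; if so, using the `reload`/`refind` option on that `let_it_be` or restoring the level in an `after` hook avoids order-dependent results. Only `git-upload-pack` is exercised, so the disabled-wiki path is pinned for downloads but not for `git-receive-pack`; if deploy tokens can write to wikis, a parallel example is worth adding. `project`, `access` and `changes` come from outside the hunk.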
diff --git a/spec/lib/sidebars/projects/menus/analytics_menu_spec.rb b/spec/lib/sidebars/projects/menus/analytics_menu_spec.rb
index 9d5f029fff5..6f2ca719bc9 100644
--- a/spec/lib/sidebars/projects/menus/analytics_menu_spec.rb
+++ b/spec/lib/sidebars/projects/menus/analytics_menu_spec.rb
@@ -102,6 +102,12 @@ RSpec.describe Sidebars::Projects::Menus::AnalyticsMenu do
specify { is_expected.to be_nil }
end
+ describe 'when a user does not have access to repository graphs' do
+ let(:current_user) { guest }
+
+ specify { is_expected.to be_nil }
+ end
+
describe 'when the user does not have access' do
let(:current_user) { nil }
diff --git a/spec/requests/api/graphql/user_query_spec.rb b/spec/requests/api/graphql/user_query_spec.rb
index 59b805bb25b..1cba3674d25 100644
--- a/spec/requests/api/graphql/user_query_spec.rb
+++ b/spec/requests/api/graphql/user_query_spec.rb
@@ -488,5 +488,19 @@ RSpec.describe 'getting user information' do
end
end
end
+
+ context 'the user is project bot' do
+ let(:user) { create(:user, :project_bot) }
+
+ before do
+ post_graphql(query, current_user: current_user)
+ end
+
+ context 'we only request basic fields' do
+ let(:user_fields) { %i[id name username state web_url avatar_url] }
+
+ it_behaves_like 'a working graphql query'
+ end
+ end
end
end
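Review bot: The `it_behaves_like 'a working graphql query'` only checks that the query succeeds for a project bot; it does not assert what the `name` field contains, which is the masking behaviour this commit pins for project bots in `spec/graphql/types/user_type_spec.rb`. An explicit expectation in this context, such as `expect(graphql_data.dig('user', 'name')).to eq('****')` when `current_user` is not a member of the bot's project, would pin the request-level behaviour as well; `current_user` and `query` are defined outside the hunk, so the exact expected value depends on them.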
diff --git a/spec/support/helpers/features/members_helpers.rb b/spec/support/helpers/features/members_helpers.rb
index 2e86e014a1b..bdadcb8af43 100644
--- a/spec/support/helpers/features/members_helpers.rb
+++ b/spec/support/helpers/features/members_helpers.rb
@@ -37,6 +37,10 @@ module Spec
find_row(user.name)
end
+ def find_username_row(user)
+ find_row(user.username)
+ end
+
def find_invited_member_row(email)
find_row(email)
end
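Review bot: `find_username_row` has no comment explaining when to prefer it over `find_member_row` directly above it, which looks up by `user.name`; since this commit masks project bot names elsewhere, a one-line comment such as `# Looks up a row by username; use for users whose display name may be masked (e.g. project bots).` would record why both helpers exist. The enclosing module continues outside the hunk.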