Merge branch 'authorize_same_project_agent' into 'master'

Authorize the project if it's the agent's project

See merge request gitlab-org/gitlab!48314

app/models/clusters/agent.rb

@@ -19,5 +19,9 @@ module Clusters
         with: Gitlab::Regex.cluster_agent_name_regex,
         message: Gitlab::Regex.cluster_agent_name_regex_message
       }
+
+    def has_access_to?(requested_project)
+      requested_project == project
+    end
   end
 end

changelogs/unreleased/authorize_same_project_agent.yml

+---
+title: Authorize the project for the cluster agent if it is the agent's project
+merge_request: 48314
+author:
+type: changed

doc/user/clusters/agent/index.md

@@ -378,9 +378,12 @@ subjects:
 In a previous step, you configured a `config.yaml` to point to the GitLab projects
 the Agent should synchronize. In each of those projects, you must create a `manifest.yaml`
 file for the Agent to monitor. You can auto-generate this `manifest.yaml` with a
-templating engine or other means. Only public projects are supported as
-manifest projects. Support for private projects is planned in the issue
-[Agent authorization for private manifest projects](https://gitlab.com/gitlab-org/gitlab/-/issues/220912).
+templating engine or other means.
+
+The agent is authorized to download manifests for the configuration
+project, and public projects. Support for other private projects is
+planned in the issue [Agent authorization for private manifest
+projects](https://gitlab.com/gitlab-org/gitlab/-/issues/220912).
 
 Each time you commit and push a change to this file, the Agent logs the change:
 

lib/api/internal/kubernetes.rb

@@ -85,9 +85,7 @@ module API
           get '/project_info' do
             project = find_project(params[:id])
 
-            # TODO sort out authorization for real
-            # https://gitlab.com/gitlab-org/gitlab/-/issues/220912
-            unless Ability.allowed?(nil, :download_code, project)
+            unless Guest.can?(:download_code, project) || agent.has_access_to?(project)
               not_found!
             end
 

spec/models/clusters/agent_spec.rb

@@ -57,4 +57,16 @@ RSpec.describe Clusters::Agent do
       end
     end
   end
+
+  describe '#has_access_to?' do
+    let(:agent) { build(:cluster_agent) }
+
+    it 'has access to own project' do
+      expect(agent.has_access_to?(agent.project)).to be_truthy
+    end
+
+    it 'does not have access to other projects' do
+      expect(agent.has_access_to?(create(:project))).to be_falsey
+    end
+  end
 end

spec/requests/api/internal/kubernetes_spec.rb

@@ -137,9 +137,7 @@ RSpec.describe API::Internal::Kubernetes do
     include_examples 'agent authentication'
 
     context 'an agent is found' do
-      let!(:agent_token) { create(:cluster_agent_token) }
-
-      let(:agent) { agent_token.agent }
+      let_it_be(:agent_token) { create(:cluster_agent_token) }
 
       context 'project is public' do
         let(:project) { create(:project, :public) }
@@ -186,6 +184,16 @@ RSpec.describe API::Internal::Kubernetes do
 
           expect(response).to have_gitlab_http_status(:not_found)
         end
+
+        context 'and agent belongs to project' do
+          let(:agent_token) { create(:cluster_agent_token, agent: create(:cluster_agent, project: project)) }
+
+          it 'returns 200' do
+            send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
+
+            expect(response).to have_gitlab_http_status(:success)
+          end
+        end
       end
 
       context 'project is internal' do