Merge branch 'fix/group-bot-build-token-git-access' into 'master'

Add missing Git authentication support for group level bot build tokens

See merge request gitlab-org/gitlab!78595

lib/gitlab/auth.rb

@@ -207,7 +207,7 @@ module Gitlab
         return unless valid_scoped_token?(token, all_available_scopes)
 
         if project && token.user.project_bot?
-          return unless token_bot_in_project?(token.user, project) || token_bot_in_group?(token.user, project)
+          return unless token_bot_in_resource?(token.user, project)
         end
 
         if token.user.can_log_in_with_non_expired_password? || token.user.project_bot?
@@ -229,6 +229,10 @@ module Gitlab
       end
       # rubocop: enable CodeReuse/ActiveRecord
 
+      def token_bot_in_resource?(user, project)
+        token_bot_in_project?(user, project) || token_bot_in_group?(user, project)
+      end
+
       def valid_oauth_token?(token)
         token && token.accessible? && valid_scoped_token?(token, Doorkeeper.configuration.scopes)
       end
@@ -309,7 +313,7 @@ module Gitlab
         return unless build.project.builds_enabled?
 
         if build.user
-          return unless build.user.can_log_in_with_non_expired_password? || (build.user.project_bot? && build.project.bots&.include?(build.user))
+          return unless build.user.can_log_in_with_non_expired_password? || (build.user.project_bot? && token_bot_in_resource?(build.user, build.project))
 
           # If user is assigned to build, use restricted credentials of user
           Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities)

spec/lib/gitlab/auth_spec.rb

@@ -156,8 +156,9 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
       let(:username) { 'gitlab-ci-token' }
 
       context 'for running build' do
-        let!(:build) { create(:ci_build, :running) }
-        let(:project) { build.project }
+        let!(:group) { create(:group) }
+        let!(:project) { create(:project, group: group) }
+        let!(:build) { create(:ci_build, :running, project: project) }
 
         it 'recognises user-less build' do
           expect(subject).to have_attributes(actor: nil, project: build.project, type: :ci, authentication_abilities: described_class.build_authentication_abilities)
@@ -169,6 +170,20 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
           expect(subject).to have_attributes(actor: build.user, project: build.project, type: :build, authentication_abilities: described_class.build_authentication_abilities)
         end
 
+        it 'recognises project level bot access token' do
+          build.update(user: create(:user, :project_bot))
+          project.add_maintainer(build.user)
+
+          expect(subject).to have_attributes(actor: build.user, project: build.project, type: :build, authentication_abilities: described_class.build_authentication_abilities)
+        end
+
+        it 'recognises group level bot access token' do
+          build.update(user: create(:user, :project_bot))
+          group.add_maintainer(build.user)
+
+          expect(subject).to have_attributes(actor: build.user, project: build.project, type: :build, authentication_abilities: described_class.build_authentication_abilities)
+        end
+
         it 'fails with blocked user token' do
           build.update(user: create(:user, :blocked))