Merge branch 'd0c-s4vage-allowlist-gitlab-service-accounts-spam' into 'master'

Allows GitLab-owned service users to bypass spam See merge request gitlab-org/gitlab!45310

Merge branch 'd0c-s4vage-allowlist-gitlab-service-accounts-spam' into 'master'
Allows GitLab-owned service users to bypass spam See merge request gitlab-org/gitlab!45310
68ec34f2 · Dmytro Zaporozhets (DZ) · da688e4b · 4b65fd03 · 68ec34f2 · 68ec34f2
Commit 68ec34f2 authored Oct 19, 2020 by Dmytro Zaporozhets (DZ)
4 changed files
--- a/app/services/spam/spam_action_service.rb
+++ b/app/services/spam/spam_action_service.rb
@@ -45,7 +45,7 @@ module Spam
    attr_reader :user, :context

    def allowlisted?(user)
-      user.try(:gitlab_employee?) || user.try(:gitlab_bot?)
+      user.try(:gitlab_employee?) || user.try(:gitlab_bot?) || user.try(:gitlab_service_user?)
    end

    def perform_spam_service_check(api)

--- a/ee/app/models/ee/user.rb
+++ b/ee/app/models/ee/user.rb
@@ -343,6 +343,12 @@ module EE
      end
    end

+    def gitlab_service_user?
+      strong_memoize(:gitlab_service_user) do
+        service_user? && ::Gitlab::Com.gitlab_com_group_member_id?(id)
+      end
+    end
+
    def gitlab_bot?
      strong_memoize(:gitlab_bot) do
        bot? && ::Gitlab::Com.gitlab_com_group_member_id?(id)

--- a/ee/changelogs/unreleased/d0c-s4vage-allowlist-gitlab-service-accounts-spam.yml
+++ b/ee/changelogs/unreleased/d0c-s4vage-allowlist-gitlab-service-accounts-spam.yml
+---
+title: Allows GitLab-owned service users to bypass certain spam checks
+merge_request: 45310
+author:
+type: changed
--- a/ee/spec/models/user_spec.rb
+++ b/ee/spec/models/user_spec.rb
@@ -1422,6 +1422,68 @@ RSpec.describe User do
    end
  end

+  describe '#gitlab_service_user?' do
+    subject { user.gitlab_service_user? }
+
+    let_it_be(:gitlab_group) { create(:group, name: 'gitlab-com') }
+    let_it_be(:random_group) { create(:group, name: 'random-group') }
+
+    context 'based on group membership' do
+      context 'when user belongs to gitlab-com group' do
+        let(:user) { create(:user, user_type: :service_user) }
+
+        before do
+          allow(Gitlab).to receive(:com?).and_return(true)
+          gitlab_group.add_user(user, Gitlab::Access::DEVELOPER)
+        end
+
+        it { is_expected.to be true }
+      end
+
+      context 'when user does not belong to gitlab-com group' do
+        let(:user) { create(:user, user_type: :service_user) }
+
+        before do
+          allow(Gitlab).to receive(:com?).and_return(true)
+          random_group.add_user(user, Gitlab::Access::DEVELOPER)
+        end
+
+        it { is_expected.to be false }
+      end
+    end
+
+    context 'based on user type' do
+      using RSpec::Parameterized::TableSyntax
+
+      where(:is_com, :user_type, :answer) do
+        true  | :service_user | true
+        true  | :alert_bot    | false
+        true  | :human        | false
+        true  | :ghost        | false
+        false | :service_user | false
+        false | :alert_bot    | false
+        false | :human        | false
+        false | :ghost        | false
+      end
+
+      with_them do
+        before do
+          allow(Gitlab).to receive(:com?).and_return(is_com)
+        end
+
+        let(:user) do
+          user = create(:user, user_type: user_type)
+          gitlab_group.add_user(user, Gitlab::Access::DEVELOPER)
+          user
+        end
+
+        it "returns if the user is a GitLab-owned service user" do
+          expect(subject).to be answer
+        end
+      end
+    end
+  end
+
  describe '#security_dashboard' do
    let(:user) { create(:user) }