Fix the required access level in the Conan packages finder

Merge branch 'security-conan-packages-finder-min-access-level-14-10' into '14-10-stable-ee' See merge request gitlab-org/security/gitlab!2485 Changelog: security

Fix the required access level in the Conan packages finder
Merge branch 'security-conan-packages-finder-min-access-level-14-10' into '14-10-stable-ee' See merge request gitlab-org/security/gitlab!2485 Changelog: security
756fb242 · David Fernandez · GitLab Release Tools Bot · d118e6c4 · 756fb242 · 756fb242
Commit 756fb242 authored Jun 29, 2022 by David Fernandez Committed by GitLab Release Tools Bot Jun 29, 2022
6 changed files
--- a/app/finders/packages/conan/package_finder.rb
+++ b/app/finders/packages/conan/package_finder.rb
@@ -25,7 +25,7 @@ module Packages
      end

      def projects_visible_to_current_user
-        ::Project.public_or_visible_to_user(current_user)
+        ::Project.public_or_visible_to_user(current_user, ::Gitlab::Access::REPORTER)
      end
    end
  end

--- a/db/migrate/20220520120637_add_installable_conan_packages_index_to_packages.rb
+++ b/db/migrate/20220520120637_add_installable_conan_packages_index_to_packages.rb
+# frozen_string_literal: true
+
+class AddInstallableConanPackagesIndexToPackages < Gitlab::Database::Migration[2.0]
+  disable_ddl_transaction!
+
+  INDEX_NAME = 'idx_installable_conan_pkgs_on_project_id_id'
+  # as defined by Packages::Package.package_types
+  CONAN_PACKAGE_TYPE = 3
+
+  # as defined by Packages::Package::INSTALLABLE_STATUSES
+  DEFAULT_STATUS = 0
+  HIDDEN_STATUS = 1
+
+  def up
+    where = "package_type = #{CONAN_PACKAGE_TYPE} AND status IN (#{DEFAULT_STATUS}, #{HIDDEN_STATUS})"
+    add_concurrent_index :packages_packages,
+                         [:project_id, :id],
+                         where: where,
+                         name: INDEX_NAME
+  end
+
+  def down
+    remove_concurrent_index_by_name :packages_packages, INDEX_NAME
+  end
+end
--- a/db/schema_migrations/20220520120637
+++ b/db/schema_migrations/20220520120637
+1fdb60b1c72b687aa8bede083ac7038097d538dc815e334d74296b1d39c2acb8
\ No newline at end of file
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -26544,6 +26544,8 @@ CREATE UNIQUE INDEX idx_environment_merge_requests_unique_index ON deployment_me

 CREATE INDEX idx_geo_con_rep_updated_events_on_container_repository_id ON geo_container_repository_updated_events USING btree (container_repository_id);

+CREATE INDEX idx_installable_conan_pkgs_on_project_id_id ON packages_packages USING btree (project_id, id) WHERE ((package_type = 3) AND (status = ANY (ARRAY[0, 1])));
+
 CREATE INDEX idx_installable_helm_pkgs_on_project_id_id ON packages_packages USING btree (project_id, id);

 CREATE INDEX idx_installable_npm_pkgs_on_project_id_name_version_id ON packages_packages USING btree (project_id, name, version, id) WHERE ((package_type = 2) AND (status = 0));
--- a/spec/finders/packages/conan/package_finder_spec.rb
+++ b/spec/finders/packages/conan/package_finder_spec.rb
@@ -2,22 +2,53 @@
 require 'spec_helper'

 RSpec.describe ::Packages::Conan::PackageFinder do
+  using RSpec::Parameterized::TableSyntax
+
+  let_it_be_with_reload(:project) { create(:project) }
  let_it_be(:user) { create(:user) }
-  let_it_be(:project) { create(:project, :public) }
+  let_it_be(:private_project) { create(:project, :private) }
+
+  let_it_be(:conan_package) { create(:conan_package, project: project) }
+  let_it_be(:conan_package2) { create(:conan_package, project: project) }
+  let_it_be(:errored_package) { create(:conan_package, :error, project: project) }
+  let_it_be(:private_package) { create(:conan_package, project: private_project) }

  describe '#execute' do
-    let!(:conan_package) { create(:conan_package, project: project) }
-    let!(:conan_package2) { create(:conan_package, project: project) }
+    let(:query) { "#{conan_package.name.split('/').first[0, 3]}%" }
+    let(:finder) { described_class.new(user, query: query) }
+
+    subject { finder.execute }
+
+    where(:visibility, :role, :packages_visible) do
+      :private  | :maintainer | true
+      :private  | :developer  | true
+      :private  | :reporter   | true
+      :private  | :guest      | false
+      :private  | :anonymous  | false
+
+      :internal | :maintainer | true
+      :internal | :developer  | true
+      :internal | :reporter   | true
+      :internal | :guest      | true
+      :internal | :anonymous  | false
+
+      :public   | :maintainer | true
+      :public   | :developer  | true
+      :public   | :reporter   | true
+      :public   | :guest      | true
+      :public   | :anonymous  | true
+    end

-    subject { described_class.new(user, query: query).execute }
+    with_them do
+      let(:expected_packages) { packages_visible ? [conan_package, conan_package2] : [] }
+      let(:user) { role == :anonymous ? nil : super() }

-    context 'packages that are not installable' do
-      let!(:conan_package3) { create(:conan_package, :error, project: project) }
-      let!(:non_visible_project) { create(:project, :private) }
-      let!(:non_visible_conan_package) { create(:conan_package, project: non_visible_project) }
-      let(:query) { "#{conan_package.name.split('/').first[0, 3]}%" }
+      before do
+        project.update_column(:visibility_level, Gitlab::VisibilityLevel.string_options[visibility.to_s])
+        project.add_user(user, role) unless role == :anonymous
+      end

-      it { is_expected.to eq [conan_package, conan_package2] }
+      it { is_expected.to eq(expected_packages) }
    end
  end
 end
--- a/spec/support/shared_examples/requests/api/conan_packages_shared_examples.rb
+++ b/spec/support/shared_examples/requests/api/conan_packages_shared_examples.rb
@@ -19,33 +19,66 @@ RSpec.shared_examples 'conan ping endpoint' do
 end

 RSpec.shared_examples 'conan search endpoint' do
-  before do
-    project.update_column(:visibility_level, Gitlab::VisibilityLevel::PUBLIC)
-
-    # Do not pass the HTTP_AUTHORIZATION header,
-    # in order to test that this public project's packages
-    # are visible to anonymous search.
-    get api(url), params: params
-  end
+  using RSpec::Parameterized::TableSyntax

  subject { json_response['results'] }

-  context 'returns packages with a matching name' do
-    let(:params) { { q: package.conan_recipe } }
+  context 'with a public project' do
+    before do
+      project.update!(visibility: 'public')
+
+      # Do not pass the HTTP_AUTHORIZATION header,
+      # in order to test that this public project's packages
+      # are visible to anonymous search.
+      get api(url), params: params
+    end
+
+    context 'returns packages with a matching name' do
+      let(:params) { { q: package.conan_recipe } }
+
+      it { is_expected.to contain_exactly(package.conan_recipe) }
+    end
+
+    context 'returns packages using a * wildcard' do
+      let(:params) { { q: "#{package.name[0, 3]}*" } }

-    it { is_expected.to contain_exactly(package.conan_recipe) }
+      it { is_expected.to contain_exactly(package.conan_recipe) }
+    end
+
+    context 'does not return non-matching packages' do
+      let(:params) { { q: "foo" } }
+
+      it { is_expected.to be_blank }
+    end
  end

-  context 'returns packages using a * wildcard' do
+  context 'with a private project' do
    let(:params) { { q: "#{package.name[0, 3]}*" } }

-    it { is_expected.to contain_exactly(package.conan_recipe) }
-  end
+    where(:role, :packages_visible) do
+      :maintainer | true
+      :developer  | true
+      :reporter   | true
+      :guest      | false
+      :anonymous  | false
+    end

-  context 'does not return non-matching packages' do
-    let(:params) { { q: "foo" } }
+    with_them do
+      before do
+        project.update!(visibility: 'private')
+        project.team.truncate
+        user.project_authorizations.delete_all
+        project.add_user(user, role) unless role == :anonymous
+
+        get api(url), params: params, headers: headers
+      end

-    it { is_expected.to be_blank }
+      if params[:packages_visible]
+        it { is_expected.to contain_exactly(package.conan_recipe) }
+      else
+        it { is_expected.to be_blank }
+      end
+    end
  end
 end