Authorize the project if it's the agent's project

This allows for private projects for agents, but only for the same project case.

Authorize the project if it's the agent's project
This allows for private projects for agents, but only for the same project case.
bfa63107 · Thong Kuah · 07274bf4 · bfa63107 · bfa63107 · bfa63107
Commit bfa63107 authored Nov 23, 2020 by Thong Kuah
6 changed files
--- a/app/models/clusters/agent.rb
+++ b/app/models/clusters/agent.rb
@@ -19,5 +19,9 @@ module Clusters
        with: Gitlab::Regex.cluster_agent_name_regex,
        message: Gitlab::Regex.cluster_agent_name_regex_message
      }
+    def has_access_to?(requested_project)
+      requested_project == project
+    end
  end
 end
--- a/changelogs/unreleased/authorize_same_project_agent.yml
+++ b/changelogs/unreleased/authorize_same_project_agent.yml
+---
+title: Authorize the project for the cluster agent if it is the agent's project
+merge_request: 48314
+author:
+type: changed
--- a/doc/user/clusters/agent/index.md
+++ b/doc/user/clusters/agent/index.md
@@ -378,9 +378,12 @@ subjects:
 In a previous step, you configured a `config.yaml` to point to the GitLab projects
 the Agent should synchronize. In each of those projects, you must create a `manifest.yaml`
 file for the Agent to monitor. You can auto-generate this `manifest.yaml` with a
-templating engine or other means. Only public projects are supported as
+templating engine or other means.
-manifest projects. Support for private projects is planned in the issue
-[Agent authorization for private manifest projects](https://gitlab.com/gitlab-org/gitlab/-/issues/220912).
+The agent is authorized to download manifests for the configuration
+project, and public projects. Support for other private projects is
+planned in the issue [Agent authorization for private manifest
+projects](https://gitlab.com/gitlab-org/gitlab/-/issues/220912).
 Each time you commit and push a change to this file, the Agent logs the change:

--- a/lib/api/internal/kubernetes.rb
+++ b/lib/api/internal/kubernetes.rb
@@ -85,9 +85,7 @@ module API
          get '/project_info' do
            project = find_project(params[:id])
-            # TODO sort out authorization for real
+            unless Guest.can?(:download_code, project) || agent.has_access_to?(project)
-            # https://gitlab.com/gitlab-org/gitlab/-/issues/220912
-            unless Ability.allowed?(nil, :download_code, project)
              not_found!
            end

--- a/spec/models/clusters/agent_spec.rb
+++ b/spec/models/clusters/agent_spec.rb
@@ -57,4 +57,16 @@ RSpec.describe Clusters::Agent do
      end
    end
  end
+  describe '#has_access_to?' do
+    let(:agent) { build(:cluster_agent) }
+    it 'has access to own project' do
+      expect(agent.has_access_to?(agent.project)).to be_truthy
+    end
+    it 'does not have access to other projects' do
+      expect(agent.has_access_to?(create(:project))).to be_falsey
+    end
+  end
 end
--- a/spec/requests/api/internal/kubernetes_spec.rb
+++ b/spec/requests/api/internal/kubernetes_spec.rb
@@ -137,9 +137,7 @@ RSpec.describe API::Internal::Kubernetes do
    include_examples 'agent authentication'
    context 'an agent is found' do
-      let!(:agent_token) { create(:cluster_agent_token) }
+      let_it_be(:agent_token) { create(:cluster_agent_token) }
-      let(:agent) { agent_token.agent }
      context 'project is public' do
        let(:project) { create(:project, :public) }
@@ -186,6 +184,16 @@ RSpec.describe API::Internal::Kubernetes do
          expect(response).to have_gitlab_http_status(:not_found)
        end
+        context 'and agent belongs to project' do
+          let(:agent_token) { create(:cluster_agent_token, agent: create(:cluster_agent, project: project)) }
+          it 'returns 200' do
+            send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
+            expect(response).to have_gitlab_http_status(:success)
+          end
+        end
      end
      context 'project is internal' do