Restore 403 functionality for external auth

When we unhooked ClustersController from
Project::ApplicationsController, we missed an EE override to
handle_not_found_or_authorized.

Rather than carry on with override RoutingActions, make a specific proc
for Project that we override in EE instead. Use that proc in both
Clusters::BaseController and Project::ApplicationsController.

app/controllers/clusters/base_controller.rb

@@ -2,6 +2,7 @@
 
 class Clusters::BaseController < ApplicationController
   include RoutableActions
+  include ProjectUnauthorized
 
   skip_before_action :authenticate_user!
   before_action :require_project_id
@@ -21,7 +22,7 @@ class Clusters::BaseController < ApplicationController
   end
 
   def project
-    @project ||= find_routable!(Project, File.join(params[:namespace_id], params[:project_id]))
+    @project ||= find_routable!(Project, File.join(params[:namespace_id], params[:project_id]), not_found_or_authorized_proc: project_unauthorized_proc)
   end
 
   def repository

app/controllers/concerns/project_unauthorized.rb

+# frozen_string_literal: true
+
+module ProjectUnauthorized
+  prepend EE::ProjectUnauthorized
+  extend ActiveSupport::Concern
+
+  # EE would override this
+  def project_unauthorized_proc
+    # no-op
+  end
+end

app/controllers/concerns/routable_actions.rb

@@ -3,23 +3,25 @@
 module RoutableActions
   extend ActiveSupport::Concern
 
-  def find_routable!(routable_klass, requested_full_path, extra_authorization_proc: nil)
+  def find_routable!(routable_klass, requested_full_path, extra_authorization_proc: nil, not_found_or_authorized_proc: nil)
     routable = routable_klass.find_by_full_path(requested_full_path, follow_redirects: request.get?)
     if routable_authorized?(routable, extra_authorization_proc)
       ensure_canonical_path(routable, requested_full_path)
       routable
     else
-      handle_not_found_or_authorized(routable)
+      if not_found_or_authorized_proc
+        not_found_or_authorized_proc.call(routable)
+      end
+
+      route_not_found unless performed?
+
       nil
     end
   end
 
-  # This is overridden in gitlab-ee.
-  def handle_not_found_or_authorized(_routable)
-    route_not_found
-  end
-
   def routable_authorized?(routable, extra_authorization_proc)
+    return false unless routable
+
     action = :"read_#{routable.class.to_s.underscore}"
     return false unless can?(current_user, action, routable)
 

app/controllers/projects/application_controller.rb

 # frozen_string_literal: true
 
 class Projects::ApplicationController < ApplicationController
-  prepend EE::Projects::ApplicationController
   include CookiesHelper
   include RoutableActions
+  include ProjectUnauthorized
   include ChecksCollaboration
 
   skip_before_action :authenticate_user!
@@ -22,7 +22,7 @@ class Projects::ApplicationController < ApplicationController
     path = File.join(params[:namespace_id], params[:project_id] || params[:id])
     auth_proc = ->(project) { !project.pending_delete? }
 
-    @project = find_routable!(Project, path, extra_authorization_proc: auth_proc)
+    @project = find_routable!(Project, path, extra_authorization_proc: auth_proc, not_found_or_authorized_proc: project_unauthorized_proc)
   end
 
   def build_canonical_path(project)

ee/app/controllers/concerns/ee/project_unauthorized.rb

+# frozen_string_literal: true
+
+module EE
+  module ProjectUnauthorized
+    extend ::Gitlab::Utils::Override
+
+    override :project_unauthorized_proc
+    def project_unauthorized_proc
+      lambda do |project|
+        if project
+          label = project.external_authorization_classification_label
+          rejection_reason = nil
+
+          unless EE::Gitlab::ExternalAuthorization.access_allowed?(current_user, label)
+            rejection_reason = EE::Gitlab::ExternalAuthorization.rejection_reason(current_user, label)
+            rejection_reason ||= _('External authorization denied access to this project')
+          end
+
+          if rejection_reason
+            access_denied!(rejection_reason)
+          end
+        end
+      end
+    end
+  end
+end

ee/app/controllers/ee/projects/application_controller.rb

-module EE
-  module Projects
-    module ApplicationController
-      extend ::Gitlab::Utils::Override
-
-      override :handle_not_found_or_authorized
-      def handle_not_found_or_authorized(project)
-        return super unless project
-
-        label = project.external_authorization_classification_label
-        rejection_reason = nil
-
-        unless EE::Gitlab::ExternalAuthorization.access_allowed?(current_user, label)
-          rejection_reason = EE::Gitlab::ExternalAuthorization.rejection_reason(current_user, label)
-          rejection_reason ||= _('External authorization denied access to this project')
-        end
-
-        if rejection_reason
-          access_denied!(rejection_reason)
-        else
-          super
-        end
-      end
-    end
-  end
-end

ee/spec/controllers/ee/projects/application_controller_spec.rb → ee/spec/controllers/concerns/ee/project_unauthorized_spec.rb

 require 'spec_helper'
 
-describe EE::Projects::ApplicationController do
+describe EE::ProjectUnauthorized do
   include ExternalAuthorizationServiceHelpers
   let(:user) { create(:user) }
 
@@ -10,7 +10,7 @@ describe EE::Projects::ApplicationController do
 
   render_views
 
-  describe '#handle_not_found_or_authorized' do
+  describe '#project_unauthorized_proc' do
     controller(::Projects::ApplicationController) do
       def show
         render nothing: true