Unverified Commit 010fb5f1 authored by Saikat Sarkar's avatar Saikat Sarkar Committed by Robert Speicher

Tighten the RBAC for GraphQL

parent 4f9c09a1
......@@ -26,6 +26,8 @@ module ProjectType
calls_gitaly: true,
description: 'SAST CI configuration for the project',
resolve: -> (project, args, ctx) do
return unless Ability.allowed?(ctx[:current_user], :download_code, project)
sast_ci_configuration(project)
end
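Review bot: The new guard `return unless Ability.allowed?(ctx[:current_user], :download_code, project)` carries no explanation of why `:download_code` is the right ability, so a later reader of the field definition will not see the link between this check and the repository reads implied by `calls_gitaly: true`. A one-line comment above the guard would make the invariant reviewable: `# SAST config is derived from repository contents; require the same ability as reading code.` Returning nil on denial rather than raising is a deliberate choice the spec depends on, and since the `field` definition starts before this hunk, the field's nullability and any `authorize:` option it may already carry are not visible here. If the field macro in this codebase supports a declarative `authorize:` option, expressing the check there instead of inside the resolve lambda would keep it from being lost when the resolver is later extracted into its own class.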
......
---
title: Tighten the RBAC for GraphQL in SAST CiConfiguration
merge_request:
author:
type: security
......@@ -26,7 +26,7 @@
describe 'sast_ci_configuration' do
include_context 'read ci configuration for sast enabled project'
let_it_be(:query) do
let(:query) do
%(
query {
project(fullPath: "#{project.full_path}") {
......@@ -109,6 +109,72 @@
expect(analyzer['label']).to eq('Brakeman')
expect(analyzer['enabled']).to eq(true)
end
context "with guest user" do
before do
project.add_guest(user)
end
context 'when project is private' do
let(:project) { create(:project, :private, :repository) }
it "returns no configuration" do
secure_analyzers_prefix = subject.dig('data', 'project', 'sastCiConfiguration')
expect(secure_analyzers_prefix).to be_nil
end
end
context 'when project is public' do
let(:project) { create(:project, :public, :repository) }
context 'when repository is accessible by everyone' do
it "returns the project's sast configuration for global variables" do
secure_analyzers_prefix = subject.dig('data', 'project', 'sastCiConfiguration', 'global', 'nodes').first
expect(secure_analyzers_prefix['type']).to eq('string')
expect(secure_analyzers_prefix['field']).to eq('SECURE_ANALYZERS_PREFIX')
end
end
end
end
context "with non-member user" do
before do
project.team.truncate
end
context 'when project is private' do
let(:project) { create(:project, :private, :repository) }
it "returns no configuration" do
secure_analyzers_prefix = subject.dig('data', 'project', 'sastCiConfiguration')
expect(secure_analyzers_prefix).to be_nil
end
end
context 'when project is public' do
let(:project) { create(:project, :public, :repository) }
context 'when repository is accessible by everyone' do
it "returns the project's sast configuration for global variables" do
secure_analyzers_prefix = subject.dig('data', 'project', 'sastCiConfiguration', 'global', 'nodes').first
expect(secure_analyzers_prefix['type']).to eq('string')
expect(secure_analyzers_prefix['field']).to eq('SECURE_ANALYZERS_PREFIX')
end
end
context 'when repository is accessible only by team members' do
it "returns no configuration" do
project.project_feature.update!(merge_requests_access_level: ProjectFeature::DISABLED,
builds_access_level: ProjectFeature::DISABLED,
repository_access_level: ProjectFeature::PRIVATE)
secure_analyzers_prefix = subject.dig('data', 'project', 'sastCiConfiguration')
expect(secure_analyzers_prefix).to be_nil
end
end
end
end
end
describe 'security_scanners' do
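Review bot: The `context "with guest user"` block covers only the private and fully public cases, while the `context "with non-member user"` block additionally covers `'when repository is accessible only by team members'`; a guest on a public project with `repository_access_level: ProjectFeature::PRIVATE` is the case most likely to regress (a guest is a member, so whether the policy still denies `:download_code` there is exactly what the commit should pin), yet it is not exercised. Mirroring that context under the guest block, with the same `update!` call and `be_nil` expectation, would close the gap. The `project.project_feature.update!(...)` call placed at the top of that example relies on `subject` being evaluated lazily after it runs; moving the update into a `before` block, as the neighbouring contexts do for their setup, makes the ordering explicit and keeps the example body to its assertion. The `let_it_be(:query)` → `let(:query)` change in the first hunk is presumably what lets the per-context `let(:project)` overrides reach `project.full_path` in the query string; a short comment on that line would save the next reader from having to infer it. The enclosing `describe 'sast_ci_configuration'` block starts outside this hunk.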
......