From 141d658e8c8676dbaf70881bded9834fb757e521 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C5=82gorzata=20Ksionek?= Date: Wed, 17 Apr 2019 13:13:48 +0200 Subject: [PATCH 1/2] Add new api class for projects events Refactor api events class to use external helper Move specs from old class Add changelog and magic string Refactor events class to be more explicit Remove blank line --- ...read-user-scope-to-read-project-events.yml | 5 + lib/api/api.rb | 1 + lib/api/events.rb | 49 +----- lib/api/helpers/events_helpers.rb | 31 ++++ lib/api/project_events.rb | 29 ++++ spec/requests/api/events_spec.rb | 135 --------------- spec/requests/api/project_events_spec.rb | 156 ++++++++++++++++++ 7 files changed, 224 insertions(+), 182 deletions(-) create mode 100644 changelogs/unreleased/secure-disallow-read-user-scope-to-read-project-events.yml create mode 100644 lib/api/helpers/events_helpers.rb create mode 100644 lib/api/project_events.rb create mode 100644 spec/requests/api/project_events_spec.rb diff --git a/changelogs/unreleased/secure-disallow-read-user-scope-to-read-project-events.yml b/changelogs/unreleased/secure-disallow-read-user-scope-to-read-project-events.yml new file mode 100644 index 00000000000..4a91bfa8827 --- /dev/null +++ b/changelogs/unreleased/secure-disallow-read-user-scope-to-read-project-events.yml @@ -0,0 +1,5 @@ +--- +title: Allow to see project events only with api scope token +merge_request: +author: +type: security diff --git a/lib/api/api.rb b/lib/api/api.rb index bf8ddba6f0d..a572cca24e9 100644 --- a/lib/api/api.rb +++ b/lib/api/api.rb @@ -134,6 +134,7 @@ module API mount ::API::Pipelines mount ::API::PipelineSchedules mount ::API::ProjectClusters + mount ::API::ProjectEvents mount ::API::ProjectExport mount ::API::ProjectImport mount ::API::ProjectHooks diff --git a/lib/api/events.rb b/lib/api/events.rb index b98aa9f31e1..e4c017fab42 100644 --- a/lib/api/events.rb +++ b/lib/api/events.rb @@ -4,34 +4,11 @@ module API class Events < Grape::API include PaginationParams include APIGuard + helpers ::API::Helpers::EventsHelpers - helpers do - params :event_filter_params do - optional :action, type: String, values: Event.actions, desc: 'Event action to filter on' - optional :target_type, type: String, values: Event.target_types, desc: 'Event target type to filter on' - optional :before, type: Date, desc: 'Include only events created before this date' - optional :after, type: Date, desc: 'Include only events created after this date' - end - - params :sort_params do - optional :sort, type: String, values: %w[asc desc], default: 'desc', - desc: 'Return events sorted in ascending and descending order' - end - - def present_events(events) - events = paginate(events) - - present events, with: Entities::Event - end - - def find_events(source) - EventsFinder.new(params.merge(source: source, current_user: current_user, with_associations: true)).execute - end - end + allow_access_with_scope :read_user, if: -> (request) { request.get? } resource :events do - allow_access_with_scope :read_user, if: -> (request) { request.get? } - desc "List currently authenticated user's events" do detail 'This feature was introduced in GitLab 9.3.' success Entities::Event @@ -55,8 +32,6 @@ module API requires :id, type: String, desc: 'The ID or Username of the user' end resource :users do - allow_access_with_scope :read_user, if: -> (request) { request.get? } - desc 'Get the contribution events of a specified user' do detail 'This feature was introduced in GitLab 8.13.' success Entities::Event @@ -76,25 +51,5 @@ module API present_events(events) end end - - params do - requires :id, type: String, desc: 'The ID of a project' - end - resource :projects, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do - desc "List a Project's visible events" do - success Entities::Event - end - params do - use :pagination - use :event_filter_params - use :sort_params - end - - get ":id/events" do - events = find_events(user_project) - - present_events(events) - end - end end end diff --git a/lib/api/helpers/events_helpers.rb b/lib/api/helpers/events_helpers.rb new file mode 100644 index 00000000000..bf3b76bb92d --- /dev/null +++ b/lib/api/helpers/events_helpers.rb @@ -0,0 +1,31 @@ +# frozen_string_literal: true + +module API + module Helpers + module EventsHelpers + extend Grape::API::Helpers + + params :event_filter_params do + optional :action, type: String, values: Event.actions, desc: 'Event action to filter on' + optional :target_type, type: String, values: Event.target_types, desc: 'Event target type to filter on' + optional :before, type: Date, desc: 'Include only events created before this date' + optional :after, type: Date, desc: 'Include only events created after this date' + end + + params :sort_params do + optional :sort, type: String, values: %w[asc desc], default: 'desc', + desc: 'Return events sorted in ascending and descending order' + end + + def present_events(events) + events = paginate(events) + + present events, with: Entities::Event + end + + def find_events(source) + EventsFinder.new(params.merge(source: source, current_user: current_user, with_associations: true)).execute + end + end + end +end diff --git a/lib/api/project_events.rb b/lib/api/project_events.rb new file mode 100644 index 00000000000..734311e1142 --- /dev/null +++ b/lib/api/project_events.rb @@ -0,0 +1,29 @@ +# frozen_string_literal: true + +module API + class ProjectEvents < Grape::API + include PaginationParams + include APIGuard + helpers ::API::Helpers::EventsHelpers + + params do + requires :id, type: String, desc: 'The ID of a project' + end + resource :projects, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do + desc "List a Project's visible events" do + success Entities::Event + end + params do + use :pagination + use :event_filter_params + use :sort_params + end + + get ":id/events" do + events = find_events(user_project) + + present_events(events) + end + end + end +end diff --git a/spec/requests/api/events_spec.rb b/spec/requests/api/events_spec.rb index 0ac23505de7..018691e8099 100644 --- a/spec/requests/api/events_spec.rb +++ b/spec/requests/api/events_spec.rb @@ -164,139 +164,4 @@ describe API::Events do expect(json_response['message']).to eq('404 User Not Found') end end - - describe 'GET /projects/:id/events' do - context 'when unauthenticated ' do - it 'returns 404 for private project' do - get api("/projects/#{private_project.id}/events") - - expect(response).to have_gitlab_http_status(404) - end - - it 'returns 200 status for a public project' do - public_project = create(:project, :public) - - get api("/projects/#{public_project.id}/events") - - expect(response).to have_gitlab_http_status(200) - end - end - - context 'with inaccessible events' do - let(:public_project) { create(:project, :public, creator_id: user.id, namespace: user.namespace) } - let(:confidential_issue) { create(:closed_issue, confidential: true, project: public_project, author: user) } - let!(:confidential_event) { create(:event, project: public_project, author: user, target: confidential_issue, action: Event::CLOSED) } - let(:public_issue) { create(:closed_issue, project: public_project, author: user) } - let!(:public_event) { create(:event, project: public_project, author: user, target: public_issue, action: Event::CLOSED) } - - it 'returns only accessible events' do - get api("/projects/#{public_project.id}/events", non_member) - - expect(response).to have_gitlab_http_status(200) - expect(json_response.size).to eq(1) - end - - it 'returns all events when the user has access' do - get api("/projects/#{public_project.id}/events", user) - - expect(response).to have_gitlab_http_status(200) - expect(json_response.size).to eq(2) - end - end - - context 'pagination' do - let(:public_project) { create(:project, :public) } - - before do - create(:event, - project: public_project, - target: create(:issue, project: public_project, title: 'Issue 1'), - action: Event::CLOSED, - created_at: Date.parse('2018-12-10')) - create(:event, - project: public_project, - target: create(:issue, confidential: true, project: public_project, title: 'Confidential event'), - action: Event::CLOSED, - created_at: Date.parse('2018-12-11')) - create(:event, - project: public_project, - target: create(:issue, project: public_project, title: 'Issue 2'), - action: Event::CLOSED, - created_at: Date.parse('2018-12-12')) - end - - it 'correctly returns the second page without inaccessible events' do - get api("/projects/#{public_project.id}/events", user), params: { per_page: 2, page: 2 } - - titles = json_response.map { |event| event['target_title'] } - - expect(titles.first).to eq('Issue 1') - expect(titles).not_to include('Confidential event') - end - - it 'correctly returns the first page without inaccessible events' do - get api("/projects/#{public_project.id}/events", user), params: { per_page: 2, page: 1 } - - titles = json_response.map { |event| event['target_title'] } - - expect(titles.first).to eq('Issue 2') - expect(titles).not_to include('Confidential event') - end - end - - context 'when not permitted to read' do - it 'returns 404' do - get api("/projects/#{private_project.id}/events", non_member) - - expect(response).to have_gitlab_http_status(404) - end - end - - context 'when authenticated' do - it 'returns project events' do - get api("/projects/#{private_project.id}/events?action=closed&target_type=issue&after=2016-12-1&before=2016-12-31", user) - - expect(response).to have_gitlab_http_status(200) - expect(response).to include_pagination_headers - expect(json_response).to be_an Array - expect(json_response.size).to eq(1) - end - - it 'returns 404 if project does not exist' do - get api("/projects/1234/events", user) - - expect(response).to have_gitlab_http_status(404) - end - end - - context 'when exists some events' do - let(:merge_request1) { create(:merge_request, :closed, author: user, assignee: user, source_project: private_project, title: 'Test') } - let(:merge_request2) { create(:merge_request, :closed, author: user, assignee: user, source_project: private_project, title: 'Test') } - - before do - create_event(merge_request1) - end - - it 'avoids N+1 queries' do - control_count = ActiveRecord::QueryRecorder.new(skip_cached: false) do - get api("/projects/#{private_project.id}/events", user), params: { target_type: :merge_request } - end.count - - create_event(merge_request2) - - expect do - get api("/projects/#{private_project.id}/events", user), params: { target_type: :merge_request } - end.not_to exceed_all_query_limit(control_count) - - expect(response).to have_gitlab_http_status(200) - expect(response).to include_pagination_headers - expect(json_response.size).to eq(2) - expect(json_response.map { |r| r['target_id'] }).to match_array([merge_request1.id, merge_request2.id]) - end - - def create_event(target) - create(:event, project: private_project, author: user, target: target) - end - end - end end diff --git a/spec/requests/api/project_events_spec.rb b/spec/requests/api/project_events_spec.rb new file mode 100644 index 00000000000..43df9993eb9 --- /dev/null +++ b/spec/requests/api/project_events_spec.rb @@ -0,0 +1,156 @@ +require 'spec_helper' + +describe API::ProjectEvents do + include ApiHelpers + + let(:user) { create(:user) } + let(:non_member) { create(:user) } + let(:private_project) { create(:project, :private, creator_id: user.id, namespace: user.namespace) } + let(:closed_issue) { create(:closed_issue, project: private_project, author: user) } + let!(:closed_issue_event) { create(:event, project: private_project, author: user, target: closed_issue, action: Event::CLOSED, created_at: Date.new(2016, 12, 30)) } + + describe 'GET /projects/:id/events' do + context 'when unauthenticated ' do + it 'returns 404 for private project' do + get api("/projects/#{private_project.id}/events") + + expect(response).to have_gitlab_http_status(404) + end + + it 'returns 200 status for a public project' do + public_project = create(:project, :public) + + get api("/projects/#{public_project.id}/events") + + expect(response).to have_gitlab_http_status(200) + end + end + + context 'with inaccessible events' do + let(:public_project) { create(:project, :public, creator_id: user.id, namespace: user.namespace) } + let(:confidential_issue) { create(:closed_issue, confidential: true, project: public_project, author: user) } + let!(:confidential_event) { create(:event, project: public_project, author: user, target: confidential_issue, action: Event::CLOSED) } + let(:public_issue) { create(:closed_issue, project: public_project, author: user) } + let!(:public_event) { create(:event, project: public_project, author: user, target: public_issue, action: Event::CLOSED) } + + it 'returns only accessible events' do + get api("/projects/#{public_project.id}/events", non_member) + + expect(response).to have_gitlab_http_status(200) + expect(json_response.size).to eq(1) + end + + it 'returns all events when the user has access' do + get api("/projects/#{public_project.id}/events", user) + + expect(response).to have_gitlab_http_status(200) + expect(json_response.size).to eq(2) + end + end + + context 'pagination' do + let(:public_project) { create(:project, :public) } + + before do + create(:event, + project: public_project, + target: create(:issue, project: public_project, title: 'Issue 1'), + action: Event::CLOSED, + created_at: Date.parse('2018-12-10')) + create(:event, + project: public_project, + target: create(:issue, confidential: true, project: public_project, title: 'Confidential event'), + action: Event::CLOSED, + created_at: Date.parse('2018-12-11')) + create(:event, + project: public_project, + target: create(:issue, project: public_project, title: 'Issue 2'), + action: Event::CLOSED, + created_at: Date.parse('2018-12-12')) + end + + it 'correctly returns the second page without inaccessible events' do + get api("/projects/#{public_project.id}/events", user), params: { per_page: 2, page: 2 } + + titles = json_response.map { |event| event['target_title'] } + + expect(titles.first).to eq('Issue 1') + expect(titles).not_to include('Confidential event') + end + + it 'correctly returns the first page without inaccessible events' do + get api("/projects/#{public_project.id}/events", user), params: { per_page: 2, page: 1 } + + titles = json_response.map { |event| event['target_title'] } + + expect(titles.first).to eq('Issue 2') + expect(titles).not_to include('Confidential event') + end + end + + context 'when not permitted to read' do + it 'returns 404' do + get api("/projects/#{private_project.id}/events", non_member) + + expect(response).to have_gitlab_http_status(404) + end + end + + context 'when authenticated' do + it 'returns project events' do + get api("/projects/#{private_project.id}/events?action=closed&target_type=issue&after=2016-12-1&before=2016-12-31", user) + + expect(response).to have_gitlab_http_status(200) + expect(response).to include_pagination_headers + expect(json_response).to be_an Array + expect(json_response.size).to eq(1) + end + + it 'returns 404 if project does not exist' do + get api("/projects/1234/events", user) + + expect(response).to have_gitlab_http_status(404) + end + + context 'when the requesting token does not have "api" scope' do + let(:token) { create(:personal_access_token, scopes: ['read_user'], user: user) } + + it 'returns a "403" response' do + get api("/projects/#{private_project.id}/events", personal_access_token: token) + + expect(response).to have_gitlab_http_status(403) + end + end + end + + context 'when exists some events' do + let(:merge_request1) { create(:merge_request, :closed, author: user, assignees: [user], source_project: private_project, title: 'Test') } + let(:merge_request2) { create(:merge_request, :closed, author: user, assignees: [user], source_project: private_project, title: 'Test') } + + before do + create_event(merge_request1) + end + + it 'avoids N+1 queries' do + control_count = ActiveRecord::QueryRecorder.new(skip_cached: false) do + get api("/projects/#{private_project.id}/events", user), params: { target_type: :merge_request } + end.count + + create_event(merge_request2) + + expect do + get api("/projects/#{private_project.id}/events", user), params: { target_type: :merge_request } + end.not_to exceed_all_query_limit(control_count) + + expect(response).to have_gitlab_http_status(200) + expect(response).to include_pagination_headers + expect(json_response.size).to eq(2) + expect(json_response.map { |r| r['target_id'] }).to match_array([merge_request1.id, merge_request2.id]) + end + + def create_event(target) + create(:event, project: private_project, author: user, target: target) + end + end + end +end -- GitLab From 29305d10453b401c0a10fb1a719c7a9bf0223e14 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C5=82gorzata=20Ksionek?= Date: Thu, 25 Apr 2019 11:41:02 +0200 Subject: [PATCH 2/2] Fix specs --- spec/requests/api/project_events_spec.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/spec/requests/api/project_events_spec.rb b/spec/requests/api/project_events_spec.rb index 43df9993eb9..f5974ef9400 100644 --- a/spec/requests/api/project_events_spec.rb +++ b/spec/requests/api/project_events_spec.rb @@ -124,8 +124,8 @@ describe API::ProjectEvents do end context 'when exists some events' do - let(:merge_request1) { create(:merge_request, :closed, author: user, assignees: [user], source_project: private_project, title: 'Test') } - let(:merge_request2) { create(:merge_request, :closed, author: user, assignees: [user], source_project: private_project, title: 'Test') } + let(:merge_request1) { create(:merge_request, :closed, author: user, assignee: user, source_project: private_project, title: 'Test') } + let(:merge_request2) { create(:merge_request, :closed, author: user, assignee: user, source_project: private_project, title: 'Test') } before do create_event(merge_request1) -- GitLab