Add latest changes from gitlab-org/gitlab@master

2022-11-01 22:00:04 +00:00 · 2022-11-01 22:00:04 +00:00 · f3bcf3c911
parent 42b409c72f
commit f3bcf3c911
5 changed files with 64 additions and 3 deletions
--- a/doc/administration/geo/replication/configuration.md
+++ b/doc/administration/geo/replication/configuration.md
@ -12,7 +12,7 @@ type: howto
 NOTE:
 This is the final step in setting up a **secondary** Geo site. Stages of the
 setup process must be completed in the documented order.
-If not, [complete all prior stages](../setup/index.md#using-omnibus-gitlab) before procceed.
+If not, [complete all prior stages](../setup/index.md#using-omnibus-gitlab) before proceeding.

 Make sure you [set up the database replication](../setup/database.md), and [configured fast lookup of authorized SSH keys](../../operations/fast_ssh_key_lookup.md) in **both primary and secondary sites**.

--- a/lib/api/import_github.rb
+++ b/lib/api/import_github.rb
@ -2,6 +2,8 @@

 module API
  class ImportGithub < ::API::Base
+    before { authenticate! }
+
    feature_category :importers
    urgency :low

--- a/lib/api/resource_access_tokens.rb
+++ b/lib/api/resource_access_tokens.rb
@ -4,6 +4,8 @@ module API
  class ResourceAccessTokens < ::API::Base
    include PaginationParams

+    ALLOWED_RESOURCE_ACCESS_LEVELS = Gitlab::Access.options_with_owner.freeze
+
    before { authenticate! }

    feature_category :authentication_and_authorization
@ -79,8 +81,8 @@ module API
        params do
          requires :id, type: String, desc: "The #{source_type} ID"
          requires :name, type: String, desc: "Resource access token name"
-          requires :scopes, type: Array[String], desc: "The permissions of the token"
-          optional :access_level, type: Integer, desc: "The access level of the token in the #{source_type}"
+          requires :scopes, type: Array[String], values: ::Gitlab::Auth.resource_bot_scopes.map(&:to_s), desc: "The permissions of the token"
+          optional :access_level, type: Integer, values: ALLOWED_RESOURCE_ACCESS_LEVELS.values, default: Gitlab::Access::MAINTAINER, desc: "The access level of the token in the #{source_type}"
          optional :expires_at, type: Date, desc: "The expiration date of the token"
        end
        post ':id/access_tokens' do
--- a/spec/requests/api/import_github_spec.rb
+++ b/spec/requests/api/import_github_spec.rb
@ -89,6 +89,18 @@ RSpec.describe API::ImportGithub do

      expect(response).to have_gitlab_http_status(:unprocessable_entity)
    end
+
+    context 'when unauthenticated user' do
+      it 'returns 403 response' do
+        post api("/import/github"), params: {
+          target_namespace: user.namespace_path,
+          personal_access_token: token,
+          repo_id: non_existing_record_id
+        }
+
+        expect(response).to have_gitlab_http_status(:unauthorized)
+      end
+    end
  end

  describe "POST /import/github/cancel" do
@ -127,5 +139,15 @@ RSpec.describe API::ImportGithub do
        expect(json_response['message']).to eq('The import cannot be canceled because it is finished')
      end
    end
+
+    context 'when unauthenticated user' do
+      it 'returns 403 response' do
+        post api("/import/github/cancel"), params: {
+          project_id: project.id
+        }
+
+        expect(response).to have_gitlab_http_status(:unauthorized)
+      end
+    end
  end
 end
--- a/spec/requests/api/resource_access_tokens_spec.rb
+++ b/spec/requests/api/resource_access_tokens_spec.rb
@ -416,6 +416,41 @@ RSpec.describe API::ResourceAccessTokens do
              expect(response.body).to include("scopes is missing")
            end
          end
+
+          context "when using invalid 'scopes'" do
+            let_it_be(:params) do
+              {
+                name: "test",
+                scopes: ["test"],
+                expires_at: 5.days.from_now
+              }
+            end
+
+            it "does not create a #{source_type} access token with invalid 'scopes'", :aggregate_failures do
+              create_token
+
+              expect(response).to have_gitlab_http_status(:bad_request)
+              expect(response.body).to include("scopes does not have a valid value")
+            end
+          end
+
+          context "when using invalid 'access_level'" do
+            let_it_be(:params) do
+              {
+                name: "test",
+                scopes: ["api"],
+                expires_at: 5.days.from_now,
+                access_level: Gitlab::Access::NO_ACCESS
+              }
+            end
+
+            it "does not create a #{source_type} access token with invalid 'access_level'", :aggregate_failures do
+              create_token
+
+              expect(response).to have_gitlab_http_status(:bad_request)
+              expect(response.body).to include("access_level does not have a valid value")
+            end
+          end
        end

        context "when trying to create a token in a different #{source_type}" do