From bfa63107458b10cceb14cf96a3dc82dc7994ec55 Mon Sep 17 00:00:00 2001 From: Thong Kuah Date: Mon, 23 Nov 2020 17:13:32 +1300 Subject: [PATCH] Authorize the project if it's the agent's project This allows for private projects for agents, but only for the same project case. --- app/models/clusters/agent.rb | 4 ++++ .../unreleased/authorize_same_project_agent.yml | 5 +++++ doc/user/clusters/agent/index.md | 9 ++++++--- lib/api/internal/kubernetes.rb | 4 +--- spec/models/clusters/agent_spec.rb | 12 ++++++++++++ spec/requests/api/internal/kubernetes_spec.rb | 14 +++++++++++--- 6 files changed, 39 insertions(+), 9 deletions(-) create mode 100644 changelogs/unreleased/authorize_same_project_agent.yml diff --git a/app/models/clusters/agent.rb b/app/models/clusters/agent.rb index 5feb3b0a1e6071..c58a3bab1a9468 100644 --- a/app/models/clusters/agent.rb +++ b/app/models/clusters/agent.rb @@ -19,5 +19,9 @@ class Agent < ApplicationRecord with: Gitlab::Regex.cluster_agent_name_regex, message: Gitlab::Regex.cluster_agent_name_regex_message } + + def has_access_to?(requested_project) + requested_project == project + end end end diff --git a/changelogs/unreleased/authorize_same_project_agent.yml b/changelogs/unreleased/authorize_same_project_agent.yml new file mode 100644 index 00000000000000..bb2b4f05c791a0 --- /dev/null +++ b/changelogs/unreleased/authorize_same_project_agent.yml @@ -0,0 +1,5 @@ +--- +title: Authorize the project for the cluster agent if it is the agent's project +merge_request: 48314 +author: +type: changed diff --git a/doc/user/clusters/agent/index.md b/doc/user/clusters/agent/index.md index 321de69fabe40c..d564a343a19b37 100644 --- a/doc/user/clusters/agent/index.md +++ b/doc/user/clusters/agent/index.md 
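Review bot: `has_access_to?` is the only authorization decision for private manifest projects, yet it carries no comment saying so; a reader of `Clusters::Agent` cannot tell that a `true` here lets the agent's token pass the `download_code` gate on a private project in `lib/api/internal/kubernetes.rb`. I would put `# Authorization hook for the internal Kubernetes API: an agent may read its own (configuration) project; every other private project is denied.` above the method. The comparison relies on ActiveRecord's `==` (object identity, or same class and persisted id), so a `nil` argument — which the API caller may presumably pass when its project lookup finds nothing — yields `false` as intended. The enclosing `Clusters::Agent` class starts outside the hunk.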
@@ -378,9 +378,12 @@ subjects: In a previous step, you configured a `config.yaml` to point to the GitLab projects the Agent should synchronize. In each of those projects, you must create a `manifest.yaml` file for the Agent to monitor. You can auto-generate this `manifest.yaml` with a -templating engine or other means. Only public projects are supported as -manifest projects. Support for private projects is planned in the issue -[Agent authorization for private manifest projects](https://gitlab.com/gitlab-org/gitlab/-/issues/220912). +templating engine or other means. + +The agent is authorized to download manifests for the configuration +project, and public projects. Support for other private projects is +planned in the issue [Agent authorization for private manifest +projects](https://gitlab.com/gitlab-org/gitlab/-/issues/220912). Each time you commit and push a change to this file, the Agent logs the change: diff --git a/lib/api/internal/kubernetes.rb b/lib/api/internal/kubernetes.rb index d4690709de4145..67c6510bf664e9 100644 --- a/lib/api/internal/kubernetes.rb +++ b/lib/api/internal/kubernetes.rb @@ -85,9 +85,7 @@ def check_agent_token get '/project_info' do project = find_project(params[:id]) - # TODO sort out authorization for real - # https://gitlab.com/gitlab-org/gitlab/-/issues/220912 - unless Ability.allowed?(nil, :download_code, project) + unless Guest.can?(:download_code, project) || agent.has_access_to?(project) not_found! end diff --git a/spec/models/clusters/agent_spec.rb b/spec/models/clusters/agent_spec.rb index 148bb3cf8705d3..49f41570717aba 100644 --- a/spec/models/clusters/agent_spec.rb +++ b/spec/models/clusters/agent_spec.rb 
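Review bot: The new condition drops the comment that pointed at the tracking issue, so `unless Guest.can?(:download_code, project) || agent.has_access_to?(project)` no longer says why a private project other than the agent's own is rejected, while doc/user/clusters/agent/index.md in this same patch still describes that as planned work. I would keep a one-line pointer above it: `# Anonymous-readable projects, or the agent's own project; broader private-project authorization is tracked in https://gitlab.com/gitlab-org/gitlab/-/issues/220912`. The check still answers `not_found!` for a token whose agent is unrelated to the project, which seems the right failure mode for an internal endpoint because it does not disclose whether the project exists. Where `agent` comes from is not visible in the hunk (presumably the authenticated token's agent via a helper), and the `get '/project_info'` block continues past the hunk.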
@@ -57,4 +57,16 @@ end end end + + describe '#has_access_to?' do + let(:agent) { build(:cluster_agent) } + + it 'has access to own project' do + expect(agent.has_access_to?(agent.project)).to be_truthy + end + + it 'does not have access to other projects' do + expect(agent.has_access_to?(create(:project))).to be_falsey + end + end end diff --git a/spec/requests/api/internal/kubernetes_spec.rb b/spec/requests/api/internal/kubernetes_spec.rb index a532b8e59f28d5..b082dc400c064c 100644 --- a/spec/requests/api/internal/kubernetes_spec.rb +++ b/spec/requests/api/internal/kubernetes_spec.rb @@ -137,9 +137,7 @@ def send_request(headers: {}, params: {}) include_examples 'agent authentication' context 'an agent is found' do - let!(:agent_token) { create(:cluster_agent_token) } - - let(:agent) { agent_token.agent } + let_it_be(:agent_token) { create(:cluster_agent_token) } context 'project is public' do let(:project) { create(:project, :public) } @@ -186,6 +184,16 @@ def send_request(headers: {}, params: {}) expect(response).to have_gitlab_http_status(:not_found) end + + context 'and agent belongs to project' do + let(:agent_token) { create(:cluster_agent_token, agent: create(:cluster_agent, project: project)) } + + it 'returns 200' do + send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" }) + + expect(response).to have_gitlab_http_status(:success) + end + end end context 'project is internal' do -- GitLab
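Review bot: The two new examples assert `be_truthy`/`be_falsey`, but `has_access_to?` returns the strict boolean from `==`, so `be(true)` and `be(false)` would pin the contract the API relies on without loosening it. The argument the API caller may pass on a lookup miss — `nil` — is not covered; `it 'does not have access when no project is given' do expect(agent.has_access_to?(nil)).to be(false) end` would cover it cheaply. The enclosing `RSpec.describe` block starts outside the hunk.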
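Review bot: The new `context 'and agent belongs to project'` sits, judging by the `:not_found` expectation just above it, inside the private-project context, and the `context 'project is internal' do` that follows gets no equivalent example, so the own-project grant is verified for one visibility only. I would add the same nested context under the internal-project branch so the `agent.has_access_to?` path is exercised there as well. The example also asserts only `:success`; if the surrounding examples already assert on the body, checking that the response describes `project` rather than the agent's default project would guard against the lookup returning the wrong record. The `send_request` helper and the outer contexts begin outside the hunk.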