From ff27c151a0f283a0c6b4fee41482c265ba14fdea Mon Sep 17 00:00:00 2001
From: Pedro Pombeiro <noreply@pedro.pombei.ro>
Date: Wed, 23 Aug 2023 18:39:15 +0200
Subject: [PATCH] GraphQL: Mask CiJob.shortSha when non-authorized

Changelog: fixed
---
 app/graphql/types/ci/job_base_field.rb | 10 +++++++++-
 app/graphql/types/ci/job_type.rb | 3 ++-
 spec/graphql/types/ci/job_base_field_spec.rb | 5 ++---
 spec/requests/api/graphql/ci/runner_spec.rb | 2 +-
 4 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/app/graphql/types/ci/job_base_field.rb b/app/graphql/types/ci/job_base_field.rb
index f5bdd2260b55..979f17484946 100644
--- a/app/graphql/types/ci/job_base_field.rb
+++ b/app/graphql/types/ci/job_base_field.rb
@@ -7,7 +7,15 @@ module Ci
 # rubocop: disable Graphql/AuthorizeTypes
 class JobBaseField < ::Types::BaseField
 PUBLIC_FIELDS = %i[allow_failure duration id kind status created_at finished_at queued_at queued_duration
- updated_at runner short_sha].freeze
+ updated_at runner].freeze
+
+ attr_accessor :if_unauthorized
+
+ def initialize(**kwargs, &block)
+ @if_unauthorized = kwargs.delete(:if_unauthorized)
+
+ super
+ end
 
 def authorized?(object, args, ctx)
 current_user = ctx[:current_user]
diff --git a/app/graphql/types/ci/job_type.rb b/app/graphql/types/ci/job_type.rb
index 976103e1510a..490ab397d468 100644
--- a/app/graphql/types/ci/job_type.rb
+++ b/app/graphql/types/ci/job_type.rb
@@ -105,7 +105,8 @@ class JobType < BaseObject
 field :scheduling_type, GraphQL::Types::String, null: true,
 description: 'Type of job scheduling. Value is `dag` if the job uses the `needs` keyword, and `stage` otherwise.'
 field :short_sha, type: GraphQL::Types::String, null: false,
- description: 'Short SHA1 ID of the commit.'
+ description: 'Short SHA1 ID of the commit.',
+ if_unauthorized: 'Unauthorized'
 field :stuck, GraphQL::Types::Boolean, null: false, method: :stuck?,
 description: 'Indicates the job is stuck.'
 field :trace, Types::Ci::JobTraceType, null: true,
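Review bot: In app/graphql/types/ci/job_base_field.rb, `attr_accessor :if_unauthorized` also creates a public writer, although the value is assigned only once in `initialize`; since it appears to decide what a caller who fails `authorized?` gets back, `attr_reader :if_unauthorized` is the narrower interface. Nothing in this patch reads the option, so the code that substitutes it for the resolved value is presumably outside the diff, and fields declared without it will carry `nil` there. A comment above the reader such as `# Value returned in place of the field's result when the caller is not authorized (nil when not configured).` would record that contract. The class body and `authorized?` continue outside the hunk.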
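Review bot: In app/graphql/types/ci/job_type.rb, `short_sha` stays a `null: false` String and is now configured with the literal 'Unauthorized', so a masked value has the same type as a real short SHA and a client can tell them apart only by knowing the sentinel. The field description is what API consumers see, so it should say so, for example `description: 'Short SHA1 ID of the commit. Returns "Unauthorized" when the current user is not authorized to read the job.',`. The same literal is repeated in spec/requests/api/graphql/ci/runner_spec.rb; a named constant referenced from both places would keep the sentinel from drifting.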
diff --git a/spec/graphql/types/ci/job_base_field_spec.rb b/spec/graphql/types/ci/job_base_field_spec.rb
index e9b1407d249a..2d283ce854d7 100644
--- a/spec/graphql/types/ci/job_base_field_spec.rb
+++ b/spec/graphql/types/ci/job_base_field_spec.rb
@@ -22,8 +22,7 @@
 using RSpec::Parameterized::TableSyntax
 
 where(:current_field_name) do
- %i[allow_failure duration id kind status created_at finished_at queued_at queued_duration updated_at runner
- short_sha]
+ %i[allow_failure duration id kind status created_at finished_at queued_at queued_duration updated_at runner]
 end
 
 with_them do
@@ -34,7 +33,7 @@
 end
 
 context 'with private field' do
- let(:current_field_name) { 'private_field' }
+ let(:current_field_name) { 'short_sha' }
 
 context 'when permission is not allowed' do
 it 'returns false' do
diff --git a/spec/requests/api/graphql/ci/runner_spec.rb b/spec/requests/api/graphql/ci/runner_spec.rb
index 3d7020b03b73..388c284d83cf 100644
--- a/spec/requests/api/graphql/ci/runner_spec.rb
+++ b/spec/requests/api/graphql/ci/runner_spec.rb
@@ -411,7 +411,7 @@
 status: other_build.status.upcase,
 project: nil, tags: nil, web_path: nil,
 runner: a_graphql_entity_for(project_runner),
- short_sha: other_build.short_sha, finished_at: other_build.finished_at&.iso8601,
+ short_sha: 'Unauthorized', finished_at: other_build.finished_at&.iso8601,
 duration: a_value_within(0.001).of(other_build.duration),
 queued_duration: a_value_within(0.001).of((other_build.started_at - other_build.queued_at).to_f)),
 a_graphql_entity_for(owned_build,
-- 
GitLab
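Review bot: In spec/graphql/types/ci/job_base_field_spec.rb, the second hunk swaps the made-up name 'private_field' for 'short_sha', so the spec no longer shows that a field name absent from PUBLIC_FIELDS is denied by default, only that this one field is. Both cases can be kept by running the private-field examples under `with_them`, with `where(:current_field_name) { %w[private_field short_sha] }` in place of the `let`. Neither hunk in this file adds an example for the new `if_unauthorized` keyword, so nothing checks that the initializer removes it before `super` and that the reader returns it. The enclosing contexts start and end outside the hunk.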