From 73d9f3809ed46fdbca09d356519626c0672ea969 Mon Sep 17 00:00:00 2001
From: Piers Harding
Date: Fri, 26 Mar 2021 04:48:20 +1300
Subject: [PATCH] Panic with GitLab project repository auth (#1113)

* panic with GitLab project repository auth
* /api/v4/projects/:id can return nil permissions
Signed-off-by: Piers Harding
* Add GitLab test for group no access
Signed-off-by: Piers Harding
---
 providers/gitlab.go | 7 ++++++-
 providers/gitlab_test.go | 24 ++++++++++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/providers/gitlab.go b/providers/gitlab.go
index f54430fc..eb7c2ffa 100644
--- a/providers/gitlab.go
+++ b/providers/gitlab.go
@@ -329,9 +329,14 @@ func (p *GitLabProvider) addProjectsToSession(ctx context.Context, s *sessions.S
 if perms == nil {
 // use group project access as fallback
 perms = projectInfo.Permissions.GroupAccess
+ // group project access is not set for this user then we give up
+ if perms == nil {
+ logger.Errorf("Warning: user %q has no project level access to %s", s.Email, project.Name)
+ continue
+ }
 }
 
- if perms.AccessLevel >= project.AccessLevel {
+ if perms != nil && perms.AccessLevel >= project.AccessLevel {
 s.Groups = append(s.Groups, fmt.Sprintf("project:%s", project.Name))
 } else {
 logger.Errorf("Warning: user %q does not have the minimum required access level for project %q", s.Email, project.Name)
diff --git a/providers/gitlab_test.go b/providers/gitlab_test.go
index 62f0a70a..3a903d02 100644
--- a/providers/gitlab_test.go
+++ b/providers/gitlab_test.go
@@ -41,6 +41,7 @@ func testGitLabBackend() *httptest.Server {
 "groups": ["foo", "bar"]
 }
 `
+
 projectInfo := `
 {
 "name": "MyProject",
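Review bot: The `perms != nil &&` added to the access-level comparison in the providers/gitlab.go hunk can never be false once the new `continue` above it runs, because every path that reaches the comparison now has a non-nil perms; leaving both guards in place makes a reader wonder whether perms can still be nil at that point. Dropping the redundant condition, `if perms.AccessLevel >= project.AccessLevel {`, keeps the fail-closed behaviour (a user with neither project nor group access simply does not receive the project group) while making the control flow honest. The new log line formats project.Name with `%s` whereas the existing message two lines below uses `%q`; `logger.Errorf("Warning: user %q has no project level access to %q", s.Email, project.Name)` keeps the two messages consistent and quotes the API-supplied name. The comment reads better as `// group project access is not set for this user either, so give up`. addProjectsToSession starts and ends outside the hunk.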
@@ -56,6 +57,18 @@ func testGitLabBackend() *httptest.Server {
 }
 `
 
+ noAccessProjectInfo := `
+ {
+ "name": "NoAccessProject",
+ "archived": false,
+ "path_with_namespace": "no_access_group/no_access_project",
+ "permissions": {
+ "project_access": null,
+ "group_access": null,
+ }
+ }
+ `
+
 personalProjectInfo := `
 {
 "name": "MyPersonalProject",
@@ -105,6 +118,13 @@ func testGitLabBackend() *httptest.Server {
 } else {
 w.WriteHeader(401)
 }
+ case "/api/v4/projects/no_access_group/no_access_project":
+ if r.Header["Authorization"][0] == authHeader {
+ w.WriteHeader(200)
+ w.Write([]byte(noAccessProjectInfo))
+ } else {
+ w.WriteHeader(401)
+ }
 case "/api/v4/projects/my_group/my_archived_project":
 if r.Header["Authorization"][0] == authHeader {
 w.WriteHeader(200)
@@ -219,6 +239,10 @@ var _ = Describe("Gitlab Provider Tests", func() {
 expectedValue: nil,
 projects: []string{"my_group/my_project=40"},
 }),
+ Entry("project membership invalid on group project, no access at all", entitiesTableInput{
+ expectedValue: nil,
+ projects: []string{"no_access_group/no_access_project=30"},
+ }),
 Entry("project membership valid on personnal project", entitiesTableInput{
 expectedValue: []string{"project:my_profile/my_personal_project"},
 projects: []string{"my_profile/my_personal_project"},
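Review bot: The noAccessProjectInfo fixture in the @@ -56 hunk is not valid JSON: `"group_access": null,` leaves a trailing comma before the closing brace of the "permissions" object. If the provider decodes this body with encoding/json (the decoding code is outside the hunk, so this is inferred), the decode fails and the new table entry in the @@ -219 hunk passes with expectedValue nil because of the parse error rather than because the nil-permissions branch that this commit adds to addProjectsToSession is exercised. Dropping the comma, `"group_access": null`, makes the test actually cover the path being fixed. The new case in the @@ -105 hunk indexes `r.Header["Authorization"][0]` like its neighbours, so a request without that header would panic the test server; that is pre-existing style in this switch rather than something this change introduces.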