Add basic runners management API

- add feature to list runners - add feature to show runners details - add feature to delete runner - add feature to update runner
author: Tomasz Maczukin <tomasz@maczukin.pl> 2016-01-26 19:03:38 +0300
committer: Tomasz Maczukin <tomasz@maczukin.pl> 2016-02-19 15:18:46 +0300
commit: 128be3c0103f601b2c80f3489646e57e202f6327 (patch)
tree: 293399797a6cb9cc5814eac25acd6e5d57c9f1ea
parent: e586858eb58cc628f700c4f0d6ae7b574def3be9 (diff)
5 files changed, 398 insertions, 0 deletions
diff --git a/app/models/ci/runner.rb b/app/models/ci/runner.rb
index 38b20cd7faa..1e914b44499 100644
--- a/app/models/ci/runner.rb
+++ b/app/models/ci/runner.rb
@@ -22,6 +22,7 @@ module Ci
     extend Ci::Model
 
     LAST_CONTACT_TIME = 5.minutes.ago
+    AVAILABLE_SCOPES = ['specific', 'shared', 'active', 'paused', 'online']
     
     has_many :builds, class_name: 'Ci::Build'
     has_many :runner_projects, dependent: :destroy, class_name: 'Ci::RunnerProject'
@@ -38,6 +39,11 @@ module Ci
     scope :online, ->() { where('contacted_at > ?', LAST_CONTACT_TIME) }
     scope :ordered, ->() { order(id: :desc) }
 
+    scope :owned_or_shared, ->(project_id) do
+      joins('LEFT JOIN ci_runner_projects ON ci_runner_projects.runner_id = ci_runners.id')
+        .where("ci_runner_projects.gl_project_id = #{project_id} OR ci_runners.is_shared = true")
+    end
+
     acts_as_taggable
 
     def self.search(query)
diff --git a/lib/api/api.rb b/lib/api/api.rb
index 7efe0a0262f..7d65145176b 100644
--- a/lib/api/api.rb
+++ b/lib/api/api.rb
@@ -56,5 +56,6 @@ module API
     mount Triggers
     mount Builds
     mount Variables
+    mount Runners
   end
 end
diff --git a/lib/api/entities.rb b/lib/api/entities.rb
index a9c09ffdb31..bdbf2cf5082 100644
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -377,6 +377,12 @@ module API
       expose :name
     end
 
+    class RunnerDetails < Runner
+      expose :tag_list
+      expose :version, :revision, :platform, :architecture
+      expose :contacted_at, as: :last_contact
+    end
+
     class Build < Grape::Entity
       expose :id, :status, :stage, :name, :ref, :tag, :coverage
       expose :created_at, :started_at, :finished_at
diff --git a/lib/api/runners.rb b/lib/api/runners.rb
new file mode 100644
index 00000000000..7d4ca3f1587
--- /dev/null
+++ b/lib/api/runners.rb
@@ -0,0 +1,107 @@
+module API
+  # Runners API
+  class Runners < Grape::API
+    before { authenticate! }
+
+    resource :runners do
+      # Get available shared runners
+      #
+      # Example Request:
+      #   GET /runners
+      get do
+        runners =
+          if current_user.is_admin?
+            Ci::Runner.all
+          else
+            current_user.ci_authorized_runners
+          end
+
+        runners = filter_runners(runners, params[:scope])
+        present paginate(runners), with: Entities::Runner
+      end
+
+      get ':id' do
+        runner = get_runner(params[:id])
+        can_show_runner?(runner) unless current_user.is_admin?
+
+        present runner, with: Entities::RunnerDetails
+      end
+
+      put ':id' do
+        runner = get_runner(params[:id])
+        can_update_runner?(runner) unless current_user.is_admin?
+
+        attrs = attributes_for_keys [:description, :active, :tag_list]
+        if runner.update(attrs)
+          present runner, with: Entities::RunnerDetails
+        else
+          render_validation_error!(runner)
+        end
+      end
+
+      delete ':id' do
+        runner = get_runner(params[:id])
+        can_delete_runner?(runner)
+        runner.destroy!
+
+        present runner, with: Entities::RunnerDetails
+      end
+    end
+
+    resource :projects do
+      before { authorize_admin_project }
+
+      # Get runners available for project
+      #
+      # Example Request:
+      #   GET /projects/:id/runners
+      get ':id/runners' do
+        runners = filter_runners(Ci::Runner.owned_or_shared(user_project.id), params[:scope])
+        present paginate(runners), with: Entities::Runner
+      end
+    end
+
+    helpers do
+      def filter_runners(runners, scope)
+        return runners unless scope.present?
+
+        available_scopes = ::Ci::Runner::AVAILABLE_SCOPES
+        unless (available_scopes && scope).empty?
+          runners.send(scope)
+        else
+          render_api_error!('Scope contains invalid value', 400)
+        end
+      end
+
+      def get_runner(id)
+        runner = Ci::Runner.find(id)
+        not_found!('Runner') unless runner
+        runner
+      end
+
+      def can_show_runner?(runner)
+        return true if runner.is_shared
+        forbidden!("Can't show runner's details - no access granted") unless user_can_access_runner?(runner)
+      end
+
+      def can_update_runner?(runner)
+        return true if current_user.is_admin?
+        forbidden!("Can't update shared runner") if runner.is_shared?
+        forbidden!("Can't update runner - no access granted") unless user_can_access_runner?(runner)
+      end
+
+      def can_delete_runner?(runner)
+        return true if current_user.is_admin?
+        forbidden!("Can't delete shared runner") if runner.is_shared?
+        forbidden!("Can't delete runner - associated with more than one project") if runner.projects.count > 1
+        forbidden!("Can't delete runner - no access granted") unless user_can_access_runner?(runner)
+      end
+
+      def user_can_access_runner?(runner)
+        runner.projects.inject(false) do |final, project|
+          final ||= abilities.allowed?(current_user, :admin_project, project)
+        end
+      end
+    end
+  end
+end
diff --git a/spec/requests/api/runners_spec.rb b/spec/requests/api/runners_spec.rb
new file mode 100644
index 00000000000..e5c837d051b
--- /dev/null
+++ b/spec/requests/api/runners_spec.rb
@@ -0,0 +1,278 @@
+require 'spec_helper'
+
+describe API::API, api: true  do
+  include ApiHelpers
+
+  let(:admin) { create(:user, :admin) }
+  let(:user) { create(:user) }
+  let(:user2) { create(:user) }
+  let!(:project) { create(:project, creator_id: user.id) }
+  let!(:project2) { create(:project, creator_id: user.id) }
+  let!(:master) { create(:project_member, user: user, project: project, access_level: ProjectMember::MASTER) }
+  let!(:developer) { create(:project_member, user: user2, project: project, access_level: ProjectMember::REPORTER) }
+  let!(:shared_runner) { create(:ci_shared_runner, tag_list: ['mysql', 'ruby'], active: true) }
+  let!(:specific_runner) { create(:ci_specific_runner, tag_list: ['mysql', 'ruby']) }
+  let!(:specific_runner_project) { create(:ci_runner_project, runner: specific_runner, project: project) }
+  let!(:specific_runner2) { create(:ci_specific_runner) }
+  let!(:specific_runner2_project) { create(:ci_runner_project, runner: specific_runner2, project: project2) }
+  let!(:unused_specific_runner) { create(:ci_specific_runner) }
+  let!(:two_projects_runner) { create(:ci_specific_runner) }
+  let!(:two_projects_runner_project) { create(:ci_runner_project, runner: two_projects_runner, project: project) }
+  let!(:two_projects_runner_project2) { create(:ci_runner_project, runner: two_projects_runner, project: project2) }
+
+  describe 'GET /runners' do
+    context 'authorized user with admin privileges' do
+      it 'should return all runners' do
+        get api('/runners', admin)
+        shared = false || json_response.map{ |r| r['is_shared'] }.inject{ |sum, shr| sum || shr}
+
+        expect(response.status).to eq(200)
+        expect(json_response).to be_an Array
+        expect(shared).to be_truthy
+      end
+
+      it 'should filter runners by scope' do
+        get api('/runners?scope=specific', admin)
+        shared = false || json_response.map{ |r| r['is_shared'] }.inject{ |sum, shr| sum || shr}
+
+        expect(response.status).to eq(200)
+        expect(json_response).to be_an Array
+        expect(shared).to be_falsey
+      end
+    end
+
+    context 'authorized user without admin privileges' do
+      it 'should return user available runners' do
+        get api('/runners', user)
+        shared = false || json_response.map{ |r| r['is_shared'] }.inject{ |sum, shr| sum || shr}
+
+        expect(response.status).to eq(200)
+        expect(json_response).to be_an Array
+        expect(shared).to be_falsey
+      end
+    end
+
+    context 'unauthorized user' do
+      it 'should not return runners' do
+        get api('/runners')
+
+        expect(response.status).to eq(401)
+      end
+    end
+  end
+
+  describe 'GET /runners/:id' do
+    context 'admin user' do
+      it "should return runner's details" do
+        get api("/runners/#{specific_runner.id}", admin)
+
+        expect(response.status).to eq(200)
+        expect(json_response['description']).to eq(specific_runner.description)
+      end
+
+      it "should return shared runner's details" do
+        get api("/runners/#{shared_runner.id}", admin)
+
+        expect(response.status).to eq(200)
+        expect(json_response['description']).to eq(shared_runner.description)
+      end
+
+      it 'should return 404 if runner does not exists' do
+        get api('/runners/9999', admin)
+
+        expect(response.status).to eq(404)
+      end
+    end
+
+    context "runner project's administrative user" do
+      it "should return runner's details" do
+        get api("/runners/#{specific_runner.id}", user)
+
+        expect(response.status).to eq(200)
+        expect(json_response['description']).to eq(specific_runner.description)
+      end
+
+      it "should return shared runner's details" do
+        get api("/runners/#{shared_runner.id}", user)
+
+        expect(response.status).to eq(200)
+        expect(json_response['description']).to eq(shared_runner.description)
+      end
+    end
+
+    context 'other authorized user' do
+      it "should not return runner's details" do
+        get api("/runners/#{specific_runner.id}", user2)
+
+        expect(response.status).to eq(403)
+      end
+    end
+
+    context 'unauthorized user' do
+      it "should not return runner's details" do
+        get api("/runners/#{specific_runner.id}")
+
+        expect(response.status).to eq(401)
+      end
+    end
+  end
+
+  describe 'PUT /runners/:id' do
+    context 'admin user' do
+      it 'should update shared runner' do
+        description = shared_runner.description
+        active = shared_runner.active
+        tag_list = shared_runner.tag_list
+        put api("/runners/#{shared_runner.id}", admin), description: "#{description}_updated", active: !active,
+                                                        tag_list: ['ruby2.1', 'pgsql', 'mysql']
+        shared_runner.reload
+
+        expect(response.status).to eq(200)
+        expect(shared_runner.description).not_to eq(description)
+        expect(shared_runner.active).not_to eq(active)
+        expect(shared_runner.tag_list).not_to eq(tag_list)
+      end
+
+      it 'should update specific runner' do
+        description = specific_runner.description
+        put api("/runners/#{specific_runner.id}", admin), description: 'test'
+        specific_runner.reload
+
+        expect(response.status).to eq(200)
+        expect(specific_runner.description).to eq('test')
+        expect(specific_runner.description).not_to eq(description)
+      end
+
+      it 'should return 404 if runner does not exists' do
+        put api('/runners/9999', admin), description: 'test'
+
+        expect(response.status).to eq(404)
+      end
+    end
+
+    context 'authorized user' do
+      it 'should not update shared runner' do
+        put api("/runners/#{shared_runner.id}", user), description: 'test'
+
+        expect(response.status).to eq(403)
+      end
+
+      it 'should not update specific runner without access to' do
+        put api("/runners/#{specific_runner.id}", user2), description: 'test'
+
+        expect(response.status).to eq(403)
+      end
+
+      it 'should update specific runner' do
+        description = specific_runner.description
+        put api("/runners/#{specific_runner.id}", admin), description: 'test'
+        specific_runner.reload
+
+        expect(response.status).to eq(200)
+        expect(specific_runner.description).to eq('test')
+        expect(specific_runner.description).not_to eq(description)
+      end
+
+    end
+
+    context 'unauthorized user' do
+      it 'should not delete runner' do
+        put api("/runners/#{specific_runner.id}"), description: 'test'
+
+        expect(response.status).to eq(401)
+      end
+    end
+  end
+
+  describe 'DELETE /runners/:id' do
+    context 'admin user' do
+      it 'should delete shared runner' do
+        expect do
+          delete api("/runners/#{shared_runner.id}", admin)
+        end.to change{ Ci::Runner.shared.count }.by(-1)
+        expect(response.status).to eq(200)
+      end
+
+      it 'should delete unused specific runner' do
+        expect do
+          delete api("/runners/#{unused_specific_runner.id}", admin)
+        end.to change{ Ci::Runner.specific.count }.by(-1)
+        expect(response.status).to eq(200)
+      end
+
+      it 'should delete used specific runner' do
+        expect do
+          delete api("/runners/#{specific_runner.id}", admin)
+        end.to change{ Ci::Runner.specific.count }.by(-1)
+        expect(response.status).to eq(200)
+      end
+
+      it 'should return 404 if runner does not exists' do
+        delete api('/runners/9999', admin)
+
+        expect(response.status).to eq(404)
+      end
+    end
+
+    context 'authorized user' do
+      it 'should not delete shared runner' do
+        delete api("/runners/#{shared_runner.id}", user)
+        expect(response.status).to eq(403)
+      end
+
+      it 'should not delete runner without access to' do
+        delete api("/runners/#{specific_runner.id}", user2)
+        expect(response.status).to eq(403)
+      end
+
+      it 'should not delete runner with more than one associated project' do
+        delete api("/runners/#{two_projects_runner.id}", user)
+        expect(response.status).to eq(403)
+      end
+
+      it 'should delete runner for one owned project' do
+        expect do
+          delete api("/runners/#{specific_runner.id}", user)
+        end.to change{ Ci::Runner.specific.count }.by(-1)
+        expect(response.status).to eq(200)
+      end
+    end
+
+    context 'unauthorized user' do
+      it 'should not delete runner' do
+        delete api("/runners/#{specific_runner.id}")
+
+        expect(response.status).to eq(401)
+      end
+    end
+  end
+
+  describe 'GET /projects/:id/runners' do
+    context 'authorized user with master privileges' do
+      it "should return project's runners" do
+        get api("/projects/#{project.id}/runners", user)
+        shared = false || json_response.map{ |r| r['is_shared'] }.inject{ |sum, shr| sum || shr}
+
+        expect(response.status).to eq(200)
+        expect(json_response).to be_an Array
+        expect(shared).to be_truthy
+      end
+    end
+
+    context 'authorized user without master privileges' do
+      it "should not return project's runners" do
+        get api("/projects/#{project.id}/runners", user2)
+
+        expect(response.status).to eq(403)
+      end
+    end
+
+    context 'unauthorized user' do
+      it "should not return project's runners" do
+        get api("/projects/#{project.id}/runners")
+
+        expect(response.status).to eq(401)
+      end
+    end
+  end
+end
author	Tomasz Maczukin <tomasz@maczukin.pl>	2016-01-26 19:03:38 +0300
committer	Tomasz Maczukin <tomasz@maczukin.pl>	2016-02-19 15:18:46 +0300
commit	128be3c0103f601b2c80f3489646e57e202f6327 (patch)
tree	293399797a6cb9cc5814eac25acd6e5d57c9f1ea
parent	e586858eb58cc628f700c4f0d6ae7b574def3be9 (diff)