Add latest changes from gitlab-org/gitlab@master

5 files changed, 162 insertions, 154 deletions

diff --git a/app/services/clusters/agents/authorizations/ci_access/filter_service.rb b/app/services/clusters/agents/authorizations/ci_access/filter_service.rb
new file mode 100644
index 00000000000..cd08aaa12d4
--- /dev/null
+++ b/app/services/clusters/agents/authorizations/ci_access/filter_service.rb
@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+module Clusters
+  module Agents
+    module Authorizations
+      module CiAccess
+        class FilterService
+          def initialize(authorizations, filter_params)
+            @authorizations = authorizations
+            @filter_params = filter_params
+
+            @environments_matcher = {}
+          end
+
+          def execute
+            filter_by_environment(authorizations)
+          end
+
+          private
+
+          attr_reader :authorizations, :filter_params
+
+          def filter_by_environment(auths)
+            return auths unless filter_by_environment?
+
+            auths.select do |auth|
+              next true if auth.config['environments'].blank?
+
+              auth.config['environments'].any? { |environment_pattern| matches_environment?(environment_pattern) }
+            end
+          end
+
+          def filter_by_environment?
+            filter_params.has_key?(:environment)
+          end
+
+          def environment_filter
+            @environment_filter ||= filter_params[:environment]
+          end
+
+          def matches_environment?(environment_pattern)
+            return false if environment_filter.nil?
+
+            environments_matcher(environment_pattern).match?(environment_filter)
+          end
+
+          def environments_matcher(environment_pattern)
+            @environments_matcher[environment_pattern] ||= ::Gitlab::Ci::EnvironmentMatcher.new(environment_pattern)
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/app/services/clusters/agents/authorizations/ci_access/refresh_service.rb b/app/services/clusters/agents/authorizations/ci_access/refresh_service.rb
new file mode 100644
index 00000000000..047a0725a2c
--- /dev/null
+++ b/app/services/clusters/agents/authorizations/ci_access/refresh_service.rb
@@ -0,0 +1,106 @@
+# frozen_string_literal: true
+
+module Clusters
+  module Agents
+    module Authorizations
+      module CiAccess
+        class RefreshService
+          include Gitlab::Utils::StrongMemoize
+
+          AUTHORIZED_ENTITY_LIMIT = 100
+
+          delegate :project, to: :agent, private: true
+          delegate :root_ancestor, to: :project, private: true
+
+          def initialize(agent, config:)
+            @agent = agent
+            @config = config
+          end
+
+          def execute
+            refresh_projects!
+            refresh_groups!
+
+            true
+          end
+
+          private
+
+          attr_reader :agent, :config
+
+          def refresh_projects!
+            if allowed_project_configurations.present?
+              project_ids = allowed_project_configurations.map { |config| config.fetch(:project_id) }
+
+              agent.with_lock do
+                agent.ci_access_project_authorizations.upsert_all(allowed_project_configurations, unique_by: [:agent_id, :project_id])
+                agent.ci_access_project_authorizations.where.not(project_id: project_ids).delete_all # rubocop: disable CodeReuse/ActiveRecord
+              end
+            else
+              agent.ci_access_project_authorizations.delete_all(:delete_all)
+            end
+          end
+
+          def refresh_groups!
+            if allowed_group_configurations.present?
+              group_ids = allowed_group_configurations.map { |config| config.fetch(:group_id) }
+
+              agent.with_lock do
+                agent.ci_access_group_authorizations.upsert_all(allowed_group_configurations, unique_by: [:agent_id, :group_id])
+                agent.ci_access_group_authorizations.where.not(group_id: group_ids).delete_all # rubocop: disable CodeReuse/ActiveRecord
+              end
+            else
+              agent.ci_access_group_authorizations.delete_all(:delete_all)
+            end
+          end
+
+          def allowed_project_configurations
+            strong_memoize(:allowed_project_configurations) do
+              project_entries = extract_config_entries(entity: 'projects')
+
+              if project_entries
+                allowed_projects.where_full_path_in(project_entries.keys).map do |project|
+                  { project_id: project.id, config: project_entries[project.full_path.downcase] }
+                end
+              end
+            end
+          end
+
+          def allowed_group_configurations
+            strong_memoize(:allowed_group_configurations) do
+              group_entries = extract_config_entries(entity: 'groups')
+
+              if group_entries
+                allowed_groups.where_full_path_in(group_entries.keys).map do |group|
+                  { group_id: group.id, config: group_entries[group.full_path.downcase] }
+                end
+              end
+            end
+          end
+
+          def extract_config_entries(entity:)
+            config.dig('ci_access', entity)
+              &.first(AUTHORIZED_ENTITY_LIMIT)
+              &.index_by { |config| config.delete('id').downcase }
+          end
+
+          def allowed_projects
+            root_ancestor.all_projects
+          end
+
+          def allowed_groups
+            if group_root_ancestor?
+              root_ancestor.self_and_descendants
+            else
+              ::Group.none
+            end
+          end
+
+          def group_root_ancestor?
+            root_ancestor.group_namespace?
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/app/services/clusters/agents/authorize_proxy_user_service.rb b/app/services/clusters/agents/authorize_proxy_user_service.rb
index ec6645b2db4..ba90d61a7ef 100644
--- a/app/services/clusters/agents/authorize_proxy_user_service.rb
+++ b/app/services/clusters/agents/authorize_proxy_user_service.rb
@@ -57,7 +57,7 @@ module Clusters
       def authorized_projects(user_access)
         strong_memoize_with(:authorized_projects, user_access) do
           user_access.fetch(:projects, [])
-            .first(::Clusters::Agents::RefreshAuthorizationService::AUTHORIZED_ENTITY_LIMIT)
+            .first(::Clusters::Agents::Authorizations::CiAccess::RefreshService::AUTHORIZED_ENTITY_LIMIT)
             .map { |project| ::Project.find_by_full_path(project[:id]) }
             .select { |project| current_user.can?(:use_k8s_proxies, project) }
         end
@@ -66,7 +66,7 @@ module Clusters
       def authorized_groups(user_access)
         strong_memoize_with(:authorized_groups, user_access) do
           user_access.fetch(:groups, [])
-            .first(::Clusters::Agents::RefreshAuthorizationService::AUTHORIZED_ENTITY_LIMIT)
+            .first(::Clusters::Agents::Authorizations::CiAccess::RefreshService::AUTHORIZED_ENTITY_LIMIT)
             .map { |group| ::Group.find_by_full_path(group[:id]) }
             .select { |group| current_user.can?(:use_k8s_proxies, group) }
         end
diff --git a/app/services/clusters/agents/filter_authorizations_service.rb b/app/services/clusters/agents/filter_authorizations_service.rb
deleted file mode 100644
index 68517ceec04..00000000000
--- a/app/services/clusters/agents/filter_authorizations_service.rb
+++ /dev/null
@@ -1,50 +0,0 @@
-# frozen_string_literal: true
-
-module Clusters
-  module Agents
-    class FilterAuthorizationsService
-      def initialize(authorizations, filter_params)
-        @authorizations = authorizations
-        @filter_params = filter_params
-
-        @environments_matcher = {}
-      end
-
-      def execute
-        filter_by_environment(authorizations)
-      end
-
-      private
-
-      attr_reader :authorizations, :filter_params
-
-      def filter_by_environment(auths)
-        return auths unless filter_by_environment?
-
-        auths.select do |auth|
-          next true if auth.config['environments'].blank?
-
-          auth.config['environments'].any? { |environment_pattern| matches_environment?(environment_pattern) }
-        end
-      end
-
-      def filter_by_environment?
-        filter_params.has_key?(:environment)
-      end
-
-      def environment_filter
-        @environment_filter ||= filter_params[:environment]
-      end
-
-      def matches_environment?(environment_pattern)
-        return false if environment_filter.nil?
-
-        environments_matcher(environment_pattern).match?(environment_filter)
-      end
-
-      def environments_matcher(environment_pattern)
-        @environments_matcher[environment_pattern] ||= ::Gitlab::Ci::EnvironmentMatcher.new(environment_pattern)
-      end
-    end
-  end
-end
diff --git a/app/services/clusters/agents/refresh_authorization_service.rb b/app/services/clusters/agents/refresh_authorization_service.rb
deleted file mode 100644
index 23ececef6a1..00000000000
--- a/app/services/clusters/agents/refresh_authorization_service.rb
+++ /dev/null
@@ -1,102 +0,0 @@
-# frozen_string_literal: true
-
-module Clusters
-  module Agents
-    class RefreshAuthorizationService
-      include Gitlab::Utils::StrongMemoize
-
-      AUTHORIZED_ENTITY_LIMIT = 100
-
-      delegate :project, to: :agent, private: true
-      delegate :root_ancestor, to: :project, private: true
-
-      def initialize(agent, config:)
-        @agent = agent
-        @config = config
-      end
-
-      def execute
-        refresh_projects!
-        refresh_groups!
-
-        true
-      end
-
-      private
-
-      attr_reader :agent, :config
-
-      def refresh_projects!
-        if allowed_project_configurations.present?
-          project_ids = allowed_project_configurations.map { |config| config.fetch(:project_id) }
-
-          agent.with_lock do
-            agent.project_authorizations.upsert_all(allowed_project_configurations, unique_by: [:agent_id, :project_id])
-            agent.project_authorizations.where.not(project_id: project_ids).delete_all # rubocop: disable CodeReuse/ActiveRecord
-          end
-        else
-          agent.project_authorizations.delete_all(:delete_all)
-        end
-      end
-
-      def refresh_groups!
-        if allowed_group_configurations.present?
-          group_ids = allowed_group_configurations.map { |config| config.fetch(:group_id) }
-
-          agent.with_lock do
-            agent.group_authorizations.upsert_all(allowed_group_configurations, unique_by: [:agent_id, :group_id])
-            agent.group_authorizations.where.not(group_id: group_ids).delete_all # rubocop: disable CodeReuse/ActiveRecord
-          end
-        else
-          agent.group_authorizations.delete_all(:delete_all)
-        end
-      end
-
-      def allowed_project_configurations
-        strong_memoize(:allowed_project_configurations) do
-          project_entries = extract_config_entries(entity: 'projects')
-
-          if project_entries
-            allowed_projects.where_full_path_in(project_entries.keys).map do |project|
-              { project_id: project.id, config: project_entries[project.full_path.downcase] }
-            end
-          end
-        end
-      end
-
-      def allowed_group_configurations
-        strong_memoize(:allowed_group_configurations) do
-          group_entries = extract_config_entries(entity: 'groups')
-
-          if group_entries
-            allowed_groups.where_full_path_in(group_entries.keys).map do |group|
-              { group_id: group.id, config: group_entries[group.full_path.downcase] }
-            end
-          end
-        end
-      end
-
-      def extract_config_entries(entity:)
-        config.dig('ci_access', entity)
-          &.first(AUTHORIZED_ENTITY_LIMIT)
-          &.index_by { |config| config.delete('id').downcase }
-      end
-
-      def allowed_projects
-        root_ancestor.all_projects
-      end
-
-      def allowed_groups
-        if group_root_ancestor?
-          root_ancestor.self_and_descendants
-        else
-          ::Group.none
-        end
-      end
-
-      def group_root_ancestor?
-        root_ancestor.group_namespace?
-      end
-    end
-  end
-end