diff options
Diffstat (limited to 'app/services/ci')
-rw-r--r-- | app/services/ci/create_pipeline_service.rb | 81 | ||||
-rw-r--r-- | app/services/ci/create_trigger_request_service.rb | 13 | ||||
-rw-r--r-- | app/services/ci/pipeline_trigger_service.rb | 44 |
3 files changed, 118 insertions, 20 deletions
diff --git a/app/services/ci/create_pipeline_service.rb b/app/services/ci/create_pipeline_service.rb index 273386776fa..884b681ff81 100644 --- a/app/services/ci/create_pipeline_service.rb +++ b/app/services/ci/create_pipeline_service.rb @@ -15,12 +15,48 @@ module Ci pipeline_schedule: schedule ) + result = validate(current_user || trigger_request.trigger.owner, + ignore_skip_ci: ignore_skip_ci, + save_on_errors: save_on_errors) + + return result if result + + begin + Ci::Pipeline.transaction do + pipeline.save! + + yield(pipeline) if block_given? + + Ci::CreatePipelineStagesService + .new(project, current_user) + .execute(pipeline) + end + rescue ActiveRecord::RecordInvalid => e + return error("Failed to persist the pipeline: #{e}") + end + + update_merge_requests_head_pipeline + + cancel_pending_pipelines if project.auto_cancel_pending_pipelines? + + pipeline_created_counter.increment(source: source) + + pipeline.tap(&:process!) + end + + private + + def validate(triggering_user, ignore_skip_ci:, save_on_errors:) unless project.builds_enabled? return error('Pipeline is disabled') end - unless trigger_request || can?(current_user, :create_pipeline, project) - return error('Insufficient permissions to create a new pipeline') + unless allowed_to_trigger_pipeline?(triggering_user) + if can?(triggering_user, :create_pipeline, project) + return error("Insufficient permissions for protected ref '#{ref}'") + else + return error('Insufficient permissions to create a new pipeline') + end end unless branch? || tag? @@ -46,24 +82,29 @@ module Ci unless pipeline.has_stage_seeds? return error('No stages / jobs for this pipeline.') end + end - Ci::Pipeline.transaction do - update_merge_requests_head_pipeline if pipeline.save - - Ci::CreatePipelineStagesService - .new(project, current_user) - .execute(pipeline) + def allowed_to_trigger_pipeline?(triggering_user) + if triggering_user + allowed_to_create?(triggering_user) + else # legacy triggers don't have a corresponding user + !project.protected_for?(ref) end + end - cancel_pending_pipelines if project.auto_cancel_pending_pipelines? + def allowed_to_create?(triggering_user) + access = Gitlab::UserAccess.new(triggering_user, project: project) - pipeline_created_counter.increment(source: source) - - pipeline.tap(&:process!) + can?(triggering_user, :create_pipeline, project) && + if branch? + access.can_update_branch?(ref) + elsif tag? + access.can_create_tag?(ref) + else + true # Allow it for now and we'll reject when we check ref existence + end end - private - def update_merge_requests_head_pipeline return unless pipeline.latest? @@ -113,15 +154,21 @@ module Ci end def branch? - project.repository.ref_exists?(Gitlab::Git::BRANCH_REF_PREFIX + ref) + return @is_branch if defined?(@is_branch) + + @is_branch = + project.repository.ref_exists?(Gitlab::Git::BRANCH_REF_PREFIX + ref) end def tag? - project.repository.ref_exists?(Gitlab::Git::TAG_REF_PREFIX + ref) + return @is_tag if defined?(@is_tag) + + @is_tag = + project.repository.ref_exists?(Gitlab::Git::TAG_REF_PREFIX + ref) end def ref - Gitlab::Git.ref_name(origin_ref) + @ref ||= Gitlab::Git.ref_name(origin_ref) end def valid_sha? diff --git a/app/services/ci/create_trigger_request_service.rb b/app/services/ci/create_trigger_request_service.rb index cf3d4aee2bc..b2aa457bbd5 100644 --- a/app/services/ci/create_trigger_request_service.rb +++ b/app/services/ci/create_trigger_request_service.rb @@ -1,12 +1,19 @@ +# This class is deprecated because we're closing Ci::TriggerRequest. +# New class is PipelineTriggerService (app/services/ci/pipeline_trigger_service.rb) +# which is integrated with Ci::PipelineVariable instaed of Ci::TriggerRequest. +# We remove this class after we removed v1 and v3 API. This class is still being +# referred by such legacy code. module Ci - class CreateTriggerRequestService - def execute(project, trigger, ref, variables = nil) + module CreateTriggerRequestService + Result = Struct.new(:trigger_request, :pipeline) + + def self.execute(project, trigger, ref, variables = nil) trigger_request = trigger.trigger_requests.create(variables: variables) pipeline = Ci::CreatePipelineService.new(project, trigger.owner, ref: ref) .execute(:trigger, ignore_skip_ci: true, trigger_request: trigger_request) - trigger_request if pipeline.persisted? + Result.new(trigger_request, pipeline) end end end diff --git a/app/services/ci/pipeline_trigger_service.rb b/app/services/ci/pipeline_trigger_service.rb new file mode 100644 index 00000000000..1e5ad28ba57 --- /dev/null +++ b/app/services/ci/pipeline_trigger_service.rb @@ -0,0 +1,44 @@ +module Ci + class PipelineTriggerService < BaseService + def execute + if trigger_from_token + create_pipeline_from_trigger(trigger_from_token) + end + end + + private + + def create_pipeline_from_trigger(trigger) + # this check is to not leak the presence of the project if user cannot read it + return unless trigger.project == project + + pipeline = Ci::CreatePipelineService.new(project, trigger.owner, ref: params[:ref]) + .execute(:trigger, ignore_skip_ci: true) do |pipeline| + trigger.trigger_requests.create!(pipeline: pipeline) + create_pipeline_variables!(pipeline) + end + + if pipeline.persisted? + success(pipeline: pipeline) + else + error(pipeline.errors.messages, 400) + end + end + + def trigger_from_token + return @trigger if defined?(@trigger) + + @trigger = Ci::Trigger.find_by_token(params[:token].to_s) + end + + def create_pipeline_variables!(pipeline) + return unless params[:variables] + + variables = params[:variables].map do |key, value| + { key: key, value: value } + end + + pipeline.variables.create!(variables) + end + end +end |