From a95a8847071680f16dbd7c0c0511f6492d00fc45 Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Mon, 23 Aug 2021 09:10:23 +0000
Subject: Add latest changes from gitlab-org/gitlab@master

---
 .../agents/refresh_authorization_service.rb        | 59 ++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 app/services/clusters/agents/refresh_authorization_service.rb

(limited to 'app/services/clusters/agents')

diff --git a/app/services/clusters/agents/refresh_authorization_service.rb b/app/services/clusters/agents/refresh_authorization_service.rb
new file mode 100644
index 00000000000..0da012da861
--- /dev/null
+++ b/app/services/clusters/agents/refresh_authorization_service.rb
@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+module Clusters
+  module Agents
+    class RefreshAuthorizationService
+      include Gitlab::Utils::StrongMemoize
+
+      AUTHORIZED_GROUP_LIMIT = 100
+
+      delegate :project, to: :agent, private: true
+
+      def initialize(agent, config:)
+        @agent = agent
+        @config = config
+      end
+
+      def execute
+        if allowed_group_configurations.present?
+          group_ids = allowed_group_configurations.map { |config| config.fetch(:group_id) }
+
+          agent.with_lock do
+            agent.group_authorizations.upsert_all(allowed_group_configurations, unique_by: [:agent_id, :group_id])
+            agent.group_authorizations.where.not(group_id: group_ids).delete_all # rubocop: disable CodeReuse/ActiveRecord
+          end
+        else
+          agent.group_authorizations.delete_all(:delete_all)
+        end
+
+        true
+      end
+
+      private
+
+      attr_reader :agent, :config
+
+      def allowed_group_configurations
+        strong_memoize(:allowed_group_configurations) do
+          group_entries = config.dig('ci_access', 'groups')&.first(AUTHORIZED_GROUP_LIMIT)
+
+          if group_entries
+            groups_by_path = group_entries.index_by { |config| config.delete('id') }
+
+            allowed_groups.where_full_path_in(groups_by_path.keys).map do |group|
+              { group_id: group.id, config: groups_by_path[group.full_path] }
+            end
+          end
+        end
+      end
+
+      def allowed_groups
+        if project.root_ancestor.group?
+          project.root_ancestor.self_and_descendants
+        else
+          ::Group.none
+        end
+      end
+    end
+  end
+end
-- 
cgit v1.2.3