From 874ead9c3a50de4c4ca4551eaf5b7eb976d26b50 Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Tue, 14 Apr 2020 15:09:44 +0000 Subject: Add latest changes from gitlab-org/gitlab@master --- app/services/clusters/create_service.rb | 7 +++ ...idate_management_project_permissions_service.rb | 54 ++++++++++++++++++++++ app/services/clusters/update_service.rb | 41 +--------------- app/services/environments/auto_stop_service.rb | 2 +- app/services/notification_service.rb | 6 +++ .../obtain_lets_encrypt_certificate_service.rb | 2 + 6 files changed, 72 insertions(+), 40 deletions(-) create mode 100644 app/services/clusters/management/validate_management_project_permissions_service.rb (limited to 'app/services') diff --git a/app/services/clusters/create_service.rb b/app/services/clusters/create_service.rb index 5c26c611e00..7b5bf6b32c2 100644 --- a/app/services/clusters/create_service.rb +++ b/app/services/clusters/create_service.rb @@ -23,6 +23,8 @@ module Clusters cluster.errors.add(:base, _('Instance does not support multiple Kubernetes clusters')) end + validate_management_project_permissions(cluster) + return cluster if cluster.errors.present? cluster.tap do |cluster| @@ -57,6 +59,11 @@ module Clusters def can_create_cluster? clusterable.clusters.empty? end + + def validate_management_project_permissions(cluster) + Clusters::Management::ValidateManagementProjectPermissionsService.new(current_user) + .execute(cluster, params[:management_project_id]) + end end end diff --git a/app/services/clusters/management/validate_management_project_permissions_service.rb b/app/services/clusters/management/validate_management_project_permissions_service.rb new file mode 100644 index 00000000000..e89a0afe6d2 --- /dev/null +++ b/app/services/clusters/management/validate_management_project_permissions_service.rb 
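Review bot: In create_service.rb the call `validate_management_project_permissions(cluster)` in `execute` discards the service's boolean result. The create path is stopped only because the service adds to `cluster.errors` and the next statement is `return cluster if cluster.errors.present?`. That coupling would silently stop enforcing the permission check if the service ever returned false without adding an error, so I would document it above the call: `# Adds to cluster.errors when current_user may not use params[:management_project_id]; the guard below relies on that`. The helper added in the second hunk is the same call site, and `execute` starts and ends outside the first hunk.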
@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+module Clusters
+ module Management
+ class ValidateManagementProjectPermissionsService
+ attr_reader :current_user
+
+ def initialize(user = nil)
+ @current_user = user
+ end
+
+ def execute(cluster, management_project_id)
+ if management_project_id.present?
+ management_project = management_project_scope(cluster).find_by_id(management_project_id)
+
+ unless management_project && can_admin_pipeline_for_project?(management_project)
+ cluster.errors.add(:management_project_id, _('Project does not exist or you don\'t have permission to perform this action'))
+
+ return false
+ end
+ end
+
+ true
+ end
+
+ private
+
+ def can_admin_pipeline_for_project?(project)
+ Ability.allowed?(current_user, :admin_pipeline, project)
+ end
+
+ def management_project_scope(cluster)
+ return ::Project.all if cluster.instance_type?
+
+ group =
+ if cluster.group_type?
+ cluster.first_group
+ elsif cluster.project_type?
+ cluster.first_project&.namespace
+ end
+
+ # Prevent users from selecting nested projects until
+ # https://gitlab.com/gitlab-org/gitlab/issues/34650 is resolved
+ include_subgroups = cluster.group_type?
+
+ ::GroupProjectsFinder.new(
+ group: group,
+ current_user: current_user,
+ options: { only_owned: true, include_subgroups: include_subgroups }
+ ).execute
+ end
+ end
+ end
+end
diff --git a/app/services/clusters/update_service.rb b/app/services/clusters/update_service.rb
index 8cb77040b14..2315df612a1 100644
--- a/app/services/clusters/update_service.rb
+++ b/app/services/clusters/update_service.rb
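Review bot: In validate_management_project_permissions_service.rb, merging the two checks into `unless management_project && can_admin_pipeline_for_project?(management_project)` dropped the comment from update_service.rb explaining why "not found" and "not permitted" share one message. That shared message is what keeps a caller from learning whether a given project id exists, so I would keep `# Same message for not found and not permitted, to prevent enumeration` above the `cluster.errors.add` line in `execute`. Separately, `management_project_scope` hands `group: nil` to `GroupProjectsFinder` when `cluster.first_project` is nil or the cluster matches none of the three types. How the finder treats a nil group is not visible here, so that case deserves a spec or a short comment.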
@@ -18,46 +18,9 @@ module Clusters private - def can_admin_pipeline_for_project?(project) - Ability.allowed?(current_user, :admin_pipeline, project) - end - def validate_params(cluster) - if params[:management_project_id].present? - management_project = management_project_scope(cluster).find_by_id(params[:management_project_id]) - - unless management_project - cluster.errors.add(:management_project_id, _('Project does not exist or you don\'t have permission to perform this action')) - - return false - end - - unless can_admin_pipeline_for_project?(management_project) - # Use same message as not found to prevent enumeration - cluster.errors.add(:management_project_id, _('Project does not exist or you don\'t have permission to perform this action')) - - return false - end - end - - true - end - - def management_project_scope(cluster) - return ::Project.all if cluster.instance_type? - - group = - if cluster.group_type? - cluster.first_group - elsif cluster.project_type? - cluster.first_project&.namespace - end - - # Prevent users from selecting nested projects until - # https://gitlab.com/gitlab-org/gitlab/issues/34650 is resolved - include_subgroups = cluster.group_type? - - ::GroupProjectsFinder.new(group: group, current_user: current_user, options: { only_owned: true, include_subgroups: include_subgroups }).execute + ::Clusters::Management::ValidateManagementProjectPermissionsService.new(current_user) + .execute(cluster, params[:management_project_id]) end end end diff --git a/app/services/environments/auto_stop_service.rb b/app/services/environments/auto_stop_service.rb index ee7f25a4d76..bde598abf66 100644 --- a/app/services/environments/auto_stop_service.rb +++ b/app/services/environments/auto_stop_service.rb 
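Review bot: `validate_params` in update_service.rb references the service as `::Clusters::Management::ValidateManagementProjectPermissionsService`, while the helper this commit adds to create_service.rb writes `Clusters::Management::ValidateManagementProjectPermissionsService` without the leading `::`. Both sit inside `module Clusters` and presumably resolve to the same constant, but the two call sites should use one form; the fully qualified `::Clusters::...` is the safer of the two. The class body around `validate_params` continues outside the hunk.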
@@ -30,7 +30,7 @@ module Environments def stop_in_batch environments = Environment.auto_stoppable(BATCH_SIZE) - return false unless environments.exists? && Feature.enabled?(:auto_stop_environments, default_enabled: true) + return false unless environments.exists? Ci::StopEnvironmentsService.execute_in_batch(environments) end diff --git a/app/services/notification_service.rb b/app/services/notification_service.rb index 62827f20929..91e19d190bd 100644 --- a/app/services/notification_service.rb +++ b/app/services/notification_service.rb @@ -489,6 +489,12 @@ class NotificationService end end + def pages_domain_auto_ssl_failed(domain) + project_maintainers_recipients(domain, action: 'disabled').each do |recipient| + mailer.pages_domain_auto_ssl_failed_email(domain, recipient.user).deliver_later + end + end + def issue_due(issue) recipients = NotificationRecipients::BuildService.build_recipients( issue, diff --git a/app/services/pages_domains/obtain_lets_encrypt_certificate_service.rb b/app/services/pages_domains/obtain_lets_encrypt_certificate_service.rb index 93445dd4ddd..1c03641469e 100644 --- a/app/services/pages_domains/obtain_lets_encrypt_certificate_service.rb +++ b/app/services/pages_domains/obtain_lets_encrypt_certificate_service.rb @@ -57,6 +57,8 @@ module PagesDomains pages_domain.save!(validate: false) acme_order.destroy! + + NotificationService.new.pages_domain_auto_ssl_failed(pages_domain) end def log_error(api_order) -- cgit v1.2.3
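Review bot: In notification_service.rb, `pages_domain_auto_ssl_failed` passes `action: 'disabled'` to `project_maintainers_recipients`, which reads as carried over from the domain-disabled notification rather than chosen for an auto-SSL failure. `project_maintainers_recipients` is defined outside the hunk, so what the action value selects is not visible here. If the reuse is deliberate, a comment above the call such as `# Recipients are resolved with the 'disabled' action on purpose` would save the next reader the lookup. The new method also has no doc comment saying who is notified and when.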