author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-09-26 13:52:31 +0000 |
---|---|---|
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-09-26 13:52:31 +0000 |
commit | 142522c9b2bea21f951e978cbb1e35b0f6c5909b (patch) | |
tree | 54458ef2035a496a8ecd408f84fd5ceb8363191b | |
parent | d3f758abe7f1a848ce4b98e638eaab726dc48a70 (diff) | |
parent | eb1c5b5798da323a7cb922805b2c729f9224ac4a (diff) | |
download | gitlab-ce-142522c9b2bea21f951e978cbb1e35b0f6c5909b.tar.gz |
Merge branch 'security-fp-stop-jobs-when-blocking-user-12-1' into '12-1-stable'
Cancel all running CI jobs when user is blocked
See merge request gitlab/gitlabhq!3438
-rw-r--r-- | app/models/user.rb | 10 | ||||
-rw-r--r-- | app/services/ci/cancel_user_pipelines_service.rb | 13 | ||||
-rw-r--r-- | changelogs/unreleased/security-fp-stop-jobs-when-blocking-user.yml | 5 | ||||
-rw-r--r-- | spec/models/user_spec.rb | 18 | ||||
-rw-r--r-- | spec/services/ci/cancel_user_pipelines_service_spec.rb | 23 |
5 files changed, 68 insertions, 1 deletions
diff --git a/app/models/user.rb b/app/models/user.rb
index 58509976135..d0b14104016 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -265,6 +265,16 @@ class User < ApplicationRecord
 BLOCKED_MESSAGE
 end
 end
+
+ # rubocop: disable CodeReuse/ServiceClass
+ # Ideally we should not call a service object here but user.block
+ # is also bcalled by Users::MigrateToGhostUserService which references
+ # this state transition object in order to do a rollback.
+ # For this reason the tradeoff is to disable this cop.
+ after_transition any => :blocked do |user|
+ Ci::CancelUserPipelinesService.new.execute(user)
+ end
+ # rubocop: enable CodeReuse/ServiceClass
 end
 # Scopes
diff --git a/app/services/ci/cancel_user_pipelines_service.rb b/app/services/ci/cancel_user_pipelines_service.rb
new file mode 100644
index 00000000000..bcafb6b4a35
--- /dev/null
+++ b/app/services/ci/cancel_user_pipelines_service.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Ci
+ class CancelUserPipelinesService
+ # rubocop: disable CodeReuse/ActiveRecord
+ # This is a bug with CodeReuse/ActiveRecord cop
+ # https://gitlab.com/gitlab-org/gitlab/issues/32332
+ def execute(user)
+ user.pipelines.cancelable.find_each(&:cancel_running)
+ end
+ # rubocop: enable CodeReuse/ActiveRecord
+ end
+end
diff --git a/changelogs/unreleased/security-fp-stop-jobs-when-blocking-user.yml b/changelogs/unreleased/security-fp-stop-jobs-when-blocking-user.yml
new file mode 100644
index 00000000000..1bc4345d5b6
--- /dev/null
+++ b/changelogs/unreleased/security-fp-stop-jobs-when-blocking-user.yml
@@ -0,0 +1,5 @@
+---
+title: Cancel all running CI jobs triggered by the user who is just blocked
+merge_request:
+author:
+type: security
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index f4e1fea739b..ca814d20fa3 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
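Review bot: In app/models/user.rb the new `after_transition any => :blocked` callback runs `Ci::CancelUserPipelinesService.new.execute(user)` inline, so any exception raised while cancelling a pipeline surfaces from `user.block`; whether the block itself is then rolled back depends on state-machine and transaction code outside this hunk. Blocking an account is the security control here and should not be able to fail because one job could not be cancelled, so I would either defer the cancellation until the transition has committed or rescue and log failures inside the service. The callback also fires only for the `:blocked` target state, so any other blocked-like state defined outside this hunk would leave that user's jobs running. The comment has a typo, `bcalled` for `called`.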
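Review bot: In app/services/ci/cancel_user_pipelines_service.rb, `execute` selects work through `user.pipelines`, so it presumably reaches only pipelines the blocked user owns; jobs that user started inside someone else's pipeline (a retry or a manual action) are not covered by this query, and whether anything can still start new pipelines on the user's behalf after the block is not visible here. The result of each `cancel_running` call is discarded, so a pipeline that could not be cancelled leaves no trace for whoever audits the block. The method has no documentation; I would add `# Cancels every cancelable pipeline owned by +user+; invoked when the user is blocked.` above `def execute(user)`.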
@@ -1049,11 +1049,27 @@ describe User do
 describe 'blocking user' do
 let(:user) { create(:user, name: 'John Smith') }
- it "blocks user" do
+ it 'blocks user' do
 user.block
 expect(user.blocked?).to be_truthy
 end
+
+ context 'when user has running CI pipelines' do
+ let(:service) { double }
+
+ before do
+ pipeline = create(:ci_pipeline, :running, user: user)
+ create(:ci_build, :running, pipeline: pipeline)
+ end
+
+ it 'cancels all running pipelines and related jobs' do
+ expect(Ci::CancelUserPipelinesService).to receive(:new).and_return(service)
+ expect(service).to receive(:execute).with(user)
+
+ user.block
+ end
+ end
 end
 describe '.filter_items' do
diff --git a/spec/services/ci/cancel_user_pipelines_service_spec.rb b/spec/services/ci/cancel_user_pipelines_service_spec.rb
new file mode 100644
index 00000000000..251f21feaef
--- /dev/null
+++ b/spec/services/ci/cancel_user_pipelines_service_spec.rb
@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Ci::CancelUserPipelinesService do
+ describe '#execute' do
+ let(:user) { create(:user) }
+
+ subject { described_class.new.execute(user) }
+
+ context 'when user has running CI pipelines' do
+ let(:pipeline) { create(:ci_pipeline, :running, user: user) }
+ let!(:build) { create(:ci_build, :running, pipeline: pipeline) }
+
+ it 'cancels all running pipelines and related jobs' do
+ subject
+
+ expect(pipeline.reload).to be_canceled
+ expect(build.reload).to be_canceled
+ end
+ end
+ end
+end |
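Review bot: In spec/models/user_spec.rb, `let(:service) { double }` is an unverified double, so the new example keeps passing if `Ci::CancelUserPipelinesService#execute` is renamed or its arity changes; `let(:service) { instance_double(Ci::CancelUserPipelinesService) }` would tie it to the real interface. Because the service is stubbed, the pipeline and build created in the `before` block are never inspected and could be dropped. There is also no example showing that the callback stays quiet for transitions that do not end in the blocked state. The enclosing `describe User do` block starts and ends outside the hunk.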
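Review bot: spec/services/ci/cancel_user_pipelines_service_spec.rb covers only the positive case, so a query that cancelled more than the blocked user's pipelines would still pass. Since this service runs automatically on every block, I would add an example that creates a second user's running pipeline, e.g. `let!(:other_pipeline) { create(:ci_pipeline, :running) }`, and asserts `expect(other_pipeline.reload).to be_running` after `subject`. An example for a user with no cancelable pipelines would also pin the empty case.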