Merge branch 'master' into sh-headless-chrome-support

4 files changed, 122 insertions, 24 deletions

diff --git a/app/services/ci/create_pipeline_service.rb b/app/services/ci/create_pipeline_service.rb
index 942145c4a8c..884b681ff81 100644
--- a/app/services/ci/create_pipeline_service.rb
+++ b/app/services/ci/create_pipeline_service.rb
@@ -15,12 +15,48 @@ module Ci
         pipeline_schedule: schedule
       )
 
+      result = validate(current_user || trigger_request.trigger.owner,
+                        ignore_skip_ci: ignore_skip_ci,
+                        save_on_errors: save_on_errors)
+
+      return result if result
+
+      begin
+        Ci::Pipeline.transaction do
+          pipeline.save!
+
+          yield(pipeline) if block_given?
+
+          Ci::CreatePipelineStagesService
+            .new(project, current_user)
+            .execute(pipeline)
+        end
+      rescue ActiveRecord::RecordInvalid => e
+        return error("Failed to persist the pipeline: #{e}")
+      end
+
+      update_merge_requests_head_pipeline
+
+      cancel_pending_pipelines if project.auto_cancel_pending_pipelines?
+
+      pipeline_created_counter.increment(source: source)
+
+      pipeline.tap(&:process!)
+    end
+
+    private
+
+    def validate(triggering_user, ignore_skip_ci:, save_on_errors:)
       unless project.builds_enabled?
         return error('Pipeline is disabled')
       end
 
-      unless trigger_request || can?(current_user, :create_pipeline, project)
-        return error('Insufficient permissions to create a new pipeline')
+      unless allowed_to_trigger_pipeline?(triggering_user)
+        if can?(triggering_user, :create_pipeline, project)
+          return error("Insufficient permissions for protected ref '#{ref}'")
+        else
+          return error('Insufficient permissions to create a new pipeline')
+        end
       end
 
       unless branch? || tag?
@@ -33,7 +69,7 @@ module Ci
 
       unless pipeline.config_processor
         unless pipeline.ci_yaml_file
-          return error('Missing .gitlab-ci.yml file')
+          return error("Missing #{pipeline.ci_yaml_file_path} file")
         end
         return error(pipeline.yaml_errors, save: save_on_errors)
       end
@@ -46,24 +82,29 @@ module Ci
       unless pipeline.has_stage_seeds?
         return error('No stages / jobs for this pipeline.')
       end
+    end
 
-      Ci::Pipeline.transaction do
-        update_merge_requests_head_pipeline if pipeline.save
-
-        Ci::CreatePipelineStagesService
-          .new(project, current_user)
-          .execute(pipeline)
+    def allowed_to_trigger_pipeline?(triggering_user)
+      if triggering_user
+        allowed_to_create?(triggering_user)
+      else # legacy triggers don't have a corresponding user
+        !project.protected_for?(ref)
       end
+    end
 
-      cancel_pending_pipelines if project.auto_cancel_pending_pipelines?
+    def allowed_to_create?(triggering_user)
+      access = Gitlab::UserAccess.new(triggering_user, project: project)
 
-      pipeline_created_counter.increment(source: source)
-
-      pipeline.tap(&:process!)
+      can?(triggering_user, :create_pipeline, project) &&
+        if branch?
+          access.can_update_branch?(ref)
+        elsif tag?
+          access.can_create_tag?(ref)
+        else
+          true # Allow it for now and we'll reject when we check ref existence
+        end
     end
 
-    private
-
     def update_merge_requests_head_pipeline
       return unless pipeline.latest?
 
@@ -113,15 +154,21 @@ module Ci
     end
 
     def branch?
-      project.repository.ref_exists?(Gitlab::Git::BRANCH_REF_PREFIX + ref)
+      return @is_branch if defined?(@is_branch)
+
+      @is_branch =
+        project.repository.ref_exists?(Gitlab::Git::BRANCH_REF_PREFIX + ref)
     end
 
     def tag?
-      project.repository.ref_exists?(Gitlab::Git::TAG_REF_PREFIX + ref)
+      return @is_tag if defined?(@is_tag)
+
+      @is_tag =
+        project.repository.ref_exists?(Gitlab::Git::TAG_REF_PREFIX + ref)
     end
 
     def ref
-      Gitlab::Git.ref_name(origin_ref)
+      @ref ||= Gitlab::Git.ref_name(origin_ref)
     end
 
     def valid_sha?
@@ -135,7 +182,7 @@ module Ci
     end
 
     def pipeline_created_counter
-      @pipeline_created_counter ||= Gitlab::Metrics.counter(:pipelines_created_count, "Pipelines created count")
+      @pipeline_created_counter ||= Gitlab::Metrics.counter(:pipelines_created_total, "Counter of pipelines created")
     end
   end
 end
diff --git a/app/services/ci/create_trigger_request_service.rb b/app/services/ci/create_trigger_request_service.rb
index cf3d4aee2bc..b2aa457bbd5 100644
--- a/app/services/ci/create_trigger_request_service.rb
+++ b/app/services/ci/create_trigger_request_service.rb
@@ -1,12 +1,19 @@
+# This class is deprecated because we're closing Ci::TriggerRequest.
+# New class is PipelineTriggerService (app/services/ci/pipeline_trigger_service.rb)
+# which is integrated with Ci::PipelineVariable instaed of Ci::TriggerRequest.
+# We remove this class after we removed v1 and v3 API. This class is still being
+# referred by such legacy code.
 module Ci
-  class CreateTriggerRequestService
-    def execute(project, trigger, ref, variables = nil)
+  module CreateTriggerRequestService
+    Result = Struct.new(:trigger_request, :pipeline)
+
+    def self.execute(project, trigger, ref, variables = nil)
       trigger_request = trigger.trigger_requests.create(variables: variables)
 
       pipeline = Ci::CreatePipelineService.new(project, trigger.owner, ref: ref)
         .execute(:trigger, ignore_skip_ci: true, trigger_request: trigger_request)
 
-      trigger_request if pipeline.persisted?
+      Result.new(trigger_request, pipeline)
     end
   end
 end
diff --git a/app/services/ci/pipeline_trigger_service.rb b/app/services/ci/pipeline_trigger_service.rb
new file mode 100644
index 00000000000..1e5ad28ba57
--- /dev/null
+++ b/app/services/ci/pipeline_trigger_service.rb
@@ -0,0 +1,44 @@
+module Ci
+  class PipelineTriggerService < BaseService
+    def execute
+      if trigger_from_token
+        create_pipeline_from_trigger(trigger_from_token)
+      end
+    end
+
+    private
+
+    def create_pipeline_from_trigger(trigger)
+      # this check is to not leak the presence of the project if user cannot read it
+      return unless trigger.project == project
+
+      pipeline = Ci::CreatePipelineService.new(project, trigger.owner, ref: params[:ref])
+        .execute(:trigger, ignore_skip_ci: true) do |pipeline|
+          trigger.trigger_requests.create!(pipeline: pipeline)
+          create_pipeline_variables!(pipeline)
+        end
+
+      if pipeline.persisted?
+        success(pipeline: pipeline)
+      else
+        error(pipeline.errors.messages, 400)
+      end
+    end
+
+    def trigger_from_token
+      return @trigger if defined?(@trigger)
+
+      @trigger = Ci::Trigger.find_by_token(params[:token].to_s)
+    end
+
+    def create_pipeline_variables!(pipeline)
+      return unless params[:variables]
+
+      variables = params[:variables].map do |key, value|
+        { key: key, value: value }
+      end
+
+      pipeline.variables.create!(variables)
+    end
+  end
+end
diff --git a/app/services/ci/register_job_service.rb b/app/services/ci/register_job_service.rb
index af84d4c7427..b951e8d0c9f 100644
--- a/app/services/ci/register_job_service.rb
+++ b/app/services/ci/register_job_service.rb
@@ -54,7 +54,7 @@ module Ci
     def builds_for_shared_runner
       new_builds.
         # don't run projects which have not enabled shared runners and builds
-        joins(:project).where(projects: { shared_runners_enabled: true })
+        joins(:project).where(projects: { shared_runners_enabled: true, pending_delete: false })
         .joins('LEFT JOIN project_features ON ci_builds.project_id = project_features.project_id')
         .where('project_features.builds_access_level IS NULL or project_features.builds_access_level > 0').
 
@@ -66,7 +66,7 @@ module Ci
     end
 
     def builds_for_specific_runner
-      new_builds.where(project: runner.projects.with_builds_enabled).order('created_at ASC')
+      new_builds.where(project: runner.projects.without_deleted.with_builds_enabled).order('created_at ASC')
     end
 
     def running_builds_for_shared_runners