1 files changed, 86 insertions, 36 deletions

diff --git a/app/services/ci/create_job_artifacts_service.rb b/app/services/ci/create_job_artifacts_service.rb
index f0ffe67510b..9a6e103e5dd 100644
--- a/app/services/ci/create_job_artifacts_service.rb
+++ b/app/services/ci/create_job_artifacts_service.rb
@@ -3,42 +3,104 @@
 module Ci
   class CreateJobArtifactsService < ::BaseService
     ArtifactsExistError = Class.new(StandardError)
+
+    LSIF_ARTIFACT_TYPE = 'lsif'
+
     OBJECT_STORAGE_ERRORS = [
       Errno::EIO,
       Google::Apis::ServerError,
       Signet::RemoteServerError
     ].freeze
 
-    def execute(job, artifacts_file, params, metadata_file: nil)
-      return success if sha256_matches_existing_artifact?(job, params['artifact_type'], artifacts_file)
+    def initialize(job)
+      @job = job
+      @project = job.project
+    end
+
+    def authorize(artifact_type:, filesize: nil)
+      result = validate_requirements(artifact_type: artifact_type, filesize: filesize)
+      return result unless result[:status] == :success
+
+      headers = JobArtifactUploader.workhorse_authorize(has_length: false, maximum_size: max_size(artifact_type))
 
-      artifact, artifact_metadata = build_artifact(job, artifacts_file, params, metadata_file)
-      result = parse_artifact(job, artifact)
+      if lsif?(artifact_type)
+        headers[:ProcessLsif] = true
+        headers[:ProcessLsifReferences] = Feature.enabled?(:code_navigation_references, project, default_enabled: false)
+      end
 
+      success(headers: headers)
+    end
+
+    def execute(artifacts_file, params, metadata_file: nil)
+      result = validate_requirements(artifact_type: params[:artifact_type], filesize: artifacts_file.size)
       return result unless result[:status] == :success
 
-      persist_artifact(job, artifact, artifact_metadata)
+      return success if sha256_matches_existing_artifact?(params[:artifact_type], artifacts_file)
+
+      artifact, artifact_metadata = build_artifact(artifacts_file, params, metadata_file)
+      result = parse_artifact(artifact)
+
+      return result unless result[:status] == :success
+
+      persist_artifact(artifact, artifact_metadata, params)
     end
 
     private
 
-    def build_artifact(job, artifacts_file, params, metadata_file)
+    attr_reader :job, :project
+
+    def validate_requirements(artifact_type:, filesize:)
+      return forbidden_type_error(artifact_type) if forbidden_type?(artifact_type)
+      return too_large_error if too_large?(artifact_type, filesize)
+
+      success
+    end
+
+    def forbidden_type?(type)
+      lsif?(type) && !code_navigation_enabled?
+    end
+
+    def too_large?(type, size)
+      size > max_size(type) if size
+    end
+
+    def code_navigation_enabled?
+      Feature.enabled?(:code_navigation, project, default_enabled: true)
+    end
+
+    def lsif?(type)
+      type == LSIF_ARTIFACT_TYPE
+    end
+
+    def max_size(type)
+      Ci::JobArtifact.max_artifact_size(type: type, project: project)
+    end
+
+    def forbidden_type_error(type)
+      error("#{type} artifacts are forbidden", :forbidden)
+    end
+
+    def too_large_error
+      error('file size has reached maximum size limit', :payload_too_large)
+    end
+
+    def build_artifact(artifacts_file, params, metadata_file)
       expire_in = params['expire_in'] ||
         Gitlab::CurrentSettings.current_application_settings.default_artifacts_expire_in
 
       artifact = Ci::JobArtifact.new(
         job_id: job.id,
-        project: job.project,
+        project: project,
         file: artifacts_file,
-        file_type: params['artifact_type'],
-        file_format: params['artifact_format'],
+        file_type: params[:artifact_type],
+        file_format: params[:artifact_format],
         file_sha256: artifacts_file.sha256,
         expire_in: expire_in)
 
       artifact_metadata = if metadata_file
                             Ci::JobArtifact.new(
                               job_id: job.id,
-                              project: job.project,
+                              project: project,
                               file: metadata_file,
                               file_type: :metadata,
                               file_format: :gzip,
@@ -46,31 +108,25 @@ module Ci
                               expire_in: expire_in)
                           end
 
-      if Feature.enabled?(:keep_latest_artifact_for_ref, job.project)
-        artifact.locked = true
-        artifact_metadata&.locked = true
-      end
-
       [artifact, artifact_metadata]
     end
 
-    def parse_artifact(job, artifact)
-      unless Feature.enabled?(:ci_synchronous_artifact_parsing, job.project, default_enabled: true)
+    def parse_artifact(artifact)
+      unless Feature.enabled?(:ci_synchronous_artifact_parsing, project, default_enabled: true)
         return success
       end
 
       case artifact.file_type
-      when 'dotenv' then parse_dotenv_artifact(job, artifact)
-      when 'cluster_applications' then parse_cluster_applications_artifact(job, artifact)
+      when 'dotenv' then parse_dotenv_artifact(artifact)
+      when 'cluster_applications' then parse_cluster_applications_artifact(artifact)
       else success
       end
     end
 
-    def persist_artifact(job, artifact, artifact_metadata)
+    def persist_artifact(artifact, artifact_metadata, params)
       Ci::JobArtifact.transaction do
         artifact.save!
         artifact_metadata&.save!
-        unlock_previous_artifacts!(artifact)
 
         # NOTE: The `artifacts_expire_at` column is already deprecated and to be removed in the near future.
         job.update_column(:artifacts_expire_at, artifact.expire_at)
@@ -78,42 +134,36 @@ module Ci
 
       success
     rescue ActiveRecord::RecordNotUnique => error
-      track_exception(error, job, params)
+      track_exception(error, params)
       error('another artifact of the same type already exists', :bad_request)
     rescue *OBJECT_STORAGE_ERRORS => error
-      track_exception(error, job, params)
+      track_exception(error, params)
       error(error.message, :service_unavailable)
     rescue => error
-      track_exception(error, job, params)
+      track_exception(error, params)
       error(error.message, :bad_request)
     end
 
-    def unlock_previous_artifacts!(artifact)
-      return unless Feature.enabled?(:keep_latest_artifact_for_ref, artifact.job.project)
-
-      Ci::JobArtifact.for_ref(artifact.job.ref, artifact.project_id).locked.update_all(locked: false)
-    end
-
-    def sha256_matches_existing_artifact?(job, artifact_type, artifacts_file)
+    def sha256_matches_existing_artifact?(artifact_type, artifacts_file)
       existing_artifact = job.job_artifacts.find_by_file_type(artifact_type)
       return false unless existing_artifact
 
       existing_artifact.file_sha256 == artifacts_file.sha256
     end
 
-    def track_exception(error, job, params)
+    def track_exception(error, params)
       Gitlab::ErrorTracking.track_exception(error,
         job_id: job.id,
         project_id: job.project_id,
-        uploading_type: params['artifact_type']
+        uploading_type: params[:artifact_type]
       )
     end
 
-    def parse_dotenv_artifact(job, artifact)
-      Ci::ParseDotenvArtifactService.new(job.project, current_user).execute(artifact)
+    def parse_dotenv_artifact(artifact)
+      Ci::ParseDotenvArtifactService.new(project, current_user).execute(artifact)
     end
 
-    def parse_cluster_applications_artifact(job, artifact)
+    def parse_cluster_applications_artifact(artifact)
       Clusters::ParseClusterApplicationsArtifactService.new(job, job.user).execute(artifact)
     end
   end