1 files changed, 106 insertions, 0 deletions

diff --git a/app/services/clusters/agents/refresh_authorization_service.rb b/app/services/clusters/agents/refresh_authorization_service.rb
new file mode 100644
index 00000000000..a9e3340dbf5
--- /dev/null
+++ b/app/services/clusters/agents/refresh_authorization_service.rb
@@ -0,0 +1,106 @@
+# frozen_string_literal: true
+
+module Clusters
+  module Agents
+    class RefreshAuthorizationService
+      include Gitlab::Utils::StrongMemoize
+
+      AUTHORIZED_ENTITY_LIMIT = 100
+
+      delegate :project, to: :agent, private: true
+      delegate :root_ancestor, to: :project, private: true
+
+      def initialize(agent, config:)
+        @agent = agent
+        @config = config
+      end
+
+      def execute
+        refresh_projects!
+        refresh_groups!
+
+        true
+      end
+
+      private
+
+      attr_reader :agent, :config
+
+      def refresh_projects!
+        if allowed_project_configurations.present?
+          project_ids = allowed_project_configurations.map { |config| config.fetch(:project_id) }
+
+          agent.with_lock do
+            agent.project_authorizations.upsert_all(allowed_project_configurations, unique_by: [:agent_id, :project_id])
+            agent.project_authorizations.where.not(project_id: project_ids).delete_all # rubocop: disable CodeReuse/ActiveRecord
+          end
+        else
+          agent.project_authorizations.delete_all(:delete_all)
+        end
+      end
+
+      def refresh_groups!
+        if allowed_group_configurations.present?
+          group_ids = allowed_group_configurations.map { |config| config.fetch(:group_id) }
+
+          agent.with_lock do
+            agent.group_authorizations.upsert_all(allowed_group_configurations, unique_by: [:agent_id, :group_id])
+            agent.group_authorizations.where.not(group_id: group_ids).delete_all # rubocop: disable CodeReuse/ActiveRecord
+          end
+        else
+          agent.group_authorizations.delete_all(:delete_all)
+        end
+      end
+
+      def allowed_project_configurations
+        strong_memoize(:allowed_project_configurations) do
+          project_entries = extract_config_entries(entity: 'projects')
+
+          if project_entries
+            allowed_projects.where_full_path_in(project_entries.keys).map do |project|
+              { project_id: project.id, config: project_entries[project.full_path] }
+            end
+          end
+        end
+      end
+
+      def allowed_group_configurations
+        strong_memoize(:allowed_group_configurations) do
+          group_entries = extract_config_entries(entity: 'groups')
+
+          if group_entries
+            allowed_groups.where_full_path_in(group_entries.keys).map do |group|
+              { group_id: group.id, config: group_entries[group.full_path] }
+            end
+          end
+        end
+      end
+
+      def extract_config_entries(entity:)
+        config.dig('ci_access', entity)
+          &.first(AUTHORIZED_ENTITY_LIMIT)
+          &.index_by { |config| config.delete('id') }
+      end
+
+      def allowed_projects
+        if group_root_ancestor?
+          root_ancestor.all_projects
+        else
+          ::Project.none
+        end
+      end
+
+      def allowed_groups
+        if group_root_ancestor?
+          root_ancestor.self_and_descendants
+        else
+          ::Group.none
+        end
+      end
+
+      def group_root_ancestor?
+        root_ancestor.group?
+      end
+    end
+  end
+end