From fa3fb23fb18ddea694ea54013059178fe7892c91 Mon Sep 17 00:00:00 2001
From: Grzegorz Bizon
Date: Tue, 26 Sep 2017 11:53:50 +0200
Subject: Move pipeline builder validation chain to a module
---
lib/gitlab/ci/pipeline/chain/validate/abilities.rb | 54 ++++++++++++++++++++++
lib/gitlab/ci/pipeline/chain/validate/config.rb | 35 ++++++++++++++
.../ci/pipeline/chain/validate/repository.rb | 32 +++++++++++++
lib/gitlab/ci/pipeline/chain/validate_abilities.rb | 52 ---------------------
lib/gitlab/ci/pipeline/chain/validate_config.rb | 33 ------------
.../ci/pipeline/chain/validate_repository.rb | 30 ------------
6 files changed, 121 insertions(+), 115 deletions(-)
create mode 100644 lib/gitlab/ci/pipeline/chain/validate/abilities.rb
create mode 100644 lib/gitlab/ci/pipeline/chain/validate/config.rb
create mode 100644 lib/gitlab/ci/pipeline/chain/validate/repository.rb
delete mode 100644 lib/gitlab/ci/pipeline/chain/validate_abilities.rb
delete mode 100644 lib/gitlab/ci/pipeline/chain/validate_config.rb
delete mode 100644 lib/gitlab/ci/pipeline/chain/validate_repository.rb
(limited to 'lib/gitlab/ci')
diff --git a/lib/gitlab/ci/pipeline/chain/validate/abilities.rb b/lib/gitlab/ci/pipeline/chain/validate/abilities.rb
new file mode 100644
index 00000000000..4913a604079
--- /dev/null
+++ b/lib/gitlab/ci/pipeline/chain/validate/abilities.rb
@@ -0,0 +1,54 @@
+module Gitlab
+ module Ci
+ module Pipeline
+ module Chain
+ module Validate
+ class Abilities < Chain::Base
+ include Gitlab::Allowable
+ include Chain::Helpers
+
+ def perform!
+ unless project.builds_enabled?
+ return error('Pipelines are disabled!')
+ end
+
+ unless allowed_to_trigger_pipeline?
+ if can?(current_user, :create_pipeline, project)
+ return error("Insufficient permissions for protected ref '#{pipeline.ref}'")
+ else
+ return error('Insufficient permissions to create a new pipeline')
+ end
+ end
+ end
+
+ def break?
+ @pipeline.errors.any?
+ end
+
+ def allowed_to_trigger_pipeline?
+ if current_user
+ allowed_to_create?
+ else # legacy triggers don't have a corresponding user
+ !project.protected_for?(@pipeline.ref)
+ end
+ end
+
+ def allowed_to_create?
+ return unless can?(current_user, :create_pipeline, project)
+
+ access = Gitlab::UserAccess.new(current_user, project: project)
+
+ if branch_exists?
+ access.can_update_branch?(@pipeline.ref)
+ elsif tag_exists?
+ access.can_create_tag?(@pipeline.ref)
+ else
+ true # Allow it for now and we'll reject when we check ref existence
+ end
+ end
+ end
+ end
+ end
+ end
+ end
+end
diff --git a/lib/gitlab/ci/pipeline/chain/validate/config.rb b/lib/gitlab/ci/pipeline/chain/validate/config.rb
new file mode 100644
index 00000000000..489bcd79655
--- /dev/null
+++ b/lib/gitlab/ci/pipeline/chain/validate/config.rb
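Review bot: In `allowed_to_create?` (validate/abilities.rb) the final `else` branch returns `true` when the ref is neither an existing branch nor an existing tag, so this authorization step passes for unknown refs and relies on a later step to reject them. That holds only while the ref-existence check (the `Reference not found` guard in validate/repository.rb, added in this same commit) always runs after this class in the chain; the chain order is not visible in this diff, so it should be confirmed and ideally pinned by a spec. I would make the dependency explicit by expanding the comment to something like `# Fails open for unknown refs: Validate::Repository must run later in the chain and reject them`. Separately, `return unless can?(...)` yields `nil` from a predicate; `return false unless can?(current_user, :create_pipeline, project)` states the denial explicitly.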
@@ -0,0 +1,35 @@
+module Gitlab
+ module Ci
+ module Pipeline
+ module Chain
+ module Validate
+ class Config < Chain::Base
+ include Chain::Helpers
+
+ def perform!
+ unless @pipeline.config_processor
+ unless @pipeline.ci_yaml_file
+ return error("Missing #{@pipeline.ci_yaml_file_path} file")
+ end
+
+ if @command.save_incompleted && @pipeline.has_yaml_errors?
+ @pipeline.drop
+ end
+
+ return error(@pipeline.yaml_errors)
+ end
+
+ unless @pipeline.has_stage_seeds?
+ return error('No stages / jobs for this pipeline.')
+ end
+ end
+
+ def break?
+ @pipeline.errors.any? || @pipeline.persisted?
+ end
+ end
+ end
+ end
+ end
+ end
+end
diff --git a/lib/gitlab/ci/pipeline/chain/validate/repository.rb b/lib/gitlab/ci/pipeline/chain/validate/repository.rb
new file mode 100644
index 00000000000..9d328c9cedb
--- /dev/null
+++ b/lib/gitlab/ci/pipeline/chain/validate/repository.rb
@@ -0,0 +1,32 @@
+module Gitlab
+ module Ci
+ module Pipeline
+ module Chain
+ module Validate
+ class Repository < Chain::Base
+ include Chain::Helpers
+
+ def perform!
+ unless branch_exists? || tag_exists?
+ return error('Reference not found')
+ end
+
+ ## TODO, we check commit in the service, that is why
+ # there is no repository access here.
+ #
+ # Should we validate repository before building a pipeline?
+ #
+ unless pipeline.sha
+ return error('Commit not found')
+ end
+ end
+
+ def break?
+ @pipeline.errors.any?
+ end
+ end
+ end
+ end
+ end
+ end
+end
diff --git a/lib/gitlab/ci/pipeline/chain/validate_abilities.rb b/lib/gitlab/ci/pipeline/chain/validate_abilities.rb
deleted file mode 100644
index 28a9c0ba999..00000000000
--- a/lib/gitlab/ci/pipeline/chain/validate_abilities.rb
+++ /dev/null
@@ -1,52 +0,0 @@
-module Gitlab
- module Ci
- module Pipeline
- module Chain
- class ValidateAbilities < Chain::Base
- include Gitlab::Allowable
- include Chain::Helpers
-
- def perform!
- unless project.builds_enabled?
- return error('Pipelines are disabled!')
- end
-
- unless allowed_to_trigger_pipeline?
- if can?(current_user, :create_pipeline, project)
- return error("Insufficient permissions for protected ref '#{pipeline.ref}'")
- else
- return error('Insufficient permissions to create a new pipeline')
- end
- end
- end
-
- def break?
- @pipeline.errors.any?
- end
-
- def allowed_to_trigger_pipeline?
- if current_user
- allowed_to_create?
- else # legacy triggers don't have a corresponding user
- !project.protected_for?(@pipeline.ref)
- end
- end
-
- def allowed_to_create?
- return unless can?(current_user, :create_pipeline, project)
-
- access = Gitlab::UserAccess.new(current_user, project: project)
-
- if branch_exists?
- access.can_update_branch?(@pipeline.ref)
- elsif tag_exists?
- access.can_create_tag?(@pipeline.ref)
- else
- true # Allow it for now and we'll reject when we check ref existence
- end
- end
- end
- end
- end
- end
-end
diff --git a/lib/gitlab/ci/pipeline/chain/validate_config.rb b/lib/gitlab/ci/pipeline/chain/validate_config.rb
deleted file mode 100644
index 0dba8731438..00000000000
--- a/lib/gitlab/ci/pipeline/chain/validate_config.rb
+++ /dev/null
@@ -1,33 +0,0 @@
-module Gitlab
- module Ci
- module Pipeline
- module Chain
- class ValidateConfig < Chain::Base
- include Chain::Helpers
-
- def perform!
- unless @pipeline.config_processor
- unless @pipeline.ci_yaml_file
- return error("Missing #{@pipeline.ci_yaml_file_path} file")
- end
-
- if @command.save_incompleted && @pipeline.has_yaml_errors?
- @pipeline.drop
- end
-
- return error(@pipeline.yaml_errors)
- end
-
- unless @pipeline.has_stage_seeds?
- return error('No stages / jobs for this pipeline.')
- end
- end
-
- def break?
- @pipeline.errors.any? || @pipeline.persisted?
- end
- end
- end
- end
- end
-end
diff --git a/lib/gitlab/ci/pipeline/chain/validate_repository.rb b/lib/gitlab/ci/pipeline/chain/validate_repository.rb
deleted file mode 100644
index 4d1b88a7065..00000000000
--- a/lib/gitlab/ci/pipeline/chain/validate_repository.rb
+++ /dev/null
@@ -1,30 +0,0 @@
-module Gitlab
- module Ci
- module Pipeline
- module Chain
- class ValidateRepository < Chain::Base
- include Chain::Helpers
-
- def perform!
- unless branch_exists? || tag_exists?
- return error('Reference not found')
- end
-
- ## TODO, we check commit in the service, that is why
- # there is no repository access here.
- #
- # Should we validate repository before building a pipeline?
- #
- unless pipeline.sha
- return error('Commit not found')
- end
- end
-
- def break?
- @pipeline.errors.any?
- end
- end
- end
- end
- end
-end
-- cgit v1.2.1