summaryrefslogtreecommitdiff
path: root/app/policies/ci/build_policy.rb
blob: 6162a31c1183489e3baa195209eec5abad66cb8f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
# frozen_string_literal: true

module Ci
  class BuildPolicy < CommitStatusPolicy
    condition(:protected_ref) do
      access = ::Gitlab::UserAccess.new(@user, container: @subject.project)

      if @subject.tag?
        !access.can_create_tag?(@subject.ref)
      else
        !access.can_update_branch?(@subject.ref)
      end
    end

    condition(:unprotected_ref) do
      if @subject.tag?
        !ProtectedTag.protected?(@subject.project, @subject.ref)
      else
        !ProtectedBranch.protected?(@subject.project, @subject.ref)
      end
    end

    # overridden in EE
    condition(:protected_environment) do
      false
    end

    condition(:owner_of_job) do
      @subject.triggered_by?(@user)
    end

    condition(:branch_allows_collaboration) do
      @subject.project.branch_allows_collaboration?(@user, @subject.ref)
    end

    condition(:archived, scope: :subject) do
      @subject.archived?
    end

    condition(:artifacts_public, scope: :subject) do
      @subject.artifacts_public?
    end

    condition(:terminal, scope: :subject) do
      @subject.has_terminal?
    end

    condition(:is_web_ide_terminal, scope: :subject) do
      @subject.pipeline.webide?
    end

    condition(:debug_mode, scope: :subject, score: 32) do
      @subject.debug_mode?
    end

    condition(:project_read_build, scope: :subject) do
      can?(:read_build, @subject.project)
    end

    condition(:project_update_build, scope: :subject) do
      can?(:update_build, @subject.project)
    end

    condition(:project_developer) do
      can?(:developer_access, @subject.project)
    end

    rule { project_read_build }.enable :read_build_trace
    rule { debug_mode & ~project_update_build }.prevent :read_build_trace

    # Authorizing the user to access to protected entities.
    # There is a "jailbreak" mode to exceptionally bypass the authorization,
    # however, you should NEVER allow it, rather suspect it's a wrong feature/product design.
    rule { ~can?(:jailbreak) & (archived | protected_ref | protected_environment) }.policy do
      prevent :update_build
      prevent :update_commit_status
      prevent :erase_build
    end

    rule { can?(:admin_build) | (can?(:update_build) & owner_of_job & unprotected_ref) }.enable :erase_build

    rule { can?(:public_access) & branch_allows_collaboration }.policy do
      enable :update_build
      enable :update_commit_status
    end

    rule { can?(:update_build) & terminal }.enable :create_build_terminal

    rule { can?(:update_build) }.enable :play_job

    rule { is_web_ide_terminal & can?(:create_web_ide_terminal) & (admin | owner_of_job) }.policy do
      enable :read_web_ide_terminal
      enable :update_web_ide_terminal
    end

    rule { is_web_ide_terminal & ~can?(:update_web_ide_terminal) }.policy do
      prevent :create_build_terminal
    end

    rule { can?(:update_web_ide_terminal) & terminal }.policy do
      enable :create_build_terminal
      enable :create_build_service_proxy
    end

    rule { ~can?(:build_service_proxy_enabled) }.policy do
      prevent :create_build_service_proxy
    end

    rule { project_read_build }.enable :read_job_artifacts
    rule { ~artifacts_public & ~project_developer }.prevent :read_job_artifacts
  end
end

Ci::BuildPolicy.prepend_mod_with('Ci::BuildPolicy')