lib/gitlab/ci/build/policy/refs.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78

# frozen_string_literal: true

module Gitlab
  module Ci
    module Build
      module Policy
        class Refs < Policy::Specification
          def initialize(refs)
            @patterns = Array(refs)
          end

          def satisfied_by?(pipeline, seed = nil)
            @patterns.any? do |pattern|
              pattern, path = pattern.split('@', 2)

              matches_path?(path, pipeline) &&
                matches_pattern?(pattern, pipeline)
            end
          end

          private

          def matches_path?(path, pipeline)
            return true unless path

            pipeline.project_full_path == path
          end

          def matches_pattern?(pattern, pipeline)
            matches_tags_keyword?(pattern, pipeline) ||
              matches_branches_keyword?(pattern, pipeline) ||
              matches_pipeline_source?(pattern, pipeline) ||
              matches_single_ref?(pattern, pipeline) ||
              matches_external_merge_request_source?(pattern, pipeline)
          end

          def matches_tags_keyword?(pattern, pipeline)
            pipeline.tag? && pattern == 'tags'
          end

          def matches_branches_keyword?(pattern, pipeline)
            pipeline.branch? && pattern == 'branches'
          end

          def matches_pipeline_source?(pattern, pipeline)
            sanitized_source_name(pipeline) == pattern ||
              sanitized_source_name(pipeline)&.pluralize == pattern
          end

          def matches_single_ref?(pattern, pipeline)
            # patterns can be matched only when branch or tag is used
            # the pattern matching does not work for merge requests pipelines
            if pipeline.branch? || pipeline.tag?
              if regexp = Gitlab::UntrustedRegexp::RubySyntax.fabricate(pattern, fallback: true)
                regexp.match?(pipeline.ref)
              else
                pattern == pipeline.ref
              end
            end
          end

          # TODO: best would be to support 'only/except: external_merge_requests'
          # but for now we reuse 'merge_requests'
          def matches_external_merge_request_source?(pattern, pipeline)
            sanitized_source_name(pipeline) == 'external_merge_request' &&
              pattern == 'merge_requests'
          end

          def sanitized_source_name(pipeline)
            # TODO Memoizing this doesn't seem to make sense with
            #   pipelines being passed in to #satsified_by? as a param.
            @sanitized_source_name ||= pipeline&.source&.delete_suffix('_event')
          end
        end
      end
    end
  end
end