lib/gitlab/ci/pipeline/chain/validate/external.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105

# frozen_string_literal: true

module Gitlab
  module Ci
    module Pipeline
      module Chain
        module Validate
          class External < Chain::Base
            include Chain::Helpers

            InvalidResponseCode = Class.new(StandardError)

            VALIDATION_REQUEST_TIMEOUT = 5

            def perform!
              pipeline_authorized = validate_external

              log_message = pipeline_authorized ? 'authorized' : 'not authorized'
              Gitlab::AppLogger.info(message: "Pipeline #{log_message}", project_id: @pipeline.project.id, user_id: @pipeline.user.id)

              error('External validation failed', drop_reason: :external_validation_failure) unless pipeline_authorized
            end

            def break?
              @pipeline.errors.any?
            end

            private

            def validate_external
              return true unless validation_service_url

              # 200 - accepted
              # 4xx - not accepted
              # everything else - accepted and logged
              response_code = validate_service_request.code
              case response_code
              when 200
                true
              when 400..499
                false
              else
                raise InvalidResponseCode, "Unsupported response code received from Validation Service: #{response_code}"
              end
            rescue => ex
              Gitlab::ErrorTracking.track_exception(ex)

              true
            end

            def validate_service_request
              Gitlab::HTTP.post(
                validation_service_url, timeout: VALIDATION_REQUEST_TIMEOUT,
                body: validation_service_payload(@pipeline, @command.config_processor.stages_attributes)
              )
            end

            def validation_service_url
              ENV['EXTERNAL_VALIDATION_SERVICE_URL']
            end

            def validation_service_payload(pipeline, stages_attributes)
              {
                project: {
                  id: pipeline.project.id,
                  path: pipeline.project.full_path
                },
                user: {
                  id: pipeline.user.id,
                  username: pipeline.user.username,
                  email: pipeline.user.email
                },
                pipeline: {
                  sha: pipeline.sha,
                  ref: pipeline.ref,
                  type: pipeline.source
                },
                builds: builds_validation_payload(stages_attributes)
              }.to_json
            end

            def builds_validation_payload(stages_attributes)
              stages_attributes.map { |stage| stage[:builds] }.flatten
                .map(&method(:build_validation_payload))
            end

            def build_validation_payload(build)
              {
                name: build[:name],
                stage: build[:stage],
                image: build.dig(:options, :image, :name),
                services: build.dig(:options, :services)&.map { |service| service[:name] },
                script: [
                  build.dig(:options, :before_script),
                  build.dig(:options, :script),
                  build.dig(:options, :after_script)
                ].flatten.compact
              }
            end
          end
        end
      end
    end
  end
end