debian-mirror-gitlab/app/policies/ci/build_policy.rb

115 lines
3.3 KiB
Ruby
Raw Normal View History

2018-11-18 11:00:15 +05:30
# frozen_string_literal: true
2016-09-29 09:46:39 +05:30
module Ci
class BuildPolicy < CommitStatusPolicy
2017-09-10 17:25:29 +05:30
condition(:protected_ref) do
2020-10-24 23:57:45 +05:30
access = ::Gitlab::UserAccess.new(@user, container: @subject.project)
2017-08-17 22:00:37 +05:30
2017-09-10 17:25:29 +05:30
if @subject.tag?
!access.can_create_tag?(@subject.ref)
else
!access.can_update_branch?(@subject.ref)
2017-08-17 22:00:37 +05:30
end
end
2020-05-24 23:13:21 +05:30
condition(:unprotected_ref) do
if @subject.tag?
!ProtectedTag.protected?(@subject.project, @subject.ref)
else
!ProtectedBranch.protected?(@subject.project, @subject.ref)
end
end
2020-11-24 15:15:51 +05:30
# overridden in EE
2021-06-08 01:23:25 +05:30
condition(:protected_environment) do
2020-11-24 15:15:51 +05:30
false
end
2018-03-17 18:26:18 +05:30
condition(:owner_of_job) do
2018-05-09 12:01:36 +05:30
@subject.triggered_by?(@user)
2018-03-17 18:26:18 +05:30
end
2018-11-08 19:23:39 +05:30
condition(:branch_allows_collaboration) do
@subject.project.branch_allows_collaboration?(@user, @subject.ref)
end
2018-12-13 13:39:08 +05:30
condition(:archived, scope: :subject) do
@subject.archived?
end
2021-03-08 18:12:59 +05:30
condition(:artifacts_public, scope: :subject) do
@subject.artifacts_public?
end
2018-11-08 19:23:39 +05:30
condition(:terminal, scope: :subject) do
@subject.has_terminal?
end
2020-06-23 00:09:42 +05:30
condition(:is_web_ide_terminal, scope: :subject) do
@subject.pipeline.webide?
end
2021-02-22 17:27:13 +05:30
condition(:debug_mode, scope: :subject, score: 32) do
@subject.debug_mode?
end
condition(:project_read_build, scope: :subject) do
can?(:read_build, @subject.project)
end
condition(:project_update_build, scope: :subject) do
can?(:update_build, @subject.project)
end
2021-03-08 18:12:59 +05:30
condition(:project_developer) do
can?(:developer_access, @subject.project)
end
2021-02-22 17:27:13 +05:30
rule { project_read_build }.enable :read_build_trace
rule { debug_mode & ~project_update_build }.prevent :read_build_trace
2021-06-08 01:23:25 +05:30
# Authorizing the user to access to protected entities.
# There is a "jailbreak" mode to exceptionally bypass the authorization,
# however, you should NEVER allow it, rather suspect it's a wrong feature/product design.
rule { ~can?(:jailbreak) & (archived | protected_ref | protected_environment) }.policy do
2018-03-17 18:26:18 +05:30
prevent :update_build
2018-12-13 13:39:08 +05:30
prevent :update_commit_status
2018-03-17 18:26:18 +05:30
prevent :erase_build
end
2020-05-24 23:13:21 +05:30
rule { can?(:admin_build) | (can?(:update_build) & owner_of_job & unprotected_ref) }.enable :erase_build
2018-11-08 19:23:39 +05:30
rule { can?(:public_access) & branch_allows_collaboration }.policy do
enable :update_build
enable :update_commit_status
end
2022-06-02 21:05:25 +05:30
rule { can?(:update_build) & terminal & owner_of_job }.enable :create_build_terminal
2020-06-23 00:09:42 +05:30
2021-01-03 14:25:43 +05:30
rule { can?(:update_build) }.enable :play_job
2020-06-23 00:09:42 +05:30
rule { is_web_ide_terminal & can?(:create_web_ide_terminal) & (admin | owner_of_job) }.policy do
enable :read_web_ide_terminal
enable :update_web_ide_terminal
end
rule { is_web_ide_terminal & ~can?(:update_web_ide_terminal) }.policy do
prevent :create_build_terminal
end
rule { can?(:update_web_ide_terminal) & terminal }.policy do
enable :create_build_terminal
enable :create_build_service_proxy
end
rule { ~can?(:build_service_proxy_enabled) }.policy do
prevent :create_build_service_proxy
end
2021-03-08 18:12:59 +05:30
rule { project_read_build }.enable :read_job_artifacts
rule { ~artifacts_public & ~project_developer }.prevent :read_job_artifacts
2016-09-29 09:46:39 +05:30
end
end
2019-12-04 20:38:33 +05:30
2021-06-08 01:23:25 +05:30
Ci::BuildPolicy.prepend_mod_with('Ci::BuildPolicy')