debian-mirror-gitlab/lib/gitlab/ci/pipeline/chain/validate/external.rb

# frozen_string_literal: true

module Gitlab
  module Ci
    module Pipeline
      module Chain
        module Validate
          class External < Chain::Base
            include Chain::Helpers

            InvalidResponseCode = Class.new(StandardError)

            DEFAULT_VALIDATION_REQUEST_TIMEOUT = 5
            ACCEPTED_STATUS = 200
            REJECTED_STATUS = 406

            def perform!
              pipeline_authorized = validate_external

              log_message = pipeline_authorized ? 'authorized' : 'not authorized'
              Gitlab::AppLogger.info(message: "Pipeline #{log_message}", project_id: project.id, user_id: current_user.id)

              error('External validation failed', drop_reason: :external_validation_failure) unless pipeline_authorized
            end

            def break?
              pipeline.errors.any?
            end

            private

            def validate_external
              return true unless validation_service_url

              # 200 - accepted
              # 406 - rejected
              # everything else - accepted and logged
              response_code = validate_service_request.code
              case response_code
              when ACCEPTED_STATUS
                true
              when REJECTED_STATUS
                false
              else
                raise InvalidResponseCode, "Unsupported response code received from Validation Service: #{response_code}"
              end
            rescue StandardError => ex
              Gitlab::ErrorTracking.track_exception(ex, project_id: project.id)

              true
            end

            def validate_service_request
              headers = {
                'X-Gitlab-Correlation-id' => Labkit::Correlation::CorrelationId.current_id,
                'X-Gitlab-Token' => validation_service_token
              }.compact

              Gitlab::HTTP.post(
                validation_service_url, timeout: validation_service_timeout,
                headers: headers,
                body: validation_service_payload.to_json
              )
            end

            def validation_service_timeout
              timeout = Gitlab::CurrentSettings.external_pipeline_validation_service_timeout || ENV['EXTERNAL_VALIDATION_SERVICE_TIMEOUT'].to_i
              return timeout if timeout > 0

              DEFAULT_VALIDATION_REQUEST_TIMEOUT
            end

            def validation_service_url
              Gitlab::CurrentSettings.external_pipeline_validation_service_url || ENV['EXTERNAL_VALIDATION_SERVICE_URL']
            end

            def validation_service_token
              Gitlab::CurrentSettings.external_pipeline_validation_service_token || ENV['EXTERNAL_VALIDATION_SERVICE_TOKEN']
            end

            def validation_service_payload
              {
                project: {
                  id: project.id,
                  path: project.full_path,
                  created_at: project.created_at&.iso8601
                },
                user: {
                  id: current_user.id,
                  username: current_user.username,
                  email: current_user.email,
                  created_at: current_user.created_at&.iso8601,
                  current_sign_in_ip: current_user.current_sign_in_ip,
                  last_sign_in_ip: current_user.last_sign_in_ip,
                  sign_in_count: current_user.sign_in_count
                },
                pipeline: {
                  sha: pipeline.sha,
                  ref: pipeline.ref,
                  type: pipeline.source
                },
                builds: builds_validation_payload
              }
            end

            def builds_validation_payload
              stages_attributes.flat_map { |stage| stage[:builds] }
                .map(&method(:build_validation_payload))
            end

            def build_validation_payload(build)
              {
                name: build[:name],
                stage: build[:stage],
                image: build.dig(:options, :image, :name),
                services: service_names(build),
                script: [
                  build.dig(:options, :before_script),
                  build.dig(:options, :script),
                  build.dig(:options, :after_script)
                ].flatten.compact
              }
            end

            def service_names(build)
              services = build.dig(:options, :services)

              return unless services

              services.compact.map { |service| service[:name] }
            end

            def stages_attributes
              command.yaml_processor_result.stages_attributes
            end
          end
        end
      end
    end
  end
end

Gitlab::Ci::Pipeline::Chain::Validate::External.prepend_mod_with('Gitlab::Ci::Pipeline::Chain::Validate::External')
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`# frozen_string_literal: true`

			`module Gitlab`
			`module Ci`
			`module Pipeline`
			`module Chain`
			`module Validate`
			`class External < Chain::Base`
			`include Chain::Helpers`

			`InvalidResponseCode = Class.new(StandardError)`

New upstream version 13.11.2+ds1 2021-04-29 21:17:54 +05:30			`DEFAULT_VALIDATION_REQUEST_TIMEOUT = 5`
			`ACCEPTED_STATUS = 200`
New upstream version 14.0.10 2021-09-04 01:27:46 +05:30			`REJECTED_STATUS = 406`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30
			`def perform!`
New upstream version 12.10.0 2020-04-22 19:07:51 +05:30			`pipeline_authorized = validate_external`

			`log_message = pipeline_authorized ? 'authorized' : 'not authorized'`
New upstream version 13.11.2+ds1 2021-04-29 21:17:54 +05:30			`Gitlab::AppLogger.info(message: "Pipeline #{log_message}", project_id: project.id, user_id: current_user.id)`
New upstream version 12.10.0 2020-04-22 19:07:51 +05:30
			`error('External validation failed', drop_reason: :external_validation_failure) unless pipeline_authorized`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`end`

			`def break?`
New upstream version 13.11.2+ds1 2021-04-29 21:17:54 +05:30			`pipeline.errors.any?`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`end`

			`private`

			`def validate_external`
			`return true unless validation_service_url`

			`# 200 - accepted`
New upstream version 14.0.10 2021-09-04 01:27:46 +05:30			`# 406 - rejected`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`# everything else - accepted and logged`
			`response_code = validate_service_request.code`
			`case response_code`
New upstream version 13.11.2+ds1 2021-04-29 21:17:54 +05:30			`when ACCEPTED_STATUS`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`true`
New upstream version 14.0.10 2021-09-04 01:27:46 +05:30			`when REJECTED_STATUS`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`false`
			`else`
			`raise InvalidResponseCode, "Unsupported response code received from Validation Service: #{response_code}"`
			`end`
New upstream version 13.12.3+ds1 2021-06-08 01:23:25 +05:30			`rescue StandardError => ex`
New upstream version 13.11.2+ds1 2021-04-29 21:17:54 +05:30			`Gitlab::ErrorTracking.track_exception(ex, project_id: project.id)`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30
			`true`
			`end`

			`def validate_service_request`
New upstream version 13.11.2+ds1 2021-04-29 21:17:54 +05:30			`headers = {`
			`'X-Gitlab-Correlation-id' => Labkit::Correlation::CorrelationId.current_id,`
			`'X-Gitlab-Token' => validation_service_token`
			`}.compact`

New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`Gitlab::HTTP.post(`
New upstream version 13.11.2+ds1 2021-04-29 21:17:54 +05:30			`validation_service_url, timeout: validation_service_timeout,`
			`headers: headers,`
			`body: validation_service_payload.to_json`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`)`
			`end`

New upstream version 13.11.2+ds1 2021-04-29 21:17:54 +05:30			`def validation_service_timeout`
			`timeout = Gitlab::CurrentSettings.external_pipeline_validation_service_timeout \|\| ENV['EXTERNAL_VALIDATION_SERVICE_TIMEOUT'].to_i`
			`return timeout if timeout > 0`

			`DEFAULT_VALIDATION_REQUEST_TIMEOUT`
			`end`

New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`def validation_service_url`
New upstream version 13.11.2+ds1 2021-04-29 21:17:54 +05:30			`Gitlab::CurrentSettings.external_pipeline_validation_service_url \|\| ENV['EXTERNAL_VALIDATION_SERVICE_URL']`
			`end`

			`def validation_service_token`
			`Gitlab::CurrentSettings.external_pipeline_validation_service_token \|\| ENV['EXTERNAL_VALIDATION_SERVICE_TOKEN']`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`end`

New upstream version 13.11.2+ds1 2021-04-29 21:17:54 +05:30			`def validation_service_payload`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`{`
			`project: {`
New upstream version 13.11.2+ds1 2021-04-29 21:17:54 +05:30			`id: project.id,`
			`path: project.full_path,`
			`created_at: project.created_at&.iso8601`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`},`
			`user: {`
New upstream version 13.11.2+ds1 2021-04-29 21:17:54 +05:30			`id: current_user.id,`
			`username: current_user.username,`
			`email: current_user.email,`
New upstream version 14.0.10 2021-09-04 01:27:46 +05:30			`created_at: current_user.created_at&.iso8601,`
			`current_sign_in_ip: current_user.current_sign_in_ip,`
New upstream version 14.4.2+ds1 2021-11-18 22:05:49 +05:30			`last_sign_in_ip: current_user.last_sign_in_ip,`
			`sign_in_count: current_user.sign_in_count`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`},`
			`pipeline: {`
			`sha: pipeline.sha,`
			`ref: pipeline.ref,`
			`type: pipeline.source`
			`},`
New upstream version 13.11.2+ds1 2021-04-29 21:17:54 +05:30			`builds: builds_validation_payload`
			`}`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`end`

New upstream version 13.11.2+ds1 2021-04-29 21:17:54 +05:30			`def builds_validation_payload`
			`stages_attributes.flat_map { \|stage\| stage[:builds] }`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`.map(&method(:build_validation_payload))`
			`end`

			`def build_validation_payload(build)`
			`{`
			`name: build[:name],`
			`stage: build[:stage],`
			`image: build.dig(:options, :image, :name),`
New upstream version 14.6.3+ds1 2022-01-26 12:08:38 +05:30			`services: service_names(build),`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`script: [`
			`build.dig(:options, :before_script),`
			`build.dig(:options, :script),`
			`build.dig(:options, :after_script)`
			`].flatten.compact`
			`}`
			`end`
New upstream version 13.11.2+ds1 2021-04-29 21:17:54 +05:30
New upstream version 14.6.3+ds1 2022-01-26 12:08:38 +05:30			`def service_names(build)`
			`services = build.dig(:options, :services)`

			`return unless services`

			`services.compact.map { \|service\| service[:name] }`
			`end`

New upstream version 13.11.2+ds1 2021-04-29 21:17:54 +05:30			`def stages_attributes`
			`command.yaml_processor_result.stages_attributes`
			`end`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`end`
			`end`
			`end`
			`end`
			`end`
			`end`
New upstream version 13.11.2+ds1 2021-04-29 21:17:54 +05:30
New upstream version 13.12.3+ds1 2021-06-08 01:23:25 +05:30			`Gitlab::Ci::Pipeline::Chain::Validate::External.prepend_mod_with('Gitlab::Ci::Pipeline::Chain::Validate::External')`