debian-mirror-gitlab/lib/api/ci/helpers/runner.rb

162 lines
5.5 KiB
Ruby
Raw Normal View History

2021-10-27 15:23:28 +05:30
# frozen_string_literal: true
module API
module Ci
module Helpers
module Runner
include Gitlab::Utils::StrongMemoize
prepend_mod_with('API::Ci::Helpers::Runner') # rubocop: disable Cop/InjectEnterpriseEditionModule
JOB_TOKEN_HEADER = 'HTTP_JOB_TOKEN'
JOB_TOKEN_PARAM = :token
2023-04-23 21:23:45 +05:30
LEGACY_SYSTEM_XID = '<legacy>'
2021-10-27 15:23:28 +05:30
2023-07-09 08:55:56 +05:30
def authenticate_runner!(ensure_runner_manager: true, update_contacted_at: true)
2022-08-13 15:12:31 +05:30
track_runner_authentication
2021-10-27 15:23:28 +05:30
forbidden! unless current_runner
2023-04-23 21:23:45 +05:30
runner_details = get_runner_details_from_request
2023-05-27 22:25:52 +05:30
current_runner.heartbeat(runner_details, update_contacted_at: update_contacted_at)
2023-07-09 08:55:56 +05:30
return unless ensure_runner_manager
2023-06-20 00:43:36 +05:30
current_runner_manager&.heartbeat(runner_details, update_contacted_at: update_contacted_at)
2021-10-27 15:23:28 +05:30
end
def get_runner_details_from_request
return get_runner_ip unless params['info'].present?
2022-01-26 12:08:38 +05:30
attributes_for_keys(%w(name version revision platform architecture executor), params['info'])
2023-04-23 21:23:45 +05:30
.merge(get_system_id_from_request)
2021-10-27 15:23:28 +05:30
.merge(get_runner_config_from_request)
.merge(get_runner_ip)
end
2023-04-23 21:23:45 +05:30
def get_system_id_from_request
return { system_id: params[:system_id] } if params.include?(:system_id)
{}
end
2021-10-27 15:23:28 +05:30
def get_runner_ip
{ ip_address: ip_address }
end
def current_runner
token = params[:token]
if token
2021-11-18 22:05:49 +05:30
::Ci::Runner.sticking.stick_or_unstick_request(env, :runner, token)
2021-10-27 15:23:28 +05:30
end
strong_memoize(:current_runner) do
::Ci::Runner.find_by_token(token.to_s)
end
end
2023-06-20 00:43:36 +05:30
def current_runner_manager
strong_memoize(:current_runner_manager) do
2023-04-23 21:23:45 +05:30
system_xid = params.fetch(:system_id, LEGACY_SYSTEM_XID)
2023-06-20 00:43:36 +05:30
current_runner&.ensure_manager(system_xid) { |m| m.contacted_at = Time.current }
2023-04-23 21:23:45 +05:30
end
end
2022-08-13 15:12:31 +05:30
def track_runner_authentication
if current_runner
metrics.increment_runner_authentication_success_counter(runner_type: current_runner.runner_type)
else
metrics.increment_runner_authentication_failure_counter
end
end
2021-10-27 15:23:28 +05:30
# HTTP status codes to terminate the job on GitLab Runner:
# - 403
2023-01-13 00:05:48 +05:30
def authenticate_job!(heartbeat_runner: false)
2021-10-27 15:23:28 +05:30
job = current_job
# 404 is not returned here because we want to terminate the job if it's
# running. A 404 can be returned from anywhere in the networking stack which is why
# we are explicit about a 403, we should improve this in
# https://gitlab.com/gitlab-org/gitlab/-/issues/327703
forbidden! unless job
2022-07-16 23:28:13 +05:30
forbidden! unless job.valid_token?(job_token)
2021-10-27 15:23:28 +05:30
forbidden!('Project has been deleted!') if job.project.nil? || job.project.pending_delete?
forbidden!('Job has been erased!') if job.erased?
2023-01-13 00:05:48 +05:30
job_forbidden!(job, 'Job is not running') unless job.running?
2021-10-27 15:23:28 +05:30
2022-01-26 12:08:38 +05:30
# Only some requests (like updating the job or patching the trace) should trigger
# runner heartbeat. Operations like artifacts uploading are executed in context of
# the running job and in the job environment, which in many cases will cause the IP
# to be updated to not the expected value. And operations like artifacts downloads can
# be done even after the job is finished and from totally different runners - while
# they would then update the connection status of not the runner that they should.
# Runner requests done in context of job authentication should explicitly define when
# the heartbeat should be triggered.
if heartbeat_runner
job.runner&.heartbeat(get_runner_ip)
2023-06-20 00:43:36 +05:30
job.runner_manager&.heartbeat(get_runner_ip)
2022-01-26 12:08:38 +05:30
end
2021-10-27 15:23:28 +05:30
job
end
2022-07-16 23:28:13 +05:30
def authenticate_job_via_dependent_job!
2023-01-13 00:05:48 +05:30
authenticate!
2022-07-16 23:28:13 +05:30
forbidden! unless current_job
2023-01-13 00:05:48 +05:30
forbidden! unless can?(current_user, :read_build, current_job)
2022-07-16 23:28:13 +05:30
end
2021-10-27 15:23:28 +05:30
def current_job
id = params[:id]
if id
2021-11-18 22:05:49 +05:30
::Ci::Build
.sticking
.stick_or_unstick_request(env, :build, id)
2021-10-27 15:23:28 +05:30
end
strong_memoize(:current_job) do
::Ci::Build.find_by_id(id)
end
end
2022-07-16 23:28:13 +05:30
# The token used by runner to authenticate a request.
# In most cases, the runner uses the token belonging to the requested job.
# However, when requesting for job artifacts, the runner would use
# the token that belongs to downstream jobs that depend on the job that owns
# the artifacts.
def job_token
@job_token ||= (params[JOB_TOKEN_PARAM] || env[JOB_TOKEN_HEADER]).to_s
2021-10-27 15:23:28 +05:30
end
def job_forbidden!(job, reason)
header 'Job-Status', job.status
forbidden!(reason)
end
def set_application_context
return unless current_job
2022-08-27 11:52:29 +05:30
Gitlab::ApplicationContext.push(job: current_job, runner: current_runner)
2021-10-27 15:23:28 +05:30
end
def track_ci_minutes_usage!(_build, _runner)
# noop: overridden in EE
end
private
def get_runner_config_from_request
{ config: attributes_for_keys(%w(gpus), params.dig('info', 'config')) }
end
2022-07-16 23:28:13 +05:30
2022-08-13 15:12:31 +05:30
def metrics
strong_memoize(:metrics) { ::Gitlab::Ci::Runner::Metrics.new }
end
2021-10-27 15:23:28 +05:30
end
end
end
end