# frozen_string_literal: true
module Gitlab
module Ci
module Pipeline
module Chain
module Validate
class External < Chain::Base
include Chain::Helpers
InvalidResponseCode = Class.new(StandardError)
DEFAULT_VALIDATION_REQUEST_TIMEOUT = 5
ACCEPTED_STATUS = 200
REJECTED_STATUS = 406
def perform!
pipeline_authorized = validate_external
log_message = pipeline_authorized ? 'authorized' : 'not authorized'
Gitlab::AppLogger.info(message: "Pipeline #{log_message}", project_id: project.id, user_id: current_user.id)
error('External validation failed', drop_reason: :external_validation_failure) unless pipeline_authorized
end
def break?
pipeline.errors.any?
end
private
def validate_external
return true unless validation_service_url
# 200 - accepted
# 406 - rejected
# everything else - accepted and logged
response_code = validate_service_request.code
case response_code
when ACCEPTED_STATUS
true
when REJECTED_STATUS
false
else
raise InvalidResponseCode, "Unsupported response code received from Validation Service: #{response_code}"
end
rescue StandardError => ex
Gitlab::ErrorTracking.track_exception(ex, project_id: project.id)
true
end
def validate_service_request
headers = {
'X-Gitlab-Correlation-id' => Labkit::Correlation::CorrelationId.current_id,
'X-Gitlab-Token' => validation_service_token
}.compact
Gitlab::HTTP.post(
validation_service_url, timeout: validation_service_timeout,
headers: headers,
body: validation_service_payload.to_json
)
end
def validation_service_timeout
timeout = Gitlab::CurrentSettings.external_pipeline_validation_service_timeout || ENV['EXTERNAL_VALIDATION_SERVICE_TIMEOUT'].to_i
return timeout if timeout > 0
DEFAULT_VALIDATION_REQUEST_TIMEOUT
end
def validation_service_url
Gitlab::CurrentSettings.external_pipeline_validation_service_url || ENV['EXTERNAL_VALIDATION_SERVICE_URL']
end
def validation_service_token
Gitlab::CurrentSettings.external_pipeline_validation_service_token || ENV['EXTERNAL_VALIDATION_SERVICE_TOKEN']
end
def validation_service_payload
{
project: {
id: project.id,
path: project.full_path,
created_at: project.created_at&.iso8601,
shared_runners_enabled: project.shared_runners_enabled?,
group_runners_enabled: project.group_runners_enabled?
},
user: {
id: current_user.id,
username: current_user.username,
email: current_user.email,
created_at: current_user.created_at&.iso8601,
current_sign_in_ip: current_user.current_sign_in_ip,
last_sign_in_ip: current_user.last_sign_in_ip,
sign_in_count: current_user.sign_in_count
},
pipeline: {
sha: pipeline.sha,
ref: pipeline.ref,
type: pipeline.source
},
builds: builds_validation_payload,
total_builds_count: current_user.pipelines.jobs_count_in_alive_pipelines
}
end
def builds_validation_payload
stages_attributes.flat_map { |stage| stage[:builds] }
.map(&method(:build_validation_payload))
end
def build_validation_payload(build)
{
name: build[:name],
stage: build[:stage],
image: build.dig(:options, :image, :name),
services: service_names(build),
script: [
build.dig(:options, :before_script),
build.dig(:options, :script),
build.dig(:options, :after_script)
].flatten.compact
}
end
def service_names(build)
services = build.dig(:options, :services)
return unless services
services.compact.map { |service| service[:name] }
end
def stages_attributes
command.yaml_processor_result.stages_attributes
end
end
end
end
end
end
end
Gitlab::Ci::Pipeline::Chain::Validate::External.prepend_mod_with('Gitlab::Ci::Pipeline::Chain::Validate::External')