242 lines
8.4 KiB
Ruby
242 lines
8.4 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
module Groups
|
|
class TransferService < Groups::BaseService
|
|
TransferError = Class.new(StandardError)
|
|
|
|
attr_reader :error, :new_parent_group
|
|
|
|
def initialize(group, user, params = {})
|
|
super
|
|
@error = nil
|
|
end
|
|
|
|
def execute(new_parent_group)
|
|
@new_parent_group = new_parent_group
|
|
ensure_allowed_transfer
|
|
proceed_to_transfer
|
|
|
|
rescue TransferError, ActiveRecord::RecordInvalid, Gitlab::UpdatePathError => e
|
|
@group.errors.clear
|
|
@error = s_("TransferGroup|Transfer failed: %{error_message}") % { error_message: e.message }
|
|
false
|
|
end
|
|
|
|
private
|
|
|
|
def proceed_to_transfer
|
|
Group.transaction do
|
|
update_group_attributes
|
|
ensure_ownership
|
|
update_integrations
|
|
update_pending_builds!
|
|
end
|
|
|
|
post_update_hooks(@updated_project_ids)
|
|
propagate_integrations
|
|
|
|
true
|
|
end
|
|
|
|
# Overridden in EE
|
|
def post_update_hooks(updated_project_ids)
|
|
refresh_project_authorizations
|
|
refresh_descendant_groups if @new_parent_group
|
|
end
|
|
|
|
def ensure_allowed_transfer
|
|
raise_transfer_error(:group_is_already_root) if group_is_already_root?
|
|
raise_transfer_error(:same_parent_as_current) if same_parent?
|
|
raise_transfer_error(:has_subscription) if has_subscription?
|
|
raise_transfer_error(:invalid_policies) unless valid_policies?
|
|
raise_transfer_error(:namespace_with_same_path) if namespace_with_same_path?
|
|
raise_transfer_error(:group_contains_images) if group_projects_contain_registry_images?
|
|
raise_transfer_error(:cannot_transfer_to_subgroup) if transfer_to_subgroup?
|
|
raise_transfer_error(:group_contains_npm_packages) if group_with_npm_packages?
|
|
end
|
|
|
|
def group_with_npm_packages?
|
|
return false unless group.packages_feature_enabled?
|
|
|
|
npm_packages = ::Packages::GroupPackagesFinder.new(current_user, group, package_type: :npm).execute
|
|
|
|
different_root_ancestor? && npm_packages.exists?
|
|
end
|
|
|
|
def different_root_ancestor?
|
|
group.root_ancestor != new_parent_group&.root_ancestor
|
|
end
|
|
|
|
def group_is_already_root?
|
|
!@new_parent_group && !@group.has_parent?
|
|
end
|
|
|
|
def same_parent?
|
|
@new_parent_group && @new_parent_group.id == @group.parent_id
|
|
end
|
|
|
|
def has_subscription?
|
|
@group.paid?
|
|
end
|
|
|
|
def transfer_to_subgroup?
|
|
@new_parent_group && \
|
|
@group.self_and_descendants.pluck_primary_key.include?(@new_parent_group.id)
|
|
end
|
|
|
|
def valid_policies?
|
|
return false unless can?(current_user, :admin_group, @group)
|
|
|
|
if @new_parent_group
|
|
can?(current_user, :create_subgroup, @new_parent_group)
|
|
else
|
|
can?(current_user, :create_group)
|
|
end
|
|
end
|
|
|
|
# rubocop: disable CodeReuse/ActiveRecord
|
|
def namespace_with_same_path?
|
|
Namespace.exists?(path: @group.path, parent: @new_parent_group)
|
|
end
|
|
# rubocop: enable CodeReuse/ActiveRecord
|
|
|
|
def group_projects_contain_registry_images?
|
|
@group.has_container_repository_including_subgroups?
|
|
end
|
|
|
|
def update_group_attributes
|
|
if @new_parent_group && @new_parent_group.visibility_level < @group.visibility_level
|
|
update_children_and_projects_visibility
|
|
@group.visibility_level = @new_parent_group.visibility_level
|
|
end
|
|
|
|
update_two_factor_authentication if @new_parent_group
|
|
|
|
@group.parent = @new_parent_group
|
|
@group.clear_memoization(:self_and_ancestors_ids)
|
|
@group.clear_memoization(:root_ancestor) if different_root_ancestor?
|
|
|
|
inherit_group_shared_runners_settings
|
|
|
|
@group.save!
|
|
# #reload is called to make sure traversal_ids are reloaded
|
|
@group.reload # rubocop:disable Cop/ActiveRecordAssociationReload
|
|
end
|
|
|
|
# rubocop: disable CodeReuse/ActiveRecord
|
|
def update_children_and_projects_visibility
|
|
descendants = @group.descendants.where("visibility_level > ?", @new_parent_group.visibility_level)
|
|
|
|
Group
|
|
.where(id: descendants.select(:id))
|
|
.update_all(visibility_level: @new_parent_group.visibility_level)
|
|
|
|
projects_to_update = @group
|
|
.all_projects
|
|
.where("visibility_level > ?", @new_parent_group.visibility_level)
|
|
|
|
# Used in post_update_hooks in EE. Must use pluck (and not select)
|
|
# here as after we perform the update below we won't be able to find
|
|
# these records again.
|
|
@updated_project_ids = projects_to_update.pluck(:id)
|
|
|
|
Namespaces::ProjectNamespace
|
|
.where(id: projects_to_update.select(:project_namespace_id))
|
|
.update_all(visibility_level: @new_parent_group.visibility_level)
|
|
|
|
projects_to_update
|
|
.update_all(visibility_level: @new_parent_group.visibility_level)
|
|
end
|
|
|
|
def update_two_factor_authentication
|
|
return if namespace_parent_allows_two_factor_auth
|
|
|
|
@group.require_two_factor_authentication = false
|
|
end
|
|
|
|
def refresh_descendant_groups
|
|
return if namespace_parent_allows_two_factor_auth
|
|
|
|
if @group.descendants.where(require_two_factor_authentication: true).any?
|
|
DisallowTwoFactorForSubgroupsWorker.perform_async(@group.id)
|
|
end
|
|
end
|
|
# rubocop: enable CodeReuse/ActiveRecord
|
|
|
|
def namespace_parent_allows_two_factor_auth
|
|
@new_parent_group.namespace_settings.allow_mfa_for_subgroups
|
|
end
|
|
|
|
def ensure_ownership
|
|
return if @new_parent_group
|
|
return unless @group.owners.empty?
|
|
|
|
@group.add_owner(current_user)
|
|
end
|
|
|
|
def refresh_project_authorizations
|
|
projects_to_update = Set.new
|
|
|
|
# All projects in this hierarchy need to have their project authorizations recalculated
|
|
@group.all_projects.each_batch { |prjs| projects_to_update.merge(prjs.ids) } # rubocop: disable CodeReuse/ActiveRecord
|
|
|
|
# When a group is transferred, it also affects who gets access to the projects shared to
|
|
# the subgroups within its hierarchy, so we also schedule jobs that refresh authorizations for all such shared projects.
|
|
ProjectGroupLink.in_group(@group.self_and_descendants.select(:id)).each_batch do |project_group_links|
|
|
projects_to_update.merge(project_group_links.pluck(:project_id)) # rubocop: disable CodeReuse/ActiveRecord
|
|
end
|
|
|
|
AuthorizedProjectUpdate::ProjectAccessChangedService.new(projects_to_update.to_a).execute unless projects_to_update.empty?
|
|
end
|
|
|
|
def raise_transfer_error(message)
|
|
raise TransferError, localized_error_messages[message]
|
|
end
|
|
|
|
def localized_error_messages
|
|
{
|
|
database_not_supported: s_('TransferGroup|Database is not supported.'),
|
|
namespace_with_same_path: s_('TransferGroup|The parent group already has a subgroup or a project with the same path.'),
|
|
group_is_already_root: s_('TransferGroup|Group is already a root group.'),
|
|
same_parent_as_current: s_('TransferGroup|Group is already associated to the parent group.'),
|
|
invalid_policies: s_("TransferGroup|You don't have enough permissions."),
|
|
group_contains_images: s_('TransferGroup|Cannot update the path because there are projects under this group that contain Docker images in their Container Registry. Please remove the images from your projects first and try again.'),
|
|
cannot_transfer_to_subgroup: s_('TransferGroup|Cannot transfer group to one of its subgroup.'),
|
|
group_contains_npm_packages: s_('TransferGroup|Group contains projects with NPM packages.')
|
|
}.freeze
|
|
end
|
|
|
|
def inherit_group_shared_runners_settings
|
|
parent_setting = @group.parent&.shared_runners_setting
|
|
return unless parent_setting
|
|
|
|
if @group.shared_runners_setting_higher_than?(parent_setting)
|
|
result = Groups::UpdateSharedRunnersService.new(@group, current_user, shared_runners_setting: parent_setting).execute
|
|
|
|
raise TransferError, result[:message] unless result[:status] == :success
|
|
end
|
|
end
|
|
|
|
def update_integrations
|
|
@group.integrations.with_default_settings.delete_all
|
|
Integration.create_from_active_default_integrations(@group, :group_id)
|
|
end
|
|
|
|
def propagate_integrations
|
|
@group.integrations.with_default_settings.each do |integration|
|
|
PropagateIntegrationWorker.perform_async(integration.id)
|
|
end
|
|
end
|
|
|
|
def update_pending_builds!
|
|
update_params = {
|
|
namespace_traversal_ids: group.traversal_ids,
|
|
namespace_id: group.id
|
|
}
|
|
|
|
::Ci::UpdatePendingBuildService.new(group, update_params).execute
|
|
end
|
|
end
|
|
end
|
|
|
|
Groups::TransferService.prepend_mod_with('Groups::TransferService')
|