140 lines
5.6 KiB
Ruby
140 lines
5.6 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
module Clusters
|
|
class Agent < ApplicationRecord
|
|
include FromUnion
|
|
|
|
self.table_name = 'cluster_agents'
|
|
|
|
INACTIVE_AFTER = 1.hour.freeze
|
|
ACTIVITY_EVENT_LIMIT = 200
|
|
|
|
belongs_to :created_by_user, class_name: 'User', optional: true
|
|
belongs_to :project, class_name: '::Project' # Otherwise, it will load ::Clusters::Project
|
|
|
|
has_many :agent_tokens, -> { order_last_used_at_desc }, class_name: 'Clusters::AgentToken', inverse_of: :agent
|
|
has_many :active_agent_tokens, -> { active.order_last_used_at_desc }, class_name: 'Clusters::AgentToken', inverse_of: :agent
|
|
|
|
has_many :ci_access_group_authorizations, class_name: 'Clusters::Agents::Authorizations::CiAccess::GroupAuthorization'
|
|
has_many :ci_access_authorized_groups, class_name: '::Group', through: :ci_access_group_authorizations, source: :group
|
|
|
|
has_many :ci_access_project_authorizations, class_name: 'Clusters::Agents::Authorizations::CiAccess::ProjectAuthorization'
|
|
has_many :ci_access_authorized_projects, class_name: '::Project', through: :ci_access_project_authorizations, source: :project
|
|
|
|
has_many :user_access_group_authorizations, class_name: 'Clusters::Agents::Authorizations::UserAccess::GroupAuthorization'
|
|
has_many :user_access_authorized_groups, class_name: '::Group', through: :user_access_group_authorizations, source: :group
|
|
|
|
has_many :user_access_project_authorizations, class_name: 'Clusters::Agents::Authorizations::UserAccess::ProjectAuthorization'
|
|
has_many :user_access_authorized_projects, class_name: '::Project', through: :user_access_project_authorizations, source: :project
|
|
|
|
has_many :activity_events, -> { in_timeline_order }, class_name: 'Clusters::Agents::ActivityEvent', inverse_of: :agent
|
|
|
|
scope :ordered_by_name, -> { order(:name) }
|
|
scope :with_name, -> (name) { where(name: name) }
|
|
scope :has_vulnerabilities, -> (value = true) { where(has_vulnerabilities: value) }
|
|
|
|
validates :name,
|
|
presence: true,
|
|
length: { maximum: 63 },
|
|
uniqueness: { scope: :project_id },
|
|
format: {
|
|
with: Gitlab::Regex.cluster_agent_name_regex,
|
|
message: Gitlab::Regex.cluster_agent_name_regex_message
|
|
}
|
|
|
|
def has_access_to?(requested_project)
|
|
requested_project == project
|
|
end
|
|
|
|
def connected?
|
|
agent_tokens.active.where("last_used_at > ?", INACTIVE_AFTER.ago).exists?
|
|
end
|
|
|
|
def activity_event_deletion_cutoff
|
|
# Order is defined by the association
|
|
activity_events
|
|
.offset(ACTIVITY_EVENT_LIMIT - 1)
|
|
.pick(:recorded_at)
|
|
end
|
|
|
|
def to_ability_name
|
|
:cluster
|
|
end
|
|
|
|
def ci_access_authorized_for?(user)
|
|
return false unless user
|
|
return false unless ::Feature.enabled?(:expose_authorized_cluster_agents, project)
|
|
|
|
::Project.from_union(
|
|
all_ci_access_authorized_projects_for(user).limit(1),
|
|
all_ci_access_authorized_namespaces_for(user).limit(1)
|
|
).exists?
|
|
end
|
|
|
|
def user_access_authorized_for?(user)
|
|
return false unless user
|
|
return false unless ::Feature.enabled?(:expose_authorized_cluster_agents, project)
|
|
|
|
Clusters::Agents::Authorizations::UserAccess::Finder
|
|
.new(user, agent: self, preload: false, limit: 1).execute.any?
|
|
end
|
|
|
|
# As of today, all config values of associated authorization rows have the same value.
|
|
# See `UserAccess::RefreshService` for more information.
|
|
def user_access_config
|
|
self.class.from_union(
|
|
user_access_project_authorizations.select('config').limit(1),
|
|
user_access_group_authorizations.select('config').limit(1)
|
|
).compact.first&.config
|
|
end
|
|
|
|
private
|
|
|
|
def all_ci_access_authorized_projects_for(user)
|
|
::Project.joins(:ci_access_project_authorizations)
|
|
.joins(:project_authorizations)
|
|
.where(agent_project_authorizations: { agent_id: id })
|
|
.where(project_authorizations: { user_id: user.id, access_level: Gitlab::Access::DEVELOPER.. })
|
|
end
|
|
|
|
def all_ci_access_authorized_namespaces_for(user)
|
|
::Project.with(root_namespace_cte.to_arel)
|
|
.with(all_ci_access_authorized_namespaces_cte.to_arel)
|
|
.joins('INNER JOIN all_authorized_namespaces ON all_authorized_namespaces.id = projects.namespace_id')
|
|
.joins(:project_authorizations)
|
|
.where(project_authorizations: { user_id: user.id, access_level: Gitlab::Access::DEVELOPER.. })
|
|
end
|
|
|
|
def root_namespace_cte
|
|
Gitlab::SQL::CTE.new(:root_namespace, root_namespace.to_sql)
|
|
end
|
|
|
|
def all_ci_access_authorized_namespaces_cte
|
|
Gitlab::SQL::CTE.new(:all_authorized_namespaces, all_ci_access_authorized_namespaces.to_sql)
|
|
end
|
|
|
|
def all_ci_access_authorized_namespaces
|
|
Namespace.select("traversal_ids[array_length(traversal_ids, 1)] AS id")
|
|
.joins("INNER JOIN root_namespace ON " \
|
|
"namespaces.traversal_ids @> ARRAY[root_namespace.root_id]")
|
|
.joins("INNER JOIN agent_group_authorizations ON " \
|
|
"namespaces.traversal_ids @> ARRAY[agent_group_authorizations.group_id::integer]")
|
|
.where(agent_group_authorizations: { agent_id: id })
|
|
end
|
|
|
|
def root_namespace
|
|
Namespace.select("traversal_ids[1] AS root_id")
|
|
.where("traversal_ids @> ARRAY(?)", project_namespace)
|
|
.limit(1)
|
|
end
|
|
|
|
def project_namespace
|
|
::Project.select('namespace_id')
|
|
.joins(:cluster_agents)
|
|
.where(cluster_agents: { id: id })
|
|
.limit(1)
|
|
end
|
|
end
|
|
end
|
|
|
|
Clusters::Agent.prepend_mod_with('Clusters::Agent')
|