Skip to content

G
gitlab-ce
Commit 0e323ac2 authored by Hordur Freyr Yngvason's avatar Hordur Freyr Yngvason Committed by Nikola Milojevic
Browse files
Options

Add environment and project groups to allowed_agents API

parent 39e5bee5
Hide whitespace changes
Inline Side-by-side
Showing with 48 additions and 37 deletions
lib/api/ci/jobs.rb
View file @ 0e323ac2
......@@ -190,14 +190,25 @@ module API
pipeline = current_authenticated_job.pipeline
project = current_authenticated_job.project
agent_authorizations = Clusters::AgentAuthorizationsFinder.new(project).execute
project_groups = project.group&.self_and_ancestor_ids&.map { |id| { id: id } } || []
user_access_level = project.team.max_member_access(current_user.id)
roles_in_project = Gitlab::Access.sym_options_with_owner
.select { |_role, role_access_level| role_access_level <= user_access_level }
.map(&:first)
environment = if environment_slug = current_authenticated_job.deployment&.environment&.slug
{ slug: environment_slug }
end
# See https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/blob/master/doc/kubernetes_ci_access.md#apiv4joballowed_agents-api
{
allowed_agents: Entities::Clusters::AgentAuthorization.represent(agent_authorizations),
job: Entities::Ci::JobRequest::JobInfo.represent(current_authenticated_job),
pipeline: Entities::Ci::PipelineBasic.represent(pipeline),
project: Entities::ProjectIdentity.represent(project),
user: Entities::UserBasic.represent(current_user)
}
job: { id: current_authenticated_job.id },
pipeline: { id: pipeline.id },
project: { id: project.id, groups: project_groups },
user: { id: current_user.id, username: current_user.username, roles_in_project: roles_in_project },
environment: environment
}.compact
end
end
......
spec/requests/api/ci/jobs_spec.rb
View file @ 0e323ac2
......@@ -177,11 +177,16 @@ RSpec.describe API::Ci::Jobs do
end
describe 'GET /job/allowed_agents' do
let_it_be(:group_authorization) { create(:agent_group_authorization) }
let_it_be(:associated_agent) { create(:cluster_agent, project: project) }
let_it_be(:group) { create(:group) }
let_it_be(:group_agent) { create(:cluster_agent, project: create(:project, group: group)) }
let_it_be(:group_authorization) { create(:agent_group_authorization, agent: group_agent, group: group) }
let_it_be(:project_agent) { create(:cluster_agent, project: project) }
let(:implicit_authorization) { Clusters::Agents::ImplicitAuthorization.new(agent: associated_agent) }
let(:authorizations_finder) { double(execute: [implicit_authorization, group_authorization]) }
before(:all) do
project.update!(group: group_authorization.group)
end
let(:implicit_authorization) { Clusters::Agents::ImplicitAuthorization.new(agent: project_agent) }
let(:headers) { { API::Ci::Helpers::Runner::JOB_TOKEN_HEADER => job.token } }
let(:job) { create(:ci_build, :artifacts, pipeline: pipeline, user: api_user, status: job_status) }
......@@ -193,44 +198,22 @@ RSpec.describe API::Ci::Jobs do
end
before do
allow(Clusters::AgentAuthorizationsFinder).to receive(:new).with(project).and_return(authorizations_finder)
subject
end
context 'when token is valid and user is authorized' do
it 'returns agent info', :aggregate_failures do
expect(response).to have_gitlab_http_status(:ok)
expect(json_response.dig('job', 'id')).to eq(job.id)
expect(json_response.dig('pipeline', 'id')).to eq(job.pipeline_id)
expect(json_response.dig('project', 'id')).to eq(job.project_id)
expect(json_response.dig('user', 'username')).to eq(api_user.username)
expect(json_response['allowed_agents']).to match_array([
{
'id' => implicit_authorization.agent_id,
'config_project' => hash_including('id' => implicit_authorization.agent.project_id),
'configuration' => implicit_authorization.config
},
{
'id' => group_authorization.agent_id,
'config_project' => hash_including('id' => group_authorization.agent.project_id),
'configuration' => group_authorization.config
}
])
end
context 'when passing the token as params' do
let(:headers) { {} }
let(:params) { { job_token: job.token } }
shared_examples_for 'valid allowed_agents request' do
it 'returns agent info', :aggregate_failures do
expect(response).to have_gitlab_http_status(:ok)
expect(json_response.dig('job', 'id')).to eq(job.id)
expect(json_response.dig('pipeline', 'id')).to eq(job.pipeline_id)
expect(json_response.dig('project', 'id')).to eq(job.project_id)
expect(json_response.dig('project', 'groups')).to match_array([{ 'id' => group_authorization.group.id }])
expect(json_response.dig('user', 'id')).to eq(api_user.id)
expect(json_response.dig('user', 'username')).to eq(api_user.username)
expect(json_response.dig('user', 'roles_in_project')).to match_array %w(guest reporter developer)
expect(json_response).not_to include('environment')
expect(json_response['allowed_agents']).to match_array([
{
'id' => implicit_authorization.agent_id,
......@@ -239,12 +222,29 @@ RSpec.describe API::Ci::Jobs do
},
{
'id' => group_authorization.agent_id,
'config_project' => a_hash_including('id' => group_authorization.agent.project_id),
'config_project' => hash_including('id' => group_authorization.agent.project_id),
'configuration' => group_authorization.config
}
])
end
end
it_behaves_like 'valid allowed_agents request'
context 'when deployment' do
let(:job) { create(:ci_build, :artifacts, :with_deployment, environment: 'production', pipeline: pipeline, user: api_user, status: job_status) }
it 'includes environment slug' do
expect(json_response.dig('environment', 'slug')).to eq('production')
end
end
context 'when passing the token as params' do
let(:headers) { {} }
let(:params) { { job_token: job.token } }
it_behaves_like 'valid allowed_agents request'
end
end
context 'when user is anonymous' do
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7