Check for credit card when playing manual jobs

Prevent a user from running previously created manual jobs.

Changelog: fixed

app/services/ci/play_bridge_service.rb

@@ -3,7 +3,7 @@
 module Ci
   class PlayBridgeService < ::BaseService
     def execute(bridge)
-      raise Gitlab::Access::AccessDeniedError unless can?(current_user, :play_job, bridge)
+      check_access!(bridge)
 
       bridge.tap do |bridge|
         bridge.user = current_user
@@ -14,5 +14,13 @@ module Ci
         AfterRequeueJobService.new(project, current_user).execute(bridge)
       end
     end
+
+    private
+
+    def check_access!(bridge)
+      raise Gitlab::Access::AccessDeniedError unless can?(current_user, :play_job, bridge)
+    end
   end
 end
+
+Ci::PlayBridgeService.prepend_mod_with('Ci::PlayBridgeService')

app/services/ci/play_build_service.rb

@@ -3,11 +3,7 @@
 module Ci
   class PlayBuildService < ::BaseService
     def execute(build, job_variables_attributes = nil)
-      raise Gitlab::Access::AccessDeniedError unless can?(current_user, :play_job, build)
-
-      if job_variables_attributes.present? && !can?(current_user, :set_pipeline_variables, project)
-        raise Gitlab::Access::AccessDeniedError
-      end
+      check_access!(build, job_variables_attributes)
 
       # Try to enqueue the build, otherwise create a duplicate.
       #
@@ -23,5 +19,17 @@ module Ci
         Ci::Build.retry(build, current_user)
       end
     end
+
+    private
+
+    def check_access!(build, job_variables_attributes)
+      raise Gitlab::Access::AccessDeniedError unless can?(current_user, :play_job, build)
+
+      if job_variables_attributes.present? && !can?(current_user, :set_pipeline_variables, project)
+        raise Gitlab::Access::AccessDeniedError
+      end
+    end
   end
 end
+
+Ci::PlayBuildService.prepend_mod_with('Ci::PlayBuildService')

ee/app/services/ee/ci/play_bridge_service.rb

+# frozen_string_literal: true
+
+module EE
+  module Ci
+    module PlayBridgeService
+      extend ::Gitlab::Utils::Override
+
+      private
+
+      override :check_access!
+      def check_access!(bridge)
+        super
+
+        if current_user && !current_user.has_required_credit_card_to_run_pipelines?(project)
+          ::Gitlab::AppLogger.info(
+            message: 'Credit card required to be on file in order to play a job',
+            project_path: project.full_path,
+            user_id: current_user.id,
+            plan: project.root_namespace.actual_plan_name
+          )
+
+          raise ::Gitlab::Access::AccessDeniedError, 'Credit card required to be on file in order to play a job'
+        end
+      end
+    end
+  end
+end

ee/app/services/ee/ci/play_build_service.rb

+# frozen_string_literal: true
+
+module EE
+  module Ci
+    module PlayBuildService
+      extend ::Gitlab::Utils::Override
+
+      private
+
+      override :check_access!
+      def check_access!(build, job_variables_attributes)
+        super
+
+        if current_user && !current_user.has_required_credit_card_to_run_pipelines?(project)
+          ::Gitlab::AppLogger.info(
+            message: 'Credit card required to be on file in order to play a job',
+            project_path: project.full_path,
+            user_id: current_user.id,
+            plan: project.root_namespace.actual_plan_name
+          )
+
+          raise ::Gitlab::Access::AccessDeniedError, 'Credit card required to be on file in order to play a job'
+        end
+      end
+    end
+  end
+end

ee/changelogs/unreleased/prevent-play-job-without-cc-info.yml

+---
+title: Check for credit card when playing manual jobs
+merge_request: 62124
+author:
+type: fixed

ee/spec/services/ci/play_bridge_service_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Ci::PlayBridgeService, '#execute' do
+  it_behaves_like 'prevents playing job when credit card is required' do
+    let(:user) { create(:user, maintainer_projects: [project, downstream_project]) }
+    let(:project) { create(:project) }
+    let(:pipeline) { create(:ci_pipeline, project: project) }
+    let(:downstream_project) { create(:project) }
+    let(:job) { create(:ci_bridge, :playable, pipeline: pipeline, downstream: downstream_project) }
+
+    subject { described_class.new(project, user).execute(job) }
+  end
+end

ee/spec/services/ci/play_build_service_spec.rb

 # frozen_string_literal: true
+
 require 'spec_helper'
 
 RSpec.describe Ci::PlayBuildService, '#execute' do
   it_behaves_like 'restricts access to protected environments'
+
+  it_behaves_like 'prevents playing job when credit card is required' do
+    let(:user) { create(:user, maintainer_projects: [project]) }
+    let(:project) { create(:project) }
+    let(:pipeline) { create(:ci_pipeline, project: project) }
+    let(:job) { create(:ci_build, :manual, pipeline: pipeline) }
+
+    subject { described_class.new(project, user).execute(job) }
+  end
 end

ee/spec/support/shared_examples/services/ci/play_job_service_shared_examples.rb

+# frozen_string_literal: true
+
+RSpec.shared_examples 'prevents playing job when credit card is required' do
+  before do
+    allow(::Gitlab).to receive(:com?).and_return(true)
+  end
+
+  context 'when user has required credit card' do
+    before do
+      allow(user)
+        .to receive(:has_required_credit_card_to_run_pipelines?)
+        .with(project)
+        .and_return(true)
+    end
+
+    it 'does not raise any exception' do
+      expect { subject }.not_to raise_error(::Gitlab::Access::AccessDeniedError)
+    end
+  end
+
+  context 'when user does not have required credit card' do
+    before do
+      allow(user)
+        .to receive(:has_required_credit_card_to_run_pipelines?)
+        .with(project)
+        .and_return(false)
+    end
+
+    it 'raises an exception and logs the failure' do
+      expect(::Gitlab::AppLogger)
+        .to receive(:info)
+        .with(
+          message: 'Credit card required to be on file in order to play a job',
+          project_path: project.full_path,
+          user_id: user.id,
+          plan: 'free')
+
+      expect { subject }
+        .to raise_error(::Gitlab::Access::AccessDeniedError, 'Credit card required to be on file in order to play a job')
+    end
+  end
+end