From 6fed1bc68a9997375db8bf7449dac51b70dc124e Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Tue, 27 Aug 2024 17:00:00 +0200 Subject: [PATCH] Create eval-jobset role and guard /api/push route --- doc/manual/src/configuration.md | 3 ++- src/lib/Hydra/Config.pm | 1 + src/lib/Hydra/Controller/API.pm | 2 ++ src/lib/Hydra/Helper/CatalystUtils.pm | 22 ++++++++++++++++++++++ src/root/user.tt | 1 + t/Hydra/Config/ldap_role_map.t | 3 ++- t/Hydra/Controller/User/ldap-legacy.t | 1 + t/Hydra/Controller/User/ldap.t | 2 ++ 8 files changed, 33 insertions(+), 2 deletions(-) diff --git a/doc/manual/src/configuration.md b/doc/manual/src/configuration.md index 4954040c6..d370312a7 100644 --- a/doc/manual/src/configuration.md +++ b/doc/manual/src/configuration.md @@ -208,7 +208,8 @@ Example configuration: # Make all users in the hydra_admin group Hydra admins hydra_admin = admin - # Allow all users in the dev group to restart jobs and cancel builds + # Allow all users in the dev group to eval jobsets, restart jobs and cancel builds + dev = eval-jobset dev = restart-jobs dev = cancel-build diff --git a/src/lib/Hydra/Config.pm b/src/lib/Hydra/Config.pm index af686fca7..0b2a06f55 100644 --- a/src/lib/Hydra/Config.pm +++ b/src/lib/Hydra/Config.pm @@ -95,6 +95,7 @@ sub get_legacy_ldap_config { "hydra_bump-to-front" => [ "bump-to-front" ], "hydra_cancel-build" => [ "cancel-build" ], "hydra_create-projects" => [ "create-projects" ], + "hydra_eval-jobset" => [ "eval-jobset" ], "hydra_restart-jobs" => [ "restart-jobs" ], }, }; diff --git a/src/lib/Hydra/Controller/API.pm b/src/lib/Hydra/Controller/API.pm index 06f35d4be..beefaab02 100644 --- a/src/lib/Hydra/Controller/API.pm +++ b/src/lib/Hydra/Controller/API.pm @@ -245,6 +245,7 @@ sub push : Chained('api') PathPart('push') Args(0) { my @jobsets = split /,/, ($c->request->query_params->{jobsets} // ""); foreach my $s (@jobsets) { my ($p, $j) = parseJobsetName($s); + requireEvalJobsetPrivileges($c, $jobset->project); my $jobset = $c->model('DB::Jobsets')->find($p, $j); next unless defined $jobset && ($force || ($jobset->project->enabled && $jobset->enabled)); triggerJobset($self, $c, $jobset, $force); @@ -252,6 +253,7 @@ sub push : Chained('api') PathPart('push') Args(0) { my @repos = split /,/, ($c->request->query_params->{repos} // ""); foreach my $r (@repos) { + # TODO: Unroll loop and integrate requireEvalJobsetPrivileges triggerJobset($self, $c, $_, $force) foreach $c->model('DB::Jobsets')->search( { 'project.enabled' => 1, 'me.enabled' => 1 }, { diff --git a/src/lib/Hydra/Helper/CatalystUtils.pm b/src/lib/Hydra/Helper/CatalystUtils.pm index 2a2ad86f3..398099ef4 100644 --- a/src/lib/Hydra/Helper/CatalystUtils.pm +++ b/src/lib/Hydra/Helper/CatalystUtils.pm @@ -186,6 +186,28 @@ sub isProjectOwner { defined $c->model('DB::ProjectMembers')->find({ project => $project, userName => $c->user->username })); } +sub hasEvalJobsetRole { + my ($c) = @_; + return $c->user_exists && $c_>check_user_roles("eval-jobset"); +} + +sub mayEvalJobset { + my ($c, $project) = $_; + return + $c->user_exists && + (isAdmin($c) || + hasEvalJobsetRole($c) || + isProjectOwner($c, $project)); +} + +sub requireEvalJobsetPrivileges { + my ($c, $project) = @_; + requireUser($c); + accessDenied($c, "Only the project members, administrators, and accounts with eval-jobset privileges can perform this operation.") + unless mayEvalJobset($c, $project); +} + + sub hasCancelBuildRole { my ($c) = @_; return $c->user_exists && $c->check_user_roles('cancel-build'); diff --git a/src/root/user.tt b/src/root/user.tt index 76f858504..04eb6e683 100644 --- a/src/root/user.tt +++ b/src/root/user.tt @@ -91,6 +91,7 @@ [% INCLUDE roleoption mutable=mutable role="restart-jobs" %] [% INCLUDE roleoption mutable=mutable role="bump-to-front" %] [% INCLUDE roleoption mutable=mutable role="cancel-build" %] + [% INCLUDE roleoption mutable=mutable role="eval-jobset" %]

diff --git a/t/Hydra/Config/ldap_role_map.t b/t/Hydra/Config/ldap_role_map.t index cb1adf46d..9b26a4c7c 100644 --- a/t/Hydra/Config/ldap_role_map.t +++ b/t/Hydra/Config/ldap_role_map.t @@ -21,6 +21,7 @@ write_file($ldapInHydraConfFile, < CONF @@ -83,7 +84,7 @@ subtest "getLDAPConfig" => sub { }, role_mapping => { "hydra_admin" => [ "admin" ], - "hydra_one_group_many_roles" => [ "create-projects", "cancel-build" ], + "hydra_one_group_many_roles" => [ "create-projects", "cancel-build", "eval-jobset" ], } }, "The empty file and set env var make legacy mode active." diff --git a/t/Hydra/Controller/User/ldap-legacy.t b/t/Hydra/Controller/User/ldap-legacy.t index 9cb197c0e..419c640a3 100644 --- a/t/Hydra/Controller/User/ldap-legacy.t +++ b/t/Hydra/Controller/User/ldap-legacy.t @@ -24,6 +24,7 @@ $ldap->add_group("hydra_create-projects", $users->{"many_roles"}->{"username"}); $ldap->add_group("hydra_restart-jobs", $users->{"many_roles"}->{"username"}); $ldap->add_group("hydra_bump-to-front", $users->{"many_roles"}->{"username"}); $ldap->add_group("hydra_cancel-build", $users->{"many_roles"}->{"username"}); +$ldap->add_group("hydra_eval-jobset", $users->{"many_roles"}->{"username"}); my $hydra_ldap_config = "${\$ldap->tmpdir()}/hydra_ldap_config.yaml"; LDAPContext::write_file($hydra_ldap_config, <add_group("hydra_create-projects", $users->{"many_roles"}->{"username"}); $ldap->add_group("hydra_restart-jobs", $users->{"many_roles"}->{"username"}); $ldap->add_group("hydra_bump-to-front", $users->{"many_roles"}->{"username"}); $ldap->add_group("hydra_cancel-build", $users->{"many_roles"}->{"username"}); +$ldap->add_group("hydra_eval-jobset", $users->{"many_roles"}->{"username"}); my $ctx = test_context( @@ -75,6 +76,7 @@ my $ctx = test_context( hydra_create-projects = create-projects hydra_cancel-build = cancel-build hydra_bump-to-front = bump-to-front + hydra_eval-jobset = eval-jobset hydra_restart-jobs = restart-jobs hydra_one_group_many_roles = create-projects