Create eval-jobset role and guard /api/push route

2024-08-27 17:00:00 +02:00
parent 916531dc9c
commit f730433789
9 changed files with 65 additions and 7 deletions
--- a/src/lib/Hydra/Config.pm
+++ b/src/lib/Hydra/Config.pm
@ -95,6 +95,7 @@ sub get_legacy_ldap_config {
            "hydra_bump-to-front" => [ "bump-to-front" ],
            "hydra_cancel-build" => [ "cancel-build" ],
            "hydra_create-projects" => [ "create-projects" ],
+            "hydra_eval-jobset" => [ "eval-jobset" ],
            "hydra_restart-jobs" => [ "restart-jobs" ],
        },
    };
@ -159,6 +160,7 @@ sub valid_roles {
        "bump-to-front",
        "cancel-build",
        "create-projects",
+        "eval-jobset",
        "restart-jobs",
    ];
 }
--- a/src/lib/Hydra/Controller/API.pm
+++ b/src/lib/Hydra/Controller/API.pm
@ -248,19 +248,24 @@ sub push : Chained('api') PathPart('push') Args(0) {
    foreach my $s (@jobsets) {
        my ($p, $j) = parseJobsetName($s);
        my $jobset = $c->model('DB::Jobsets')->find($p, $j);
+        requireEvalJobsetPrivileges($c, $jobset->project);
        next unless defined $jobset && ($force || ($jobset->project->enabled && $jobset->enabled));
        triggerJobset($self, $c, $jobset, $force);
    }

    my @repos = split /,/, ($c->request->query_params->{repos} // "");
    foreach my $r (@repos) {
-        triggerJobset($self, $c, $_, $force) foreach $c->model('DB::Jobsets')->search(
+        my @jobsets = $c->model('DB::Jobsets')->search(
            { 'project.enabled' => 1, 'me.enabled' => 1 },
            {
                join => 'project',
                where => \ [ 'exists (select 1 from JobsetInputAlts where project = me.project and jobset = me.name and value = ?)', [ 'value', $r ] ],
                order_by => 'me.id DESC'
            });
+        foreach my $jobset (@jobsets) {
+            requireEvalJobsetPrivileges($c, $jobset->project);
+            triggerJobset($self, $c, $jobset, $force)
+        }
    }

    $self->status_ok(
--- a/src/lib/Hydra/Helper/CatalystUtils.pm
+++ b/src/lib/Hydra/Helper/CatalystUtils.pm
@ -15,6 +15,7 @@ our @EXPORT = qw(
    forceLogin requireUser requireProjectOwner requireRestartPrivileges requireAdmin requirePost isAdmin isProjectOwner
    requireBumpPrivileges
    requireCancelBuildPrivileges
+    requireEvalJobsetPrivileges
    trim
    getLatestFinishedEval getFirstEval
    paramToList
@ -186,6 +187,27 @@ sub isProjectOwner {
         defined $c->model('DB::ProjectMembers')->find({ project => $project, userName => $c->user->username }));
 }

+sub hasEvalJobsetRole {
+    my ($c) = @_;
+    return $c->user_exists && $c->check_user_roles("eval-jobset");
+}
+
+sub mayEvalJobset {
+    my ($c, $project) = @_;
+    return
+        $c->user_exists &&
+        (isAdmin($c) ||
+         hasEvalJobsetRole($c) ||
+         isProjectOwner($c, $project));
+}
+
+sub requireEvalJobsetPrivileges {
+    my ($c, $project) = @_;
+    requireUser($c);
+    accessDenied($c, "Only the project members, administrators, and accounts with eval-jobset privileges can perform this operation.")
+        unless mayEvalJobset($c, $project);
+}
+
 sub hasCancelBuildRole {
    my ($c) = @_;
    return $c->user_exists && $c->check_user_roles('cancel-build');
--- a/src/root/user.tt
+++ b/src/root/user.tt
@ -91,6 +91,7 @@
          [% INCLUDE roleoption mutable=mutable role="restart-jobs" %]
          [% INCLUDE roleoption mutable=mutable role="bump-to-front" %]
          [% INCLUDE roleoption mutable=mutable role="cancel-build" %]
+          [% INCLUDE roleoption mutable=mutable role="eval-jobset" %]
        </p>
      </div>
    </div>