Create eval-jobset role and guard /api/push route
mweinelt committed Aug 27, 2024
1 parent 9ee3c6a commit f5deba2
Showing 8 changed files with 33 additions and 2 deletions.
3 changes: 2 additions & 1 deletion doc/manual/src/configuration.md
Expand Up @@ -208,7 +208,8 @@ Example configuration:
<role_mapping>
# Make all users in the hydra_admin group Hydra admins
hydra_admin = admin
# Allow all users in the dev group to restart jobs and cancel builds
# Allow all users in the dev group to eval jobsets, restart jobs and cancel builds
dev = eval-jobset
dev = restart-jobs
dev = cancel-build
</role_mapping>
2 changes: 2 additions & 0 deletions src/lib/Hydra/Config.pm
Expand Up @@ -95,6 +95,7 @@ sub get_legacy_ldap_config {
"hydra_bump-to-front" => [ "bump-to-front" ],
"hydra_cancel-build" => [ "cancel-build" ],
"hydra_create-projects" => [ "create-projects" ],
"hydra_eval-jobset" => [ "eval-jobset" ],
"hydra_restart-jobs" => [ "restart-jobs" ],
},
};
Expand Down Expand Up @@ -159,6 +160,7 @@ sub valid_roles {
"bump-to-front",
"cancel-build",
"create-projects",
"eval-jobset",
"restart-jobs",
];
}
2 changes: 2 additions & 0 deletions src/lib/Hydra/Controller/API.pm
Expand Up @@ -245,13 +245,15 @@ sub push : Chained('api') PathPart('push') Args(0) {
my @jobsets = split /,/, ($c->request->query_params->{jobsets} // "");
foreach my $s (@jobsets) {
my ($p, $j) = parseJobsetName($s);
requireEvalJobsetPrivileges($c, $jobset->project);
my $jobset = $c->model('DB::Jobsets')->find($p, $j);
next unless defined $jobset && ($force || ($jobset->project->enabled && $jobset->enabled));
triggerJobset($self, $c, $jobset, $force);
}

my @repos = split /,/, ($c->request->query_params->{repos} // "");
foreach my $r (@repos) {
# TODO: Unroll loop and integrate requireEvalJobsetPrivileges
triggerJobset($self, $c, $_, $force) foreach $c->model('DB::Jobsets')->search(
{ 'project.enabled' => 1, 'me.enabled' => 1 },
{
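Review bot: `requireEvalJobsetPrivileges($c, $jobset->project);` runs one line before `my $jobset = $c->model('DB::Jobsets')->find($p, $j);` assigns it, so it dereferences a `$jobset` that is not yet declared in the loop body (a compile error under `use strict` unless an outer `$jobset` happens to exist) and, even then, one that may be undef; move the guard below the lookup, after the `next unless defined $jobset && (...)` line, so `requireEvalJobsetPrivileges($c, $jobset->project);` is evaluated on a jobset known to exist. The `repos` loop below still calls `triggerJobset` for every matching jobset without any privilege check, as the added TODO acknowledges, so the route remains unguarded for the `repos=` form and evaluations can presumably still be triggered that way; the same check is needed per matched jobset there before the route can be considered protected. No test in this commit exercises `/api/push` with and without the `eval-jobset` role, so neither problem would be caught by the suite. The body of `push` continues past the end of the hunk.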
21 changes: 21 additions & 0 deletions src/lib/Hydra/Helper/CatalystUtils.pm
Expand Up @@ -186,6 +186,27 @@ sub isProjectOwner {
defined $c->model('DB::ProjectMembers')->find({ project => $project, userName => $c->user->username }));
}

sub hasEvalJobsetRole {
my ($c) = @_;
return $c->user_exists && $c_>check_user_roles("eval-jobset");
}

sub mayEvalJobset {
my ($c, $project) = $_;
return
$c->user_exists &&
(isAdmin($c) ||
hasEvalJobsetRole($c) ||
isProjectOwner($c, $project));
}

sub requireEvalJobsetPrivileges {
my ($c, $project) = @_;
requireUser($c);
accessDenied($c, "Only the project members, administrators, and accounts with eval-jobset privileges can perform this operation.")
unless mayEvalJobset($c, $project);
}

sub hasCancelBuildRole {
my ($c) = @_;
return $c->user_exists && $c->check_user_roles('cancel-build');
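Review bot: Both new helpers contain typos that break them: `return $c->user_exists && $c_>check_user_roles("eval-jobset");` in hasEvalJobsetRole writes `$c_>` (parsed as an undeclared `$c_` compared with `>`, a strict-vars compile error), and `my ($c, $project) = $_;` in mayEvalJobset unpacks `$_` instead of `@_`, leaving `$c` undefined so the `$c->user_exists` call dies. The corrected lines are `return $c->user_exists && $c->check_user_roles("eval-jobset");` and `my ($c, $project) = @_;`. For consistency with hasCancelBuildRole just below, the role name could use single quotes like `'cancel-build'`. As written, requireEvalJobsetPrivileges fails closed with a server error instead of an access-denied response, so the breakage would surface as every guarded call erroring rather than as a permission problem.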
1 change: 1 addition & 0 deletions src/root/user.tt
Expand Up @@ -91,6 +91,7 @@
[% INCLUDE roleoption mutable=mutable role="restart-jobs" %]
[% INCLUDE roleoption mutable=mutable role="bump-to-front" %]
[% INCLUDE roleoption mutable=mutable role="cancel-build" %]
[% INCLUDE roleoption mutable=mutable role="eval-jobset" %]
</p>
</div>
</div>
3 changes: 2 additions & 1 deletion t/Hydra/Config/ldap_role_map.t
Expand Up @@ -21,6 +21,7 @@ write_file($ldapInHydraConfFile, <<CONF);
hydra_admin = admin
hydra_one_group_many_roles = create-projects
hydra_one_group_many_roles = cancel-build
hydra_one_group_many_roles = eval-jobset
</role_mapping>
</ldap>
CONF
Expand Down Expand Up @@ -83,7 +84,7 @@ subtest "getLDAPConfig" => sub {
},
role_mapping => {
"hydra_admin" => [ "admin" ],
"hydra_one_group_many_roles" => [ "create-projects", "cancel-build" ],
"hydra_one_group_many_roles" => [ "create-projects", "cancel-build", "eval-jobset" ],
}
},
"The empty file and set env var make legacy mode active."
1 change: 1 addition & 0 deletions t/Hydra/Controller/User/ldap-legacy.t
Expand Up @@ -24,6 +24,7 @@ $ldap->add_group("hydra_create-projects", $users->{"many_roles"}->{"username"});
$ldap->add_group("hydra_restart-jobs", $users->{"many_roles"}->{"username"});
$ldap->add_group("hydra_bump-to-front", $users->{"many_roles"}->{"username"});
$ldap->add_group("hydra_cancel-build", $users->{"many_roles"}->{"username"});
$ldap->add_group("hydra_eval-jobset", $users->{"many_roles"}->{"username"});

my $hydra_ldap_config = "${\$ldap->tmpdir()}/hydra_ldap_config.yaml";
LDAPContext::write_file($hydra_ldap_config, <<YAML);
2 changes: 2 additions & 0 deletions t/Hydra/Controller/User/ldap.t
Expand Up @@ -24,6 +24,7 @@ $ldap->add_group("hydra_create-projects", $users->{"many_roles"}->{"username"});
$ldap->add_group("hydra_restart-jobs", $users->{"many_roles"}->{"username"});
$ldap->add_group("hydra_bump-to-front", $users->{"many_roles"}->{"username"});
$ldap->add_group("hydra_cancel-build", $users->{"many_roles"}->{"username"});
$ldap->add_group("hydra_eval-jobset", $users->{"many_roles"}->{"username"});


my $ctx = test_context(
Expand Down Expand Up @@ -75,6 +76,7 @@ my $ctx = test_context(
hydra_create-projects = create-projects
hydra_cancel-build = cancel-build
hydra_bump-to-front = bump-to-front
hydra_eval-jobset = eval-jobset
hydra_restart-jobs = restart-jobs
hydra_one_group_many_roles = create-projects
