gitlab-org--gitlab-foss/app/models/integration.rb

# frozen_string_literal: true

# To add new integration you should build a class inherited from Integration
# and implement a set of methods
class Integration < ApplicationRecord
  include Sortable
  include Importable
  include Integrations::Loggable
  include Integrations::HasDataFields
  include Integrations::ResetSecretFields
  include FromUnion
  include EachBatch
  include IgnorableColumns
  extend ::Gitlab::Utils::Override

  UnknownType = Class.new(StandardError)

  self.inheritance_column = :type_new

  INTEGRATION_NAMES = %w[
    asana assembla bamboo bugzilla buildkite campfire confluence custom_issue_tracker datadog discord
    drone_ci emails_on_push ewm external_wiki flowdock hangouts_chat harbor irker jira
    mattermost mattermost_slash_commands microsoft_teams packagist pipelines_email
    pivotaltracker prometheus pushover redmine slack slack_slash_commands teamcity unify_circuit webex_teams youtrack zentao
  ].freeze

  # TODO Shimo is temporary disabled on group and instance-levels.
  # See: https://gitlab.com/gitlab-org/gitlab/-/issues/345677
  PROJECT_SPECIFIC_INTEGRATION_NAMES = %w[
    jenkins shimo
  ].freeze

  # Fake integrations to help with local development.
  DEV_INTEGRATION_NAMES = %w[
    mock_ci mock_monitoring
  ].freeze

  # Base classes which aren't actual integrations.
  BASE_CLASSES = %w[
    Integrations::BaseChatNotification
    Integrations::BaseCi
    Integrations::BaseIssueTracker
    Integrations::BaseMonitoring
    Integrations::BaseSlashCommands
  ].freeze

  SECTION_TYPE_CONFIGURATION = 'configuration'
  SECTION_TYPE_CONNECTION = 'connection'
  SECTION_TYPE_TRIGGER = 'trigger'

  attr_encrypted :properties,
                 mode: :per_attribute_iv,
                 key: Settings.attr_encrypted_db_key_base_32,
                 algorithm: 'aes-256-gcm',
                 marshal: true,
                 marshaler: ::Gitlab::Json,
                 encode: false,
                 encode_iv: false

  # Handle assignment of props with symbol keys.
  # To do this correctly, we need to call the method generated by attr_encrypted.
  alias_method :attr_encrypted_props=, :properties=
  private :attr_encrypted_props=

  def properties=(props)
    self.attr_encrypted_props = props&.with_indifferent_access&.freeze
  end

  alias_attribute :type, :type_new

  default_value_for :active, false
  default_value_for :alert_events, true
  default_value_for :category, 'common'
  default_value_for :commit_events, true
  default_value_for :confidential_issues_events, true
  default_value_for :confidential_note_events, true
  default_value_for :issues_events, true
  default_value_for :job_events, true
  default_value_for :merge_requests_events, true
  default_value_for :note_events, true
  default_value_for :pipeline_events, true
  default_value_for :push_events, true
  default_value_for :tag_push_events, true
  default_value_for :wiki_page_events, true

  after_initialize :initialize_properties

  after_commit :reset_updated_properties

  belongs_to :project, inverse_of: :integrations
  belongs_to :group, inverse_of: :integrations
  has_one :service_hook, inverse_of: :integration, foreign_key: :service_id

  validates :project_id, presence: true, unless: -> { instance_level? || group_level? }
  validates :group_id, presence: true, unless: -> { instance_level? || project_level? }
  validates :project_id, :group_id, absence: true, if: -> { instance_level? }
  validates :type, presence: true, exclusion: BASE_CLASSES
  validates :type, uniqueness: { scope: :instance }, if: :instance_level?
  validates :type, uniqueness: { scope: :project_id }, if: :project_level?
  validates :type, uniqueness: { scope: :group_id }, if: :group_level?
  validate :validate_belongs_to_project_or_group

  scope :external_issue_trackers, -> { where(category: 'issue_tracker').active }
  # TODO: Will be modified in 15.0
  # Details: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/74501#note_744393645
  scope :third_party_wikis, -> { where(type: %w[Integrations::Confluence Integrations::Shimo]).active }
  scope :by_name, ->(name) { by_type(integration_name_to_type(name)) }
  scope :external_wikis, -> { by_name(:external_wiki).active }
  scope :active, -> { where(active: true) }
  scope :by_type, ->(type) { where(type: type) } # INTERNAL USE ONLY: use by_name instead
  scope :by_active_flag, -> (flag) { where(active: flag) }
  scope :inherit_from_id, -> (id) { where(inherit_from_id: id) }
  scope :with_default_settings, -> { where.not(inherit_from_id: nil) }
  scope :with_custom_settings, -> { where(inherit_from_id: nil) }
  scope :for_group, -> (group) { where(group_id: group, type: available_integration_types(include_project_specific: false)) }
  scope :for_instance, -> { where(instance: true, type: available_integration_types(include_project_specific: false)) }

  scope :push_hooks, -> { where(push_events: true, active: true) }
  scope :tag_push_hooks, -> { where(tag_push_events: true, active: true) }
  scope :issue_hooks, -> { where(issues_events: true, active: true) }
  scope :confidential_issue_hooks, -> { where(confidential_issues_events: true, active: true) }
  scope :merge_request_hooks, -> { where(merge_requests_events: true, active: true) }
  scope :note_hooks, -> { where(note_events: true, active: true) }
  scope :confidential_note_hooks, -> { where(confidential_note_events: true, active: true) }
  scope :job_hooks, -> { where(job_events: true, active: true) }
  scope :archive_trace_hooks, -> { where(archive_trace_events: true, active: true) }
  scope :pipeline_hooks, -> { where(pipeline_events: true, active: true) }
  scope :wiki_page_hooks, -> { where(wiki_page_events: true, active: true) }
  scope :deployment_hooks, -> { where(deployment_events: true, active: true) }
  scope :alert_hooks, -> { where(alert_events: true, active: true) }
  scope :deployment, -> { where(category: 'deployment') }

  class << self
    private

    attr_writer :field_storage

    def field_storage
      @field_storage || :properties
    end
  end

  # :nocov: Tested on subclasses.
  def self.field(name, storage: field_storage, **attrs)
    fields << ::Integrations::Field.new(name: name, integration_class: self, **attrs)

    case storage
    when :properties
      prop_accessor(name)
    when :data_fields
      data_field(name)
    else
      raise ArgumentError, "Unknown field storage: #{storage}"
    end

    boolean_accessor(name) if attrs[:type] == 'checkbox'
  end
  # :nocov:

  def self.fields
    @fields ||= []
  end

  def fields
    self.class.fields.dup
  end

  # Provide convenient accessor methods for each serialized property.
  # Also keep track of updated properties in a similar way as ActiveModel::Dirty
  def self.prop_accessor(*args)
    args.each do |arg|
      class_eval <<~RUBY, __FILE__, __LINE__ + 1
        unless method_defined?(arg)
          def #{arg}
            properties['#{arg}'] if properties.present?
          end
        end

        def #{arg}=(value)
          self.properties ||= {}
          updated_properties['#{arg}'] = #{arg} unless #{arg}_changed?
          self.properties = self.properties.merge('#{arg}' => value)
        end

        def #{arg}_changed?
          #{arg}_touched? && #{arg} != #{arg}_was
        end

        def #{arg}_touched?
          updated_properties.include?('#{arg}')
        end

        def #{arg}_was
          updated_properties['#{arg}']
        end
      RUBY
    end
  end

  # Provide convenient boolean accessor methods for each serialized property.
  # Also keep track of updated properties in a similar way as ActiveModel::Dirty
  def self.boolean_accessor(*args)
    args.each do |arg|
      # TODO: Allow legacy usage of `.boolean_accessor`, once all integrations
      # are converted to the field DSL we can remove this and only call
      # `.boolean_accessor` through `.field`.
      #
      # See https://gitlab.com/groups/gitlab-org/-/epics/7652
      prop_accessor(arg) unless method_defined?(arg)

      class_eval <<~RUBY, __FILE__, __LINE__ + 1
        # Make the original getter available as a private method.
        alias_method :#{arg}_before_type_cast, :#{arg}
        private(:#{arg}_before_type_cast)

        def #{arg}
          Gitlab::Utils.to_boolean(#{arg}_before_type_cast)
        end

        def #{arg}?
          # '!!' is used because nil or empty string is converted to nil
          !!#{arg}
        end
      RUBY
    end
  end

  def self.to_param
    raise NotImplementedError
  end

  def self.event_names
    self.supported_events.map { |event| IntegrationsHelper.integration_event_field_name(event) }
  end

  def self.supported_events
    %w[commit push tag_push issue confidential_issue merge_request wiki_page]
  end

  def self.default_test_event
    'push'
  end

  def self.event_description(event)
    IntegrationsHelper.integration_event_description(event)
  end

  def self.find_or_initialize_non_project_specific_integration(name, instance: false, group_id: nil)
    return unless name.in?(available_integration_names(include_project_specific: false))

    integration_name_to_model(name).find_or_initialize_by(instance: instance, group_id: group_id)
  end

  def self.find_or_initialize_all_non_project_specific(scope)
    scope + build_nonexistent_integrations_for(scope)
  end

  def self.build_nonexistent_integrations_for(scope)
    nonexistent_integration_types_for(scope).map do |type|
      integration_type_to_model(type).new
    end
  end
  private_class_method :build_nonexistent_integrations_for

  # Returns a list of integration types that do not exist in the given scope.
  # Example: ["AsanaService", ...]
  def self.nonexistent_integration_types_for(scope)
    # Using #map instead of #pluck to save one query count. This is because
    # ActiveRecord loaded the object here, so we don't need to query again later.
    available_integration_types(include_project_specific: false) - scope.map(&:type)
  end
  private_class_method :nonexistent_integration_types_for

  # Returns a list of available integration names.
  # Example: ["asana", ...]
  # @deprecated
  def self.available_integration_names(include_project_specific: true, include_dev: true)
    names = integration_names
    names += project_specific_integration_names if include_project_specific
    names += dev_integration_names if include_dev

    names.sort_by(&:downcase)
  end

  def self.integration_names
    INTEGRATION_NAMES
  end

  def self.dev_integration_names
    return [] unless Gitlab.dev_or_test_env?

    DEV_INTEGRATION_NAMES
  end

  def self.project_specific_integration_names
    PROJECT_SPECIFIC_INTEGRATION_NAMES
  end

  # Returns a list of available integration types.
  # Example: ["Integrations::Asana", ...]
  def self.available_integration_types(include_project_specific: true, include_dev: true)
    available_integration_names(include_project_specific: include_project_specific, include_dev: include_dev).map do
      integration_name_to_type(_1)
    end
  end

  # Returns the model for the given integration name.
  # Example: :asana => Integrations::Asana
  def self.integration_name_to_model(name)
    type = integration_name_to_type(name)
    integration_type_to_model(type)
  end

  # Returns the STI type for the given integration name.
  # Example: "asana" => "Integrations::Asana"
  def self.integration_name_to_type(name)
    name = name.to_s
    if available_integration_names.exclude?(name)
      Gitlab::ErrorTracking.track_and_raise_for_dev_exception(UnknownType.new(name.inspect))
    else
      "Integrations::#{name.camelize}"
    end
  end

  # Returns the model for the given STI type.
  # Example: "Integrations::Asana" => Integrations::Asana
  def self.integration_type_to_model(type)
    type.constantize
  end
  private_class_method :integration_type_to_model

  def self.build_from_integration(integration, project_id: nil, group_id: nil)
    new_integration = integration.dup

    new_integration.instance = false
    new_integration.project_id = project_id
    new_integration.group_id = group_id
    new_integration.inherit_from_id = integration.id if integration.inheritable?
    new_integration
  end

  # Duplicating an integration also duplicates the data fields. Duped records have different ciphertexts.
  override :dup
  def dup
    new_integration = super
    new_integration.assign_attributes(reencrypt_properties)

    if supports_data_fields?
      fields = data_fields.dup
      fields.integration = new_integration
    end

    new_integration
  end

  def inheritable?
    instance_level? || group_level?
  end

  def self.instance_exists_for?(type)
    exists?(instance: true, type: type)
  end

  def self.default_integration(type, scope)
    closest_group_integration(type, scope) || instance_level_integration(type)
  end

  def self.closest_group_integration(type, scope)
    group_ids = scope.ancestors(hierarchy_order: :asc).reselect(:id)
    array = group_ids.to_sql.present? ? "array(#{group_ids.to_sql})" : 'ARRAY[]'

    where(type: type, group_id: group_ids, inherit_from_id: nil)
      .order(Arel.sql("array_position(#{array}::bigint[], #{table_name}.group_id)"))
      .first
  end
  private_class_method :closest_group_integration

  def self.instance_level_integration(type)
    find_by(type: type, instance: true)
  end
  private_class_method :instance_level_integration

  # Returns the number of successfully saved integrations
  # Duplicate integrations are excluded from this count by their validations.
  def self.create_from_active_default_integrations(owner, association)
    group_ids = sorted_ancestors(owner).select(:id)
    array = group_ids.to_sql.present? ? "array(#{group_ids.to_sql})" : 'ARRAY[]'
    order = Arel.sql("type_new ASC, array_position(#{array}::bigint[], #{table_name}.group_id), instance DESC")

    from_union([active.where(instance: true), active.where(group_id: group_ids, inherit_from_id: nil)])
      .order(order)
      .group_by(&:type)
      .count { |type, parents| build_from_integration(parents.first, association => owner.id).save }
  end

  def self.inherited_descendants_from_self_or_ancestors_from(integration)
    inherit_from_ids =
      where(type: integration.type, group: integration.group.self_and_ancestors)
        .or(where(type: integration.type, instance: true)).select(:id)

    from_union([
      where(type: integration.type, inherit_from_id: inherit_from_ids, group: integration.group.descendants),
      where(type: integration.type, inherit_from_id: inherit_from_ids, project: Project.in_namespace(integration.group.self_and_descendants))
    ])
  end

  def activated?
    active
  end

  def operating?
    active && persisted?
  end

  def show_active_box?
    true
  end

  def editable?
    true
  end

  def activate_disabled_reason
    nil
  end

  def category
    read_attribute(:category).to_sym
  end

  def initialize_properties
    self.properties = {} if has_attribute?(:encrypted_properties) && encrypted_properties.nil?
  end

  def title
    # implement inside child
  end

  def description
    # implement inside child
  end

  def help
    # implement inside child
  end

  def to_param
    # implement inside child
    self.class.to_param
  end

  def sections
    []
  end

  # TODO: Once all integrations use `Integrations::Field` we can
  # use `#secret?` here.
  # See: https://gitlab.com/groups/gitlab-org/-/epics/7652
  def secret_fields
    fields.select { |f| f[:type] == 'password' }.pluck(:name)
  end

  # Expose a list of fields in the JSON endpoint.
  #
  # This list is used in `Integration#as_json(only: json_fields)`.
  def json_fields
    %w[active]
  end

  # properties is always nil - ignore it.
  override :attributes
  def attributes
    super.except('properties')
  end

  # Returns a hash of attributes (columns => values) used for inserting into the database.
  def to_database_hash
    column = self.class.attribute_aliases.fetch('type', 'type')

    as_json(
      except: %w[id instance project_id group_id created_at updated_at]
    ).merge(column => type)
     .merge(reencrypt_properties)
  end

  def reencrypt_properties
    unless properties.nil? || properties.empty?
      alg = self.class.encrypted_attributes[:properties][:algorithm]
      iv = generate_iv(alg)
      ep = self.class.encrypt(:properties, properties, { iv: iv })
    end

    { 'encrypted_properties' => ep, 'encrypted_properties_iv' => iv }
  end

  def event_channel_names
    []
  end

  def event_names
    self.class.event_names
  end

  def api_field_names
    fields.reject { _1[:type] == 'password' }.pluck(:name)
  end

  def form_fields
    fields.reject { _1[:api_only] == true }
  end

  def configurable_events
    events = supported_events

    # No need to disable individual triggers when there is only one
    if events.count == 1
      []
    else
      events
    end
  end

  def supported_events
    self.class.supported_events
  end

  def default_test_event
    self.class.default_test_event
  end

  def execute(data)
    # implement inside child
  end

  def test(data)
    # default implementation
    result = execute(data)
    { success: result.present?, result: result }
  end

  # Disable test for instance-level and group-level integrations.
  # https://gitlab.com/gitlab-org/gitlab/-/issues/213138
  def testable?
    project_level?
  end

  def project_level?
    project_id.present?
  end

  def group_level?
    group_id.present?
  end

  def instance_level?
    instance?
  end

  def parent
    project || group
  end

  # Returns a hash of the properties that have been assigned a new value since last save,
  # indicating their original values (attr => original value).
  # ActiveRecord does not provide a mechanism to track changes in serialized keys,
  # so we need a specific implementation for integration properties.
  # This allows to track changes to properties set with the accessor methods,
  # but not direct manipulation of properties hash.
  def updated_properties
    @updated_properties ||= ActiveSupport::HashWithIndifferentAccess.new
  end

  def reset_updated_properties
    @updated_properties = nil
  end

  def async_execute(data)
    return unless supported_events.include?(data[:object_kind])

    Integrations::ExecuteWorker.perform_async(id, data)
  end

  # override if needed
  def supports_data_fields?
    false
  end

  private

  # Ancestors sorted by hierarchy depth in bottom-top order.
  def self.sorted_ancestors(scope)
    if scope.root_ancestor.use_traversal_ids?
      Namespace.from(scope.ancestors(hierarchy_order: :asc))
    else
      scope.ancestors
    end
  end

  def validate_belongs_to_project_or_group
    errors.add(:project_id, 'The service cannot belong to both a project and a group') if project_level? && group_level?
  end

  def validate_recipients?
    activated? && !importing?
  end
end

Integration.prepend_mod_with('Integration')