2018-07-24 10:00:56 +00:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2016-08-16 19:05:44 +00:00
|
|
|
module Ci
|
|
|
|
class BuildPolicy < CommitStatusPolicy
|
2017-07-18 14:13:57 +00:00
|
|
|
condition(:protected_ref) do
|
2020-07-21 18:09:45 +00:00
|
|
|
access = ::Gitlab::UserAccess.new(@user, container: @subject.project)
|
2017-07-17 08:49:54 +00:00
|
|
|
|
2017-07-18 08:31:29 +00:00
|
|
|
if @subject.tag?
|
2017-07-17 08:49:54 +00:00
|
|
|
!access.can_create_tag?(@subject.ref)
|
2017-07-18 08:31:29 +00:00
|
|
|
else
|
2017-07-18 13:56:28 +00:00
|
|
|
!access.can_update_branch?(@subject.ref)
|
2017-07-18 08:31:29 +00:00
|
|
|
end
|
2017-04-12 09:26:18 +00:00
|
|
|
end
|
|
|
|
|
2020-05-12 15:10:33 +00:00
|
|
|
condition(:unprotected_ref) do
|
|
|
|
if @subject.tag?
|
|
|
|
!ProtectedTag.protected?(@subject.project, @subject.ref)
|
|
|
|
else
|
|
|
|
!ProtectedBranch.protected?(@subject.project, @subject.ref)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2020-08-31 09:10:44 +00:00
|
|
|
# overridden in EE
|
2021-05-18 09:10:37 +00:00
|
|
|
condition(:protected_environment) do
|
2020-08-31 09:10:44 +00:00
|
|
|
false
|
|
|
|
end
|
|
|
|
|
2017-11-06 17:47:05 +00:00
|
|
|
condition(:owner_of_job) do
|
2018-04-02 18:38:47 +00:00
|
|
|
@subject.triggered_by?(@user)
|
2017-11-06 13:20:44 +00:00
|
|
|
end
|
|
|
|
|
2018-05-23 01:54:57 +00:00
|
|
|
condition(:branch_allows_collaboration) do
|
|
|
|
@subject.project.branch_allows_collaboration?(@user, @subject.ref)
|
2018-05-15 08:18:22 +00:00
|
|
|
end
|
|
|
|
|
2018-10-23 10:58:41 +00:00
|
|
|
condition(:archived, scope: :subject) do
|
|
|
|
@subject.archived?
|
|
|
|
end
|
|
|
|
|
2020-12-21 00:10:18 +00:00
|
|
|
condition(:artifacts_public, scope: :subject) do
|
|
|
|
@subject.artifacts_public?
|
|
|
|
end
|
|
|
|
|
2018-07-05 13:55:10 +00:00
|
|
|
condition(:terminal, scope: :subject) do
|
|
|
|
@subject.has_terminal?
|
|
|
|
end
|
|
|
|
|
2020-05-25 15:07:58 +00:00
|
|
|
condition(:is_web_ide_terminal, scope: :subject) do
|
|
|
|
@subject.pipeline.webide?
|
|
|
|
end
|
|
|
|
|
2020-12-10 15:10:12 +00:00
|
|
|
condition(:debug_mode, scope: :subject, score: 32) do
|
|
|
|
@subject.debug_mode?
|
|
|
|
end
|
|
|
|
|
|
|
|
condition(:project_read_build, scope: :subject) do
|
|
|
|
can?(:read_build, @subject.project)
|
|
|
|
end
|
|
|
|
|
|
|
|
condition(:project_update_build, scope: :subject) do
|
|
|
|
can?(:update_build, @subject.project)
|
|
|
|
end
|
|
|
|
|
2020-12-21 00:10:18 +00:00
|
|
|
condition(:project_developer) do
|
|
|
|
can?(:developer_access, @subject.project)
|
|
|
|
end
|
|
|
|
|
2020-12-10 15:10:12 +00:00
|
|
|
rule { project_read_build }.enable :read_build_trace
|
|
|
|
rule { debug_mode & ~project_update_build }.prevent :read_build_trace
|
|
|
|
|
2021-05-18 09:10:37 +00:00
|
|
|
# Authorizing the user to access to protected entities.
|
|
|
|
# There is a "jailbreak" mode to exceptionally bypass the authorization,
|
|
|
|
# however, you should NEVER allow it, rather suspect it's a wrong feature/product design.
|
|
|
|
rule { ~can?(:jailbreak) & (archived | protected_ref | protected_environment) }.policy do
|
2017-11-06 17:47:05 +00:00
|
|
|
prevent :update_build
|
2018-10-23 10:58:41 +00:00
|
|
|
prevent :update_commit_status
|
2017-11-06 17:47:05 +00:00
|
|
|
prevent :erase_build
|
|
|
|
end
|
|
|
|
|
2020-05-12 15:10:33 +00:00
|
|
|
rule { can?(:admin_build) | (can?(:update_build) & owner_of_job & unprotected_ref) }.enable :erase_build
|
2018-05-15 08:18:22 +00:00
|
|
|
|
2018-05-23 01:54:57 +00:00
|
|
|
rule { can?(:public_access) & branch_allows_collaboration }.policy do
|
2018-05-15 08:18:22 +00:00
|
|
|
enable :update_build
|
|
|
|
enable :update_commit_status
|
|
|
|
end
|
2018-07-05 13:55:10 +00:00
|
|
|
|
|
|
|
rule { can?(:update_build) & terminal }.enable :create_build_terminal
|
2020-05-25 15:07:58 +00:00
|
|
|
|
2020-10-13 09:08:27 +00:00
|
|
|
rule { can?(:update_build) }.enable :play_job
|
|
|
|
|
2020-05-25 15:07:58 +00:00
|
|
|
rule { is_web_ide_terminal & can?(:create_web_ide_terminal) & (admin | owner_of_job) }.policy do
|
|
|
|
enable :read_web_ide_terminal
|
|
|
|
enable :update_web_ide_terminal
|
|
|
|
end
|
|
|
|
|
|
|
|
rule { is_web_ide_terminal & ~can?(:update_web_ide_terminal) }.policy do
|
|
|
|
prevent :create_build_terminal
|
|
|
|
end
|
|
|
|
|
|
|
|
rule { can?(:update_web_ide_terminal) & terminal }.policy do
|
|
|
|
enable :create_build_terminal
|
|
|
|
enable :create_build_service_proxy
|
|
|
|
end
|
|
|
|
|
|
|
|
rule { ~can?(:build_service_proxy_enabled) }.policy do
|
|
|
|
prevent :create_build_service_proxy
|
|
|
|
end
|
2020-12-21 00:10:18 +00:00
|
|
|
|
|
|
|
rule { project_read_build }.enable :read_job_artifacts
|
|
|
|
rule { ~artifacts_public & ~project_developer }.prevent :read_job_artifacts
|
2016-08-16 19:05:44 +00:00
|
|
|
end
|
|
|
|
end
|
2019-09-13 13:26:31 +00:00
|
|
|
|
2021-05-11 21:10:21 +00:00
|
|
|
Ci::BuildPolicy.prepend_mod_with('Ci::BuildPolicy')
|