From 128be3c0103f601b2c80f3489646e57e202f6327 Mon Sep 17 00:00:00 2001 From: Tomasz Maczukin Date: Tue, 26 Jan 2016 17:03:38 +0100 Subject: [PATCH] Add basic runners management API - add feature to list runners - add feature to show runners details - add feature to delete runner - add feature to update runner --- app/models/ci/runner.rb | 6 + lib/api/api.rb | 1 + lib/api/entities.rb | 6 + lib/api/runners.rb | 107 ++++++++++++ spec/requests/api/runners_spec.rb | 278 ++++++++++++++++++++++++++++++ 5 files changed, 398 insertions(+) create mode 100644 lib/api/runners.rb create mode 100644 spec/requests/api/runners_spec.rb diff --git a/app/models/ci/runner.rb b/app/models/ci/runner.rb index 38b20cd7faa..1e914b44499 100644 --- a/app/models/ci/runner.rb +++ b/app/models/ci/runner.rb @@ -22,6 +22,7 @@ module Ci extend Ci::Model LAST_CONTACT_TIME = 5.minutes.ago + AVAILABLE_SCOPES = ['specific', 'shared', 'active', 'paused', 'online'] has_many :builds, class_name: 'Ci::Build' has_many :runner_projects, dependent: :destroy, class_name: 'Ci::RunnerProject' @@ -38,6 +39,11 @@ module Ci scope :online, ->() { where('contacted_at > ?', LAST_CONTACT_TIME) } scope :ordered, ->() { order(id: :desc) } + scope :owned_or_shared, ->(project_id) do + joins('LEFT JOIN ci_runner_projects ON ci_runner_projects.runner_id = ci_runners.id') + .where("ci_runner_projects.gl_project_id = #{project_id} OR ci_runners.is_shared = true") + end + acts_as_taggable def self.search(query) diff --git a/lib/api/api.rb b/lib/api/api.rb index 7efe0a0262f..7d65145176b 100644 --- a/lib/api/api.rb +++ b/lib/api/api.rb @@ -56,5 +56,6 @@ module API mount Triggers mount Builds mount Variables + mount Runners end end diff --git a/lib/api/entities.rb b/lib/api/entities.rb index a9c09ffdb31..bdbf2cf5082 100644 --- a/lib/api/entities.rb +++ b/lib/api/entities.rb @@ -377,6 +377,12 @@ module API expose :name end + class RunnerDetails < Runner + expose :tag_list + expose :version, :revision, :platform, :architecture + expose :contacted_at, as: :last_contact + end + class Build < Grape::Entity expose :id, :status, :stage, :name, :ref, :tag, :coverage expose :created_at, :started_at, :finished_at diff --git a/lib/api/runners.rb b/lib/api/runners.rb new file mode 100644 index 00000000000..7d4ca3f1587 --- /dev/null +++ b/lib/api/runners.rb @@ -0,0 +1,107 @@ +module API + # Runners API + class Runners < Grape::API + before { authenticate! } + + resource :runners do + # Get available shared runners + # + # Example Request: + # GET /runners + get do + runners = + if current_user.is_admin? + Ci::Runner.all + else + current_user.ci_authorized_runners + end + + runners = filter_runners(runners, params[:scope]) + present paginate(runners), with: Entities::Runner + end + + get ':id' do + runner = get_runner(params[:id]) + can_show_runner?(runner) unless current_user.is_admin? + + present runner, with: Entities::RunnerDetails + end + + put ':id' do + runner = get_runner(params[:id]) + can_update_runner?(runner) unless current_user.is_admin? + + attrs = attributes_for_keys [:description, :active, :tag_list] + if runner.update(attrs) + present runner, with: Entities::RunnerDetails + else + render_validation_error!(runner) + end + end + + delete ':id' do + runner = get_runner(params[:id]) + can_delete_runner?(runner) + runner.destroy! + + present runner, with: Entities::RunnerDetails + end + end + + resource :projects do + before { authorize_admin_project } + + # Get runners available for project + # + # Example Request: + # GET /projects/:id/runners + get ':id/runners' do + runners = filter_runners(Ci::Runner.owned_or_shared(user_project.id), params[:scope]) + present paginate(runners), with: Entities::Runner + end + end + + helpers do + def filter_runners(runners, scope) + return runners unless scope.present? + + available_scopes = ::Ci::Runner::AVAILABLE_SCOPES + unless (available_scopes && scope).empty? + runners.send(scope) + else + render_api_error!('Scope contains invalid value', 400) + end + end + + def get_runner(id) + runner = Ci::Runner.find(id) + not_found!('Runner') unless runner + runner + end + + def can_show_runner?(runner) + return true if runner.is_shared + forbidden!("Can't show runner's details - no access granted") unless user_can_access_runner?(runner) + end + + def can_update_runner?(runner) + return true if current_user.is_admin? + forbidden!("Can't update shared runner") if runner.is_shared? + forbidden!("Can't update runner - no access granted") unless user_can_access_runner?(runner) + end + + def can_delete_runner?(runner) + return true if current_user.is_admin? + forbidden!("Can't delete shared runner") if runner.is_shared? + forbidden!("Can't delete runner - associated with more than one project") if runner.projects.count > 1 + forbidden!("Can't delete runner - no access granted") unless user_can_access_runner?(runner) + end + + def user_can_access_runner?(runner) + runner.projects.inject(false) do |final, project| + final ||= abilities.allowed?(current_user, :admin_project, project) + end + end + end + end +end diff --git a/spec/requests/api/runners_spec.rb b/spec/requests/api/runners_spec.rb new file mode 100644 index 00000000000..e5c837d051b --- /dev/null +++ b/spec/requests/api/runners_spec.rb @@ -0,0 +1,278 @@ +require 'spec_helper' + +describe API::API, api: true do + include ApiHelpers + + let(:admin) { create(:user, :admin) } + let(:user) { create(:user) } + let(:user2) { create(:user) } + let!(:project) { create(:project, creator_id: user.id) } + let!(:project2) { create(:project, creator_id: user.id) } + let!(:master) { create(:project_member, user: user, project: project, access_level: ProjectMember::MASTER) } + let!(:developer) { create(:project_member, user: user2, project: project, access_level: ProjectMember::REPORTER) } + let!(:shared_runner) { create(:ci_shared_runner, tag_list: ['mysql', 'ruby'], active: true) } + let!(:specific_runner) { create(:ci_specific_runner, tag_list: ['mysql', 'ruby']) } + let!(:specific_runner_project) { create(:ci_runner_project, runner: specific_runner, project: project) } + let!(:specific_runner2) { create(:ci_specific_runner) } + let!(:specific_runner2_project) { create(:ci_runner_project, runner: specific_runner2, project: project2) } + let!(:unused_specific_runner) { create(:ci_specific_runner) } + let!(:two_projects_runner) { create(:ci_specific_runner) } + let!(:two_projects_runner_project) { create(:ci_runner_project, runner: two_projects_runner, project: project) } + let!(:two_projects_runner_project2) { create(:ci_runner_project, runner: two_projects_runner, project: project2) } + + describe 'GET /runners' do + context 'authorized user with admin privileges' do + it 'should return all runners' do + get api('/runners', admin) + shared = false || json_response.map{ |r| r['is_shared'] }.inject{ |sum, shr| sum || shr} + + expect(response.status).to eq(200) + expect(json_response).to be_an Array + expect(shared).to be_truthy + end + + it 'should filter runners by scope' do + get api('/runners?scope=specific', admin) + shared = false || json_response.map{ |r| r['is_shared'] }.inject{ |sum, shr| sum || shr} + + expect(response.status).to eq(200) + expect(json_response).to be_an Array + expect(shared).to be_falsey + end + end + + context 'authorized user without admin privileges' do + it 'should return user available runners' do + get api('/runners', user) + shared = false || json_response.map{ |r| r['is_shared'] }.inject{ |sum, shr| sum || shr} + + expect(response.status).to eq(200) + expect(json_response).to be_an Array + expect(shared).to be_falsey + end + end + + context 'unauthorized user' do + it 'should not return runners' do + get api('/runners') + + expect(response.status).to eq(401) + end + end + end + + describe 'GET /runners/:id' do + context 'admin user' do + it "should return runner's details" do + get api("/runners/#{specific_runner.id}", admin) + + expect(response.status).to eq(200) + expect(json_response['description']).to eq(specific_runner.description) + end + + it "should return shared runner's details" do + get api("/runners/#{shared_runner.id}", admin) + + expect(response.status).to eq(200) + expect(json_response['description']).to eq(shared_runner.description) + end + + it 'should return 404 if runner does not exists' do + get api('/runners/9999', admin) + + expect(response.status).to eq(404) + end + end + + context "runner project's administrative user" do + it "should return runner's details" do + get api("/runners/#{specific_runner.id}", user) + + expect(response.status).to eq(200) + expect(json_response['description']).to eq(specific_runner.description) + end + + it "should return shared runner's details" do + get api("/runners/#{shared_runner.id}", user) + + expect(response.status).to eq(200) + expect(json_response['description']).to eq(shared_runner.description) + end + end + + context 'other authorized user' do + it "should not return runner's details" do + get api("/runners/#{specific_runner.id}", user2) + + expect(response.status).to eq(403) + end + end + + context 'unauthorized user' do + it "should not return runner's details" do + get api("/runners/#{specific_runner.id}") + + expect(response.status).to eq(401) + end + end + end + + describe 'PUT /runners/:id' do + context 'admin user' do + it 'should update shared runner' do + description = shared_runner.description + active = shared_runner.active + tag_list = shared_runner.tag_list + put api("/runners/#{shared_runner.id}", admin), description: "#{description}_updated", active: !active, + tag_list: ['ruby2.1', 'pgsql', 'mysql'] + shared_runner.reload + + expect(response.status).to eq(200) + expect(shared_runner.description).not_to eq(description) + expect(shared_runner.active).not_to eq(active) + expect(shared_runner.tag_list).not_to eq(tag_list) + end + + it 'should update specific runner' do + description = specific_runner.description + put api("/runners/#{specific_runner.id}", admin), description: 'test' + specific_runner.reload + + expect(response.status).to eq(200) + expect(specific_runner.description).to eq('test') + expect(specific_runner.description).not_to eq(description) + end + + it 'should return 404 if runner does not exists' do + put api('/runners/9999', admin), description: 'test' + + expect(response.status).to eq(404) + end + end + + context 'authorized user' do + it 'should not update shared runner' do + put api("/runners/#{shared_runner.id}", user), description: 'test' + + expect(response.status).to eq(403) + end + + it 'should not update specific runner without access to' do + put api("/runners/#{specific_runner.id}", user2), description: 'test' + + expect(response.status).to eq(403) + end + + it 'should update specific runner' do + description = specific_runner.description + put api("/runners/#{specific_runner.id}", admin), description: 'test' + specific_runner.reload + + expect(response.status).to eq(200) + expect(specific_runner.description).to eq('test') + expect(specific_runner.description).not_to eq(description) + end + + end + + context 'unauthorized user' do + it 'should not delete runner' do + put api("/runners/#{specific_runner.id}"), description: 'test' + + expect(response.status).to eq(401) + end + end + end + + describe 'DELETE /runners/:id' do + context 'admin user' do + it 'should delete shared runner' do + expect do + delete api("/runners/#{shared_runner.id}", admin) + end.to change{ Ci::Runner.shared.count }.by(-1) + expect(response.status).to eq(200) + end + + it 'should delete unused specific runner' do + expect do + delete api("/runners/#{unused_specific_runner.id}", admin) + end.to change{ Ci::Runner.specific.count }.by(-1) + expect(response.status).to eq(200) + end + + it 'should delete used specific runner' do + expect do + delete api("/runners/#{specific_runner.id}", admin) + end.to change{ Ci::Runner.specific.count }.by(-1) + expect(response.status).to eq(200) + end + + it 'should return 404 if runner does not exists' do + delete api('/runners/9999', admin) + + expect(response.status).to eq(404) + end + end + + context 'authorized user' do + it 'should not delete shared runner' do + delete api("/runners/#{shared_runner.id}", user) + expect(response.status).to eq(403) + end + + it 'should not delete runner without access to' do + delete api("/runners/#{specific_runner.id}", user2) + expect(response.status).to eq(403) + end + + it 'should not delete runner with more than one associated project' do + delete api("/runners/#{two_projects_runner.id}", user) + expect(response.status).to eq(403) + end + + it 'should delete runner for one owned project' do + expect do + delete api("/runners/#{specific_runner.id}", user) + end.to change{ Ci::Runner.specific.count }.by(-1) + expect(response.status).to eq(200) + end + end + + context 'unauthorized user' do + it 'should not delete runner' do + delete api("/runners/#{specific_runner.id}") + + expect(response.status).to eq(401) + end + end + end + + describe 'GET /projects/:id/runners' do + context 'authorized user with master privileges' do + it "should return project's runners" do + get api("/projects/#{project.id}/runners", user) + shared = false || json_response.map{ |r| r['is_shared'] }.inject{ |sum, shr| sum || shr} + + expect(response.status).to eq(200) + expect(json_response).to be_an Array + expect(shared).to be_truthy + end + end + + context 'authorized user without master privileges' do + it "should not return project's runners" do + get api("/projects/#{project.id}/runners", user2) + + expect(response.status).to eq(403) + end + end + + context 'unauthorized user' do + it "should not return project's runners" do + get api("/projects/#{project.id}/runners") + + expect(response.status).to eq(401) + end + end + end +end