authorize group runners on user

2017-09-07 15:49:29 +02:00 · 2017-09-07 15:49:29 +02:00 · 7fbdd17cbc
commit 7fbdd17cbc
parent 9507f39459
3 changed files with 68 additions and 14 deletions
--- a/app/models/group.rb
+++ b/app/models/group.rb
@ -29,6 +29,8 @@ class Group < Namespace
  has_many :labels, class_name: 'GroupLabel'
  has_many :variables, class_name: 'Ci::GroupVariable'
  has_many :custom_attributes, class_name: 'GroupCustomAttribute'
+  has_many :runner_groups, class_name: 'Ci::RunnerGroup'
+  has_many :runners, through: :runner_groups, source: :runner, class_name: 'Ci::Runner'

  has_many :uploads, as: :model, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent

--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -995,10 +995,17 @@ class User < ActiveRecord::Base

  def ci_authorized_runners
    @ci_authorized_runners ||= begin
-      runner_ids = Ci::RunnerProject
+      project_runner_ids = Ci::RunnerProject
        .where(project: authorized_projects(Gitlab::Access::MASTER))
        .select(:runner_id)
-      Ci::Runner.specific.where(id: runner_ids)
+
+      group_runner_ids = Ci::RunnerGroup
+        .where(group_id: owned_or_masters_groups.select(:id))
+        .select(:runner_id)
+
+      union = Gitlab::SQL::Union.new([project_runner_ids, group_runner_ids])
+
+      Ci::Runner.specific.where("ci_runners.id IN (#{union.to_sql})") # rubocop:disable GitlabSecurity/SqlInjection
    end
  end

@ -1187,6 +1194,11 @@ class User < ActiveRecord::Base
    max_member_access_for_group_ids([group_id])[group_id]
  end

+  def owned_or_masters_groups
+    union = Gitlab::SQL::Union.new([owned_groups, masters_groups])
+    Group.from("(#{union.to_sql}) namespaces")
+  end
+
  protected

  # override, from Devise::Validatable
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@ -1785,14 +1785,12 @@ describe User do

  describe '#ci_authorized_runners' do
    let(:user) { create(:user) }
-    let(:runner) { create(:ci_runner) }
+    let(:runner_1) { create(:ci_runner) }
+    let(:runner_2) { create(:ci_runner) }

-    before do
-      project.runners << runner
-    end
-
-    context 'without any projects' do
-      let(:project) { create(:project) }
+    context 'without any projects nor groups' do
+      let!(:project) { create(:project, runners: [runner_1]) }
+      let!(:group) { create(:group) }

      it 'does not load' do
        expect(user.ci_authorized_runners).to be_empty
@ -1801,10 +1799,38 @@ describe User do

    context 'with personal projects runners' do
      let(:namespace) { create(:namespace, owner: user) }
-      let(:project) { create(:project, namespace: namespace) }
+      let!(:project) { create(:project, namespace: namespace, runners: [runner_1]) }

      it 'loads' do
-        expect(user.ci_authorized_runners).to contain_exactly(runner)
+        expect(user.ci_authorized_runners).to contain_exactly(runner_1)
+      end
+    end
+
+    context 'with personal group runner' do
+      let!(:project) { create(:project, runners: [runner_1]) }
+      let!(:group) do
+        create(:group, runners: [runner_2]).tap do |group|
+          group.add_owner(user)
+        end
+      end
+
+      it 'loads' do
+        expect(user.ci_authorized_runners).to contain_exactly(runner_2)
+      end
+    end
+
+    context 'with personal project and group runner' do
+      let(:namespace) { create(:namespace, owner: user) }
+      let!(:project) { create(:project, namespace: namespace, runners: [runner_1]) }
+
+      let!(:group) do
+        create(:group, runners: [runner_2]).tap do |group|
+          group.add_owner(user)
+        end
+      end
+
+      it 'loads' do
+        expect(user.ci_authorized_runners).to contain_exactly(runner_1, runner_2)
      end
    end

@ -1815,7 +1841,7 @@ describe User do
        end

        it 'loads' do
-          expect(user.ci_authorized_runners).to contain_exactly(runner)
+          expect(user.ci_authorized_runners).to contain_exactly(runner_1)
        end
      end

@ -1832,7 +1858,21 @@ describe User do

    context 'with groups projects runners' do
      let(:group) { create(:group) }
-      let(:project) { create(:project, group: group) }
+      let!(:project) { create(:project, group: group, runners: [runner_1]) }
+
+      def add_user(access)
+        group.add_user(user, access)
+      end
+
+      it_behaves_like :member
+    end
+
+    context 'with groups runners' do
+      let!(:group) do
+        create(:group, runners: [runner_1]).tap do |group|
+          group.add_owner(user)
+        end
+      end

      def add_user(access)
        group.add_user(user, access)
@ -1842,7 +1882,7 @@ describe User do
    end

    context 'with other projects runners' do
-      let(:project) { create(:project) }
+      let!(:project) { create(:project, runners: [runner_1]) }

      def add_user(access)
        project.add_role(user, access)