diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-04-27 18:20:35 +0000 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-04-27 18:20:35 +0000 |
| commit | fbcf5b688d3133065705b24b73330f9b9bf19181 (patch) | |
| tree | 5d640c9c862feaa1ad3399fb8277c32ff70834e3 /app/services/clusters | |
| parent | e8aa488899554f5fe4413779f485583d691fd5a8 (diff) | |
| download | gitlab-ce-fbcf5b688d3133065705b24b73330f9b9bf19181.tar.gz | |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app/services/clusters')
| -rw-r--r-- | app/services/clusters/agents/authorize_proxy_user_service.rb | 53 |
1 files changed, 14 insertions, 39 deletions
diff --git a/app/services/clusters/agents/authorize_proxy_user_service.rb b/app/services/clusters/agents/authorize_proxy_user_service.rb index ba90d61a7ef..fbcf25153c1 100644 --- a/app/services/clusters/agents/authorize_proxy_user_service.rb +++ b/app/services/clusters/agents/authorize_proxy_user_service.rb @@ -13,12 +13,12 @@ module Clusters def execute return forbidden unless user_access_config.present? - access_as = user_access_config[:access_as] + access_as = user_access_config['access_as'] return forbidden unless access_as.present? return forbidden if access_as.size != 1 - if authorizations = handle_access(access_as, user_access_config) - return success(payload: authorizations) + if payload = handle_access(access_as) + return success(payload: payload) end forbidden @@ -29,15 +29,20 @@ module Clusters attr_reader :current_user, :agent # Override in EE - def handle_access(access_as, user_access) - access_as_agent(user_access) if access_as.key?(:agent) + def handle_access(access_as) + access_as_agent if access_as.key?('agent') + end + + def authorizations + @authorizations ||= ::Clusters::Agents::Authorizations::UserAccess::Finder + .new(current_user, agent: agent).execute end def response_base { agent: { id: agent.id, - config_project: { id: agent.project.id } + config_project: { id: agent.project_id } }, user: { id: current_user.id, @@ -46,44 +51,14 @@ module Clusters } end - def access_as_agent(user_access) - projects = authorized_projects(user_access) - groups = authorized_groups(user_access) - return unless projects.size + groups.size > 0 + def access_as_agent + return if authorizations.empty? response_base.merge(access_as: { agent: {} }) end - def authorized_projects(user_access) - strong_memoize_with(:authorized_projects, user_access) do - user_access.fetch(:projects, []) - .first(::Clusters::Agents::Authorizations::CiAccess::RefreshService::AUTHORIZED_ENTITY_LIMIT) - .map { |project| ::Project.find_by_full_path(project[:id]) } - .select { |project| current_user.can?(:use_k8s_proxies, project) } - end - end - - def authorized_groups(user_access) - strong_memoize_with(:authorized_groups, user_access) do - user_access.fetch(:groups, []) - .first(::Clusters::Agents::Authorizations::CiAccess::RefreshService::AUTHORIZED_ENTITY_LIMIT) - .map { |group| ::Group.find_by_full_path(group[:id]) } - .select { |group| current_user.can?(:use_k8s_proxies, group) } - end - end - def user_access_config - # TODO: Read the configuration from the database once it has been - # indexed. See https://gitlab.com/gitlab-org/gitlab/-/issues/389430 - branch = agent.project.default_branch_or_main - path = ".gitlab/agents/#{agent.name}/config.yaml" - config_yaml = agent.project.repository - &.blob_at_branch(branch, path) - &.data - return unless config_yaml.present? - - config = YAML.safe_load(config_yaml, aliases: true, symbolize_names: true) - config[:user_access] + agent.user_access_config end strong_memoize_attr :user_access_config |