feat(2437): Support read-only SCM (#2460)

Author: tkyi

bin/server

@@ -81,7 +81,7 @@ delete datastorePluginConfig.readOnly;
 // Default datastore
 const datastore = new DatastorePlugin(hoek.applyToDefaults({ ecosystem }, datastorePluginConfig || {}));
 
-// Source Code Plugin
+// Setup Source Code Plugin(s)
 const scmConfig = { scms: config.get('scms') };
 const ScmPlugin = require('screwdriver-scm-router');
 const scm = new ScmPlugin(scmConfig || {});

config/custom-environment-variables.yaml

@@ -320,6 +320,16 @@ scms:
   #     # if you have on-premise gitlab, you can specify that here
   #     gitlabHost: SCM_GITLAB_HOST
   #     gitlabProtocol: SCM_GITLAB_PROTOCOL
+  #     # readOnly scm config, default false
+  #     readOnly:
+  #         # set true to enable read-only scm mode
+  #         enabled: SCM_GITLAB_RO_ENABLED
+  #         # headless username
+  #         username: SCM_GITLAB_RO_USERNAME
+  #         # headless access token
+  #         accessToken: SCM_GITLAB_RO_TOKEN
+  #         # SCM clone type (https or ssh)
+  #         cloneType: SCM_GITLAB_RO_CLONE_TYPE
 webhooks:
   # Obtains the SCM token for a given user. If a user does not have a valid SCM token registered with Screwdriver, it will use this user's token instead.
   username: SCM_USERNAME
@@ -399,7 +409,7 @@ redisLock:
   enabled: REDLOCK_ENABLED
   options:
     # maximum retry limit to obtain lock
-    retryCount: REDLOCK_RETRY_COUNT 
+    retryCount: REDLOCK_RETRY_COUNT
     # the expected clock drift
     driftFactor: REDLOCK_DRIFT_FACTOR
     # the time in milliseconds between retry attempts

config/default.yaml

@@ -229,8 +229,18 @@ scms: {}
 #       # gitlabHost: mygitlab.com
 #       # gitlabProtocol: https
 #       # The username and email used for checkout with gitlab
-#       # username: sd-buildbot
+#       username: sd-buildbot
 #       # email: dev-null@screwdriver.cd
+#       # read-only scm config, default false
+#       readOnly:
+#         # set true to enable read-only scm mode
+#         enabled: false
+#         # headless username
+#         username: headless-user
+#         # headless access token
+#         accessToken: headlesstoken
+#         # SCM clone type (https or ssh)
+#         cloneType: https
 webhooks:
   # Obtains the SCM token for a given user. If a user does not have a valid SCM token registered with Screwdriver, it will use this user's token instead.
   username: sd-buildbot
@@ -331,7 +341,7 @@ redisLock:
   enabled: false
   options:
     # maximum retry limit to obtain lock
-    retryCount: 200 
+    retryCount: 200
     # the expected clock drift
     driftFactor: 0.01
     # the time in milliseconds between retry attempts
@@ -345,4 +355,4 @@ redisLock:
       options:
         password: "THIS-IS-A-PASSWORD"
         tls: false
-      database: 0
+      database: 0

package.json

@@ -74,7 +74,7 @@
     "@hapi/good": "^9.0.1",
     "@hapi/good-console": "^9.0.1",
     "@hapi/good-squeeze": "^6.0.0",
-    "@hapi/hapi": "^20.1.0",
+    "@hapi/hapi": "^20.1.3",
     "@hapi/hoek": "^9.1.1",
     "@hapi/inert": "^6.0.3",
     "@hapi/vision": "^6.1.0",
@@ -87,7 +87,7 @@
     "hapi-auth-bearer-token": "^8.0.0",
     "hapi-auth-jwt2": "^10.2.0",
     "hapi-rate-limit": "^5.0.0",
-    "hapi-swagger": "^14.1.0",
+    "hapi-swagger": "^14.1.3",
     "ioredis": "^3.2.2",
     "joi": "^17.4.0",
     "js-yaml": "^3.14.1",
@@ -116,12 +116,12 @@
     "screwdriver-executor-queue": "^3.0.2",
     "screwdriver-executor-router": "^2.1.2",
     "screwdriver-logger": "^1.0.2",
-    "screwdriver-models": "^28.6.3",
+    "screwdriver-models": "^28.7.3",
     "screwdriver-notifications-email": "^2.1.5",
     "screwdriver-notifications-slack": "^3.1.6",
     "screwdriver-scm-base": "^7.1.3",
     "screwdriver-scm-bitbucket": "^4.2.0",
-    "screwdriver-scm-github": "^11.1.4",
+    "screwdriver-scm-github": "^11.3.0",
     "screwdriver-scm-gitlab": "^2.2.1",
     "screwdriver-scm-router": "^6.1.1",
     "screwdriver-template-validator": "^5.1.2",
@@ -145,10 +145,10 @@
     "coveralls": "^3.1.0",
     "cucumber": "6.0.4",
     "cucumber-pretty": "^6.0.0",
-    "eslint": "^7.24.0",
+    "eslint": "^7.26.0",
     "eslint-config-screwdriver": "^5.0.5",
     "form-data": "^2.5.1",
-    "mocha": "^8.2.1",
+    "mocha": "^8.4.0",
     "mocha-multi-reporters": "^1.5.1",
     "mocha-sonarqube-reporter": "^1.0.2",
     "mockery": "^2.0.0",

plugins/auth/contexts.js

@@ -32,7 +32,8 @@ module.exports = config => ({
                     displayName: scm.getDisplayName({ scmContext }),
                     autoDeployKeyGeneration: scm.autoDeployKeyGenerationEnabled({
                         scmContext
-                    })
+                    }),
+                    readOnly: scm.getReadOnlyInfo({ scmContext }).enabled
                 };
 
                 contexts.push(context);
@@ -42,7 +43,8 @@ module.exports = config => ({
                 contexts.push({
                     context: 'guest',
                     displayName: 'Guest Access',
-                    autoDeployKeyGeneration: false
+                    autoDeployKeyGeneration: false,
+                    readOnly: false
                 });
             }
 

plugins/builds/update.js

@@ -5,6 +5,7 @@ const hoek = require('@hapi/hoek');
 const schema = require('screwdriver-data-schema');
 const joi = require('joi');
 const idSchema = schema.models.job.base.extract('id');
+const { getScmUri, getUserPermissions } = require('../helper');
 
 /**
  * Determine if this build is FIXED build or not.
@@ -68,7 +69,8 @@ module.exports = () => ({
                 jobFactory,
                 userFactory,
                 stepFactory,
-                bannerFactory
+                bannerFactory,
+                pipelineFactory
             } = request.server.app;
             const { id } = request.params;
             const { statusMessage, stats, status: desiredStatus } = request.payload;
@@ -82,7 +84,7 @@ module.exports = () => ({
 
             return buildFactory
                 .get(id)
-                .then(build => {
+                .then(async build => {
                     if (!build) {
                         throw boom.notFound(`Build ${id} does not exist`);
                     }
@@ -110,36 +112,24 @@ module.exports = () => ({
                             throw boom.badRequest('User can only update builds to ABORTED');
                         }
 
-                        // Check permission against the pipeline
                         // Fetch the job and user models
-                        return (
-                            Promise.all([jobFactory.get(build.jobId), userFactory.get({ username, scmContext })])
-                                // scmUri is buried in the pipeline, so we get that from the job
-                                .then(([job, user]) =>
-                                    job.pipeline.then(pipeline =>
-                                        user
-                                            .getPermissions(pipeline.scmUri)
-                                            // Check if user has push access or is a Screwdriver admin
-                                            .then(permissions => {
-                                                if (!permissions.push && !adminDetails.isAdmin) {
-                                                    throw boom.forbidden(
-                                                        `User ${user.getFullDisplayName()} does not ` +
-                                                            'have permission to abort this build'
-                                                    );
-                                                }
-
-                                                return eventFactory
-                                                    .get(build.eventId)
-                                                    .then(event => ({ build, event }));
-                                            })
-                                    )
-                                )
-                        );
+                        const [job, user] = await Promise.all([
+                            jobFactory.get(build.jobId),
+                            userFactory.get({ username, scmContext })
+                        ]);
+
+                        const pipeline = await job.pipeline;
+
+                        // Use parent's scmUri if pipeline is child pipeline and using read-only SCM
+                        const scmUri = await getScmUri({ pipeline, pipelineFactory });
+
+                        // Check the user's permission
+                        await getUserPermissions({ user, scmUri, level: 'push', isAdmin: adminDetails.isAdmin });
                     }
 
                     return eventFactory.get(build.eventId).then(event => ({ build, event }));
                 })
-                .then(({ build, event }) => {
+                .then(async ({ build, event }) => {
                     // We can't merge from executor-k8s/k8s-vm side because executor doesn't have build object
                     // So we do merge logic here instead
 
@@ -209,20 +199,17 @@ module.exports = () => ({
 
                     // If status got updated to RUNNING or COLLAPSED, update init endTime and code
                     if (['RUNNING', 'COLLAPSED', 'FROZEN'].includes(desiredStatus)) {
-                        return stepFactory
-                            .get({ buildId: id, name: 'sd-setup-init' })
-                            .then(step => {
-                                // If there is no init step, do nothing
-                                if (!step) {
-                                    return null;
-                                }
+                        const step = await stepFactory.get({ buildId: id, name: 'sd-setup-init' });
 
-                                step.endTime = build.startTime || new Date().toISOString();
-                                step.code = 0;
+                        // If there is no init step, do nothing
+                        if (step) {
+                            step.endTime = build.startTime || new Date().toISOString();
+                            step.code = 0;
 
-                                return step.update();
-                            })
-                            .then(() => Promise.all([build.update(), event.update()]));
+                            await step.update();
+                        }
+
+                        return Promise.all([build.update(), event.update()]);
                     }
 
                     // Only trigger next build on success
@@ -252,7 +239,6 @@ module.exports = () => ({
 
                                 // Guard against triggering non-successful or unstable builds
                                 // Don't further trigger pipeline if intented to skip further jobs
-
                                 if (newBuild.status !== 'SUCCESS' || skipFurther) {
                                     // Check for failed jobs and remove any child jobs in created state
                                     if (newBuild.status === 'FAILURE') {