Skip to content

Commit d978816

Browse files
authored
fix: update some build permissions when the source repo is private (#1351)
Closes #1347.
1 parent 88b2173 commit d978816

1 file changed

Lines changed: 42 additions & 10 deletions

File tree

  • components/renku_data_services/session

components/renku_data_services/session/db.py

Lines changed: 42 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -961,21 +961,28 @@ async def start_build(self, user: base_models.APIUser, build: models.UnsavedBuil
961961
build_orm = schemas.BuildORM(
962962
environment_id=build.environment_id,
963963
status=models.BuildStatus.in_progress,
964+
result_repository_url=build_parameters.repository,
964965
)
966+
967+
launcher = launcher_orm.dump() if launcher_orm is not None else None
968+
969+
params: models.ShipwrightBuildRunParams | None = None
970+
if self.shipwright_client is not None:
971+
params = await self._get_buildrun_params(
972+
user=user, build=build_orm.dump(), build_parameters=build_parameters, launcher=launcher
973+
)
974+
build_orm.result_image = params.output_image
975+
else:
976+
logger.error("Shipwright client is None")
977+
965978
session.add(build_orm)
966979
await session.flush()
967980
await session.refresh(build_orm)
968-
969-
result = build_orm.dump()
970-
launcher = launcher_orm.dump() if launcher_orm is not None else None
981+
result = build_orm.dump()
971982

972983
if self.shipwright_client is not None:
973-
params = await self._get_buildrun_params(
974-
user=user, build=result, build_parameters=build_parameters, launcher=launcher
975-
)
984+
assert params is not None
976985
await self.shipwright_client.create_image_build(params=params, user_id=user.id)
977-
else:
978-
logger.error("Shipwright client is None")
979986

980987
return result
981988

@@ -1042,6 +1049,26 @@ async def get_build_logs(
10421049
authorized = await self._get_environment_authorization(
10431050
session=session, user=user, environment=build.environment, scope=Scope.WRITE
10441051
)
1052+
1053+
# If the output image is private, check that the user can read the source repository
1054+
if build.result_image is None:
1055+
authorized = False
1056+
else:
1057+
if self.builds_config.private_builds_enabled and build.result_image.startswith(
1058+
self.builds_config.build_output_private_image_prefix
1059+
):
1060+
if build.result_repository_url is None:
1061+
authorized = False
1062+
else:
1063+
repo_data = await self.git_repositories_repo.get_repository(
1064+
repository_url=build.result_repository_url,
1065+
user=user,
1066+
etag=None,
1067+
internal_gitlab_user=base_models.APIUser(),
1068+
)
1069+
if not isinstance(repo_data.metadata, Metadata) or not repo_data.metadata.pull_permission:
1070+
authorized = False
1071+
10451072
if not authorized:
10461073
raise errors.MissingResourceError(message=not_found_message)
10471074

@@ -1166,7 +1193,9 @@ async def _get_buildrun_params(
11661193
)
11671194

11681195
if result.is_error:
1169-
raise errors.CannotStartBuildError(message=str(result.error))
1196+
raise errors.UnauthorizedError(
1197+
message=f"You do not have the required credentials to clone the code repository {git_repository}."
1198+
)
11701199

11711200
authentication_secret: models.AuthenticationSecret | None = None
11721201
output_image_prefix = self.builds_config.build_output_image_prefix
@@ -1179,7 +1208,10 @@ async def _get_buildrun_params(
11791208
if visibility == RepositoryVisibility.private:
11801209
if not self.builds_config.private_builds_enabled:
11811210
raise errors.CannotStartBuildError(message="Private repository builds are not enabled")
1182-
1211+
if isinstance(result.metadata, Metadata) and not result.metadata.pull_permission:
1212+
raise errors.ForbiddenError(
1213+
message=f"You do not have the required permissions to clone the code repository {git_repository}."
1214+
)
11831215
token: dict[str, Any] | None = await self.git_repositories_repo.get_token(
11841216
repository_url=git_repository, user=user
11851217
)

0 commit comments

Comments
 (0)