@@ -961,21 +961,28 @@ async def start_build(self, user: base_models.APIUser, build: models.UnsavedBuil
961961 build_orm = schemas .BuildORM (
962962 environment_id = build .environment_id ,
963963 status = models .BuildStatus .in_progress ,
964+ result_repository_url = build_parameters .repository ,
964965 )
966+
967+ launcher = launcher_orm .dump () if launcher_orm is not None else None
968+
969+ params : models .ShipwrightBuildRunParams | None = None
970+ if self .shipwright_client is not None :
971+ params = await self ._get_buildrun_params (
972+ user = user , build = build_orm .dump (), build_parameters = build_parameters , launcher = launcher
973+ )
974+ build_orm .result_image = params .output_image
975+ else :
976+ logger .error ("Shipwright client is None" )
977+
965978 session .add (build_orm )
966979 await session .flush ()
967980 await session .refresh (build_orm )
968-
969- result = build_orm .dump ()
970- launcher = launcher_orm .dump () if launcher_orm is not None else None
981+ result = build_orm .dump ()
971982
972983 if self .shipwright_client is not None :
973- params = await self ._get_buildrun_params (
974- user = user , build = result , build_parameters = build_parameters , launcher = launcher
975- )
984+ assert params is not None
976985 await self .shipwright_client .create_image_build (params = params , user_id = user .id )
977- else :
978- logger .error ("Shipwright client is None" )
979986
980987 return result
981988
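Review bot: `_get_buildrun_params` is now called with `build_orm.dump()` before `session.add` and `session.flush`, so any column the database fills in at flush time would still be unset when `params.output_image` is derived. The hunk does not show whether the build id is generated client-side, so this needs confirming before `result_image` is relied on for the log authorization check. Separately, `assert params is not None` is stripped under `python -O`; an explicit `if params is None: raise errors.CannotStartBuildError(message="Build parameters were not computed")` keeps the guard in every mode. The body of `start_build` begins outside this hunk.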
@@ -1042,6 +1049,26 @@ async def get_build_logs(
10421049 authorized = await self ._get_environment_authorization (
10431050 session = session , user = user , environment = build .environment , scope = Scope .WRITE
10441051 )
1052+
1053+ # If the output image is private, check that the user can read the source repository
1054+ if build .result_image is None :
1055+ authorized = False
1056+ else :
1057+ if self .builds_config .private_builds_enabled and build .result_image .startswith (
1058+ self .builds_config .build_output_private_image_prefix
1059+ ):
1060+ if build .result_repository_url is None :
1061+ authorized = False
1062+ else :
1063+ repo_data = await self .git_repositories_repo .get_repository (
1064+ repository_url = build .result_repository_url ,
1065+ user = user ,
1066+ etag = None ,
1067+ internal_gitlab_user = base_models .APIUser (),
1068+ )
1069+ if not isinstance (repo_data .metadata , Metadata ) or not repo_data .metadata .pull_permission :
1070+ authorized = False
1071+
10451072 if not authorized :
10461073 raise errors .MissingResourceError (message = not_found_message )
10471074
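Review bot: The repository permission check is skipped whenever `self.builds_config.private_builds_enabled` is currently false, even for a stored `result_image` that carries the private prefix. If private builds are switched off after private images were built, their logs would fall back to the environment WRITE check alone. Keying the check on the stored image only, `if build.result_image.startswith(self.builds_config.build_output_private_image_prefix):`, avoids that, provided the prefix is still configured when the feature is off (not visible here). An exception raised by `get_repository` would also surface as a different error from `not_found_message`; wrapping the call so that failures set `authorized = False` keeps the response uniform. `get_build_logs` starts and continues outside this hunk.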
@@ -1166,7 +1193,9 @@ async def _get_buildrun_params(
11661193 )
11671194
11681195 if result .is_error :
1169- raise errors .CannotStartBuildError (message = str (result .error ))
1196+ raise errors .UnauthorizedError (
1197+ message = f"You do not have the required credentials to clone the code repository { git_repository } ."
1198+ )
11701199
11711200 authentication_secret : models .AuthenticationSecret | None = None
11721201 output_image_prefix = self .builds_config .build_output_image_prefix
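Review bot: Every `result.is_error` is now reported as a credentials problem and `result.error` is discarded. A network failure or a malformed repository URL would therefore be returned as `UnauthorizedError` with nothing left to diagnose it from. Keeping the cause on the server side, for example `logger.warning("Repository probe failed for %s: %s", git_repository, result.error)` before the `raise`, preserves the generic client message while leaving an audit trail, assuming `result.error` carries no secrets. `_get_buildrun_params` starts and continues outside this hunk.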
@@ -1179,7 +1208,10 @@ async def _get_buildrun_params(
11791208 if visibility == RepositoryVisibility .private :
11801209 if not self .builds_config .private_builds_enabled :
11811210 raise errors .CannotStartBuildError (message = "Private repository builds are not enabled" )
1182-
1211+ if isinstance (result .metadata , Metadata ) and not result .metadata .pull_permission :
1212+ raise errors .ForbiddenError (
1213+ message = f"You do not have the required permissions to clone the code repository { git_repository } ."
1214+ )
11831215 token : dict [str , Any ] | None = await self .git_repositories_repo .get_token (
11841216 repository_url = git_repository , user = user
11851217 )
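Review bot: The new permission check fails open, because `isinstance(result.metadata, Metadata) and not result.metadata.pull_permission` lets a private repository with missing or unexpected metadata continue to `get_token`. The check added to `get_build_logs` in this same commit denies in that case (`not isinstance(...) or not ...pull_permission`). Using the same form here, `if not isinstance(result.metadata, Metadata) or not result.metadata.pull_permission:`, makes both paths fail closed. Whether a non-`Metadata` value can occur for a private repository is not visible in the hunk, and `_get_buildrun_params` continues past it.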