Add support for pull credentials on builds and build triggers

2014-03-27 18:33:13 -04:00 · 2014-03-27 18:33:13 -04:00 · 2006917e03
commit 2006917e03
parent 1fc3c922a9
17 changed files with 355 additions and 37 deletions
--- a/endpoints/api/trigger.py
+++ b/endpoints/api/trigger.py
@ -15,7 +15,8 @@ from endpoints.common import start_build
 from endpoints.trigger import (BuildTrigger as BuildTriggerBase, TriggerDeactivationException,
                               TriggerActivationException, EmptyRepositoryException)
 from data import model
-from auth.permissions import UserAdminPermission
+from auth.permissions import UserAdminPermission, AdministerOrganizationPermission
+from util.names import parse_robot_username


 logger = logging.getLogger(__name__)
@ -133,7 +134,19 @@ class BuildTriggerActivate(RepositoryParamResource):
    'BuildTriggerActivateRequest': {
      'id': 'BuildTriggerActivateRequest',
      'type': 'object',
-      'description': 'Arbitrary json.',
+      'required': [
+        'config'
+      ],
+      'properties': {
+        'config': {
+          'type': 'object',
+          'description': 'Arbitrary json.',
+        },
+        'pull_robot': {
+          'type': 'string',
+          'description': 'The name of the robot that will be used to pull images.'
+        }
+      }
    },
  }

@ -154,7 +167,27 @@ class BuildTriggerActivate(RepositoryParamResource):

    user_permission = UserAdminPermission(trigger.connected_user.username)
    if user_permission.can():
-      new_config_dict = request.get_json()
+      # Update the pull robot (if any).
+      pull_robot_name = request.get_json().get('pull_robot', None)
+      if pull_robot_name:
+        pull_robot = model.lookup_robot(pull_robot_name)
+        if not pull_robot:
+          raise NotFound()
+
+        # Make sure the user has administer permissions for the robot's namespace.
+        (robot_namespace, shortname) = parse_robot_username(pull_robot_name)
+        if not AdministerOrganizationPermission(robot_namespace).can():
+          raise Unauthorized()
+
+        # Make sure the namespace matches that of the trigger.
+        if robot_namespace != namespace:
+          raise Unauthorized()          
+
+        # Set the pull robot.
+        trigger.pull_user = pull_robot
+
+      # Update the config.
+      new_config_dict = request.get_json()['config']

      token_name = 'Build Trigger: %s' % trigger.service.name
      token = model.create_delegate_token(namespace, repository, token_name,
@ -185,6 +218,7 @@ class BuildTriggerActivate(RepositoryParamResource):
      log_action('setup_repo_trigger', namespace,
               {'repo': repository, 'namespace': namespace,
                'trigger_id': trigger.uuid, 'service': trigger.service.name, 
+                'pull_user': trigger.pull_user.username if trigger.pull_user else None,
                'config': final_config}, repo=repo)

      return trigger_view(trigger)
@ -214,8 +248,10 @@ class ActivateBuildTrigger(RepositoryParamResource):
    dockerfile_id, tags, name, subdir = specs

    repo = model.get_repository(namespace, repository)
+    pull_credentials = model.get_pull_credentials(trigger)

-    build_request = start_build(repo, dockerfile_id, tags, name, subdir, True)
+    build_request = start_build(repo, dockerfile_id, tags, name, subdir, True,
+                                pull_credentials=pull_credentials)

    resp = build_status_view(build_request, True)
    repo_string = '%s/%s' % (namespace, repository)