Merge pull request #1155 from patbos/cloud_check

Vlatombe · web-flow · commit 99e78df79910 · 2022-04-29T11:39:47.000+02:00
diff --git a/src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesFolderProperty.java b/src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesFolderProperty.java
@@ -10,6 +10,7 @@
 import java.util.stream.Collectors;
 
 import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.model.Job;
 import org.apache.commons.lang.StringUtils;
 import org.kohsuke.accmod.Restricted;
 import org.kohsuke.accmod.restrictions.DoNotUse;
@@ -99,6 +100,19 @@ private static List<UsagePermission> buildPermissions() {
         return ps;
     }
 
+    @SuppressWarnings({"rawtypes"})
+    public static boolean isAllowed(KubernetesSlave agent, Job job) {
+        ItemGroup parent = job.getParent();
+        Set<String> allowedClouds = new HashSet<>();
+
+        KubernetesCloud targetCloud = agent.getKubernetesCloud();
+        if (targetCloud.isUsageRestricted()) {
+            KubernetesFolderProperty.collectAllowedClouds(allowedClouds, parent);
+            return allowedClouds.contains(targetCloud.name);
+        }
+        return true;
+    }
+
     private static String PREFIX_USAGE_PERMISSION = "usage-permission-";
 
     @Override
diff --git a/src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesQueueTaskDispatcher.java b/src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesQueueTaskDispatcher.java
@@ -0,0 +1,43 @@
+package org.csanchez.jenkins.plugins.kubernetes;
+
+import hudson.Extension;
+import hudson.model.Job;
+import hudson.model.Node;
+import hudson.model.Queue;
+import hudson.model.Queue.Task;
+
+import hudson.model.queue.CauseOfBlockage;
+import hudson.model.queue.QueueTaskDispatcher;
+
+@Extension
+@SuppressWarnings({"rawtypes"})
+public class KubernetesQueueTaskDispatcher extends QueueTaskDispatcher {
+
+    @Override
+    public CauseOfBlockage canTake(Node node, Queue.BuildableItem item) {
+        if (node instanceof KubernetesSlave) {
+            KubernetesSlave slave = (KubernetesSlave) node;
+            Task ownerTask = item.task.getOwnerTask();
+            if (!KubernetesFolderProperty.isAllowed(slave, (Job) ownerTask)) {
+                return new KubernetesCloudNotAllowed(slave.getKubernetesCloud(), (Job) ownerTask);
+            }
+        }
+        return null;
+    }
+
+    public static final class KubernetesCloudNotAllowed extends CauseOfBlockage {
+
+        private final KubernetesCloud cloud;
+        private final Job job;
+
+        public KubernetesCloudNotAllowed(KubernetesCloud cloud, Job job) {
+            this.cloud = cloud;
+            this.job = job;
+        }
+
+        @Override
+        public String getShortDescription() {
+            return Messages.KubernetesCloudNotAllowed_Description(cloud.name, job.getFullName());
+        }
+    }
+}
diff --git a/src/main/resources/org/csanchez/jenkins/plugins/kubernetes/Messages.properties b/src/main/resources/org/csanchez/jenkins/plugins/kubernetes/Messages.properties
@@ -7,4 +7,5 @@ KubernetesFolderProperty.displayName=Kubernetes
 KubernetesSlave.HomeWarning=[WARNING] HOME is set to / in the jnlp container. You may encounter \
     troubles when using tools or ssh client. This usually happens if the uid doesn't have any \
     entry in /etc/passwd. Please add a user to your Dockerfile or set the HOME environment \
-    variable to a valid directory in the pod template definition.
+    variable to a valid directory in the pod template definition.
+KubernetesCloudNotAllowed.Description=Kubernetes cloud {0} is not allowed for folder containing job {1}
diff --git a/src/test/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesQueueTaskDispatcherTest.java b/src/test/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesQueueTaskDispatcherTest.java
@@ -0,0 +1,138 @@
+package org.csanchez.jenkins.plugins.kubernetes;
+
+import com.cloudbees.hudson.plugins.folder.Folder;
+import hudson.model.FreeStyleProject;
+import hudson.model.Project;
+import hudson.model.Queue;
+import hudson.model.Slave;
+import hudson.model.queue.CauseOfBlockage;
+import hudson.slaves.DumbSlave;
+import hudson.slaves.RetentionStrategy;
+import net.sf.json.JSONObject;
+import org.jenkinsci.plugins.workflow.job.WorkflowJob;
+import org.jenkinsci.plugins.workflow.support.steps.ExecutorStepExecution;
+import org.junit.Rule;
+import org.junit.Test;
+import org.jvnet.hudson.test.JenkinsRule;
+import org.mockito.Mock;
+import org.mockito.junit.MockitoJUnit;
+import org.mockito.junit.MockitoRule;
+
+import java.util.ArrayList;
+import java.util.Calendar;
+
+import static org.junit.Assert.*;
+import static org.mockito.Mockito.when;
+
+public class KubernetesQueueTaskDispatcherTest {
+
+    @Rule
+    public JenkinsRule jenkins = new JenkinsRule();
+
+    @Rule
+    public MockitoRule mockitoRule = MockitoJUnit.rule();
+
+    @Mock
+    private ExecutorStepExecution.PlaceholderTask task;
+
+    private Folder folderA;
+    private Folder folderB;
+    private KubernetesSlave slaveA;
+    private KubernetesSlave slaveB;
+
+    public void setUpTwoClouds() throws Exception {
+        folderA = new Folder(jenkins.jenkins, "A");
+        folderB = new Folder(jenkins.jenkins, "B");
+        jenkins.jenkins.add(folderA, "Folder A");
+        jenkins.jenkins.add(folderB, "Folder B");
+
+        KubernetesCloud cloudA = new KubernetesCloud("A");
+        cloudA.setUsageRestricted(true);
+
+        KubernetesCloud cloudB = new KubernetesCloud("B");
+        cloudB.setUsageRestricted(true);
+
+        jenkins.jenkins.clouds.add(cloudA);
+        jenkins.jenkins.clouds.add(cloudB);
+
+        KubernetesFolderProperty property1 = new KubernetesFolderProperty();
+        folderA.addProperty(property1);
+        JSONObject json1 = new JSONObject();
+        json1.element("usage-permission-A", true);
+        json1.element("usage-permission-B", false);
+        folderA.addProperty(property1.reconfigure(null, json1));
+
+        KubernetesFolderProperty property2 = new KubernetesFolderProperty();
+        folderB.addProperty(property2);
+        JSONObject json2 = new JSONObject();
+        json2.element("usage-permission-A", false);
+        json2.element("usage-permission-B", true);
+        folderB.addProperty(property2.reconfigure(null, json2));
+
+        slaveA = new KubernetesSlave("A", new PodTemplate(), "testA", "A", "dockerA", new KubernetesLauncher(), RetentionStrategy.INSTANCE);
+        slaveB = new KubernetesSlave("B", new PodTemplate(), "testB", "B", "dockerB", new KubernetesLauncher(), RetentionStrategy.INSTANCE);
+    }
+
+
+    @Test
+    public void checkRestrictedTwoClouds() throws Exception {
+        setUpTwoClouds();
+
+        FreeStyleProject projectA = folderA.createProject(FreeStyleProject.class, "buildJob");
+        FreeStyleProject projectB = folderB.createProject(FreeStyleProject.class, "buildJob");
+        KubernetesQueueTaskDispatcher dispatcher = new KubernetesQueueTaskDispatcher();
+
+        assertNull(dispatcher.canTake(slaveA, new Queue.BuildableItem(new Queue.WaitingItem(Calendar.getInstance(),
+                projectA, new ArrayList<>()))));
+        assertTrue(canTake(dispatcher, slaveB, projectA) instanceof KubernetesQueueTaskDispatcher.KubernetesCloudNotAllowed);
+        assertTrue(canTake(dispatcher, slaveA, projectB) instanceof KubernetesQueueTaskDispatcher.KubernetesCloudNotAllowed);
+        assertNull(canTake(dispatcher, slaveB, projectB));
+    }
+
+    @Test
+    public void checkNotRestrictedClouds() throws Exception {
+        Folder folder = new Folder(jenkins.jenkins, "C");
+        FreeStyleProject project = folder.createProject(FreeStyleProject.class, "buildJob");
+        jenkins.jenkins.add(folder, "C");
+        KubernetesCloud cloud = new KubernetesCloud("C");
+        cloud.setUsageRestricted(false);
+        jenkins.jenkins.clouds.add(cloud);
+        KubernetesQueueTaskDispatcher dispatcher = new KubernetesQueueTaskDispatcher();
+        KubernetesSlave slave = new KubernetesSlave("C", new PodTemplate(), "testC", "C", "dockerC", new KubernetesLauncher(), RetentionStrategy.INSTANCE);
+
+        assertNull(canTake(dispatcher, slave, project));
+    }
+
+
+    @Test
+    public void checkDumbSlave() throws Exception {
+        DumbSlave slave = jenkins.createOnlineSlave();
+        FreeStyleProject project = jenkins.createProject(FreeStyleProject.class);
+        KubernetesQueueTaskDispatcher dispatcher = new KubernetesQueueTaskDispatcher();
+
+        assertNull(canTake(dispatcher, slave, project));
+    }
+
+    @Test
+    public void checkPipelinesRestrictedTwoClouds() throws Exception {
+        setUpTwoClouds();
+
+        WorkflowJob job = folderA.createProject(WorkflowJob.class, "pipeline");
+        when(task.getOwnerTask()).thenReturn(job);
+        KubernetesQueueTaskDispatcher dispatcher = new KubernetesQueueTaskDispatcher();
+
+        assertNull(canTake(dispatcher, slaveA, task));
+        assertTrue(canTake(dispatcher, slaveB, task) instanceof KubernetesQueueTaskDispatcher.KubernetesCloudNotAllowed);
+    }
+
+    private CauseOfBlockage canTake(KubernetesQueueTaskDispatcher dispatcher, Slave slave, Project project) {
+        return dispatcher.canTake(slave, new Queue.BuildableItem(new Queue.WaitingItem(Calendar.getInstance(),
+                project, new ArrayList<>())));
+    }
+
+    private CauseOfBlockage canTake(KubernetesQueueTaskDispatcher dispatcher, Slave slave, Queue.Task task) {
+        return dispatcher.canTake(slave, new Queue.BuildableItem(new Queue.WaitingItem(Calendar.getInstance(),
+                task, new ArrayList<>())));
+    }
+
+}
