Don't apply for ACL on push

chmouel · chmouel · commit b4acfcdde651 · 2022-05-16T14:36:48.000+02:00
Closes #681 Signed-off-by: Chmouel Boudjnah <chmouel@redhat.com>
diff --git a/pkg/pipelineascode/match.go b/pkg/pipelineascode/match.go
@@ -89,27 +89,28 @@ is that what you want? make sure you use -n when generating the secret, eg: echo
 	}
 
 	// Check if the submitter is allowed to run this.
-	allowed, err := p.vcx.IsAllowed(ctx, p.event)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	if !allowed {
-		msg := fmt.Sprintf("User %s is not allowed to run CI on this repo.", p.event.Sender)
-		p.logger.Info(msg)
-		if p.event.AccountID != "" {
-			msg = fmt.Sprintf("User: %s AccountID: %s is not allowed to run CI on this repo.", p.event.Sender, p.event.AccountID)
-		}
-		status := provider.StatusOpts{
-			Status:     "completed",
-			Conclusion: "skipped",
-			Text:       msg,
-			DetailsURL: "https://tenor.com/search/police-cat-gifs",
+	if p.event.EventType != "push" {
+		allowed, err := p.vcx.IsAllowed(ctx, p.event)
+		if err != nil {
+			return nil, nil, err
 		}
-		if err := p.vcx.CreateStatus(ctx, p.event, p.run.Info.Pac, status); err != nil {
-			return nil, nil, fmt.Errorf("failed to run create status, user is not allowed to run: %w", err)
+		if !allowed {
+			msg := fmt.Sprintf("User %s is not allowed to run CI on this repo.", p.event.Sender)
+			p.logger.Info(msg)
+			if p.event.AccountID != "" {
+				msg = fmt.Sprintf("User: %s AccountID: %s is not allowed to run CI on this repo.", p.event.Sender, p.event.AccountID)
+			}
+			status := provider.StatusOpts{
+				Status:     "completed",
+				Conclusion: "skipped",
+				Text:       msg,
+				DetailsURL: "https://tenor.com/search/police-cat-gifs",
+			}
+			if err := p.vcx.CreateStatus(ctx, p.event, p.run.Info.Pac, status); err != nil {
+				return nil, nil, fmt.Errorf("failed to run create status, user is not allowed to run: %w", err)
+			}
+			return nil, nil, nil
 		}
-		return nil, nil, nil
 	}
 
 	rawTemplates := p.getAllPipelineRuns(ctx)
@@ -146,7 +147,6 @@ is that what you want? make sure you use -n when generating the secret, eg: echo
 	if err != nil {
 		return nil, nil, err
 	}
-
 	// Match the PipelineRun with annotation
 	matchedPRs, err := matcher.MatchPipelinerunByAnnotation(ctx, p.logger, pipelineRuns, p.run, p.event)
 	if err != nil {
diff --git a/pkg/pipelineascode/pipelinesascode_github_test.go b/pkg/pipelineascode/pipelinesascode_github_test.go
@@ -312,6 +312,23 @@ func TestRun(t *testing.T) {
 			finalStatusText:              "is not allowed to run CI on this repo",
 			skipReplyingOrgPublicMembers: true,
 		},
+		{
+			name: "allowed/push event even from non allowed user",
+			runevent: info.Event{
+				SHA:           "principale",
+				Organization:  "organizationes",
+				Repository:    "lagaffe",
+				URL:           "https://service/documentation",
+				HeadBranch:    "press",
+				Sender:        "evilbro",
+				BaseBranch:    "main",
+				EventType:     "push",
+				TriggerTarget: "push",
+			},
+			tektondir:                    "testdata/push_branch",
+			finalStatus:                  "skipped",
+			skipReplyingOrgPublicMembers: true,
+		},
 		{
 			name: "Keep max number of pipelineruns",
 			runevent: info.Event{
