Merge branch 'master' into bugfix_cycle_12

Author: murtaza-swati

lib/travis.rb

@@ -31,6 +31,8 @@ class GithubApiError    < StandardError; end
   class AdminMissing      < StandardError; end
   class RepositoryMissing < StandardError; end
   class LogAlreadyRemoved < StandardError; end
+  class LogExpired        < StandardError; end
+  class LogAccessDenied   < StandardError; end
   class AuthorizationDenied < StandardError; end
   class JobUnfinished     < StandardError; end
 

lib/travis/api/app/endpoint/jobs.rb

@@ -93,16 +93,7 @@ class Jobs < Endpoint
           # the way we use responders makes it hard to validate proper format
           # automatically here, so we need to check it explicitly
           if accepts?('text/plain')
-            archived_log_path = resource.archived_url
-
-            if params[:cors_hax]
-              status 204
-              headers['Access-Control-Expose-Headers'] = 'Location'
-              headers['Location'] = archived_log_path
-              attach_log_token if job.try(:private?)
-            else
-              redirect archived_log_path, 307
-            end
+            respond_with resource.archived_log_content
           elsif accepts?('application/json')
             attach_log_token if job.try(:private?)
             respond_with resource.as_json

lib/travis/api/app/endpoint/logs.rb

@@ -9,6 +9,19 @@ class Logs < Endpoint
         resource = service(:find_log, id: params[:id]).run
         job = resource ? Job.find(resource.job_id) : nil
 
+        halt 404 unless job
+
+        repo = Travis::API::V3::Models::Repository.find(job.repository.id)
+        repo_can_write = current_user ? !!repo.users.where(id: current_user.id, permissions: { push: true }).first : false
+
+        if !repo.user_settings.job_log_time_based_limit && job.started_at && job.started_at < Time.now - repo.user_settings.job_log_access_older_than_days.days
+          halt 403, { error: { message: "We're sorry, but this data is not available anymore. Please check the repository settings in Travis CI." } }
+        end
+
+        if repo.user_settings.job_log_access_based_limit && !repo_can_write
+          halt 403, { error: { message: "We're sorry, but this data is not available. Please check the repository settings in Travis CI." } }
+        end
+
         if !resource || ((job.try(:private?) || !allow_public?) && !has_permission?(job))
           halt 404
         elsif resource.removed_at && accepts?('application/json')
@@ -17,7 +30,7 @@ class Logs < Endpoint
           # the way we use responders makes it hard to validate proper format
           # automatically here, so we need to check it explicitly
           if accepts?('text/plain')
-            redirect resource.archived_url, 307
+            respond_with resource.archived_log_content
           elsif accepts?('application/json')
             respond_with resource.as_json
           else

lib/travis/api/v3.rb

@@ -39,6 +39,8 @@ def location(env)
       JobNotCancelable    = ClientError        .create('job is not running, cannot cancel', status: 409)
       JobUnfinished       = ClientError        .create('job still running, cannot remove log yet', status: 409)
       LogAlreadyRemoved   = ClientError        .create('log has already been removed', status: 409)
+      LogExpired          = ClientError        .create("We're sorry, but this data is not available anymore. Please check the repository settings in Travis CI.", status: 403)
+      LogAccessDenied     = ClientError        .create("We're sorry, but this data is not available. Please check the repository settings in Travis CI.", status: 403)
       LoginRequired       = ClientError        .create('login required', status: 403)
       MethodNotAllowed    = ClientError        .create('method not allowed', status: 405)
       NotImplemented      = ServerError        .create('request not (yet) implemented', status: 501)

lib/travis/api/v3/access_control/log_token.rb

@@ -5,14 +5,15 @@ module Travis::API::V3
   class AccessControl::LogToken < AccessControl::Generic
     auth_type('log.token')
 
-    attr_accessor :token
+    attr_accessor :token, :repo_can_write
 
     def self.for_request(type, token, env)
       new(token)
     end
 
     def initialize(token)
       self.token = token
+      self.repo_can_write = Travis::API::V3::LogToken.find(token).repo_can_write
     end
 
     def temp_access?

lib/travis/api/v3/log_token.rb

@@ -1,14 +1,18 @@
 module Travis::API::V3
   class LogToken
-    attr_accessor :job_id
+    attr_accessor :job_id, :repo_can_write
 
     def self.find(token)
-      new(redis.get("l:#{token}").to_i)
+      key = "l:#{token}"
+      new(redis.hget(key, :job_id).to_i, !!redis.hget(key, :repo_can_write))
     end
 
-    def self.create(job)
+    def self.create(job, user_id)
+      repo_can_write = !!job.repository.users.where(id: user_id, permissions: { push: true }).first
+
       token = SecureRandom.urlsafe_base64(16)
-      redis.set("l:#{token}", job.id)
+      redis.hset("l:#{token}", :job_id, job.id)
+      redis.hset("l:#{token}", :repo_can_write, repo_can_write)
       redis.expire("l:#{token}", 1.day)
       token
     end
@@ -17,8 +21,9 @@ def self.redis
       Travis.redis
     end
 
-    def initialize(job_id)
+    def initialize(job_id, repo_can_write)
       self.job_id = job_id
+      self.repo_can_write = repo_can_write
     end
 
     def matches?(job)

lib/travis/api/v3/models/audit.rb

@@ -0,0 +1,6 @@
+module Travis::API::V3
+  class Models::Audit < Model
+    belongs_to :owner, polymorphic: true
+    belongs_to :source, polymorphic: true
+  end
+end

lib/travis/api/v3/models/json_slice.rb

@@ -2,7 +2,9 @@
 
 module Travis::API::V3
   class Models::JsonSlice
-    include Virtus.model, Enumerable, Models::JsonSync, ActiveModel::Validations
+    include Virtus.model, Enumerable, Models::JsonSync, ActiveModel::Validations, ActiveSupport::Callbacks, ActiveModel::Dirty
+    extend ActiveSupport::Concern
+    define_callbacks :after_save
 
     class << self
       attr_accessor :child_klass
@@ -30,14 +32,21 @@ def read(name)
 
     def update(name, value)
       raise NotFound unless respond_to?(:"#{name}=")
+      @changes = { :"#{name}" => { before: send(name), after: value } } unless value == send(name)
       send(:"#{name}=", value)
       raise UnprocessableEntity, errors.full_messages.to_sentence unless valid?
       sync!
+      run_callbacks :after_save
+      @changes = {}
       read(name)
     end
 
     def to_h
       Hash[map { |x| [x.name, x.value] }]
     end
+
+    def changes
+      @changes
+    end
   end
 end

lib/travis/api/v3/models/log.rb

@@ -27,6 +27,10 @@ def repository_private?
       job.repository.private?
     end
 
+    def repository
+      @repository ||= Travis::API::V3::Models::Repository.find(job.repository.id)
+    end
+
     private
 
     def archived_log_part

lib/travis/api/v3/models/user_settings.rb

@@ -12,9 +12,20 @@ class Models::UserSettings < Models::JsonSlice
     attribute :config_validation, Boolean, default: lambda { |us, _| us.config_validation? }
     attribute :share_encrypted_env_with_forks, Boolean, default: false
     attribute :share_ssh_keys_with_forks, Boolean, default: lambda { |us, _| us.share_ssh_keys_with_forks? }
+    attribute :job_log_time_based_limit, Boolean, default: lambda { |s, _| s.job_log_access_permissions[:time_based_limit] }
+    attribute :job_log_access_based_limit, Boolean, default: lambda { |s, _| s.job_log_access_permissions[:access_based_limit] }
+    attribute :job_log_access_older_than_days, Integer, default: lambda { |s, _| s.job_log_access_permissions[:older_than_days] }
+
+    validates :job_log_access_older_than_days, numericality: true
+
+    validate :job_log_access_older_than_days_restriction
+
+    set_callback :after_save, :after, :save_audit
 
     attr_reader :repo
 
+    attr_accessor :user, :change_source
+
     def initialize(repo, data)
       @repo = repo
       super(data)
@@ -57,5 +68,24 @@ def cutoff_date
     def days_since_jan_15
       Date.today.mjd - JAN_15.mjd + 1
     end
+
+    def job_log_access_permissions
+      Travis.config.to_h.fetch(:job_log_access_permissions) { {} }
+    end
+
+    def job_log_access_older_than_days_restriction
+      if job_log_access_older_than_days.to_i > job_log_access_permissions[:max_days_value] ||
+        job_log_access_older_than_days.to_i < job_log_access_permissions[:min_days_value]
+        errors.add(:job_log_access_older_than_days, "is outside the bounds")
+      end
+    end
+
+    private
+
+    def save_audit
+      if self.change_source
+        Travis::API::V3::Models::Audit.create!(owner: self.user, change_source: self.change_source, source: self.repo, source_changes: { settings: self.changes })
+      end
+    end
   end
 end