Merge pull request #1369 from travis-ci/prd_custom_images_us4_am

[M2-US4] Implement deleting custom images

Author: DominikAlberski

lib/travis/api/enqueue/services/restart_model.rb

@@ -27,7 +27,7 @@ def push(event, payload)
         end
 
         def accept?
-          current_user && permission? && resetable? && billing?
+          current_user && permission? && resetable? && billing? && custom_image_create_allowed? && custom_image_use_allowed?
         end
 
         def billing?
@@ -61,12 +61,64 @@ def billing?
           end
         end
 
+        def custom_image_create_allowed?
+          return true if !!Travis.config.enterprise
+
+          @_custom_image_create_allowed ||= begin
+            jobs = target.is_a?(Job) ? [target] : target.matrix
+            jobs.map do |job|
+              next unless job.config
+
+              create_name = job.config.dig(:vm, :create, :name)
+              if create_name
+                return false unless !!artifact_manager.create(owner: repository.owner, image_name: create_name, job_restart: true)
+              end
+            end
+            true
+          rescue Travis::API::V3::Error
+            false
+          end
+        end
+
+
+        def custom_image_use_allowed?
+          return true if !!Travis.config.enterprise
+
+          @_custom_image_use_allowed ||= begin
+            jobs = target.is_a?(Job) ? [target] : target.matrix
+
+            jobs.map do |job|
+              next unless job.config
+
+              use_name = job.config.dig(:vm, :use)
+              use_name = use_name[:name] if use_name.is_a?(Hash)
+
+              if use_name
+                return false unless can_use_custom_image?(owner: repository.owner, image_name: use_name)
+              end
+            end
+            true
+          rescue Travis::API::V3::Error
+            false
+          end
+        end
+
+        def can_use_custom_image?(owner:, image_name:)
+          !!artifact_manager.use(owner: , image_name:)
+        rescue Travis::API::V3::NotFound
+          true
+        rescue Travis::API::V3::Error
+          false
+        end
+
         def messages
           messages = []
           messages << { notice: "The #{type} was successfully restarted." } if accept?
           messages << { error:  'You do not seem to have sufficient permissions.' } unless permission?
           messages << { error:  'You do not have enough credits.' } unless billing?
           messages << { error:  "This #{type} currently can not be restarted." } unless resetable?
+          messages << { error:  "Image creation build restart not allowed." } unless custom_image_create_allowed?
+          messages << { error:  "Can't use the custom image. Make sure it's already created" } unless custom_image_use_allowed?
           messages
         end
 
@@ -88,6 +140,10 @@ def target
 
         private
 
+        def artifact_manager
+          @_artifact_manger = Travis::API::V3::ArtifactManagerClient.new(current_user&.id)
+        end
+
         def subscription
           Subscription.where(owner: repository.owner)&.first
         end

lib/travis/api/v3/artifact_manager_client.rb

@@ -0,0 +1,99 @@
+module Travis::API::V3
+  class ArtifactManagerClient
+    class ConfigurationError < StandardError; end
+
+    def initialize(user_id)
+      @user_id = user_id
+    end
+
+    def create(owner:, image_name:, job_restart: false)
+      params = {
+        owner_type: owner.class.name.downcase,
+        id: owner.id,
+        name: image_name,
+        job_restart:
+      }
+      handle_errors_and_respond(connection.post("/create", params)) do |body|
+        body.include?('image_id') ? body['image_id'] : false
+      end
+    rescue Faraday::Error
+      raise ArtifactManagerConnectionError
+    end
+
+    def use(owner:, image_name:)
+      handle_errors_and_respond(connection.get("/image/#{owner.class.name.downcase}/#{owner.id}/#{image_name}")) do |body|
+        return body['image_id'] if body.include?('image_id')
+
+        return body['image']['id'] if body.include?('image')
+
+        false
+      end
+    rescue Faraday::Error
+      raise ArtifactManagerConnectionError
+    end
+
+    def images(owner_type, owner_id)
+      response = connection.get("/images?owner_type=#{owner_type}&id=#{owner_id}")
+      handle_images_response(response)
+    end
+
+    def delete_images(owner_type, owner_id, image_ids)
+      image_ids.each do |image_id|
+        response = connection.delete("/image/#{owner_type.downcase}/#{owner_id}/#{image_id}")
+        handle_errors_and_respond(response)
+      end
+    end
+
+    private
+
+    def handle_images_response(response)
+      handle_errors_and_respond(response) do |r|
+        r['images'].map { |image_data| Travis::API::V3::Models::CustomImage.new(image_data) }
+      end
+    end
+
+    def handle_errors_and_respond(response)
+      body = response.body.is_a?(String) && response.body.length.positive? ? JSON.parse(response.body) : response.body
+
+      case response.status
+      when 200, 201
+        yield(body) if block_given?
+      when 202
+        true
+      when 204
+        true
+      when 400
+        raise Travis::API::V3::ClientError, body['error']
+      when 403
+        raise Travis::API::V3::InsufficientAccess, body['rejection_code']
+      when 404
+        raise Travis::API::V3::NotFound, body['error']
+      when 422
+        raise Travis::API::V3::UnprocessableEntity, body['error']
+      else
+        raise Travis::API::V3::ServerError, 'Artifact manager failed'
+      end
+    end
+
+    def connection(timeout: 10)
+      @connection ||= Faraday.new(url: artifact_manager_url, ssl: { ca_path: '/usr/lib/ssl/certs' }) do |conn|
+        conn.request(:authorization, :basic, '_', artifact_manager_auth_key)
+        conn.headers['X-Travis-User-Id'] = @user_id.to_s
+        conn.headers['Content-Type'] = 'application/json'
+        conn.request :json
+        conn.response :json
+        conn.options[:open_timeout] = timeout
+        conn.options[:timeout] = timeout
+        conn.adapter :net_http
+      end
+    end
+
+    def artifact_manager_url
+      Travis.config.artifact_manager&.url || raise(ConfigurationError, 'No artifact manager url configured')
+    end
+
+    def artifact_manager_auth_key
+      Travis.config.artifact_manager&.auth_key || raise(ConfigurationError, 'No artifact manager auth key configured')
+    end
+  end
+end

lib/travis/api/v3/models/custom_image.rb

@@ -7,7 +7,7 @@ class Models::CustomImage < Model
     scope :available, -> { where(state: 'available') }
 
     def created_by
-      user_id = custom_image_logs.created.frist&.sender_id
+      user_id = custom_image_logs.created.first&.sender_id
       return unless user_id
 
       User.find(user_id)

lib/travis/api/v3/queries/custom_images.rb

@@ -1,7 +1,12 @@
 module Travis::API::V3
   class Queries::CustomImages < Query
     def for_owner(owner)
-      Models::CustomImage.where(owner_id: owner.id, owner_type: owner_type(owner))
+      Models::CustomImage.available.where(owner_id: owner.id, owner_type: owner_type(owner)).order('created_at DESC')
+    end
+
+    def delete(image_ids, owner, sender)
+      client = ArtifactManagerClient.new(sender.id)
+      client.delete_images(owner_type(owner), owner.id, image_ids)
     end
 
     private

lib/travis/api/v3/renderer/membership.rb

@@ -0,0 +1,6 @@
+module Travis::API::V3
+  class Renderer::Membership < ModelRenderer
+    representation(:minimal, :organization_id, :build_permission)
+    representation(:standard, :user_id, :organization_id, :role, :build_permission)
+  end
+end

lib/travis/api/v3/renderer/user.rb

@@ -2,7 +2,7 @@
 
 module Travis::API::V3
   class Renderer::User < Renderer::Owner
-    representation(:standard, :email, :is_syncing, :synced_at, :recently_signed_up, :secure_user_hash, :ro_mode, :confirmed_at, :custom_keys, :internal, :last_activity_at)
+    representation(:standard, :email, :is_syncing, :synced_at, :recently_signed_up, :secure_user_hash, :ro_mode, :confirmed_at, :custom_keys, :internal, :last_activity_at, :memberships)
     representation(:additional, :emails, :collaborator)
 
     def email

lib/travis/api/v3/routes.rb

@@ -173,6 +173,7 @@ module Routes
       resource :custom_images do
         route '/custom_images'
         get :for_owner
+        delete :delete
       end
     end
 

lib/travis/api/v3/services/custom_images/delete.rb

@@ -0,0 +1,21 @@
+module Travis::API::V3
+  class Services::CustomImages::Delete < Service
+    params :image_ids
+
+    def run!
+      raise LoginRequired unless access_control.full_access_or_logged_in?
+
+      owner = query(:owner).find
+      raise NotFound unless owner
+
+      if owner.is_a?(Travis::API::V3::Models::User)
+        access_control.permissions(owner).sync!
+      else
+        access_control.permissions(owner).admin!
+      end
+
+      query.delete(params['image_ids'], owner, access_control.user)
+      deleted
+    end
+  end
+end

lib/travis/api/v3/services/custom_images/for_owner.rb

@@ -9,9 +9,16 @@ def run!
       owner = query(:owner).find
 
       raise NotFound unless owner
-      repo = owner.repositories.first
-      raise InsufficientAccess unless repo
-      access_control.permissions(repo).build_create!
+
+      if owner.is_a?(Travis::API::V3::Models::User)
+        raise InsufficientAccess unless access_control.user.id == owner.id
+      else
+        membership = Models::Membership.where(organization_id: owner.id).joins(:user).includes(:user).first
+        raise NotFound unless membership
+
+        build_permission = membership.build_permission.nil? ? true : membership.build_permission
+        raise InsufficientAccess unless build_permission
+      end
 
       results = query(:custom_images).for_owner(owner)
       result results

lib/travis/config/defaults.rb

@@ -106,7 +106,8 @@ def fallback_logs_api_auth_token
             recaptcha:            { endpoint: 'https://www.google.com', secret: ENV['RECAPTCHA_SECRET_KEY'] || '' },
             antifraud:            { captcha_max_failed_attempts: 3, captcha_block_duration: 24, credit_card_max_failed_attempts: 3, credit_card_block_duration: 24 },
             legacy_roles:         false,
-            internal_users:       [{id: 0, login: 'cron'}]
+            internal_users:       [{id: 0, login: 'cron'}],
+            artifact_manager:     { url: 'http://artifact_manager:3434', auth_key: 'secret' }
 
     default :_access => [:key]