fix: not run permission child pipelines (#2760)

screwdriver-cd · Aug 26, 2022 · 78e7d73 · 78e7d73
1 parent 1557ee3
commit 78e7d73
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 1 deletion.
diff --git a/plugins/pipelines/startAll.js b/plugins/pipelines/startAll.js
@@ -41,7 +41,7 @@ module.exports = () => ({
                 }
             });
 
-            await Promise.all(
+            const createEvents = await Promise.allSettled(
                 pipelines.map(async p => {
                     const pipelineToken = await p.token;
                     const pipelineScmContext = p.scmContext;
@@ -51,6 +51,8 @@ module.exports = () => ({
                         token: pipelineToken
                     });
 
+                    await getUserPermissions({ user, scmUri: p.scmUri, level: 'push' });
+
                     await eventFactory.create({
                         pipelineId: p.id,
                         sha,
@@ -62,6 +64,12 @@ module.exports = () => ({
                 })
             );
 
+            const rejected = createEvents.filter(createEvent => createEvent.status === 'rejected');
+
+            if (rejected.length) {
+                throw boom.forbidden('Failed to start some child pipelines due to lack of permissions.');
+            }
+
             return h.response().code(201);
         },
         validate: {

diff --git a/test/plugins/pipelines.test.js b/test/plugins/pipelines.test.js
@@ -2659,6 +2659,48 @@ describe('pipeline plugin test', () => {
             });
         });
 
+        it('returns 403 if child pipeline does not have permission', () => {
+            const error = {
+                statusCode: 403,
+                error: 'Forbidden',
+                message: 'Failed to start some child pipelines due to lack of permissions.'
+            };
+
+            const noPermissionScmUri = 'github.com:12345:permission';
+            const pipelines = [
+                {
+                    id: 123,
+                    scmUri: 'github.com:12345:branchName',
+                    scmContext: 'github:github.com',
+                    createTime: '2038-01-19T03:14:08.131Z',
+                    admins: {
+                        stjohn: true
+                    },
+                    lastEventId: 456,
+                    state: 'ACTIVE'
+                },
+                {
+                    id: 123,
+                    scmUri: noPermissionScmUri,
+                    scmContext: 'github:github.com',
+                    createTime: '2038-01-19T03:14:08.131Z',
+                    admins: {
+                        stjohn: true
+                    },
+                    lastEventId: 456,
+                    state: 'ACTIVE'
+                }
+            ];
+
+            userMock.getPermissions.withArgs(noPermissionScmUri).resolves({ push: false });
+            pipelineFactoryMock.list.resolves(getPipelineMocks(pipelines));
+
+            return server.inject(options).then(reply => {
+                assert.equal(reply.statusCode, 403);
+                assert.deepEqual(reply.result, error);
+            });
+        });
+
         it('returns 404 for updating a pipeline that does not exist', () => {
             pipelineFactoryMock.get.withArgs(id).resolves(null);