Merge pull request #11149 from hejieehe/feat_10478

feat：运行时校验权限代持人权限是否已失效 #10478
TencentBlueKing · Dec 10, 2024 · 0cc12cf · 0cc12cf
2 parents f861f59 + 69bf2db
commit 0cc12cf
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 59 deletions.
diff --git a/...ess/api-process/src/main/kotlin/com/tencent/devops/process/constant/ProcessMessageCode.kt b/...ess/api-process/src/main/kotlin/com/tencent/devops/process/constant/ProcessMessageCode.kt
@@ -558,4 +558,7 @@ object ProcessMessageCode {
     // 用户[xxx] 没有如下子流水线的执行权限，重置授权失败
     const val BK_NOT_SUB_PIPELINE_EXECUTE_PERMISSION_RESET_ERROR_TITLE =
         "bkNotSubPipelineExecutePermissionResetErrorTitle"
+
+    // 权限代持人[xxx]已无当前流水线执行权限，可能是权限已过期或不再负责此流水线，请联系流水线拥有者处理
+    const val BK_AUTHOR_NOT_PIPELINE_EXECUTE_PERMISSION = "bkAuthorNotPipelineExecutePermission"
 }
diff --git a/...src/main/kotlin/com/tencent/devops/process/service/webhook/PipelineBuildWebhookService.kt b/...src/main/kotlin/com/tencent/devops/process/service/webhook/PipelineBuildWebhookService.kt
@@ -29,7 +29,9 @@ package com.tencent.devops.process.service.webhook
 
 import com.tencent.devops.common.api.enums.RepositoryType
 import com.tencent.devops.common.api.exception.ErrorCodeException
+import com.tencent.devops.common.api.exception.PermissionForbiddenException
 import com.tencent.devops.common.api.util.JsonUtil
+import com.tencent.devops.common.auth.api.AuthPermission
 import com.tencent.devops.common.client.Client
 import com.tencent.devops.common.event.dispatcher.SampleEventDispatcher
 import com.tencent.devops.common.event.pojo.measure.ProjectUserDailyEvent
@@ -44,6 +46,7 @@ import com.tencent.devops.common.pipeline.pojo.BuildParameters
 import com.tencent.devops.common.pipeline.pojo.element.trigger.WebHookTriggerElement
 import com.tencent.devops.common.pipeline.utils.PIPELINE_PAC_REPO_HASH_ID
 import com.tencent.devops.common.service.prometheus.BkTimed
+import com.tencent.devops.common.web.utils.I18nUtil
 import com.tencent.devops.common.webhook.pojo.code.PIPELINE_START_WEBHOOK_USER_ID
 import com.tencent.devops.common.webhook.service.code.loader.WebhookElementParamsRegistrar
 import com.tencent.devops.common.webhook.service.code.loader.WebhookStartParamsRegistrar
@@ -57,11 +60,13 @@ import com.tencent.devops.process.engine.service.PipelineWebHookQueueService
 import com.tencent.devops.process.engine.service.PipelineWebhookService
 import com.tencent.devops.process.engine.service.WebhookBuildParameterService
 import com.tencent.devops.process.engine.service.code.GitWebhookUnlockDispatcher
+import com.tencent.devops.process.permission.PipelinePermissionService
 import com.tencent.devops.process.pojo.BuildId
 import com.tencent.devops.process.pojo.code.WebhookBuildResult
 import com.tencent.devops.process.pojo.code.WebhookCommit
 import com.tencent.devops.process.pojo.trigger.PipelineTriggerDetailBuilder
 import com.tencent.devops.process.pojo.trigger.PipelineTriggerEvent
+import com.tencent.devops.process.pojo.trigger.PipelineTriggerFailedErrorCode
 import com.tencent.devops.process.pojo.trigger.PipelineTriggerFailedMatch
 import com.tencent.devops.process.pojo.trigger.PipelineTriggerFailedMatchElement
 import com.tencent.devops.process.pojo.trigger.PipelineTriggerFailedMsg
@@ -73,7 +78,6 @@ import com.tencent.devops.process.service.pipeline.PipelineBuildService
 import com.tencent.devops.process.trigger.PipelineTriggerEventService
 import com.tencent.devops.process.utils.PIPELINE_START_TASK_ID
 import com.tencent.devops.process.utils.PipelineVarUtil
-import com.tencent.devops.process.webhook.PipelineBuildPermissionService
 import com.tencent.devops.process.yaml.PipelineYamlService
 import com.tencent.devops.repository.api.ServiceRepositoryResource
 import org.slf4j.LoggerFactory
@@ -96,8 +100,8 @@ class PipelineBuildWebhookService @Autowired constructor(
     private val webhookBuildParameterService: WebhookBuildParameterService,
     private val pipelineTriggerEventService: PipelineTriggerEventService,
     private val measureEventDispatcher: SampleEventDispatcher,
-    private val pipelineBuildPermissionService: PipelineBuildPermissionService,
-    private val pipelineYamlService: PipelineYamlService
+    private val pipelineYamlService: PipelineYamlService,
+    private val pipelinePermissionService: PipelinePermissionService
 ) {
     companion object {
         private val logger = LoggerFactory.getLogger(PipelineBuildWebhookService::class.java)
@@ -268,6 +272,11 @@ class PipelineBuildWebhookService @Autowired constructor(
             val matchResult = matcher.isMatch(projectId, pipelineId, repo, webHookParams)
             if (matchResult.isMatch) {
                 try {
+                    checkPermission(
+                        userId = userId,
+                        projectId = projectId,
+                        pipelineId = pipelineId
+                    )
                     val webhookCommit = WebhookCommit(
                         userId = userId,
                         pipelineId = pipelineId,
@@ -312,6 +321,19 @@ class PipelineBuildWebhookService @Autowired constructor(
                             .reason(PipelineTriggerReason.TRIGGER_SUCCESS.name)
                             .buildNum(buildDetail?.buildNum.toString())
                     }
+                } catch (permissionException: PermissionForbiddenException) {
+                    logger.warn("check permission failed", permissionException)
+                    builder.eventSource(repo.repoHashId!!)
+                        .status(PipelineTriggerStatus.FAILED.name)
+                        .reason(PipelineTriggerReason.TRIGGER_FAILED.name)
+                        .reasonDetail(
+                            PipelineTriggerFailedErrorCode(
+                                errorCode = ProcessMessageCode.BK_AUTHOR_NOT_PIPELINE_EXECUTE_PERMISSION,
+                                params = listOf(userId)
+                            )
+                        )
+                    // 当前流水线没有权限触发
+                    return false
                 } catch (ignore: Exception) {
                     logger.warn("$pipelineId|webhook trigger|(${element.name})|repo(${matcher.getRepoName()})", ignore)
                     builder.eventSource(eventSource = repo.repoHashId!!)
@@ -513,7 +535,6 @@ class PipelineBuildWebhookService @Autowired constructor(
 //            errorCode = ProcessMessageCode.ERROR_NO_RELEASE_PIPELINE_VERSION
 //        )
         val version = webhookCommit.version ?: pipelineInfo.version
-        checkPermission(pipelineInfo.lastModifyUser, projectId = projectId, pipelineId = pipelineId)
 
         val resource = pipelineRepositoryService.getPipelineResourceVersion(
             projectId = projectId,
@@ -600,7 +621,16 @@ class PipelineBuildWebhookService @Autowired constructor(
     }
 
     private fun checkPermission(userId: String, projectId: String, pipelineId: String) {
-        pipelineBuildPermissionService.checkPermission(userId = userId, projectId = projectId, pipelineId = pipelineId)
+        pipelinePermissionService.validPipelinePermission(
+            userId = userId,
+            projectId = projectId,
+            pipelineId = pipelineId,
+            permission = AuthPermission.EXECUTE,
+            message = I18nUtil.getCodeLanMessage(
+                messageCode = ProcessMessageCode.USER_NO_PIPELINE_PERMISSION_UNDER_PROJECT,
+                params = arrayOf(userId, projectId, AuthPermission.EXECUTE.getI18n(I18nUtil.getLanguage(userId)))
+            )
+        )
     }
 
     private fun uploadProjectUserMetrics(

diff --git a/...cess/src/main/kotlin/com/tencent/devops/process/webhook/PipelineBuildPermissionService.kt b/...cess/src/main/kotlin/com/tencent/devops/process/webhook/PipelineBuildPermissionService.kt
diff --git a/support-files/i18n/process/message_en_US.properties b/support-files/i18n/process/message_en_US.properties
@@ -783,5 +783,6 @@ bkRepoTriggerSkipWipNotMatch=Do not trigger during WIP stage
 bkPipelineRunConditionResult=The calculation result of custom condition [{0}] is: {1}
 bkPipelineRunConditionNotMatch=, which is not met and will be skipped.
 bkPipelineRunConditionWithError=The calculation of custom condition has error: {0}
+bkAuthorNotPipelineExecutePermission=The authority holder for [{0}] no longer has permission to execute the current pipeline. This may be because the permission has expired or they are no longer responsible for this pipeline. Please contact the pipeline owner to handle it.
 transferErrorCheckAgentIdFailed=The current private build machine data is incorrect or does not exist
 transferErrorCheckEnvIdFailed=The current private build machine cluster data is incorrect or does not exist
diff --git a/support-files/i18n/process/message_zh_CN.properties b/support-files/i18n/process/message_zh_CN.properties
@@ -783,5 +783,6 @@ bkRepoTriggerSkipWipNotMatch=WIP阶段不触发
 bkPipelineRunConditionResult=自定义条件[{0}]的计算结果为：{1}
 bkPipelineRunConditionNotMatch=，条件未满足即将跳过
 bkPipelineRunConditionWithError=自定义条件计算出错：{0}
+bkAuthorNotPipelineExecutePermission=权限代持人[{0}]已无当前流水线执行权限，可能是权限已过期或不再负责此流水线，请联系流水线拥有者处理
 transferErrorCheckAgentIdFailed=当前私有构建机数据有误或不存在
 transferErrorCheckEnvIdFailed=当前私有构建机集群数据有误或不存在