Module: API::Helpers::Kubernetes::AgentHelpers

Includes:

Gitlab::Utils::StrongMemoize

Defined in:

lib/api/helpers/kubernetes/agent_helpers.rb

Instance Method Summary

• #access_token ⇒ Object
• #agent ⇒ Object
• #agent_has_access_to_project?(project) ⇒ Boolean
• #agent_token ⇒ Object
• #authenticate_gitlab_kas_request! ⇒ Object
• #check_agent_token ⇒ Object
• #check_feature_enabled ⇒ Object
• #gitaly_info(project) ⇒ Object
• #gitaly_repository(project) ⇒ Object
• #increment_count_events ⇒ Object
• #increment_unique_events ⇒ Object
• #retrieve_user_from_personal_access_token ⇒ Object
• #retrieve_user_from_session_cookie ⇒ Object
• #update_configuration(agent:, config:) ⇒ Object

Instance Method Details

#access_token ⇒ Object

# File 'lib/api/helpers/kubernetes/agent_helpers.rb', line 110

def access_token
  return unless params[:access_key].present?

  PersonalAccessToken.find_by_token(params[:access_key])
end

#agent ⇒ Object

# File 'lib/api/helpers/kubernetes/agent_helpers.rb', line 18

def agent
  agent_token.agent
end

#agent_has_access_to_project?(project) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/api/helpers/kubernetes/agent_helpers.rb', line 43

def agent_has_access_to_project?(project)
  Guest.can?(:download_code, project) || agent.has_access_to?(project)
end

#agent_token ⇒ Object

# File 'lib/api/helpers/kubernetes/agent_helpers.rb', line 13

def agent_token
  cluster_agent_token_from_authorization_token
end

#authenticate_gitlab_kas_request! ⇒ Object

# File 'lib/api/helpers/kubernetes/agent_helpers.rb', line 9

def authenticate_gitlab_kas_request!
  render_api_error!('KAS JWT authentication invalid', 401) unless Gitlab::Kas.verify_api_request(headers)
end

#check_agent_token ⇒ Object

# File 'lib/api/helpers/kubernetes/agent_helpers.rb', line 37

def check_agent_token
  unauthorized! unless agent_token

  ::Clusters::AgentTokens::TrackUsageService.new(agent_token).execute
end

#check_feature_enabled ⇒ Object

# File 'lib/api/helpers/kubernetes/agent_helpers.rb', line 33

def check_feature_enabled
  not_found!('Internal API not found') unless Feature.enabled?(:kubernetes_agent_internal_api, type: :ops)
end

#gitaly_info(project) ⇒ Object

# File 'lib/api/helpers/kubernetes/agent_helpers.rb', line 23

def gitaly_info(project)
  gitaly_features = Feature::Gitaly.server_feature_flags

  Gitlab::GitalyClient.connection_data(project.repository_storage).merge(features: gitaly_features)
end

#gitaly_repository(project) ⇒ Object

# File 'lib/api/helpers/kubernetes/agent_helpers.rb', line 29

def gitaly_repository(project)
  project.repository.gitaly_repository.to_h
end

#increment_count_events ⇒ Object

# File 'lib/api/helpers/kubernetes/agent_helpers.rb', line 61

def increment_count_events
  events = params[:counters]&.slice(
    :gitops_sync, :k8s_api_proxy_request, :flux_git_push_notifications_total,
    :k8s_api_proxy_requests_via_ci_access, :k8s_api_proxy_requests_via_user_access,
    :k8s_api_proxy_requests_via_pat_access
  )

  Gitlab::UsageDataCounters::KubernetesAgentCounter.increment_event_counts(events)
end

#increment_unique_events ⇒ Object

# File 'lib/api/helpers/kubernetes/agent_helpers.rb', line 47

def increment_unique_events
  events = params[:unique_counters]&.slice(
    :agent_users_using_ci_tunnel,
    :k8s_api_proxy_requests_unique_users_via_ci_access, :k8s_api_proxy_requests_unique_agents_via_ci_access,
    :k8s_api_proxy_requests_unique_users_via_user_access, :k8s_api_proxy_requests_unique_agents_via_user_access,
    :k8s_api_proxy_requests_unique_users_via_pat_access, :k8s_api_proxy_requests_unique_agents_via_pat_access,
    :flux_git_push_notified_unique_projects
  )

  events&.each do |event, entity_ids|
    increment_unique_values(event, entity_ids)
  end
end

#retrieve_user_from_personal_access_token ⇒ Object

# File 'lib/api/helpers/kubernetes/agent_helpers.rb', line 100

def retrieve_user_from_personal_access_token
  return unless access_token.present?

  validate_access_token!(scopes: [Gitlab::Auth::K8S_PROXY_SCOPE])

  ::PersonalAccessTokens::LastUsedService.new(access_token).execute

  access_token.user || raise(UnauthorizedError)
end

#retrieve_user_from_session_cookie ⇒ Object

# File 'lib/api/helpers/kubernetes/agent_helpers.rb', line 76

def retrieve_user_from_session_cookie
  # Load session
  public_session_id_string =
    begin
      Gitlab::Kas::UserAccess.decrypt_public_session_id(params[:access_key])
    rescue StandardError
      bad_request!('Invalid access_key')
    end

  session_id = Rack::Session::SessionId.new(public_session_id_string)
  session = ActiveSession.sessions_from_ids([session_id.private_id]).first
  unauthorized!('Invalid session') unless session

  # CSRF check
  unless ::Gitlab::Kas::UserAccess.valid_authenticity_token?(session.symbolize_keys, params[:csrf_token])
    unauthorized!('CSRF token does not match')
  end

  # Load user
  user = Warden::SessionSerializer.new('rack.session' => session).fetch(:user)
  unauthorized!('Invalid user in session') unless user
  user
end

#update_configuration(agent:, config:) ⇒ Object

# File 'lib/api/helpers/kubernetes/agent_helpers.rb', line 71

def update_configuration(agent:, config:)
  ::Clusters::Agents::Authorizations::CiAccess::RefreshService.new(agent, config: config).execute
  ::Clusters::Agents::Authorizations::UserAccess::RefreshService.new(agent, config: config).execute
end