
screwdriver-cd / screwdriver / #3202

25 Jul 2025 04:52PM UTC coverage: 67.669% (-27.3%) from 94.935%
#3202

push

screwdriver

web-flow
feat(3363): Update the existing endpoint to get admin for a pipeline from the specified SCM context (#3370)

1284 of 2114 branches covered (60.74%)

Branch coverage included in aggregate %.

1 of 11 new or added lines in 1 file covered. (9.09%)

1235 existing lines in 49 files now uncovered.

3417 of 4833 relevant lines covered (70.7%)

50.53 hits per line


20.83
/plugins/secrets/index.js
'use strict';

const boom = require('@hapi/boom');
const createRoute = require('./create');
const getRoute = require('./get');
const removeRoute = require('./remove');
const updateRoute = require('./update');
const { getUserPermissions, getScmUri } = require('../helper');

/**
 * Secrets API Plugin
 *
 * Exposes the `canAccess` authorization check on the plugin and registers
 * the create / get / remove / update secret routes.
 * @method register
 * @param  {Hapi}     server            Hapi Server
 */
const secretsPlugin = {
    name: 'secrets',
    async register(server) {
        /**
         * Authorization gate for a single secret.
         *
         * Rejects (with a boom error) when the credential may not touch the secret.
         * When access is granted, the resolved value says whether the secret VALUE
         * may be shown: `false` for user-scoped credentials, `true` for credentials
         * that pass the build/pipeline ownership checks.
         *
         * NOTE(review): the coverage report this listing was taken from marks every
         * statement of this callback as uncovered (file coverage 20.83%), so none of
         * these checks were exercised by tests in that build. Confirm the test suite
         * actually ran before relying on that build as evidence the gate works.
         *
         * @method canAccess
         * @param {Object}  credentials              Credential object from Hapi
         * @param {String}  credentials.username     Username of the person logged in (or build ID)
         * @param {String}  credentials.scmContext   Scm of the person logged in (or build ID)
         * @param {Array}   credentials.scope        Scope of the credential (user, build, admin)
         * @param {String}  [credentials.pipelineId] If credential is a build, this is the pipeline ID
         * @param {String}  [credentials.configPipelineId] If credential is a build, this is the parent pipeline ID
         * @param {String}  [credentials.jobId]      If credential is a build, this is the job ID
         * @param {Boolean} [credentials.isPR]       If credential is a build, this is true if a PR
         * @param {Object}  secret                   Secret object from Hapi
         * @param {String}  permission               Required permission level
         * @param {Object}  app                      Server app object (provides userFactory and pipelineFactory)
         * @return {Promise<Boolean>}                Whether the secret value may be shown
         */
        const canAccess = async (credentials, secret, permission, app) => {
            const { userFactory, pipelineFactory } = app;
            const { scmContext, scope, username } = credentials;
            const secretPipelineId = secret.pipelineId;

            // The secret must hang off a pipeline that still exists.
            const pipeline = await pipelineFactory.get(secretPipelineId);

            if (!pipeline) {
                throw boom.notFound(`Pipeline ${secretPipelineId} does not exist`);
            }

            // Per the helper's contract, this is the parent's scmUri when the pipeline
            // is a child pipeline on a read-only SCM.
            const scmUri = await getScmUri({ pipeline, pipelineFactory });

            // Pipeline-scoped tokens are pinned to their own pipeline. IDs are compared
            // after parseInt, so a numeric string and a number match; two non-numeric
            // values both parse to NaN, never compare equal, and are rejected.
            if (
                scope.includes('pipeline') &&
                parseInt(secretPipelineId, 10) !== parseInt(credentials.pipelineId, 10)
            ) {
                throw boom.forbidden('Token does not have permission to this secret');
            }

            // User-scoped credentials: authorize against the SCM, never reveal the value.
            if (scope.includes('user')) {
                const user = await userFactory.get({ username, scmContext });

                if (!user) {
                    throw boom.notFound(`User ${username} does not exist`);
                }

                // Presumably rejects when the user lacks `permission` on scmUri; the
                // helper is defined outside this file — verify it fails closed.
                await getUserPermissions({ user, scmUri, level: permission });

                return false;
            }

            // Every credential without the 'user' scope lands here and must own the
            // secret through its pipeline or its parent (config) pipeline.
            // NOTE(review): this comparison is strict (no parseInt normalisation as in
            // the pipeline-token check above), so differing ID types are rejected —
            // confirm both sides carry the same type.
            const ownedByCredential =
                secretPipelineId === credentials.pipelineId || secretPipelineId === credentials.configPipelineId;

            if (!ownedByCredential) {
                throw boom.forbidden(`${username} is not allowed to access this secret`);
            }

            // Secrets are withheld from pull-request builds unless explicitly opted in.
            const withheldFromPR = !secret.allowInPR && credentials.isPR;

            if (withheldFromPR) {
                throw boom.forbidden('This secret is not allowed in pull requests');
            }

            return true;
        };

        server.expose('canAccess', canAccess);

        server.route([createRoute(), getRoute(), removeRoute(), updateRoute()]);
    }
};

module.exports = secretsPlugin;