Merge branch '9258-support-alerts-from-external-prometheus-servers-model' into 'master'

Implement alerting setting model See merge request gitlab-org/gitlab-ee!9334

Merge branch '9258-support-alerts-from-external-prometheus-servers-model' into 'master'
Implement alerting setting model See merge request gitlab-org/gitlab-ee!9334
072e9f54 · Sean McGivern · fc3cb7aa · 39aa9458 · 072e9f54 · 072e9f54
Commit 072e9f54 authored Feb 04, 2019 by Sean McGivern
16 changed files
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -2166,6 +2166,11 @@ ActiveRecord::Schema.define(version: 20190124200344) do
    t.index ["name"], name: "index_programming_languages_on_name", unique: true, using: :btree
  end
+  create_table "project_alerting_settings", primary_key: "project_id", id: :integer, force: :cascade do |t|
+    t.string "encrypted_token", null: false
+    t.string "encrypted_token_iv", null: false
+  end
  create_table "project_authorizations", id: false, force: :cascade do |t|
    t.integer "user_id", null: false
    t.integer "project_id", null: false
@@ -3462,6 +3467,7 @@ ActiveRecord::Schema.define(version: 20190124200344) do
  add_foreign_key "personal_access_tokens", "users"
  add_foreign_key "pool_repositories", "projects", column: "source_project_id", on_delete: :nullify
  add_foreign_key "pool_repositories", "shards", on_delete: :restrict
+  add_foreign_key "project_alerting_settings", "projects", on_delete: :cascade
  add_foreign_key "project_authorizations", "projects", on_delete: :cascade
  add_foreign_key "project_authorizations", "users", on_delete: :cascade
  add_foreign_key "project_auto_devops", "projects", on_delete: :cascade

--- a/ee/app/controllers/ee/projects/settings/operations_controller.rb
+++ b/ee/app/controllers/ee/projects/settings/operations_controller.rb
@@ -8,13 +8,34 @@ module EE
        extend ActiveSupport::Concern
        prepended do
+          before_action :authorize_read_prometheus_alerts!,
+            only: [:reset_alerting_token]
+          respond_to :json, only: [:reset_alerting_token]
+          def reset_alerting_token
+            result = ::Projects::Operations::UpdateService
+              .new(project, current_user, alerting_params)
+              .execute
+            if result[:status] == :success
+              render json: { token: project.alerting_setting.token }
+            else
+              render json: {}, status: :unprocessable_entity
+            end
+          end
          helper_method :tracing_setting
+          private
+          def alerting_params
+            { alerting_setting_attributes: { regenerate_token: true } }
+          end
          def tracing_setting
            @tracing_setting ||= project.tracing_setting || project.build_tracing_setting
          end
-          private :tracing_setting
        end
        override :permitted_project_params

--- a/ee/app/models/alerting/project_alerting_setting.rb
+++ b/ee/app/models/alerting/project_alerting_setting.rb
+# frozen_string_literal: true
+require 'securerandom'
+module Alerting
+  class ProjectAlertingSetting < ApplicationRecord
+    belongs_to :project
+    validates :token, presence: true
+    attr_encrypted :token,
+      mode: :per_attribute_iv,
+      key: Settings.attr_encrypted_db_key_base_truncated,
+      algorithm: 'aes-256-gcm'
+    before_validation :ensure_token
+    private
+    def ensure_token
+      self.token ||= generate_token
+    end
+    def generate_token
+      SecureRandom.hex
+    end
+  end
+end
--- a/ee/app/models/ee/project.rb
+++ b/ee/app/models/ee/project.rb
@@ -40,6 +40,7 @@ module EE
      has_one :github_service
      has_one :gitlab_slack_application_service
      has_one :tracing_setting, class_name: 'ProjectTracingSetting'
+      has_one :alerting_setting, inverse_of: :project, class_name: 'Alerting::ProjectAlertingSetting'
      has_one :feature_usage, class_name: 'ProjectFeatureUsage'
      has_many :reviews, inverse_of: :project
@@ -118,6 +119,7 @@ module EE
      delegate :store_security_reports_available?, to: :namespace
      accepts_nested_attributes_for :tracing_setting, update_only: true, allow_destroy: true
+      accepts_nested_attributes_for :alerting_setting, update_only: true
    end
    class_methods do

--- a/ee/app/services/ee/projects/operations/update_service.rb
+++ b/ee/app/services/ee/projects/operations/update_service.rb
@@ -9,7 +9,9 @@ module EE
        override :project_update_params
        def project_update_params
-          super.merge(tracing_setting_params)
+          super
+            .merge(tracing_setting_params)
+            .merge(alerting_setting_params)
        end
        private
@@ -22,6 +24,23 @@ module EE
          { tracing_setting_attributes: attr.merge(_destroy: destroy) }
        end
+        def alerting_setting_params
+          return {} unless can?(current_user, :read_prometheus_alerts, project)
+          attr = params[:alerting_setting_attributes]
+          return {} unless attr
+          regenerate_token = attr.delete(:regenerate_token)
+          if regenerate_token
+            attr[:token] = nil
+          else
+            attr = attr.except(:token) # rubocop: disable CodeReuse/ActiveRecord
+          end
+          { alerting_setting_attributes: attr }
+        end
      end
    end
  end

--- a/ee/app/services/projects/prometheus/alerts/notify_service.rb
+++ b/ee/app/services/projects/prometheus/alerts/notify_service.rb
@@ -34,10 +34,21 @@ module Projects
        end
        def valid_alert_manager_token?(token)
-          # We don't support token authorization for manual installations.
+          valid_for_manual?(token) || valid_for_managed?(token)
+        end
+        def valid_for_manual?(token)
          prometheus = project.find_or_initialize_service('prometheus')
-          return true if prometheus.manual_configuration?
+          return false unless prometheus.manual_configuration?
+          if setting = project.alerting_setting
+            compare_token(token, setting.token)
+          else
+            token.nil?
+          end
+        end
+        def valid_for_managed?(token)
          prometheus_application = available_prometheus_application(project)
          return false unless prometheus_application

--- a/ee/changelogs/unreleased/9258-support-alerts-from-external-prometheus-servers-model.yml
+++ b/ee/changelogs/unreleased/9258-support-alerts-from-external-prometheus-servers-model.yml
+---
+title: Support alerts from external Prometheus servers
+merge_request: 9334
+author:
+type: added
--- a/ee/config/routes/project.rb
+++ b/ee/config/routes/project.rb
@@ -36,6 +36,14 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
          end
        end
      end
+      namespace :settings do
+        resource :operations, only: [:show, :update] do
+          member do
+            post :reset_alerting_token
+          end
+        end
+      end
    end
  end
 end

--- a/ee/db/migrate/20190121140658_create_project_alerting_settings.rb
+++ b/ee/db/migrate/20190121140658_create_project_alerting_settings.rb
+# frozen_string_literal: true
+class CreateProjectAlertingSettings < ActiveRecord::Migration[5.0]
+  include Gitlab::Database::MigrationHelpers
+  DOWNTIME = false
+  def change
+    create_table :project_alerting_settings, id: :int, primary_key: :project_id do |t|
+      t.string :encrypted_token, null: false
+      t.string :encrypted_token_iv, null: false
+      t.foreign_key :projects, column: :project_id, on_delete: :cascade
+    end
+  end
+end
--- a/ee/spec/controllers/projects/settings/operations_controller_spec.rb
+++ b/ee/spec/controllers/projects/settings/operations_controller_spec.rb
@@ -232,6 +232,107 @@ describe Projects::Settings::OperationsController do
    end
  end
+  describe 'POST reset_alerting_token' do
+    let(:project) { create(:project) }
+    before do
+      stub_licensed_features(prometheus_alerts: true)
+      project.add_maintainer(user)
+    end
+    context 'with existing alerting setting' do
+      let!(:alerting_setting) do
+        create(:project_alerting_setting, project: project)
+      end
+      let!(:old_token) { alerting_setting.token }
+      it 'returns newly reset token' do
+        reset_alerting_token
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(json_response['token']).to eq(alerting_setting.reload.token)
+        expect(old_token).not_to eq(alerting_setting.token)
+      end
+    end
+    context 'without existing alerting setting' do
+      it 'creates a token' do
+        reset_alerting_token
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(project.alerting_setting).not_to be_nil
+        expect(json_response['token']).to eq(project.alerting_setting.token)
+      end
+    end
+    context 'when update fails' do
+      let(:operations_update_service) { spy(:operations_update_service) }
+      let(:alerting_params) do
+        { alerting_setting_attributes: { regenerate_token: true } }
+      end
+      before do
+        expect(::Projects::Operations::UpdateService)
+          .to receive(:new).with(project, user, alerting_params)
+          .and_return(operations_update_service)
+        expect(operations_update_service).to receive(:execute)
+          .and_return(status: :error)
+      end
+      it 'returns unprocessable_entity' do
+        reset_alerting_token
+        expect(response).to have_gitlab_http_status(:unprocessable_entity)
+        expect(json_response).to be_empty
+      end
+    end
+    context 'with insufficient permissions' do
+      before do
+        project.add_reporter(user)
+      end
+      it 'returns 404' do
+        reset_alerting_token
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+    end
+    context 'as an anonymous user' do
+      before do
+        sign_out(user)
+      end
+      it 'returns unauthorized status' do
+        reset_alerting_token
+        expect(response).to have_gitlab_http_status(:unauthorized)
+      end
+    end
+    context 'without a license' do
+      before do
+        stub_licensed_features(prometheus_alerts: false)
+      end
+      it 'returns 404' do
+        reset_alerting_token
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+    end
+    private
+    def reset_alerting_token
+      post :reset_alerting_token,
+        params: project_params(project),
+        format: :json
+    end
+  end
  private
  def project_params(project, params = {})

--- a/ee/spec/factories/project_alerting_settings.rb
+++ b/ee/spec/factories/project_alerting_settings.rb
+# frozen_string_literal: true
+FactoryBot.define do
+  factory :project_alerting_setting, class: Alerting::ProjectAlertingSetting do
+    project
+    token 'access_token_123'
+  end
+end
--- a/ee/spec/lib/gitlab/import_export/all_models.yml
+++ b/ee/spec/lib/gitlab/import_export/all_models.yml
@@ -77,6 +77,7 @@ project:
 - packages
 - package_files
 - tracing_setting
+- alerting_setting
 - webide_pipelines
 - reviews
 prometheus_metrics:

--- a/ee/spec/models/alerting/project_alerting_setting_spec.rb
+++ b/ee/spec/models/alerting/project_alerting_setting_spec.rb
+# frozen_string_literal: true
+require 'spec_helper'
+describe Alerting::ProjectAlertingSetting do
+  set(:project) { create(:project) }
+  subject { create(:project_alerting_setting, project: project) }
+  describe 'Associations' do
+    it { is_expected.to belong_to(:project) }
+  end
+  describe '#token' do
+    context 'when set' do
+      let(:token) { SecureRandom.hex }
+      subject do
+        create(:project_alerting_setting, project: project, token: token)
+      end
+      it 'reads the token' do
+        expect(subject.token).to eq(token)
+        expect(subject.encrypted_token).not_to be_nil
+        expect(subject.encrypted_token_iv).not_to be_nil
+      end
+    end
+    context 'when not set' do
+      before do
+        subject.token = nil
+      end
+      it 'generates a token before validation' do
+        expect(subject).to be_valid
+        expect(subject.token).to match(/\A\h{32}\z/)
+      end
+    end
+  end
+end
--- a/ee/spec/models/project_spec.rb
+++ b/ee/spec/models/project_spec.rb
@@ -16,6 +16,7 @@ describe Project do
    it { is_expected.to have_one(:import_state).class_name('ProjectImportState') }
    it { is_expected.to have_one(:repository_state).class_name('ProjectRepositoryState').inverse_of(:project) }
+    it { is_expected.to have_one(:alerting_setting).class_name('Alerting::ProjectAlertingSetting') }
    it { is_expected.to have_many(:reviews).inverse_of(:project) }
    it { is_expected.to have_many(:path_locks) }

--- a/ee/spec/services/projects/operations/update_service_spec.rb
+++ b/ee/spec/services/projects/operations/update_service_spec.rb
@@ -3,12 +3,12 @@
 require 'spec_helper'
 describe Projects::Operations::UpdateService do
-  subject { described_class.new(project, user, params) }
+  set(:user) { create(:user) }
+  let(:project) { create(:project) }
  let(:result) { subject.execute }
-  set(:user) { create(:user) }
+  subject { described_class.new(project, user, params) }
-  set(:project) { create(:project) }
  describe '#execute' do
    context 'tracing setting' do
@@ -98,5 +98,95 @@ describe Projects::Operations::UpdateService do
        end
      end
    end
+    context 'alerting setting' do
+      before do
+        stub_licensed_features(prometheus_alerts: true)
+        project.add_maintainer(user)
+      end
+      shared_examples 'no operation' do
+        it 'does nothing' do
+          expect(result[:status]).to eq(:success)
+          expect(project.reload.alerting_setting).to be_nil
+        end
+      end
+      context 'with valid params' do
+        let(:params) { { alerting_setting_attributes: alerting_params } }
+        shared_examples 'setting creation' do
+          it 'creates a setting' do
+            expect(project.alerting_setting).to be_nil
+            expect(result[:status]).to eq(:success)
+            expect(project.reload.alerting_setting).not_to be_nil
+          end
+        end
+        context 'when regenerate_token is not set' do
+          let(:alerting_params) { { token: 'some token' } }
+          context 'with an existing setting' do
+            let!(:alerting_setting) do
+              create(:project_alerting_setting, project: project)
+            end
+            it 'ignores provided token' do
+              expect(result[:status]).to eq(:success)
+              expect(project.reload.alerting_setting.token)
+                .to eq(alerting_setting.token)
+            end
+          end
+          context 'without an existing setting' do
+            it_behaves_like 'setting creation'
+          end
+        end
+        context 'when regenerate_token is set' do
+          let(:alerting_params) { { regenerate_token: true } }
+          context 'with an existing setting' do
+            let(:token) { 'some token' }
+            let!(:alerting_setting) do
+              create(:project_alerting_setting, project: project, token: token)
+            end
+            it 'regenerates token' do
+              expect(result[:status]).to eq(:success)
+              expect(project.reload.alerting_setting.token).not_to eq(token)
+            end
+          end
+          context 'without an existing setting' do
+            it_behaves_like 'setting creation'
+            context 'without license' do
+              before do
+                stub_licensed_features(prometheus_alerts: false)
+              end
+              it_behaves_like 'no operation'
+            end
+            context 'with insufficient permissions' do
+              before do
+                project.add_reporter(user)
+              end
+              it_behaves_like 'no operation'
+            end
+          end
+        end
+      end
+      context 'with empty params' do
+        let(:params) { {} }
+        it_behaves_like 'no operation'
+      end
+    end
  end
 end
--- a/ee/spec/services/projects/prometheus/alerts/notify_service_spec.rb
+++ b/ee/spec/services/projects/prometheus/alerts/notify_service_spec.rb
@@ -70,8 +70,6 @@ describe Projects::Prometheus::Alerts::NotifyService do
      end
      with_them do
-        let(:alert_manager_token) { token_input }
        before do
          cluster = create(:cluster, :provided_by_user,
                           projects: [project],
@@ -138,11 +136,38 @@ describe Projects::Prometheus::Alerts::NotifyService do
    end
    context 'with manual prometheus installation' do
-      before do
+      using RSpec::Parameterized::TableSyntax
-        create(:prometheus_service, project: project)
+      where(:alerting_setting, :configured_token, :token_input, :result) do
+        true  | token | token | :success
+        true  | token | 'x'   | :failure
+        true  | token | nil   | :failure
+        false | nil   | nil   | :success
+        false | nil   | token | :failure
      end
-      it_behaves_like 'notifies alerts'
+      with_them do
+        let(:alert_manager_token) { token_input }
+        before do
+          create(:prometheus_service, project: project)
+          if alerting_setting
+            create(:project_alerting_setting,
+                   project: project,
+                   token: configured_token)
+          end
+        end
+        case result = params[:result]
+        when :success
+          it_behaves_like 'notifies alerts'
+        when :failure
+          it_behaves_like 'no notifications'
+        else
+          raise "invalid result: #{result.inspect}"
+        end
+      end
    end
  end