Keep external service validation backwards compatible

Changes reject code values only for GitLab.com

lib/gitlab/ci/pipeline/chain/validate/external.rb

@@ -11,9 +11,12 @@ module Gitlab
             InvalidResponseCode = Class.new(StandardError)
 
             VALIDATION_REQUEST_TIMEOUT = 5
+            ACCEPTED_STATUS = 200
+            DOT_COM_REJECTED_STATUS = 406
+            GENERAL_REJECTED_STATUS = (400..499).freeze
 
             def perform!
-              return unless ::Feature.enabled?(:ci_external_validation_service, @pipeline.project, default_enabled: :yaml)
+              return unless enabled?
 
               pipeline_authorized = validate_external
 
@@ -29,27 +32,42 @@ module Gitlab
 
             private
 
+            def enabled?
+              return true unless Gitlab.com?
+
+              ::Feature.enabled?(:ci_external_validation_service, project, default_enabled: :yaml)
+            end
+
             def validate_external
               return true unless validation_service_url
 
               # 200 - accepted
-              # 406 - not accepted
+              # 406 - not accepted on GitLab.com
+              # 4XX - not accepted for other installations
               # everything else - accepted and logged
               response_code = validate_service_request.code
               case response_code
-              when 200
+              when ACCEPTED_STATUS
                 true
-              when 406
+              when rejected_status
                 false
               else
                 raise InvalidResponseCode, "Unsupported response code received from Validation Service: #{response_code}"
               end
             rescue => ex
-              Gitlab::ErrorTracking.track_exception(ex, project_id: @pipeline.project.id)
+              Gitlab::ErrorTracking.track_exception(ex, project_id: project.id)
 
               true
             end
 
+            def rejected_status
+              if Gitlab.com?
+                DOT_COM_REJECTED_STATUS
+              else
+                GENERAL_REJECTED_STATUS
+              end
+            end
+
             def validate_service_request
               Gitlab::HTTP.post(
                 validation_service_url, timeout: VALIDATION_REQUEST_TIMEOUT,

spec/lib/gitlab/ci/pipeline/chain/validate/external_spec.rb

@@ -42,6 +42,7 @@ RSpec.describe Gitlab::Ci::Pipeline::Chain::Validate::External do
   end
 
   let(:save_incompleted) { true }
+  let(:dot_com) { true }
   let(:command) do
     Gitlab::Ci::Pipeline::Chain::Command.new(
       project: project, current_user: user, yaml_processor_result: yaml_processor_result, save_incompleted: save_incompleted
@@ -55,6 +56,7 @@ RSpec.describe Gitlab::Ci::Pipeline::Chain::Validate::External do
 
     before do
       stub_env('EXTERNAL_VALIDATION_SERVICE_URL', validation_service_url)
+      allow(Gitlab).to receive(:com?).and_return(dot_com)
     end
 
     shared_examples 'successful external authorization' do
@@ -143,6 +145,35 @@ RSpec.describe Gitlab::Ci::Pipeline::Chain::Validate::External do
       end
     end
 
+    context 'when not on .com' do
+      let(:dot_com) { false }
+
+      before do
+        stub_feature_flags(ci_external_validation_service: false)
+        stub_request(:post, validation_service_url).to_return(status: 404, body: "{}")
+      end
+
+      it 'drops the pipeline' do
+        perform!
+
+        expect(pipeline.status).to eq('failed')
+        expect(pipeline).to be_persisted
+        expect(pipeline.errors.to_a).to include('External validation failed')
+      end
+
+      it 'breaks the chain' do
+        perform!
+
+        expect(step.break?).to be true
+      end
+
+      it 'logs the authorization' do
+        expect(Gitlab::AppLogger).to receive(:info).with(message: 'Pipeline not authorized', project_id: project.id, user_id: user.id)
+
+        perform!
+      end
+    end
+
     context 'when validation returns 406 Not Acceptable' do
       before do
         stub_request(:post, validation_service_url).to_return(status: 406, body: "{}")