web: honor allowed-labels setting in the REST API

This change adds a new gearman method to get the allowed-labels setting
so that the web service can filter the list of available labels per
tenant.

Change-Id: I5b1f9a19340b98d4100ffe8e904b434851b50293

tests/unit/test_web.py

@@ -766,6 +766,21 @@ class TestWeb(BaseTestWeb):
         self.assertIn(expected, resp.json())
 
 
+class TestWebMultiTenant(BaseTestWeb):
+    tenant_config_file = 'config/multi-tenant/main.yaml'
+
+    def test_web_labels_allowed_list(self):
+        labels = ["tenant-one-label", "fake", "tenant-two-label"]
+        self.fake_nodepool.registerLauncher(labels, "FakeLauncher2")
+        # Tenant-one has label restriction in place
+        res = self.get_url('api/tenant/tenant-one/labels').json()
+        self.assertEqual([{'name': 'fake'}, {'name': 'tenant-one-label'}], res)
+        # Tenant-two does not
+        res = self.get_url('api/tenant/tenant-two/labels').json()
+        self.assertEqual(
+            list(map(lambda x: {'name': x}, sorted(labels + ["label1"]))), res)
+
+
 class TestWebSecrets(BaseTestWeb):
     tenant_config_file = 'config/secrets/main.yaml'
 

zuul/rpclistener.py

@@ -62,6 +62,7 @@ class RPCListener(object):
     def register(self):
         self.worker.registerFunction("zuul:autohold")
         self.worker.registerFunction("zuul:autohold_list")
+        self.worker.registerFunction("zuul:allowed_labels_get")
         self.worker.registerFunction("zuul:dequeue")
         self.worker.registerFunction("zuul:enqueue")
         self.worker.registerFunction("zuul:enqueue_ref")
@@ -480,6 +481,17 @@ class RPCListener(object):
 
         gear_job.sendWorkComplete(json.dumps(output))
 
+    def handle_allowed_labels_get(self, job):
+        args = json.loads(job.arguments)
+        tenant = self.sched.abide.tenants.get(args.get("tenant"))
+        if not tenant:
+            job.sendWorkComplete(json.dumps(None))
+            return
+        labels = tenant.allowed_labels
+        if not labels:
+            labels = []
+        job.sendWorkComplete(json.dumps(labels))
+
     def handle_pipeline_list(self, job):
         args = json.loads(job.arguments)
         tenant = self.sched.abide.tenants.get(args.get("tenant"))

zuul/web/__init__.py

@@ -29,6 +29,8 @@ import time
 import select
 import threading
 
+import re2
+
 import zuul.model
 import zuul.rpcclient
 import zuul.zk
@@ -394,10 +396,17 @@ class ZuulWebAPI(object):
     @cherrypy.tools.save_params()
     @cherrypy.tools.json_out(content_type='application/json; charset=utf-8')
     def labels(self, tenant):
+        job = self.rpc.submitJob('zuul:allowed_labels_get', {'tenant': tenant})
+        allowed_labels = json.loads(job.data[0])
+        if allowed_labels is None:
+            raise cherrypy.HTTPError(404, 'Tenant %s does not exist.' % tenant)
         labels = set()
         for launcher in self.zk.getRegisteredLaunchers():
             for label in launcher.supported_labels:
-                labels.add(label)
+                if not allowed_labels or (
+                        [True for allowed_label in allowed_labels if
+                         re2.match(allowed_label, label)]):
+                    labels.add(label)
         ret = [{'name': label} for label in sorted(labels)]
         resp = cherrypy.response
         resp.headers['Access-Control-Allow-Origin'] = '*'