Add rerun permissions specification to job config

prow/apis/prowjobs/v1/types.go

@@ -161,6 +161,18 @@ type ProwJobSpec struct {
 
 	// ReporterConfig holds reporter-specific configuration
 	ReporterConfig *ReporterConfig `json:"reporter_config,omitempty"`
+
+	// RerunPermissions holds information about which users can rerun the job
+	RerunPermissions *RerunPermissions `json:"rerun_permissions,omitempty"`
+}
+
+type RerunPermissions struct {
+	// If AllowAnyone is set to true, any user can rerun the job
+	AllowAnyone bool `json:"allow_anyone,omitempty"`
+	// GitHubTeams contains IDs of GitHub teams of users who can rerun the job
+	GitHubTeams []int `json:"github_teams,omitempty"`
+	// GitHubUsers contains names of individual users who can rerun the job
+	GitHubUsers []string `json:"github_users,omitempty"`
 }
 
 type ReporterConfig struct {

prow/config/config.go

@@ -829,6 +829,9 @@ func validateJobBase(v JobBase, jobType prowapi.ProwJobType, podNamespace string
 	if v.Spec == nil || len(v.Spec.Containers) == 0 {
 		return nil // knative-build and jenkins jobs have no spec
 	}
+	if v.RerunPermissions != nil && v.RerunPermissions.AllowAnyone && (len(v.RerunPermissions.GitHubUsers) > 0 || len(v.RerunPermissions.GitHubTeams) > 0) {
+		return errors.New("allow anyone is set to true and permitted users or groups are specified")
+	}
 	return validateDecoration(v.Spec.Containers[0], v.DecorationConfig)
 }
 

prow/config/config_test.go

@@ -959,6 +959,16 @@ func TestValidateJobBase(t *testing.T) {
 			},
 			pass: true,
 		},
+		{
+			name: "invalid rerun_permissions",
+			base: JobBase{
+				RerunPermissions: &prowapi.RerunPermissions{
+					AllowAnyone: true,
+					GitHubUsers: []string{"user"},
+				},
+			},
+			pass: false,
+		},
 	}
 
 	for _, tc := range cases {

prow/config/jobs.go

@@ -111,6 +111,8 @@ type JobBase struct {
 	Annotations map[string]string `json:"annotations,omitempty"`
 	// ReporterConfig provides the option to configure reporting on job level
 	ReporterConfig *prowapi.ReporterConfig `json:"reporter_config,omitempty"`
+	// RerunPermissions specifies who can rerun the job
+	RerunPermissions *prowapi.RerunPermissions `json:"rerun_permissions,omitempty"`
 
 	UtilityConfig
 }

prow/pjutil/pjutil.go

@@ -171,7 +171,8 @@ func specFromJobBase(jb config.JobBase) prowapi.ProwJobSpec {
 		BuildSpec:       jb.BuildSpec,
 		PipelineRunSpec: jb.PipelineRunSpec,
 
-		ReporterConfig: jb.ReporterConfig,
+		ReporterConfig:   jb.ReporterConfig,
+		RerunPermissions: jb.RerunPermissions,
 	}
 }
 

prow/pjutil/pjutil_test.go

@@ -746,6 +746,8 @@ func TestCreateRefs(t *testing.T) {
 }
 
 func TestSpecFromJobBase(t *testing.T) {
+	permittedGroups := []int{1234, 5678}
+	permittedUsers := []string{"authorized_user", "another_authorized_user"}
 	testCases := []struct {
 		name    string
 		jobBase config.JobBase
@@ -774,6 +776,31 @@ func TestSpecFromJobBase(t *testing.T) {
 				return nil
 			},
 		},
+		{
+			name: "Verify rerun permissions gets copied",
+			jobBase: config.JobBase{
+				RerunPermissions: &prowapi.RerunPermissions{
+					AllowAnyone: false,
+					GitHubTeams: permittedGroups,
+					GitHubUsers: permittedUsers,
+				},
+			},
+			verify: func(pj prowapi.ProwJobSpec) error {
+				if pj.RerunPermissions == nil {
+					return errors.New("Expected RerunPermissions to be non-nil")
+				}
+				if pj.RerunPermissions.AllowAnyone {
+					return errors.New("Expected RerunPermissions.AllowAnyone to be false")
+				}
+				if pj.RerunPermissions.GitHubTeams == nil {
+					return errors.New("Expected RerunPermissions.Groups to be non-nil")
+				}
+				if pj.RerunPermissions.GitHubUsers == nil {
+					return errors.New("Expected RerunPermissions.Users to be non-nil")
+				}
+				return nil
+			},
+		},
 	}
 
 	for _, tc := range testCases {