Supports wildcard protected branch (#20825)

This PR introduce glob match for protected branch name. The separator is
`/` and you can use `*` matching non-separator chars and use `**` across
separator.

It also supports input an exist or non-exist branch name as matching
condition and branch name condition has high priority than glob rule.

Should fix #2529 and #15705

screenshots

<img width="1160" alt="image"
src="https://user-images.githubusercontent.com/81045/205651179-ebb5492a-4ade-4bb4-a13c-965e8c927063.png">

Co-authored-by: zeripath <art27@cantab.net>

3 files changed, 13 insertions, 11 deletions

diff --git a/services/repository/branch.go b/services/repository/branch.go
index 8717fee23b..291fb4a92b 100644
--- a/services/repository/branch.go
+++ b/services/repository/branch.go
@@ -149,8 +149,7 @@ func RenameBranch(repo *repo_model.Repository, doer *user_model.User, gitRepo *g
 
 // enmuerates all branch related errors
 var (
-	ErrBranchIsDefault   = errors.New("branch is default")
-	ErrBranchIsProtected = errors.New("branch is protected")
+	ErrBranchIsDefault = errors.New("branch is default")
 )
 
 // DeleteBranch delete branch
@@ -159,13 +158,12 @@ func DeleteBranch(doer *user_model.User, repo *repo_model.Repository, gitRepo *g
 		return ErrBranchIsDefault
 	}
 
-	isProtected, err := git_model.IsProtectedBranch(db.DefaultContext, repo.ID, branchName)
+	isProtected, err := git_model.IsBranchProtected(db.DefaultContext, repo.ID, branchName)
 	if err != nil {
 		return err
 	}
-
 	if isProtected {
-		return ErrBranchIsProtected
+		return git_model.ErrBranchIsProtected
 	}
 
 	commit, err := gitRepo.GetBranchCommit(branchName)
diff --git a/services/repository/files/patch.go b/services/repository/files/patch.go
index 33f4b6c9dc..73ee0fa815 100644
--- a/services/repository/files/patch.go
+++ b/services/repository/files/patch.go
@@ -66,13 +66,16 @@ func (opts *ApplyDiffPatchOptions) Validate(ctx context.Context, repo *repo_mode
 			return err
 		}
 	} else {
-		protectedBranch, err := git_model.GetProtectedBranchBy(ctx, repo.ID, opts.OldBranch)
+		protectedBranch, err := git_model.GetFirstMatchProtectedBranchRule(ctx, repo.ID, opts.OldBranch)
 		if err != nil {
 			return err
 		}
-		if protectedBranch != nil && !protectedBranch.CanUserPush(ctx, doer.ID) {
-			return models.ErrUserCannotCommit{
-				UserName: doer.LowerName,
+		if protectedBranch != nil {
+			protectedBranch.Repo = repo
+			if !protectedBranch.CanUserPush(ctx, doer) {
+				return models.ErrUserCannotCommit{
+					UserName: doer.LowerName,
+				}
 			}
 		}
 		if protectedBranch != nil && protectedBranch.RequireSignedCommits {
diff --git a/services/repository/files/update.go b/services/repository/files/update.go
index 30cfd9e2dd..58b7a5e082 100644
--- a/services/repository/files/update.go
+++ b/services/repository/files/update.go
@@ -463,17 +463,18 @@ func CreateOrUpdateRepoFile(ctx context.Context, repo *repo_model.Repository, do
 
 // VerifyBranchProtection verify the branch protection for modifying the given treePath on the given branch
 func VerifyBranchProtection(ctx context.Context, repo *repo_model.Repository, doer *user_model.User, branchName, treePath string) error {
-	protectedBranch, err := git_model.GetProtectedBranchBy(ctx, repo.ID, branchName)
+	protectedBranch, err := git_model.GetFirstMatchProtectedBranchRule(ctx, repo.ID, branchName)
 	if err != nil {
 		return err
 	}
 	if protectedBranch != nil {
+		protectedBranch.Repo = repo
 		isUnprotectedFile := false
 		glob := protectedBranch.GetUnprotectedFilePatterns()
 		if len(glob) != 0 {
 			isUnprotectedFile = protectedBranch.IsUnprotectedFile(glob, treePath)
 		}
-		if !protectedBranch.CanUserPush(ctx, doer.ID) && !isUnprotectedFile {
+		if !protectedBranch.CanUserPush(ctx, doer) && !isUnprotectedFile {
 			return models.ErrUserCannotCommit{
 				UserName: doer.LowerName,
 			}