123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597 |
- // Copyright 2016 The Gitea Authors. All rights reserved.
- // SPDX-License-Identifier: MIT
-
- package git
-
- import (
- "context"
- "fmt"
- "strings"
- "time"
-
- "code.gitea.io/gitea/models/db"
- "code.gitea.io/gitea/models/organization"
- "code.gitea.io/gitea/models/perm"
- access_model "code.gitea.io/gitea/models/perm/access"
- repo_model "code.gitea.io/gitea/models/repo"
- "code.gitea.io/gitea/models/unit"
- user_model "code.gitea.io/gitea/models/user"
- "code.gitea.io/gitea/modules/base"
- "code.gitea.io/gitea/modules/log"
- "code.gitea.io/gitea/modules/timeutil"
- "code.gitea.io/gitea/modules/util"
-
- "github.com/gobwas/glob"
- )
-
- // ProtectedBranch struct
- type ProtectedBranch struct {
- ID int64 `xorm:"pk autoincr"`
- RepoID int64 `xorm:"UNIQUE(s)"`
- BranchName string `xorm:"UNIQUE(s)"`
- CanPush bool `xorm:"NOT NULL DEFAULT false"`
- EnableWhitelist bool
- WhitelistUserIDs []int64 `xorm:"JSON TEXT"`
- WhitelistTeamIDs []int64 `xorm:"JSON TEXT"`
- EnableMergeWhitelist bool `xorm:"NOT NULL DEFAULT false"`
- WhitelistDeployKeys bool `xorm:"NOT NULL DEFAULT false"`
- MergeWhitelistUserIDs []int64 `xorm:"JSON TEXT"`
- MergeWhitelistTeamIDs []int64 `xorm:"JSON TEXT"`
- EnableStatusCheck bool `xorm:"NOT NULL DEFAULT false"`
- StatusCheckContexts []string `xorm:"JSON TEXT"`
- EnableApprovalsWhitelist bool `xorm:"NOT NULL DEFAULT false"`
- ApprovalsWhitelistUserIDs []int64 `xorm:"JSON TEXT"`
- ApprovalsWhitelistTeamIDs []int64 `xorm:"JSON TEXT"`
- RequiredApprovals int64 `xorm:"NOT NULL DEFAULT 0"`
- BlockOnRejectedReviews bool `xorm:"NOT NULL DEFAULT false"`
- BlockOnOfficialReviewRequests bool `xorm:"NOT NULL DEFAULT false"`
- BlockOnOutdatedBranch bool `xorm:"NOT NULL DEFAULT false"`
- DismissStaleApprovals bool `xorm:"NOT NULL DEFAULT false"`
- RequireSignedCommits bool `xorm:"NOT NULL DEFAULT false"`
- ProtectedFilePatterns string `xorm:"TEXT"`
- UnprotectedFilePatterns string `xorm:"TEXT"`
-
- CreatedUnix timeutil.TimeStamp `xorm:"created"`
- UpdatedUnix timeutil.TimeStamp `xorm:"updated"`
- }
-
- func init() {
- db.RegisterModel(new(ProtectedBranch))
- db.RegisterModel(new(DeletedBranch))
- db.RegisterModel(new(RenamedBranch))
- }
-
- // IsProtected returns if the branch is protected
- func (protectBranch *ProtectedBranch) IsProtected() bool {
- return protectBranch.ID > 0
- }
-
- // CanUserPush returns if some user could push to this protected branch
- func (protectBranch *ProtectedBranch) CanUserPush(ctx context.Context, userID int64) bool {
- if !protectBranch.CanPush {
- return false
- }
-
- if !protectBranch.EnableWhitelist {
- if user, err := user_model.GetUserByID(ctx, userID); err != nil {
- log.Error("GetUserByID: %v", err)
- return false
- } else if repo, err := repo_model.GetRepositoryByID(ctx, protectBranch.RepoID); err != nil {
- log.Error("repo_model.GetRepositoryByID: %v", err)
- return false
- } else if writeAccess, err := access_model.HasAccessUnit(ctx, user, repo, unit.TypeCode, perm.AccessModeWrite); err != nil {
- log.Error("HasAccessUnit: %v", err)
- return false
- } else {
- return writeAccess
- }
- }
-
- if base.Int64sContains(protectBranch.WhitelistUserIDs, userID) {
- return true
- }
-
- if len(protectBranch.WhitelistTeamIDs) == 0 {
- return false
- }
-
- in, err := organization.IsUserInTeams(ctx, userID, protectBranch.WhitelistTeamIDs)
- if err != nil {
- log.Error("IsUserInTeams: %v", err)
- return false
- }
- return in
- }
-
- // IsUserMergeWhitelisted checks if some user is whitelisted to merge to this branch
- func IsUserMergeWhitelisted(ctx context.Context, protectBranch *ProtectedBranch, userID int64, permissionInRepo access_model.Permission) bool {
- if !protectBranch.EnableMergeWhitelist {
- // Then we need to fall back on whether the user has write permission
- return permissionInRepo.CanWrite(unit.TypeCode)
- }
-
- if base.Int64sContains(protectBranch.MergeWhitelistUserIDs, userID) {
- return true
- }
-
- if len(protectBranch.MergeWhitelistTeamIDs) == 0 {
- return false
- }
-
- in, err := organization.IsUserInTeams(ctx, userID, protectBranch.MergeWhitelistTeamIDs)
- if err != nil {
- log.Error("IsUserInTeams: %v", err)
- return false
- }
- return in
- }
-
- // IsUserOfficialReviewer check if user is official reviewer for the branch (counts towards required approvals)
- func IsUserOfficialReviewer(ctx context.Context, protectBranch *ProtectedBranch, user *user_model.User) (bool, error) {
- repo, err := repo_model.GetRepositoryByID(ctx, protectBranch.RepoID)
- if err != nil {
- return false, err
- }
-
- if !protectBranch.EnableApprovalsWhitelist {
- // Anyone with write access is considered official reviewer
- writeAccess, err := access_model.HasAccessUnit(ctx, user, repo, unit.TypeCode, perm.AccessModeWrite)
- if err != nil {
- return false, err
- }
- return writeAccess, nil
- }
-
- if base.Int64sContains(protectBranch.ApprovalsWhitelistUserIDs, user.ID) {
- return true, nil
- }
-
- inTeam, err := organization.IsUserInTeams(ctx, user.ID, protectBranch.ApprovalsWhitelistTeamIDs)
- if err != nil {
- return false, err
- }
-
- return inTeam, nil
- }
-
- // GetProtectedFilePatterns parses a semicolon separated list of protected file patterns and returns a glob.Glob slice
- func (protectBranch *ProtectedBranch) GetProtectedFilePatterns() []glob.Glob {
- return getFilePatterns(protectBranch.ProtectedFilePatterns)
- }
-
- // GetUnprotectedFilePatterns parses a semicolon separated list of unprotected file patterns and returns a glob.Glob slice
- func (protectBranch *ProtectedBranch) GetUnprotectedFilePatterns() []glob.Glob {
- return getFilePatterns(protectBranch.UnprotectedFilePatterns)
- }
-
- func getFilePatterns(filePatterns string) []glob.Glob {
- extarr := make([]glob.Glob, 0, 10)
- for _, expr := range strings.Split(strings.ToLower(filePatterns), ";") {
- expr = strings.TrimSpace(expr)
- if expr != "" {
- if g, err := glob.Compile(expr, '.', '/'); err != nil {
- log.Info("Invalid glob expression '%s' (skipped): %v", expr, err)
- } else {
- extarr = append(extarr, g)
- }
- }
- }
- return extarr
- }
-
- // MergeBlockedByProtectedFiles returns true if merge is blocked by protected files change
- func (protectBranch *ProtectedBranch) MergeBlockedByProtectedFiles(changedProtectedFiles []string) bool {
- glob := protectBranch.GetProtectedFilePatterns()
- if len(glob) == 0 {
- return false
- }
-
- return len(changedProtectedFiles) > 0
- }
-
- // IsProtectedFile return if path is protected
- func (protectBranch *ProtectedBranch) IsProtectedFile(patterns []glob.Glob, path string) bool {
- if len(patterns) == 0 {
- patterns = protectBranch.GetProtectedFilePatterns()
- if len(patterns) == 0 {
- return false
- }
- }
-
- lpath := strings.ToLower(strings.TrimSpace(path))
-
- r := false
- for _, pat := range patterns {
- if pat.Match(lpath) {
- r = true
- break
- }
- }
-
- return r
- }
-
- // IsUnprotectedFile return if path is unprotected
- func (protectBranch *ProtectedBranch) IsUnprotectedFile(patterns []glob.Glob, path string) bool {
- if len(patterns) == 0 {
- patterns = protectBranch.GetUnprotectedFilePatterns()
- if len(patterns) == 0 {
- return false
- }
- }
-
- lpath := strings.ToLower(strings.TrimSpace(path))
-
- r := false
- for _, pat := range patterns {
- if pat.Match(lpath) {
- r = true
- break
- }
- }
-
- return r
- }
-
- // GetProtectedBranchBy getting protected branch by ID/Name
- func GetProtectedBranchBy(ctx context.Context, repoID int64, branchName string) (*ProtectedBranch, error) {
- rel := &ProtectedBranch{RepoID: repoID, BranchName: branchName}
- has, err := db.GetByBean(ctx, rel)
- if err != nil {
- return nil, err
- }
- if !has {
- return nil, nil
- }
- return rel, nil
- }
-
- // WhitelistOptions represent all sorts of whitelists used for protected branches
- type WhitelistOptions struct {
- UserIDs []int64
- TeamIDs []int64
-
- MergeUserIDs []int64
- MergeTeamIDs []int64
-
- ApprovalsUserIDs []int64
- ApprovalsTeamIDs []int64
- }
-
- // UpdateProtectBranch saves branch protection options of repository.
- // If ID is 0, it creates a new record. Otherwise, updates existing record.
- // This function also performs check if whitelist user and team's IDs have been changed
- // to avoid unnecessary whitelist delete and regenerate.
- func UpdateProtectBranch(ctx context.Context, repo *repo_model.Repository, protectBranch *ProtectedBranch, opts WhitelistOptions) (err error) {
- if err = repo.GetOwner(ctx); err != nil {
- return fmt.Errorf("GetOwner: %w", err)
- }
-
- whitelist, err := updateUserWhitelist(ctx, repo, protectBranch.WhitelistUserIDs, opts.UserIDs)
- if err != nil {
- return err
- }
- protectBranch.WhitelistUserIDs = whitelist
-
- whitelist, err = updateUserWhitelist(ctx, repo, protectBranch.MergeWhitelistUserIDs, opts.MergeUserIDs)
- if err != nil {
- return err
- }
- protectBranch.MergeWhitelistUserIDs = whitelist
-
- whitelist, err = updateApprovalWhitelist(ctx, repo, protectBranch.ApprovalsWhitelistUserIDs, opts.ApprovalsUserIDs)
- if err != nil {
- return err
- }
- protectBranch.ApprovalsWhitelistUserIDs = whitelist
-
- // if the repo is in an organization
- whitelist, err = updateTeamWhitelist(ctx, repo, protectBranch.WhitelistTeamIDs, opts.TeamIDs)
- if err != nil {
- return err
- }
- protectBranch.WhitelistTeamIDs = whitelist
-
- whitelist, err = updateTeamWhitelist(ctx, repo, protectBranch.MergeWhitelistTeamIDs, opts.MergeTeamIDs)
- if err != nil {
- return err
- }
- protectBranch.MergeWhitelistTeamIDs = whitelist
-
- whitelist, err = updateTeamWhitelist(ctx, repo, protectBranch.ApprovalsWhitelistTeamIDs, opts.ApprovalsTeamIDs)
- if err != nil {
- return err
- }
- protectBranch.ApprovalsWhitelistTeamIDs = whitelist
-
- // Make sure protectBranch.ID is not 0 for whitelists
- if protectBranch.ID == 0 {
- if _, err = db.GetEngine(ctx).Insert(protectBranch); err != nil {
- return fmt.Errorf("Insert: %w", err)
- }
- return nil
- }
-
- if _, err = db.GetEngine(ctx).ID(protectBranch.ID).AllCols().Update(protectBranch); err != nil {
- return fmt.Errorf("Update: %w", err)
- }
-
- return nil
- }
-
- // GetProtectedBranches get all protected branches
- func GetProtectedBranches(ctx context.Context, repoID int64) ([]*ProtectedBranch, error) {
- protectedBranches := make([]*ProtectedBranch, 0)
- return protectedBranches, db.GetEngine(ctx).Find(&protectedBranches, &ProtectedBranch{RepoID: repoID})
- }
-
- // IsProtectedBranch checks if branch is protected
- func IsProtectedBranch(ctx context.Context, repoID int64, branchName string) (bool, error) {
- protectedBranch := &ProtectedBranch{
- RepoID: repoID,
- BranchName: branchName,
- }
-
- has, err := db.GetEngine(ctx).Exist(protectedBranch)
- if err != nil {
- return true, err
- }
- return has, nil
- }
-
- // updateApprovalWhitelist checks whether the user whitelist changed and returns a whitelist with
- // the users from newWhitelist which have explicit read or write access to the repo.
- func updateApprovalWhitelist(ctx context.Context, repo *repo_model.Repository, currentWhitelist, newWhitelist []int64) (whitelist []int64, err error) {
- hasUsersChanged := !util.SliceSortedEqual(currentWhitelist, newWhitelist)
- if !hasUsersChanged {
- return currentWhitelist, nil
- }
-
- whitelist = make([]int64, 0, len(newWhitelist))
- for _, userID := range newWhitelist {
- if reader, err := access_model.IsRepoReader(ctx, repo, userID); err != nil {
- return nil, err
- } else if !reader {
- continue
- }
- whitelist = append(whitelist, userID)
- }
-
- return whitelist, err
- }
-
- // updateUserWhitelist checks whether the user whitelist changed and returns a whitelist with
- // the users from newWhitelist which have write access to the repo.
- func updateUserWhitelist(ctx context.Context, repo *repo_model.Repository, currentWhitelist, newWhitelist []int64) (whitelist []int64, err error) {
- hasUsersChanged := !util.SliceSortedEqual(currentWhitelist, newWhitelist)
- if !hasUsersChanged {
- return currentWhitelist, nil
- }
-
- whitelist = make([]int64, 0, len(newWhitelist))
- for _, userID := range newWhitelist {
- user, err := user_model.GetUserByID(ctx, userID)
- if err != nil {
- return nil, fmt.Errorf("GetUserByID [user_id: %d, repo_id: %d]: %w", userID, repo.ID, err)
- }
- perm, err := access_model.GetUserRepoPermission(ctx, repo, user)
- if err != nil {
- return nil, fmt.Errorf("GetUserRepoPermission [user_id: %d, repo_id: %d]: %w", userID, repo.ID, err)
- }
-
- if !perm.CanWrite(unit.TypeCode) {
- continue // Drop invalid user ID
- }
-
- whitelist = append(whitelist, userID)
- }
-
- return whitelist, err
- }
-
- // updateTeamWhitelist checks whether the team whitelist changed and returns a whitelist with
- // the teams from newWhitelist which have write access to the repo.
- func updateTeamWhitelist(ctx context.Context, repo *repo_model.Repository, currentWhitelist, newWhitelist []int64) (whitelist []int64, err error) {
- hasTeamsChanged := !util.SliceSortedEqual(currentWhitelist, newWhitelist)
- if !hasTeamsChanged {
- return currentWhitelist, nil
- }
-
- teams, err := organization.GetTeamsWithAccessToRepo(ctx, repo.OwnerID, repo.ID, perm.AccessModeRead)
- if err != nil {
- return nil, fmt.Errorf("GetTeamsWithAccessToRepo [org_id: %d, repo_id: %d]: %w", repo.OwnerID, repo.ID, err)
- }
-
- whitelist = make([]int64, 0, len(teams))
- for i := range teams {
- if util.SliceContains(newWhitelist, teams[i].ID) {
- whitelist = append(whitelist, teams[i].ID)
- }
- }
-
- return whitelist, err
- }
-
- // DeleteProtectedBranch removes ProtectedBranch relation between the user and repository.
- func DeleteProtectedBranch(ctx context.Context, repoID, id int64) (err error) {
- protectedBranch := &ProtectedBranch{
- RepoID: repoID,
- ID: id,
- }
-
- if affected, err := db.GetEngine(ctx).Delete(protectedBranch); err != nil {
- return err
- } else if affected != 1 {
- return fmt.Errorf("delete protected branch ID(%v) failed", id)
- }
-
- return nil
- }
-
- // DeletedBranch struct
- type DeletedBranch struct {
- ID int64 `xorm:"pk autoincr"`
- RepoID int64 `xorm:"UNIQUE(s) INDEX NOT NULL"`
- Name string `xorm:"UNIQUE(s) NOT NULL"`
- Commit string `xorm:"UNIQUE(s) NOT NULL"`
- DeletedByID int64 `xorm:"INDEX"`
- DeletedBy *user_model.User `xorm:"-"`
- DeletedUnix timeutil.TimeStamp `xorm:"INDEX created"`
- }
-
- // AddDeletedBranch adds a deleted branch to the database
- func AddDeletedBranch(ctx context.Context, repoID int64, branchName, commit string, deletedByID int64) error {
- deletedBranch := &DeletedBranch{
- RepoID: repoID,
- Name: branchName,
- Commit: commit,
- DeletedByID: deletedByID,
- }
-
- _, err := db.GetEngine(ctx).Insert(deletedBranch)
- return err
- }
-
- // GetDeletedBranches returns all the deleted branches
- func GetDeletedBranches(ctx context.Context, repoID int64) ([]*DeletedBranch, error) {
- deletedBranches := make([]*DeletedBranch, 0)
- return deletedBranches, db.GetEngine(ctx).Where("repo_id = ?", repoID).Desc("deleted_unix").Find(&deletedBranches)
- }
-
- // GetDeletedBranchByID get a deleted branch by its ID
- func GetDeletedBranchByID(ctx context.Context, repoID, id int64) (*DeletedBranch, error) {
- deletedBranch := &DeletedBranch{}
- has, err := db.GetEngine(ctx).Where("repo_id = ?", repoID).And("id = ?", id).Get(deletedBranch)
- if err != nil {
- return nil, err
- }
- if !has {
- return nil, nil
- }
- return deletedBranch, nil
- }
-
- // RemoveDeletedBranchByID removes a deleted branch from the database
- func RemoveDeletedBranchByID(ctx context.Context, repoID, id int64) (err error) {
- deletedBranch := &DeletedBranch{
- RepoID: repoID,
- ID: id,
- }
-
- if affected, err := db.GetEngine(ctx).Delete(deletedBranch); err != nil {
- return err
- } else if affected != 1 {
- return fmt.Errorf("remove deleted branch ID(%v) failed", id)
- }
-
- return nil
- }
-
- // LoadUser loads the user that deleted the branch
- // When there's no user found it returns a user_model.NewGhostUser
- func (deletedBranch *DeletedBranch) LoadUser(ctx context.Context) {
- user, err := user_model.GetUserByID(ctx, deletedBranch.DeletedByID)
- if err != nil {
- user = user_model.NewGhostUser()
- }
- deletedBranch.DeletedBy = user
- }
-
- // RemoveDeletedBranchByName removes all deleted branches
- func RemoveDeletedBranchByName(ctx context.Context, repoID int64, branch string) error {
- _, err := db.GetEngine(ctx).Where("repo_id=? AND name=?", repoID, branch).Delete(new(DeletedBranch))
- return err
- }
-
- // RemoveOldDeletedBranches removes old deleted branches
- func RemoveOldDeletedBranches(ctx context.Context, olderThan time.Duration) {
- // Nothing to do for shutdown or terminate
- log.Trace("Doing: DeletedBranchesCleanup")
-
- deleteBefore := time.Now().Add(-olderThan)
- _, err := db.GetEngine(ctx).Where("deleted_unix < ?", deleteBefore.Unix()).Delete(new(DeletedBranch))
- if err != nil {
- log.Error("DeletedBranchesCleanup: %v", err)
- }
- }
-
- // RenamedBranch provide renamed branch log
- // will check it when a branch can't be found
- type RenamedBranch struct {
- ID int64 `xorm:"pk autoincr"`
- RepoID int64 `xorm:"INDEX NOT NULL"`
- From string
- To string
- CreatedUnix timeutil.TimeStamp `xorm:"created"`
- }
-
- // FindRenamedBranch check if a branch was renamed
- func FindRenamedBranch(ctx context.Context, repoID int64, from string) (branch *RenamedBranch, exist bool, err error) {
- branch = &RenamedBranch{
- RepoID: repoID,
- From: from,
- }
- exist, err = db.GetEngine(ctx).Get(branch)
-
- return branch, exist, err
- }
-
- // RenameBranch rename a branch
- func RenameBranch(ctx context.Context, repo *repo_model.Repository, from, to string, gitAction func(isDefault bool) error) (err error) {
- ctx, committer, err := db.TxContext(ctx)
- if err != nil {
- return err
- }
- defer committer.Close()
-
- sess := db.GetEngine(ctx)
- // 1. update default branch if needed
- isDefault := repo.DefaultBranch == from
- if isDefault {
- repo.DefaultBranch = to
- _, err = sess.ID(repo.ID).Cols("default_branch").Update(repo)
- if err != nil {
- return err
- }
- }
-
- // 2. Update protected branch if needed
- protectedBranch, err := GetProtectedBranchBy(ctx, repo.ID, from)
- if err != nil {
- return err
- }
-
- if protectedBranch != nil {
- protectedBranch.BranchName = to
- _, err = sess.ID(protectedBranch.ID).Cols("branch_name").Update(protectedBranch)
- if err != nil {
- return err
- }
- }
-
- // 3. Update all not merged pull request base branch name
- _, err = sess.Table("pull_request").Where("base_repo_id=? AND base_branch=? AND has_merged=?",
- repo.ID, from, false).
- Update(map[string]interface{}{"base_branch": to})
- if err != nil {
- return err
- }
-
- // 4. do git action
- if err = gitAction(isDefault); err != nil {
- return err
- }
-
- // 5. insert renamed branch record
- renamedBranch := &RenamedBranch{
- RepoID: repo.ID,
- From: from,
- To: to,
- }
- err = db.Insert(ctx, renamedBranch)
- if err != nil {
- return err
- }
-
- return committer.Commit()
- }
|