123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501 |
- // Copyright 2022 The Gitea Authors. All rights reserved.
- // SPDX-License-Identifier: MIT
-
- package git
-
- import (
- "context"
- "errors"
- "fmt"
- "strings"
-
- "code.gitea.io/gitea/models/db"
- "code.gitea.io/gitea/models/organization"
- "code.gitea.io/gitea/models/perm"
- access_model "code.gitea.io/gitea/models/perm/access"
- repo_model "code.gitea.io/gitea/models/repo"
- "code.gitea.io/gitea/models/unit"
- user_model "code.gitea.io/gitea/models/user"
- "code.gitea.io/gitea/modules/base"
- "code.gitea.io/gitea/modules/log"
- "code.gitea.io/gitea/modules/timeutil"
- "code.gitea.io/gitea/modules/util"
-
- "github.com/gobwas/glob"
- "github.com/gobwas/glob/syntax"
- )
-
- var ErrBranchIsProtected = errors.New("branch is protected")
-
- // ProtectedBranch struct
- type ProtectedBranch struct {
- ID int64 `xorm:"pk autoincr"`
- RepoID int64 `xorm:"UNIQUE(s)"`
- Repo *repo_model.Repository `xorm:"-"`
- RuleName string `xorm:"'branch_name' UNIQUE(s)"` // a branch name or a glob match to branch name
- globRule glob.Glob `xorm:"-"`
- isPlainName bool `xorm:"-"`
- CanPush bool `xorm:"NOT NULL DEFAULT false"`
- EnableWhitelist bool
- WhitelistUserIDs []int64 `xorm:"JSON TEXT"`
- WhitelistTeamIDs []int64 `xorm:"JSON TEXT"`
- EnableMergeWhitelist bool `xorm:"NOT NULL DEFAULT false"`
- WhitelistDeployKeys bool `xorm:"NOT NULL DEFAULT false"`
- MergeWhitelistUserIDs []int64 `xorm:"JSON TEXT"`
- MergeWhitelistTeamIDs []int64 `xorm:"JSON TEXT"`
- EnableStatusCheck bool `xorm:"NOT NULL DEFAULT false"`
- StatusCheckContexts []string `xorm:"JSON TEXT"`
- EnableApprovalsWhitelist bool `xorm:"NOT NULL DEFAULT false"`
- ApprovalsWhitelistUserIDs []int64 `xorm:"JSON TEXT"`
- ApprovalsWhitelistTeamIDs []int64 `xorm:"JSON TEXT"`
- RequiredApprovals int64 `xorm:"NOT NULL DEFAULT 0"`
- BlockOnRejectedReviews bool `xorm:"NOT NULL DEFAULT false"`
- BlockOnOfficialReviewRequests bool `xorm:"NOT NULL DEFAULT false"`
- BlockOnOutdatedBranch bool `xorm:"NOT NULL DEFAULT false"`
- DismissStaleApprovals bool `xorm:"NOT NULL DEFAULT false"`
- RequireSignedCommits bool `xorm:"NOT NULL DEFAULT false"`
- ProtectedFilePatterns string `xorm:"TEXT"`
- UnprotectedFilePatterns string `xorm:"TEXT"`
-
- CreatedUnix timeutil.TimeStamp `xorm:"created"`
- UpdatedUnix timeutil.TimeStamp `xorm:"updated"`
- }
-
- func init() {
- db.RegisterModel(new(ProtectedBranch))
- }
-
- // IsRuleNameSpecial return true if it contains special character
- func IsRuleNameSpecial(ruleName string) bool {
- for i := 0; i < len(ruleName); i++ {
- if syntax.Special(ruleName[i]) {
- return true
- }
- }
- return false
- }
-
- func (protectBranch *ProtectedBranch) loadGlob() {
- if protectBranch.globRule == nil {
- var err error
- protectBranch.globRule, err = glob.Compile(protectBranch.RuleName, '/')
- if err != nil {
- log.Warn("Invalid glob rule for ProtectedBranch[%d]: %s %v", protectBranch.ID, protectBranch.RuleName, err)
- protectBranch.globRule = glob.MustCompile(glob.QuoteMeta(protectBranch.RuleName), '/')
- }
- protectBranch.isPlainName = !IsRuleNameSpecial(protectBranch.RuleName)
- }
- }
-
- // Match tests if branchName matches the rule
- func (protectBranch *ProtectedBranch) Match(branchName string) bool {
- protectBranch.loadGlob()
- if protectBranch.isPlainName {
- return strings.EqualFold(protectBranch.RuleName, branchName)
- }
-
- return protectBranch.globRule.Match(branchName)
- }
-
- func (protectBranch *ProtectedBranch) LoadRepo(ctx context.Context) (err error) {
- if protectBranch.Repo != nil {
- return nil
- }
- protectBranch.Repo, err = repo_model.GetRepositoryByID(ctx, protectBranch.RepoID)
- return err
- }
-
- // CanUserPush returns if some user could push to this protected branch
- func (protectBranch *ProtectedBranch) CanUserPush(ctx context.Context, user *user_model.User) bool {
- if !protectBranch.CanPush {
- return false
- }
-
- if !protectBranch.EnableWhitelist {
- if err := protectBranch.LoadRepo(ctx); err != nil {
- log.Error("LoadRepo: %v", err)
- return false
- }
-
- writeAccess, err := access_model.HasAccessUnit(ctx, user, protectBranch.Repo, unit.TypeCode, perm.AccessModeWrite)
- if err != nil {
- log.Error("HasAccessUnit: %v", err)
- return false
- }
- return writeAccess
- }
-
- if base.Int64sContains(protectBranch.WhitelistUserIDs, user.ID) {
- return true
- }
-
- if len(protectBranch.WhitelistTeamIDs) == 0 {
- return false
- }
-
- in, err := organization.IsUserInTeams(ctx, user.ID, protectBranch.WhitelistTeamIDs)
- if err != nil {
- log.Error("IsUserInTeams: %v", err)
- return false
- }
- return in
- }
-
- // IsUserMergeWhitelisted checks if some user is whitelisted to merge to this branch
- func IsUserMergeWhitelisted(ctx context.Context, protectBranch *ProtectedBranch, userID int64, permissionInRepo access_model.Permission) bool {
- if !protectBranch.EnableMergeWhitelist {
- // Then we need to fall back on whether the user has write permission
- return permissionInRepo.CanWrite(unit.TypeCode)
- }
-
- if base.Int64sContains(protectBranch.MergeWhitelistUserIDs, userID) {
- return true
- }
-
- if len(protectBranch.MergeWhitelistTeamIDs) == 0 {
- return false
- }
-
- in, err := organization.IsUserInTeams(ctx, userID, protectBranch.MergeWhitelistTeamIDs)
- if err != nil {
- log.Error("IsUserInTeams: %v", err)
- return false
- }
- return in
- }
-
- // IsUserOfficialReviewer check if user is official reviewer for the branch (counts towards required approvals)
- func IsUserOfficialReviewer(ctx context.Context, protectBranch *ProtectedBranch, user *user_model.User) (bool, error) {
- repo, err := repo_model.GetRepositoryByID(ctx, protectBranch.RepoID)
- if err != nil {
- return false, err
- }
-
- if !protectBranch.EnableApprovalsWhitelist {
- // Anyone with write access is considered official reviewer
- writeAccess, err := access_model.HasAccessUnit(ctx, user, repo, unit.TypeCode, perm.AccessModeWrite)
- if err != nil {
- return false, err
- }
- return writeAccess, nil
- }
-
- if base.Int64sContains(protectBranch.ApprovalsWhitelistUserIDs, user.ID) {
- return true, nil
- }
-
- inTeam, err := organization.IsUserInTeams(ctx, user.ID, protectBranch.ApprovalsWhitelistTeamIDs)
- if err != nil {
- return false, err
- }
-
- return inTeam, nil
- }
-
- // GetProtectedFilePatterns parses a semicolon separated list of protected file patterns and returns a glob.Glob slice
- func (protectBranch *ProtectedBranch) GetProtectedFilePatterns() []glob.Glob {
- return getFilePatterns(protectBranch.ProtectedFilePatterns)
- }
-
- // GetUnprotectedFilePatterns parses a semicolon separated list of unprotected file patterns and returns a glob.Glob slice
- func (protectBranch *ProtectedBranch) GetUnprotectedFilePatterns() []glob.Glob {
- return getFilePatterns(protectBranch.UnprotectedFilePatterns)
- }
-
- func getFilePatterns(filePatterns string) []glob.Glob {
- extarr := make([]glob.Glob, 0, 10)
- for _, expr := range strings.Split(strings.ToLower(filePatterns), ";") {
- expr = strings.TrimSpace(expr)
- if expr != "" {
- if g, err := glob.Compile(expr, '.', '/'); err != nil {
- log.Info("Invalid glob expression '%s' (skipped): %v", expr, err)
- } else {
- extarr = append(extarr, g)
- }
- }
- }
- return extarr
- }
-
- // MergeBlockedByProtectedFiles returns true if merge is blocked by protected files change
- func (protectBranch *ProtectedBranch) MergeBlockedByProtectedFiles(changedProtectedFiles []string) bool {
- glob := protectBranch.GetProtectedFilePatterns()
- if len(glob) == 0 {
- return false
- }
-
- return len(changedProtectedFiles) > 0
- }
-
- // IsProtectedFile return if path is protected
- func (protectBranch *ProtectedBranch) IsProtectedFile(patterns []glob.Glob, path string) bool {
- if len(patterns) == 0 {
- patterns = protectBranch.GetProtectedFilePatterns()
- if len(patterns) == 0 {
- return false
- }
- }
-
- lpath := strings.ToLower(strings.TrimSpace(path))
-
- r := false
- for _, pat := range patterns {
- if pat.Match(lpath) {
- r = true
- break
- }
- }
-
- return r
- }
-
- // IsUnprotectedFile return if path is unprotected
- func (protectBranch *ProtectedBranch) IsUnprotectedFile(patterns []glob.Glob, path string) bool {
- if len(patterns) == 0 {
- patterns = protectBranch.GetUnprotectedFilePatterns()
- if len(patterns) == 0 {
- return false
- }
- }
-
- lpath := strings.ToLower(strings.TrimSpace(path))
-
- r := false
- for _, pat := range patterns {
- if pat.Match(lpath) {
- r = true
- break
- }
- }
-
- return r
- }
-
- // GetProtectedBranchRuleByName getting protected branch rule by name
- func GetProtectedBranchRuleByName(ctx context.Context, repoID int64, ruleName string) (*ProtectedBranch, error) {
- rel := &ProtectedBranch{RepoID: repoID, RuleName: ruleName}
- has, err := db.GetByBean(ctx, rel)
- if err != nil {
- return nil, err
- }
- if !has {
- return nil, nil
- }
- return rel, nil
- }
-
- // GetProtectedBranchRuleByID getting protected branch rule by rule ID
- func GetProtectedBranchRuleByID(ctx context.Context, repoID, ruleID int64) (*ProtectedBranch, error) {
- rel := &ProtectedBranch{ID: ruleID, RepoID: repoID}
- has, err := db.GetByBean(ctx, rel)
- if err != nil {
- return nil, err
- }
- if !has {
- return nil, nil
- }
- return rel, nil
- }
-
- // WhitelistOptions represent all sorts of whitelists used for protected branches
- type WhitelistOptions struct {
- UserIDs []int64
- TeamIDs []int64
-
- MergeUserIDs []int64
- MergeTeamIDs []int64
-
- ApprovalsUserIDs []int64
- ApprovalsTeamIDs []int64
- }
-
- // UpdateProtectBranch saves branch protection options of repository.
- // If ID is 0, it creates a new record. Otherwise, updates existing record.
- // This function also performs check if whitelist user and team's IDs have been changed
- // to avoid unnecessary whitelist delete and regenerate.
- func UpdateProtectBranch(ctx context.Context, repo *repo_model.Repository, protectBranch *ProtectedBranch, opts WhitelistOptions) (err error) {
- if err = repo.GetOwner(ctx); err != nil {
- return fmt.Errorf("GetOwner: %v", err)
- }
-
- whitelist, err := updateUserWhitelist(ctx, repo, protectBranch.WhitelistUserIDs, opts.UserIDs)
- if err != nil {
- return err
- }
- protectBranch.WhitelistUserIDs = whitelist
-
- whitelist, err = updateUserWhitelist(ctx, repo, protectBranch.MergeWhitelistUserIDs, opts.MergeUserIDs)
- if err != nil {
- return err
- }
- protectBranch.MergeWhitelistUserIDs = whitelist
-
- whitelist, err = updateApprovalWhitelist(ctx, repo, protectBranch.ApprovalsWhitelistUserIDs, opts.ApprovalsUserIDs)
- if err != nil {
- return err
- }
- protectBranch.ApprovalsWhitelistUserIDs = whitelist
-
- // if the repo is in an organization
- whitelist, err = updateTeamWhitelist(ctx, repo, protectBranch.WhitelistTeamIDs, opts.TeamIDs)
- if err != nil {
- return err
- }
- protectBranch.WhitelistTeamIDs = whitelist
-
- whitelist, err = updateTeamWhitelist(ctx, repo, protectBranch.MergeWhitelistTeamIDs, opts.MergeTeamIDs)
- if err != nil {
- return err
- }
- protectBranch.MergeWhitelistTeamIDs = whitelist
-
- whitelist, err = updateTeamWhitelist(ctx, repo, protectBranch.ApprovalsWhitelistTeamIDs, opts.ApprovalsTeamIDs)
- if err != nil {
- return err
- }
- protectBranch.ApprovalsWhitelistTeamIDs = whitelist
-
- // Make sure protectBranch.ID is not 0 for whitelists
- if protectBranch.ID == 0 {
- if _, err = db.GetEngine(ctx).Insert(protectBranch); err != nil {
- return fmt.Errorf("Insert: %v", err)
- }
- return nil
- }
-
- if _, err = db.GetEngine(ctx).ID(protectBranch.ID).AllCols().Update(protectBranch); err != nil {
- return fmt.Errorf("Update: %v", err)
- }
-
- return nil
- }
-
- // updateApprovalWhitelist checks whether the user whitelist changed and returns a whitelist with
- // the users from newWhitelist which have explicit read or write access to the repo.
- func updateApprovalWhitelist(ctx context.Context, repo *repo_model.Repository, currentWhitelist, newWhitelist []int64) (whitelist []int64, err error) {
- hasUsersChanged := !util.SliceSortedEqual(currentWhitelist, newWhitelist)
- if !hasUsersChanged {
- return currentWhitelist, nil
- }
-
- whitelist = make([]int64, 0, len(newWhitelist))
- for _, userID := range newWhitelist {
- if reader, err := access_model.IsRepoReader(ctx, repo, userID); err != nil {
- return nil, err
- } else if !reader {
- continue
- }
- whitelist = append(whitelist, userID)
- }
-
- return whitelist, err
- }
-
- // updateUserWhitelist checks whether the user whitelist changed and returns a whitelist with
- // the users from newWhitelist which have write access to the repo.
- func updateUserWhitelist(ctx context.Context, repo *repo_model.Repository, currentWhitelist, newWhitelist []int64) (whitelist []int64, err error) {
- hasUsersChanged := !util.SliceSortedEqual(currentWhitelist, newWhitelist)
- if !hasUsersChanged {
- return currentWhitelist, nil
- }
-
- whitelist = make([]int64, 0, len(newWhitelist))
- for _, userID := range newWhitelist {
- user, err := user_model.GetUserByID(ctx, userID)
- if err != nil {
- return nil, fmt.Errorf("GetUserByID [user_id: %d, repo_id: %d]: %v", userID, repo.ID, err)
- }
- perm, err := access_model.GetUserRepoPermission(ctx, repo, user)
- if err != nil {
- return nil, fmt.Errorf("GetUserRepoPermission [user_id: %d, repo_id: %d]: %v", userID, repo.ID, err)
- }
-
- if !perm.CanWrite(unit.TypeCode) {
- continue // Drop invalid user ID
- }
-
- whitelist = append(whitelist, userID)
- }
-
- return whitelist, err
- }
-
- // updateTeamWhitelist checks whether the team whitelist changed and returns a whitelist with
- // the teams from newWhitelist which have write access to the repo.
- func updateTeamWhitelist(ctx context.Context, repo *repo_model.Repository, currentWhitelist, newWhitelist []int64) (whitelist []int64, err error) {
- hasTeamsChanged := !util.SliceSortedEqual(currentWhitelist, newWhitelist)
- if !hasTeamsChanged {
- return currentWhitelist, nil
- }
-
- teams, err := organization.GetTeamsWithAccessToRepo(ctx, repo.OwnerID, repo.ID, perm.AccessModeRead)
- if err != nil {
- return nil, fmt.Errorf("GetTeamsWithAccessToRepo [org_id: %d, repo_id: %d]: %v", repo.OwnerID, repo.ID, err)
- }
-
- whitelist = make([]int64, 0, len(teams))
- for i := range teams {
- if util.SliceContains(newWhitelist, teams[i].ID) {
- whitelist = append(whitelist, teams[i].ID)
- }
- }
-
- return whitelist, err
- }
-
- // DeleteProtectedBranch removes ProtectedBranch relation between the user and repository.
- func DeleteProtectedBranch(ctx context.Context, repoID, id int64) (err error) {
- protectedBranch := &ProtectedBranch{
- RepoID: repoID,
- ID: id,
- }
-
- if affected, err := db.GetEngine(ctx).Delete(protectedBranch); err != nil {
- return err
- } else if affected != 1 {
- return fmt.Errorf("delete protected branch ID(%v) failed", id)
- }
-
- return nil
- }
-
- // RemoveUserIDFromProtectedBranch remove all user ids from protected branch options
- func RemoveUserIDFromProtectedBranch(ctx context.Context, p *ProtectedBranch, userID int64) error {
- lenIDs, lenApprovalIDs, lenMergeIDs := len(p.WhitelistUserIDs), len(p.ApprovalsWhitelistUserIDs), len(p.MergeWhitelistUserIDs)
- p.WhitelistUserIDs = util.SliceRemoveAll(p.WhitelistUserIDs, userID)
- p.ApprovalsWhitelistUserIDs = util.SliceRemoveAll(p.ApprovalsWhitelistUserIDs, userID)
- p.MergeWhitelistUserIDs = util.SliceRemoveAll(p.MergeWhitelistUserIDs, userID)
-
- if lenIDs != len(p.WhitelistUserIDs) || lenApprovalIDs != len(p.ApprovalsWhitelistUserIDs) ||
- lenMergeIDs != len(p.MergeWhitelistUserIDs) {
- if _, err := db.GetEngine(ctx).ID(p.ID).Cols(
- "whitelist_user_i_ds",
- "merge_whitelist_user_i_ds",
- "approvals_whitelist_user_i_ds",
- ).Update(p); err != nil {
- return fmt.Errorf("updateProtectedBranches: %v", err)
- }
- }
- return nil
- }
-
- // RemoveTeamIDFromProtectedBranch remove all team ids from protected branch options
- func RemoveTeamIDFromProtectedBranch(ctx context.Context, p *ProtectedBranch, teamID int64) error {
- lenIDs, lenApprovalIDs, lenMergeIDs := len(p.WhitelistTeamIDs), len(p.ApprovalsWhitelistTeamIDs), len(p.MergeWhitelistTeamIDs)
- p.WhitelistTeamIDs = util.SliceRemoveAll(p.WhitelistTeamIDs, teamID)
- p.ApprovalsWhitelistTeamIDs = util.SliceRemoveAll(p.ApprovalsWhitelistTeamIDs, teamID)
- p.MergeWhitelistTeamIDs = util.SliceRemoveAll(p.MergeWhitelistTeamIDs, teamID)
-
- if lenIDs != len(p.WhitelistTeamIDs) ||
- lenApprovalIDs != len(p.ApprovalsWhitelistTeamIDs) ||
- lenMergeIDs != len(p.MergeWhitelistTeamIDs) {
- if _, err := db.GetEngine(ctx).ID(p.ID).Cols(
- "whitelist_team_i_ds",
- "merge_whitelist_team_i_ds",
- "approvals_whitelist_team_i_ds",
- ).Update(p); err != nil {
- return fmt.Errorf("updateProtectedBranches: %v", err)
- }
- }
- return nil
- }
|