2018-12-13 13:39:08 +05:30
# frozen_string_literal: true
2016-08-24 12:49:21 +05:30
module Gitlab
module Checks
class ChangeAccess
2017-09-10 17:25:29 +05:30
ERROR_MESSAGES = {
push_code : 'You are not allowed to push code to this project.' ,
delete_default_branch : 'The default branch of a project cannot be deleted.' ,
force_push_protected_branch : 'You are not allowed to force push code to a protected branch on this project.' ,
2018-11-08 19:23:39 +05:30
non_master_delete_protected_branch : 'You are not allowed to delete protected branches from this project. Only a project maintainer or owner can delete a protected branch.' ,
2017-09-10 17:25:29 +05:30
non_web_delete_protected_branch : 'You can only delete protected branches using the web interface.' ,
merge_protected_branch : 'You are not allowed to merge code into protected branches on this project.' ,
push_protected_branch : 'You are not allowed to push code to protected branches on this project.' ,
change_existing_tags : 'You are not allowed to change existing tags on this project.' ,
update_protected_tag : 'Protected tags cannot be updated.' ,
delete_protected_tag : 'Protected tags cannot be deleted.' ,
2018-03-17 18:26:18 +05:30
create_protected_tag : 'You are not allowed to create this tag as it is protected.' ,
lfs_objects_missing : 'LFS objects are missing. Ensure LFS is properly set up or try a manual "git lfs push --all".'
2017-09-10 17:25:29 +05:30
} . freeze
2018-12-13 13:39:08 +05:30
LOG_MESSAGES = {
push_checks : " Checking if you are allowed to push... " ,
delete_default_branch_check : " Checking if default branch is being deleted... " ,
protected_branch_checks : " Checking if you are force pushing to a protected branch... " ,
protected_branch_push_checks : " Checking if you are allowed to push to the protected branch... " ,
protected_branch_deletion_checks : " Checking if you are allowed to delete the protected branch... " ,
tag_checks : " Checking if you are allowed to change existing tags... " ,
protected_tag_checks : " Checking if you are creating, updating or deleting a protected tag... " ,
lfs_objects_exist_check : " Scanning repository for blobs stored in LFS and verifying their files have been uploaded to GitLab... " ,
commits_check_file_paths_validation : " Validating commits' file paths... " ,
commits_check : " Validating commit contents... "
} . freeze
attr_reader :user_access , :project , :skip_authorization , :skip_lfs_integrity_check , :protocol , :oldrev , :newrev , :ref , :branch_name , :tag_name , :logger
2016-08-24 12:49:21 +05:30
2017-08-17 22:00:37 +05:30
def initialize (
change , user_access : , project : , skip_authorization : false ,
2018-12-13 13:39:08 +05:30
skip_lfs_integrity_check : false , protocol : , logger :
2017-08-17 22:00:37 +05:30
)
2016-09-13 17:45:13 +05:30
@oldrev , @newrev , @ref = change . values_at ( :oldrev , :newrev , :ref )
@branch_name = Gitlab :: Git . branch_name ( @ref )
2017-08-17 22:00:37 +05:30
@tag_name = Gitlab :: Git . tag_name ( @ref )
2016-08-24 12:49:21 +05:30
@user_access = user_access
@project = project
2017-08-17 22:00:37 +05:30
@skip_authorization = skip_authorization
2018-03-17 18:26:18 +05:30
@skip_lfs_integrity_check = skip_lfs_integrity_check
2017-08-17 22:00:37 +05:30
@protocol = protocol
2018-12-13 13:39:08 +05:30
@logger = logger
@logger . append_message ( " Running checks for ref: #{ @branch_name || @tag_name } " )
2016-08-24 12:49:21 +05:30
end
2018-03-17 18:26:18 +05:30
def exec ( skip_commits_check : false )
2017-09-10 17:25:29 +05:30
return true if skip_authorization
2016-08-24 12:49:21 +05:30
2017-09-10 17:25:29 +05:30
push_checks
branch_checks
tag_checks
2018-03-17 18:26:18 +05:30
lfs_objects_exist_check unless skip_lfs_integrity_check
commits_check unless skip_commits_check
2017-09-10 17:25:29 +05:30
true
2016-08-24 12:49:21 +05:30
end
protected
2017-09-10 17:25:29 +05:30
def push_checks
2018-12-13 13:39:08 +05:30
logger . log_timed ( LOG_MESSAGES [ __method__ ] ) do
unless can_push?
raise GitAccess :: UnauthorizedError , ERROR_MESSAGES [ :push_code ]
end
2017-09-10 17:25:29 +05:30
end
end
def branch_checks
2018-03-17 18:26:18 +05:30
return unless branch_name
2017-09-10 17:25:29 +05:30
2018-12-13 13:39:08 +05:30
logger . log_timed ( LOG_MESSAGES [ :delete_default_branch_check ] ) do
if deletion? && branch_name == project . default_branch
raise GitAccess :: UnauthorizedError , ERROR_MESSAGES [ :delete_default_branch ]
end
2017-09-10 17:25:29 +05:30
end
protected_branch_checks
end
def protected_branch_checks
2018-12-13 13:39:08 +05:30
logger . log_timed ( LOG_MESSAGES [ __method__ ] ) do
return unless ProtectedBranch . protected? ( project , branch_name ) # rubocop:disable Cop/AvoidReturnFromBlocks
2016-08-24 12:49:21 +05:30
2018-12-13 13:39:08 +05:30
if forced_push?
raise GitAccess :: UnauthorizedError , ERROR_MESSAGES [ :force_push_protected_branch ]
end
2016-08-24 12:49:21 +05:30
end
2017-09-10 17:25:29 +05:30
if deletion?
protected_branch_deletion_checks
else
protected_branch_push_checks
end
end
def protected_branch_deletion_checks
2018-12-13 13:39:08 +05:30
logger . log_timed ( LOG_MESSAGES [ __method__ ] ) do
unless user_access . can_delete_branch? ( branch_name )
raise GitAccess :: UnauthorizedError , ERROR_MESSAGES [ :non_master_delete_protected_branch ]
end
2017-09-10 17:25:29 +05:30
2018-12-13 13:39:08 +05:30
unless updated_from_web?
raise GitAccess :: UnauthorizedError , ERROR_MESSAGES [ :non_web_delete_protected_branch ]
end
2017-09-10 17:25:29 +05:30
end
end
def protected_branch_push_checks
2018-12-13 13:39:08 +05:30
logger . log_timed ( LOG_MESSAGES [ __method__ ] ) do
if matching_merge_request?
unless user_access . can_merge_to_branch? ( branch_name ) || user_access . can_push_to_branch? ( branch_name )
raise GitAccess :: UnauthorizedError , ERROR_MESSAGES [ :merge_protected_branch ]
end
else
unless user_access . can_push_to_branch? ( branch_name )
raise GitAccess :: UnauthorizedError , push_to_protected_branch_rejected_message
end
2016-08-24 12:49:21 +05:30
end
end
end
def tag_checks
2018-03-17 18:26:18 +05:30
return unless tag_name
2017-08-17 22:00:37 +05:30
2018-12-13 13:39:08 +05:30
logger . log_timed ( LOG_MESSAGES [ __method__ ] ) do
if tag_exists? && user_access . cannot_do_action? ( :admin_project )
raise GitAccess :: UnauthorizedError , ERROR_MESSAGES [ :change_existing_tags ]
end
2016-08-24 12:49:21 +05:30
end
2017-08-17 22:00:37 +05:30
protected_tag_checks
end
def protected_tag_checks
2018-12-13 13:39:08 +05:30
logger . log_timed ( LOG_MESSAGES [ __method__ ] ) do
return unless ProtectedTag . protected? ( project , tag_name ) # rubocop:disable Cop/AvoidReturnFromBlocks
2017-08-17 22:00:37 +05:30
2018-12-13 13:39:08 +05:30
raise ( GitAccess :: UnauthorizedError , ERROR_MESSAGES [ :update_protected_tag ] ) if update?
raise ( GitAccess :: UnauthorizedError , ERROR_MESSAGES [ :delete_protected_tag ] ) if deletion?
2016-08-24 12:49:21 +05:30
2018-12-13 13:39:08 +05:30
unless user_access . can_create_tag? ( tag_name )
raise GitAccess :: UnauthorizedError , ERROR_MESSAGES [ :create_protected_tag ]
end
2016-08-24 12:49:21 +05:30
end
end
2018-03-17 18:26:18 +05:30
def commits_check
return if deletion? || newrev . nil?
return unless should_run_commit_validations?
2018-12-13 13:39:08 +05:30
logger . log_timed ( LOG_MESSAGES [ __method__ ] ) do
# n+1: https://gitlab.com/gitlab-org/gitlab-ee/issues/3593
:: Gitlab :: GitalyClient . allow_n_plus_1_calls do
commits . each do | commit |
logger . check_timeout_reached
commit_check . validate ( commit , validations_for_commit ( commit ) )
end
2018-03-17 18:26:18 +05:30
end
end
2018-12-13 13:39:08 +05:30
logger . log_timed ( LOG_MESSAGES [ :commits_check_file_paths_validation ] ) do
commit_check . validate_file_paths
end
2018-03-17 18:26:18 +05:30
end
# Method overwritten in EE to inject custom validations
def validations_for_commit ( _ )
[ ]
end
2016-08-24 12:49:21 +05:30
private
2018-11-18 11:00:15 +05:30
def push_to_protected_branch_rejected_message
if project . empty_repo?
empty_project_push_message
else
ERROR_MESSAGES [ :push_protected_branch ]
end
end
def empty_project_push_message
<< ~ MESSAGE
A default branch ( e . g . master ) does not yet exist for #{project.full_path}
Ask a project Owner or Maintainer to create a default branch :
#{project_members_url}
MESSAGE
end
def project_members_url
Gitlab :: Routing . url_helpers . project_project_members_url ( project )
end
2018-03-17 18:26:18 +05:30
def should_run_commit_validations?
commit_check . validate_lfs_file_locks?
end
def updated_from_web?
protocol == 'web'
end
2017-08-17 22:00:37 +05:30
def tag_exists?
2018-03-17 18:26:18 +05:30
project . repository . tag_exists? ( tag_name )
2016-08-24 12:49:21 +05:30
end
def forced_push?
2018-03-17 18:26:18 +05:30
Gitlab :: Checks :: ForcePush . force_push? ( project , oldrev , newrev )
2016-08-24 12:49:21 +05:30
end
2017-08-17 22:00:37 +05:30
def update?
2018-03-17 18:26:18 +05:30
! Gitlab :: Git . blank_ref? ( oldrev ) && ! deletion?
2017-08-17 22:00:37 +05:30
end
def deletion?
2018-03-17 18:26:18 +05:30
Gitlab :: Git . blank_ref? ( newrev )
2017-08-17 22:00:37 +05:30
end
2016-08-24 12:49:21 +05:30
def matching_merge_request?
2018-03-17 18:26:18 +05:30
Checks :: MatchingMergeRequest . new ( newrev , branch_name , project ) . match?
end
def lfs_objects_exist_check
2018-12-13 13:39:08 +05:30
logger . log_timed ( LOG_MESSAGES [ __method__ ] ) do
lfs_check = Checks :: LfsIntegrity . new ( project , newrev , logger . time_left )
2018-03-17 18:26:18 +05:30
2018-12-13 13:39:08 +05:30
if lfs_check . objects_missing?
raise GitAccess :: UnauthorizedError , ERROR_MESSAGES [ :lfs_objects_missing ]
end
2018-03-17 18:26:18 +05:30
end
end
def commit_check
@commit_check || = Gitlab :: Checks :: CommitCheck . new ( project , user_access . user , newrev , oldrev )
end
def commits
@commits || = project . repository . new_commits ( newrev )
2016-08-24 12:49:21 +05:30
end
2018-03-27 19:54:05 +05:30
def can_push?
user_access . can_do_action? ( :push_code ) ||
user_access . can_push_to_branch? ( branch_name )
end
2016-08-24 12:49:21 +05:30
end
end
end