1
0
Fork 0
forgejo/services/release/release.go
Kemal Zebari eb765dabfd
Handle invalid target when creating releases using API (#31841)
A 500 status code was thrown when passing a non-existent target to the
create release API. This snapshot handles this error and instead throws
a 404 status code.

Discovered while working on #31840.

(cherry picked from commit f05d9c98c4cb95e3a8a71bf3e2f8f4529e09f96f)
2024-09-14 18:45:18 +02:00

470 lines
14 KiB
Go

// Copyright 2019 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package release
import (
"context"
"errors"
"fmt"
"strings"
"code.gitea.io/gitea/models"
"code.gitea.io/gitea/models/db"
git_model "code.gitea.io/gitea/models/git"
repo_model "code.gitea.io/gitea/models/repo"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/container"
"code.gitea.io/gitea/modules/git"
"code.gitea.io/gitea/modules/gitrepo"
"code.gitea.io/gitea/modules/graceful"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/repository"
"code.gitea.io/gitea/modules/storage"
"code.gitea.io/gitea/modules/timeutil"
"code.gitea.io/gitea/modules/util"
"code.gitea.io/gitea/services/attachment"
notify_service "code.gitea.io/gitea/services/notify"
)
type AttachmentChange struct {
Action string // "add", "delete", "update
Type string // "attachment", "external"
UUID string
Name string
ExternalURL string
}
func createTag(ctx context.Context, gitRepo *git.Repository, rel *repo_model.Release, msg string) (bool, error) {
err := rel.LoadAttributes(ctx)
if err != nil {
return false, err
}
err = rel.Repo.MustNotBeArchived()
if err != nil {
return false, err
}
var created bool
// Only actual create when publish.
if !rel.IsDraft {
if !gitRepo.IsTagExist(rel.TagName) {
if err := rel.LoadAttributes(ctx); err != nil {
log.Error("LoadAttributes: %v", err)
return false, err
}
protectedTags, err := git_model.GetProtectedTags(ctx, rel.Repo.ID)
if err != nil {
return false, fmt.Errorf("GetProtectedTags: %w", err)
}
// Trim '--' prefix to prevent command line argument vulnerability.
rel.TagName = strings.TrimPrefix(rel.TagName, "--")
isAllowed, err := git_model.IsUserAllowedToControlTag(ctx, protectedTags, rel.TagName, rel.PublisherID)
if err != nil {
return false, err
}
if !isAllowed {
return false, models.ErrProtectedTagName{
TagName: rel.TagName,
}
}
commit, err := gitRepo.GetCommit(rel.Target)
if err != nil {
return false, err
}
if len(msg) > 0 {
if err = gitRepo.CreateAnnotatedTag(rel.TagName, msg, commit.ID.String()); err != nil {
if strings.Contains(err.Error(), "is not a valid tag name") {
return false, models.ErrInvalidTagName{
TagName: rel.TagName,
}
}
return false, err
}
} else if err = gitRepo.CreateTag(rel.TagName, commit.ID.String()); err != nil {
if strings.Contains(err.Error(), "is not a valid tag name") {
return false, models.ErrInvalidTagName{
TagName: rel.TagName,
}
}
return false, err
}
created = true
rel.LowerTagName = strings.ToLower(rel.TagName)
objectFormat := git.ObjectFormatFromName(rel.Repo.ObjectFormatName)
commits := repository.NewPushCommits()
commits.HeadCommit = repository.CommitToPushCommit(commit)
commits.CompareURL = rel.Repo.ComposeCompareURL(objectFormat.EmptyObjectID().String(), commit.ID.String())
refFullName := git.RefNameFromTag(rel.TagName)
notify_service.PushCommits(
ctx, rel.Publisher, rel.Repo,
&repository.PushUpdateOptions{
RefFullName: refFullName,
OldCommitID: objectFormat.EmptyObjectID().String(),
NewCommitID: commit.ID.String(),
}, commits)
notify_service.CreateRef(ctx, rel.Publisher, rel.Repo, refFullName, commit.ID.String())
rel.CreatedUnix = timeutil.TimeStampNow()
}
commit, err := gitRepo.GetTagCommit(rel.TagName)
if err != nil {
return false, fmt.Errorf("GetTagCommit: %w", err)
}
rel.Sha1 = commit.ID.String()
rel.NumCommits, err = commit.CommitsCount()
if err != nil {
return false, fmt.Errorf("CommitsCount: %w", err)
}
if rel.PublisherID <= 0 {
u, err := user_model.GetUserByEmail(ctx, commit.Author.Email)
if err == nil {
rel.PublisherID = u.ID
}
}
} else {
rel.CreatedUnix = timeutil.TimeStampNow()
}
return created, nil
}
// CreateRelease creates a new release of repository.
func CreateRelease(gitRepo *git.Repository, rel *repo_model.Release, msg string, attachmentChanges []*AttachmentChange) error {
has, err := repo_model.IsReleaseExist(gitRepo.Ctx, rel.RepoID, rel.TagName)
if err != nil {
return err
} else if has {
return repo_model.ErrReleaseAlreadyExist{
TagName: rel.TagName,
}
}
if _, err = createTag(gitRepo.Ctx, gitRepo, rel, msg); err != nil {
return err
}
rel.LowerTagName = strings.ToLower(rel.TagName)
if err = db.Insert(gitRepo.Ctx, rel); err != nil {
return err
}
addAttachmentUUIDs := make(container.Set[string])
for _, attachmentChange := range attachmentChanges {
if attachmentChange.Action != "add" {
return fmt.Errorf("can only create new attachments when creating release")
}
switch attachmentChange.Type {
case "attachment":
if attachmentChange.UUID == "" {
return fmt.Errorf("new attachment should have a uuid")
}
addAttachmentUUIDs.Add(attachmentChange.UUID)
case "external":
if attachmentChange.Name == "" || attachmentChange.ExternalURL == "" {
return fmt.Errorf("new external attachment should have a name and external url")
}
_, err = attachment.NewExternalAttachment(gitRepo.Ctx, &repo_model.Attachment{
Name: attachmentChange.Name,
UploaderID: rel.PublisherID,
RepoID: rel.RepoID,
ReleaseID: rel.ID,
ExternalURL: attachmentChange.ExternalURL,
})
if err != nil {
return err
}
default:
if attachmentChange.Type == "" {
return fmt.Errorf("missing attachment type")
}
return fmt.Errorf("unknown attachment type: '%q'", attachmentChange.Type)
}
}
if err = repo_model.AddReleaseAttachments(gitRepo.Ctx, rel.ID, addAttachmentUUIDs.Values()); err != nil {
return err
}
if !rel.IsDraft {
notify_service.NewRelease(gitRepo.Ctx, rel)
}
return nil
}
// CreateNewTag creates a new repository tag
func CreateNewTag(ctx context.Context, doer *user_model.User, repo *repo_model.Repository, commit, tagName, msg string) error {
has, err := repo_model.IsReleaseExist(ctx, repo.ID, tagName)
if err != nil {
return err
} else if has {
return models.ErrTagAlreadyExists{
TagName: tagName,
}
}
gitRepo, closer, err := gitrepo.RepositoryFromContextOrOpen(ctx, repo)
if err != nil {
return err
}
defer closer.Close()
rel := &repo_model.Release{
RepoID: repo.ID,
Repo: repo,
PublisherID: doer.ID,
Publisher: doer,
TagName: tagName,
Target: commit,
IsDraft: false,
IsPrerelease: false,
IsTag: true,
}
if _, err = createTag(ctx, gitRepo, rel, msg); err != nil {
return err
}
return db.Insert(ctx, rel)
}
// UpdateRelease updates information, attachments of a release and will create tag if it's not a draft and tag not exist.
// addAttachmentUUIDs accept a slice of new created attachments' uuids which will be reassigned release_id as the created release
// delAttachmentUUIDs accept a slice of attachments' uuids which will be deleted from the release
// editAttachments accept a map of attachment uuid to new attachment name which will be updated with attachments.
func UpdateRelease(ctx context.Context, doer *user_model.User, gitRepo *git.Repository, rel *repo_model.Release, createdFromTag bool, attachmentChanges []*AttachmentChange,
) error {
if rel.ID == 0 {
return errors.New("UpdateRelease only accepts an exist release")
}
isCreated, err := createTag(gitRepo.Ctx, gitRepo, rel, "")
if err != nil {
return err
}
rel.LowerTagName = strings.ToLower(rel.TagName)
ctx, committer, err := db.TxContext(ctx)
if err != nil {
return err
}
defer committer.Close()
if err = repo_model.UpdateRelease(ctx, rel); err != nil {
return err
}
addAttachmentUUIDs := make(container.Set[string])
delAttachmentUUIDs := make(container.Set[string])
updateAttachmentUUIDs := make(container.Set[string])
updateAttachments := make(container.Set[*AttachmentChange])
for _, attachmentChange := range attachmentChanges {
switch attachmentChange.Action {
case "add":
switch attachmentChange.Type {
case "attachment":
if attachmentChange.UUID == "" {
return fmt.Errorf("new attachment should have a uuid (%s)}", attachmentChange.Name)
}
addAttachmentUUIDs.Add(attachmentChange.UUID)
case "external":
if attachmentChange.Name == "" || attachmentChange.ExternalURL == "" {
return fmt.Errorf("new external attachment should have a name and external url")
}
_, err := attachment.NewExternalAttachment(ctx, &repo_model.Attachment{
Name: attachmentChange.Name,
UploaderID: doer.ID,
RepoID: rel.RepoID,
ReleaseID: rel.ID,
ExternalURL: attachmentChange.ExternalURL,
})
if err != nil {
return err
}
default:
if attachmentChange.Type == "" {
return fmt.Errorf("missing attachment type")
}
return fmt.Errorf("unknown attachment type: %q", attachmentChange.Type)
}
case "delete":
if attachmentChange.UUID == "" {
return fmt.Errorf("attachment deletion should have a uuid")
}
delAttachmentUUIDs.Add(attachmentChange.UUID)
case "update":
updateAttachmentUUIDs.Add(attachmentChange.UUID)
updateAttachments.Add(attachmentChange)
default:
if attachmentChange.Action == "" {
return fmt.Errorf("missing attachment action")
}
return fmt.Errorf("unknown attachment action: %q", attachmentChange.Action)
}
}
if err = repo_model.AddReleaseAttachments(ctx, rel.ID, addAttachmentUUIDs.Values()); err != nil {
return fmt.Errorf("AddReleaseAttachments: %w", err)
}
deletedUUIDs := make(container.Set[string])
if len(delAttachmentUUIDs) > 0 {
// Check attachments
attachments, err := repo_model.GetAttachmentsByUUIDs(ctx, delAttachmentUUIDs.Values())
if err != nil {
return fmt.Errorf("GetAttachmentsByUUIDs [uuids: %v]: %w", delAttachmentUUIDs, err)
}
for _, attach := range attachments {
if attach.ReleaseID != rel.ID {
return util.SilentWrap{
Message: "delete attachment of release permission denied",
Err: util.ErrPermissionDenied,
}
}
deletedUUIDs.Add(attach.UUID)
}
if _, err := repo_model.DeleteAttachments(ctx, attachments, true); err != nil {
return fmt.Errorf("DeleteAttachments [uuids: %v]: %w", delAttachmentUUIDs, err)
}
}
if len(updateAttachmentUUIDs) > 0 {
// Check attachments
attachments, err := repo_model.GetAttachmentsByUUIDs(ctx, updateAttachmentUUIDs.Values())
if err != nil {
return fmt.Errorf("GetAttachmentsByUUIDs [uuids: %v]: %w", updateAttachmentUUIDs, err)
}
for _, attach := range attachments {
if attach.ReleaseID != rel.ID {
return util.SilentWrap{
Message: "update attachment of release permission denied",
Err: util.ErrPermissionDenied,
}
}
}
}
for attachmentChange := range updateAttachments {
if !deletedUUIDs.Contains(attachmentChange.UUID) {
if err = repo_model.UpdateAttachmentByUUID(ctx, &repo_model.Attachment{
UUID: attachmentChange.UUID,
Name: attachmentChange.Name,
ExternalURL: attachmentChange.ExternalURL,
}, "name", "external_url"); err != nil {
return err
}
}
}
if err := committer.Commit(); err != nil {
return err
}
for _, uuid := range delAttachmentUUIDs.Values() {
if err := storage.Attachments.Delete(repo_model.AttachmentRelativePath(uuid)); err != nil {
// Even delete files failed, but the attachments has been removed from database, so we
// should not return error but only record the error on logs.
// users have to delete this attachments manually or we should have a
// synchronize between database attachment table and attachment storage
log.Error("delete attachment[uuid: %s] failed: %v", uuid, err)
}
}
if !rel.IsDraft {
if createdFromTag || isCreated {
notify_service.NewRelease(gitRepo.Ctx, rel)
return nil
}
notify_service.UpdateRelease(gitRepo.Ctx, doer, rel)
}
return nil
}
// DeleteReleaseByID deletes a release and corresponding Git tag by given ID.
func DeleteReleaseByID(ctx context.Context, repo *repo_model.Repository, rel *repo_model.Release, doer *user_model.User, delTag bool) error {
if delTag {
protectedTags, err := git_model.GetProtectedTags(ctx, rel.RepoID)
if err != nil {
return fmt.Errorf("GetProtectedTags: %w", err)
}
isAllowed, err := git_model.IsUserAllowedToControlTag(ctx, protectedTags, rel.TagName, rel.PublisherID)
if err != nil {
return err
}
if !isAllowed {
return models.ErrProtectedTagName{
TagName: rel.TagName,
}
}
err = repo_model.DeleteArchiveDownloadCountForRelease(ctx, rel.ID)
if err != nil {
return err
}
if stdout, _, err := git.NewCommand(ctx, "tag", "-d").AddDashesAndList(rel.TagName).
SetDescription(fmt.Sprintf("DeleteReleaseByID (git tag -d): %d", rel.ID)).
RunStdString(&git.RunOpts{Dir: repo.RepoPath()}); err != nil && !strings.Contains(err.Error(), "not found") {
log.Error("DeleteReleaseByID (git tag -d): %d in %v Failed:\nStdout: %s\nError: %v", rel.ID, repo, stdout, err)
return fmt.Errorf("git tag -d: %w", err)
}
refName := git.RefNameFromTag(rel.TagName)
objectFormat := git.ObjectFormatFromName(repo.ObjectFormatName)
notify_service.PushCommits(
ctx, doer, repo,
&repository.PushUpdateOptions{
RefFullName: refName,
OldCommitID: rel.Sha1,
NewCommitID: objectFormat.EmptyObjectID().String(),
}, repository.NewPushCommits())
notify_service.DeleteRef(ctx, doer, repo, refName)
if _, err := db.DeleteByID[repo_model.Release](ctx, rel.ID); err != nil {
return fmt.Errorf("DeleteReleaseByID: %w", err)
}
} else {
rel.IsTag = true
if err := repo_model.UpdateRelease(ctx, rel); err != nil {
return fmt.Errorf("Update: %w", err)
}
}
rel.Repo = repo
if err := rel.LoadAttributes(ctx); err != nil {
return fmt.Errorf("LoadAttributes: %w", err)
}
if err := repo_model.DeleteAttachmentsByRelease(ctx, rel.ID); err != nil {
return fmt.Errorf("DeleteAttachments: %w", err)
}
for i := range rel.Attachments {
attachment := rel.Attachments[i]
if err := storage.Attachments.Delete(attachment.RelativePath()); err != nil {
log.Error("Delete attachment %s of release %s failed: %v", attachment.UUID, rel.ID, err)
}
}
if !rel.IsDraft {
notify_service.DeleteRelease(ctx, doer, rel)
}
return nil
}
// Init start release service
func Init() error {
return initTagSyncQueue(graceful.GetManager().ShutdownContext())
}