gitlab-org--gitlab-foss/lib/gitlab/checks/change_access.rb

module Gitlab
  module Checks
    class ChangeAccess
      ERROR_MESSAGES = {
        push_code: 'You are not allowed to push code to this project.',
        delete_default_branch: 'The default branch of a project cannot be deleted.',
        force_push_protected_branch: 'You are not allowed to force push code to a protected branch on this project.',
        non_master_delete_protected_branch: 'You are not allowed to delete protected branches from this project. Only a project master or owner can delete a protected branch.',
        non_web_delete_protected_branch: 'You can only delete protected branches using the web interface.',
        merge_protected_branch: 'You are not allowed to merge code into protected branches on this project.',
        push_protected_branch: 'You are not allowed to push code to protected branches on this project.',
        change_existing_tags: 'You are not allowed to change existing tags on this project.',
        update_protected_tag: 'Protected tags cannot be updated.',
        delete_protected_tag: 'Protected tags cannot be deleted.',
        create_protected_tag: 'You are not allowed to create this tag as it is protected.'
      }.freeze

      attr_reader :user_access, :project, :skip_authorization, :protocol

      def initialize(
        change, user_access:, project:, skip_authorization: false,
        protocol:
      )
        @oldrev, @newrev, @ref = change.values_at(:oldrev, :newrev, :ref)
        @branch_name = Gitlab::Git.branch_name(@ref)
        @tag_name = Gitlab::Git.tag_name(@ref)
        @user_access = user_access
        @project = project
        @skip_authorization = skip_authorization
        @protocol = protocol
      end

      def exec
        return true if skip_authorization

        push_checks
        branch_checks
        tag_checks

        true
      end

      protected

      def push_checks
        if user_access.cannot_do_action?(:push_code)
          raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:push_code]
        end
      end

      def branch_checks
        return unless @branch_name

        if deletion? && @branch_name == project.default_branch
          raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:delete_default_branch]
        end

        protected_branch_checks
      end

      def protected_branch_checks
        return unless ProtectedBranch.protected?(project, @branch_name)

        if forced_push?
          raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:force_push_protected_branch]
        end

        if deletion?
          protected_branch_deletion_checks
        else
          protected_branch_push_checks
        end
      end

      def protected_branch_deletion_checks
        unless user_access.can_delete_branch?(@branch_name)
          raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:non_master_delete_protected_branch]
        end

        unless protocol == 'web'
          raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:non_web_delete_protected_branch]
        end
      end

      def protected_branch_push_checks
        if matching_merge_request?
          unless user_access.can_merge_to_branch?(@branch_name) || user_access.can_push_to_branch?(@branch_name)
            raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:merge_protected_branch]
          end
        else
          unless user_access.can_push_to_branch?(@branch_name)
            raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:push_protected_branch]
          end
        end
      end

      def tag_checks
        return unless @tag_name

        if tag_exists? && user_access.cannot_do_action?(:admin_project)
          raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:change_existing_tags]
        end

        protected_tag_checks
      end

      def protected_tag_checks
        return unless ProtectedTag.protected?(project, @tag_name)

        raise(GitAccess::UnauthorizedError, ERROR_MESSAGES[:update_protected_tag]) if update?
        raise(GitAccess::UnauthorizedError, ERROR_MESSAGES[:delete_protected_tag]) if deletion?

        unless user_access.can_create_tag?(@tag_name)
          raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:create_protected_tag]
        end
      end

      private

      def tag_exists?
        project.repository.tag_exists?(@tag_name)
      end

      def forced_push?
        Gitlab::Checks::ForcePush.force_push?(@project, @oldrev, @newrev)
      end

      def update?
        !Gitlab::Git.blank_ref?(@oldrev) && !deletion?
      end

      def deletion?
        Gitlab::Git.blank_ref?(@newrev)
      end

      def matching_merge_request?
        Checks::MatchingMergeRequest.new(@newrev, @branch_name, @project).match?
      end
    end
  end
end
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 04:16:56 -04:00			`module Gitlab`
			`module Checks`
			`class ChangeAccess`
Fix Git over HTTP spec * The spec has 7 failures at this point * Specify rendered error messages * Render the GitAccess message rather than “Access denied” * Render the Not Found message provided by GitAccess, instead of a custom one * Expect GitAccess to check the config for whether Git-over-HTTP pull or push is disabled, rather than doing it in the controller * Add more thorough testing for authentication * Dried up a lot of tests * Fixed some broken tests 2017-05-15 19:13:36 -04:00			`ERROR_MESSAGES = {`
			`push_code: 'You are not allowed to push code to this project.',`
			`delete_default_branch: 'The default branch of a project cannot be deleted.',`
			`force_push_protected_branch: 'You are not allowed to force push code to a protected branch on this project.',`
			`non_master_delete_protected_branch: 'You are not allowed to delete protected branches from this project. Only a project master or owner can delete a protected branch.',`
			`non_web_delete_protected_branch: 'You can only delete protected branches using the web interface.',`
			`merge_protected_branch: 'You are not allowed to merge code into protected branches on this project.',`
			`push_protected_branch: 'You are not allowed to push code to protected branches on this project.',`
			`change_existing_tags: 'You are not allowed to change existing tags on this project.',`
			`update_protected_tag: 'Protected tags cannot be updated.',`
			`delete_protected_tag: 'Protected tags cannot be deleted.',`
			`create_protected_tag: 'You are not allowed to create this tag as it is protected.'`
			`}.freeze`

Backport changes from gitlab-org/gitlab-ee!1406 2017-03-13 07:31:27 -04:00			`attr_reader :user_access, :project, :skip_authorization, :protocol`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 04:16:56 -04:00
We never check user privilege if it's a deploy key 2016-11-17 14:48:23 -05:00			`def initialize(`
Don't pass `env` anymore to GitAccess, ChangeAccess, and ForcePush Signed-off-by: Rémy Coutable <remy@rymai.me> 2017-04-05 03:35:58 -04:00			`change, user_access:, project:, skip_authorization: false,`
Backport changes from gitlab-org/gitlab-ee!1406 2017-03-13 07:31:27 -04:00			`protocol:`
			`)`
api for generating new merge request DRY code + fix rubocop Add more test cases Append to changelog DRY changes list find_url service for merge_requests use GET for getting merge request links remove files rename to get_url_service reduce loop add test case for cross project refactor tiny thing update changelog 2016-07-28 00:04:57 -04:00			`@oldrev, @newrev, @ref = change.values_at(:oldrev, :newrev, :ref)`
			`@branch_name = Gitlab::Git.branch_name(@ref)`
Protected Tags enforced over git 2017-03-31 12:57:29 -04:00			`@tag_name = Gitlab::Git.tag_name(@ref)`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 04:16:56 -04:00			`@user_access = user_access`
			`@project = project`
We never check user privilege if it's a deploy key 2016-11-17 14:48:23 -05:00			`@skip_authorization = skip_authorization`
Backport changes from gitlab-org/gitlab-ee!1406 2017-03-13 07:31:27 -04:00			`@protocol = protocol`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 04:16:56 -04:00			`end`

			`def exec`
Remove GitAccessStatus (no longer needed) 2017-05-23 15:21:57 -04:00			`return true if skip_authorization`
Add confirm delete protected branch modal 2017-05-08 03:41:58 -04:00
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate. 2017-05-19 15:58:45 -04:00			`push_checks`
			`branch_checks`
			`tag_checks`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 04:16:56 -04:00
Remove GitAccessStatus (no longer needed) 2017-05-23 15:21:57 -04:00			`true`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 04:16:56 -04:00			`end`

			`protected`

Add confirm delete protected branch modal 2017-05-08 03:41:58 -04:00			`def push_checks`
			`if user_access.cannot_do_action?(:push_code)`
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate. 2017-05-19 15:58:45 -04:00			`raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:push_code]`
Add confirm delete protected branch modal 2017-05-08 03:41:58 -04:00			`end`
			`end`

			`def branch_checks`
Avoid protected branches checks when verifying access without branch name GitlabShell verify access sending ‘_any’ as the changes made on the git command, in those cases Gitlab::Checks::ChangeAccess won’t receive a branch_name so we don’t need to check for access to the protected branches on that repository. So we avoid some git operations in case the are not cached (empty_repo?) and some database lookups to get protected branches. These request is happening in every push. 2016-09-13 05:43:41 -04:00			`return unless @branch_name`
Add confirm delete protected branch modal 2017-05-08 03:41:58 -04:00
			`if deletion? && @branch_name == project.default_branch`
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate. 2017-05-19 15:58:45 -04:00			`raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:delete_default_branch]`
Add confirm delete protected branch modal 2017-05-08 03:41:58 -04:00			`end`

			`protected_branch_checks`
			`end`

			`def protected_branch_checks`
Moved Project#protected_branch? to ProtectedBranch, similar for tags 2017-04-03 13:59:58 -04:00			`return unless ProtectedBranch.protected?(project, @branch_name)`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 04:16:56 -04:00
Remove useless permission checks in Gitlab::Checks::ChangeAccess Signed-off-by: Rémy Coutable <remy@rymai.me> 2017-01-12 17:37:14 -05:00			`if forced_push?`
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate. 2017-05-19 15:58:45 -04:00			`raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:force_push_protected_branch]`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 04:16:56 -04:00			`end`

Add confirm delete protected branch modal 2017-05-08 03:41:58 -04:00			`if deletion?`
			`protected_branch_deletion_checks`
			`else`
			`protected_branch_push_checks`
			`end`
			`end`

			`def protected_branch_deletion_checks`
			`unless user_access.can_delete_branch?(@branch_name)`
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate. 2017-05-19 15:58:45 -04:00			`raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:non_master_delete_protected_branch]`
Add confirm delete protected branch modal 2017-05-08 03:41:58 -04:00			`end`

			`unless protocol == 'web'`
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate. 2017-05-19 15:58:45 -04:00			`raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:non_web_delete_protected_branch]`
Add confirm delete protected branch modal 2017-05-08 03:41:58 -04:00			`end`
			`end`

			`def protected_branch_push_checks`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 04:16:56 -04:00			`if matching_merge_request?`
Add confirm delete protected branch modal 2017-05-08 03:41:58 -04:00			`unless user_access.can_merge_to_branch?(@branch_name) \|\| user_access.can_push_to_branch?(@branch_name)`
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate. 2017-05-19 15:58:45 -04:00			`raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:merge_protected_branch]`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 04:16:56 -04:00			`end`
			`else`
Add confirm delete protected branch modal 2017-05-08 03:41:58 -04:00			`unless user_access.can_push_to_branch?(@branch_name)`
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate. 2017-05-19 15:58:45 -04:00			`raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:push_protected_branch]`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 04:16:56 -04:00			`end`
			`end`
			`end`

			`def tag_checks`
Protected Tags enforced over git 2017-03-31 12:57:29 -04:00			`return unless @tag_name`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 04:16:56 -04:00
Protected Tags enforced over git 2017-03-31 12:57:29 -04:00			`if tag_exists? && user_access.cannot_do_action?(:admin_project)`
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate. 2017-05-19 15:58:45 -04:00			`raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:change_existing_tags]`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 04:16:56 -04:00			`end`
Protected Tags enforced over git 2017-03-31 12:57:29 -04:00
			`protected_tag_checks`
			`end`

			`def protected_tag_checks`
Add confirm delete protected branch modal 2017-05-08 03:41:58 -04:00			`return unless ProtectedTag.protected?(project, @tag_name)`

Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate. 2017-05-19 15:58:45 -04:00			`raise(GitAccess::UnauthorizedError, ERROR_MESSAGES[:update_protected_tag]) if update?`
			`raise(GitAccess::UnauthorizedError, ERROR_MESSAGES[:delete_protected_tag]) if deletion?`
Protected Tags enforced over git 2017-03-31 12:57:29 -04:00
Cleanup & tests for UserAccess#can_create_tag? 2017-04-03 21:05:42 -04:00			`unless user_access.can_create_tag?(@tag_name)`
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate. 2017-05-19 15:58:45 -04:00			`raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:create_protected_tag]`
Protected Tags enforced over git 2017-03-31 12:57:29 -04:00			`end`
			`end`

Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 04:16:56 -04:00			`private`

Protected Tags enforced over git 2017-03-31 12:57:29 -04:00			`def tag_exists?`
			`project.repository.tag_exists?(@tag_name)`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 04:16:56 -04:00			`end`

			`def forced_push?`
Don't pass `env` anymore to GitAccess, ChangeAccess, and ForcePush Signed-off-by: Rémy Coutable <remy@rymai.me> 2017-04-05 03:35:58 -04:00			`Gitlab::Checks::ForcePush.force_push?(@project, @oldrev, @newrev)`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 04:16:56 -04:00			`end`

Protected Tags prevents all updates instead of just force pushes. This only changes behaviour for masters, as developers are already prevented from updating/deleting tags without the Protected Tags feature 2017-04-03 19:05:51 -04:00			`def update?`
			`!Gitlab::Git.blank_ref?(@oldrev) && !deletion?`
			`end`

			`def deletion?`
Protected Tags enforced over git 2017-03-31 12:57:29 -04:00			`Gitlab::Git.blank_ref?(@newrev)`
			`end`

Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 04:16:56 -04:00			`def matching_merge_request?`
			`Checks::MatchingMergeRequest.new(@newrev, @branch_name, @project).match?`
			`end`
			`end`
			`end`
			`end`