gitlab-org--gitlab-foss/lib/gitlab/checks/branch_check.rb

150 lines
5.8 KiB
Ruby

# frozen_string_literal: true
module Gitlab
module Checks
class BranchCheck < BaseSingleChecker
ERROR_MESSAGES = {
delete_default_branch: 'The default branch of a project cannot be deleted.',
force_push_protected_branch: 'You are not allowed to force push code to a protected branch on this project.',
non_master_delete_protected_branch: 'You are not allowed to delete protected branches from this project. Only a project maintainer or owner can delete a protected branch.',
non_web_delete_protected_branch: 'You can only delete protected branches using the web interface.',
merge_protected_branch: 'You are not allowed to merge code into protected branches on this project.',
push_protected_branch: 'You are not allowed to push code to protected branches on this project.',
create_protected_branch: 'You are not allowed to create protected branches on this project.',
invalid_commit_create_protected_branch: 'You can only use an existing protected branch ref as the basis of a new protected branch.',
non_web_create_protected_branch: 'You can only create protected branches using the web interface and API.',
prohibited_hex_branch_name: 'You cannot create a branch with a 40-character hexadecimal branch name.'
}.freeze
LOG_MESSAGES = {
delete_default_branch_check: "Checking if default branch is being deleted...",
protected_branch_checks: "Checking if you are force pushing to a protected branch...",
protected_branch_push_checks: "Checking if you are allowed to push to the protected branch...",
protected_branch_creation_checks: "Checking if you are allowed to create a protected branch...",
protected_branch_deletion_checks: "Checking if you are allowed to delete the protected branch..."
}.freeze
def validate!
return unless branch_name
logger.log_timed(LOG_MESSAGES[:delete_default_branch_check]) do
if deletion? && branch_name == project.default_branch
raise GitAccess::ForbiddenError, ERROR_MESSAGES[:delete_default_branch]
end
end
prohibited_branch_checks
protected_branch_checks
end
private
def prohibited_branch_checks
return if deletion?
if branch_name =~ /\A\h{40}\z/
raise GitAccess::ForbiddenError, ERROR_MESSAGES[:prohibited_hex_branch_name]
end
end
def protected_branch_checks
logger.log_timed(LOG_MESSAGES[:protected_branch_checks]) do
return unless ProtectedBranch.protected?(project, branch_name) # rubocop:disable Cop/AvoidReturnFromBlocks
if forced_push? && !ProtectedBranch.allow_force_push?(project, branch_name)
raise GitAccess::ForbiddenError, ERROR_MESSAGES[:force_push_protected_branch]
end
end
if project.empty_repo?
protected_branch_push_checks
elsif creation?
protected_branch_creation_checks
elsif deletion?
protected_branch_deletion_checks
else
protected_branch_push_checks
end
end
def protected_branch_creation_checks
logger.log_timed(LOG_MESSAGES[:protected_branch_creation_checks]) do
break if user_access.can_push_to_branch?(branch_name)
unless user_access.can_merge_to_branch?(branch_name)
raise GitAccess::ForbiddenError, ERROR_MESSAGES[:create_protected_branch]
end
unless safe_commit_for_new_protected_branch?
raise GitAccess::ForbiddenError, ERROR_MESSAGES[:invalid_commit_create_protected_branch]
end
unless updated_from_web?
raise GitAccess::ForbiddenError, ERROR_MESSAGES[:non_web_create_protected_branch]
end
end
end
def protected_branch_deletion_checks
logger.log_timed(LOG_MESSAGES[:protected_branch_deletion_checks]) do
unless user_access.can_delete_branch?(branch_name)
raise GitAccess::ForbiddenError, ERROR_MESSAGES[:non_master_delete_protected_branch]
end
unless updated_from_web?
raise GitAccess::ForbiddenError, ERROR_MESSAGES[:non_web_delete_protected_branch]
end
end
end
def protected_branch_push_checks
logger.log_timed(LOG_MESSAGES[:protected_branch_push_checks]) do
if matching_merge_request?
unless user_access.can_merge_to_branch?(branch_name) || user_access.can_push_to_branch?(branch_name)
raise GitAccess::ForbiddenError, ERROR_MESSAGES[:merge_protected_branch]
end
else
unless user_access.can_push_to_branch?(branch_name)
raise GitAccess::ForbiddenError, push_to_protected_branch_rejected_message
end
end
end
end
def push_to_protected_branch_rejected_message
if project.empty_repo?
empty_project_push_message
else
ERROR_MESSAGES[:push_protected_branch]
end
end
def empty_project_push_message
<<~MESSAGE
A default branch (e.g. main) does not yet exist for #{project.full_path}
Ask a project Owner or Maintainer to create a default branch:
#{project_members_url}
MESSAGE
end
def project_members_url
Gitlab::Routing.url_helpers.project_project_members_url(project)
end
def matching_merge_request?
Checks::MatchingMergeRequest.new(newrev, branch_name, project).match?
end
def forced_push?
Gitlab::Checks::ForcePush.force_push?(project, oldrev, newrev)
end
def safe_commit_for_new_protected_branch?
ProtectedBranch.any_protected?(project, project.repository.branch_names_contains_sha(newrev))
end
end
end
end