change_access.rb 6.19 KB
Newer Older
1 2 3
module Gitlab
  module Checks
    class ChangeAccess
Michael Kozono's avatar
Michael Kozono committed
4 5 6 7 8 9 10 11 12 13 14
      ERROR_MESSAGES = {
        push_code: 'You are not allowed to push code to this project.',
        delete_default_branch: 'The default branch of a project cannot be deleted.',
        force_push_protected_branch: 'You are not allowed to force push code to a protected branch on this project.',
        non_master_delete_protected_branch: 'You are not allowed to delete protected branches from this project. Only a project master or owner can delete a protected branch.',
        non_web_delete_protected_branch: 'You can only delete protected branches using the web interface.',
        merge_protected_branch: 'You are not allowed to merge code into protected branches on this project.',
        push_protected_branch: 'You are not allowed to push code to protected branches on this project.',
        change_existing_tags: 'You are not allowed to change existing tags on this project.',
        update_protected_tag: 'Protected tags cannot be updated.',
        delete_protected_tag: 'Protected tags cannot be deleted.',
15 16
        create_protected_tag: 'You are not allowed to create this tag as it is protected.',
        lfs_objects_missing: 'LFS objects are missing. Ensure LFS is properly set up or try a manual "git lfs push --all".'
Michael Kozono's avatar
Michael Kozono committed
17 18
      }.freeze

19
      attr_reader :user_access, :project, :skip_authorization, :skip_lfs_integrity_check, :protocol, :oldrev, :newrev, :ref, :branch_name, :tag_name
20

21
      def initialize(
22
        change, user_access:, project:, skip_authorization: false,
23
        skip_lfs_integrity_check: false, protocol:
24
      )
25 26
        @oldrev, @newrev, @ref = change.values_at(:oldrev, :newrev, :ref)
        @branch_name = Gitlab::Git.branch_name(@ref)
27
        @tag_name = Gitlab::Git.tag_name(@ref)
28 29
        @user_access = user_access
        @project = project
30
        @skip_authorization = skip_authorization
31
        @skip_lfs_integrity_check = skip_lfs_integrity_check
32
        @protocol = protocol
33 34
      end

35
      def exec(skip_commits_check: false)
36
        return true if skip_authorization
37

38 39 40
        push_checks
        branch_checks
        tag_checks
41
        lfs_objects_exist_check unless skip_lfs_integrity_check
42
        commits_check unless skip_commits_check
43

44
        true
45 46 47 48
      end

      protected

49 50
      def push_checks
        if user_access.cannot_do_action?(:push_code)
51
          raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:push_code]
52 53 54 55
        end
      end

      def branch_checks
56
        return unless branch_name
57

58
        if deletion? && branch_name == project.default_branch
59
          raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:delete_default_branch]
60 61 62 63 64 65
        end

        protected_branch_checks
      end

      def protected_branch_checks
66
        return unless ProtectedBranch.protected?(project, branch_name)
67

68
        if forced_push?
69
          raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:force_push_protected_branch]
70 71
        end

72 73 74 75 76 77 78 79
        if deletion?
          protected_branch_deletion_checks
        else
          protected_branch_push_checks
        end
      end

      def protected_branch_deletion_checks
80
        unless user_access.can_delete_branch?(branch_name)
81
          raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:non_master_delete_protected_branch]
82 83
        end

84
        unless updated_from_web?
85
          raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:non_web_delete_protected_branch]
86 87 88 89
        end
      end

      def protected_branch_push_checks
90
        if matching_merge_request?
91
          unless user_access.can_merge_to_branch?(branch_name) || user_access.can_push_to_branch?(branch_name)
92
            raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:merge_protected_branch]
93 94
          end
        else
95
          unless user_access.can_push_to_branch?(branch_name)
96
            raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:push_protected_branch]
97 98 99 100 101
          end
        end
      end

      def tag_checks
102
        return unless tag_name
103

104
        if tag_exists? && user_access.cannot_do_action?(:admin_project)
105
          raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:change_existing_tags]
106
        end
107 108 109 110 111

        protected_tag_checks
      end

      def protected_tag_checks
112
        return unless ProtectedTag.protected?(project, tag_name)
113

114 115
        raise(GitAccess::UnauthorizedError, ERROR_MESSAGES[:update_protected_tag]) if update?
        raise(GitAccess::UnauthorizedError, ERROR_MESSAGES[:delete_protected_tag]) if deletion?
116

117
        unless user_access.can_create_tag?(tag_name)
118
          raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:create_protected_tag]
119 120 121
        end
      end

122 123
      def commits_check
        return if deletion? || newrev.nil?
124
        return unless should_run_commit_validations?
125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140

        # n+1: https://gitlab.com/gitlab-org/gitlab-ee/issues/3593
        ::Gitlab::GitalyClient.allow_n_plus_1_calls do
          commits.each do |commit|
            commit_check.validate(commit, validations_for_commit(commit))
          end
        end

        commit_check.validate_file_paths
      end

      # Method overwritten in EE to inject custom validations
      def validations_for_commit(_)
        []
      end

141 142
      private

143 144 145 146
      def should_run_commit_validations?
        commit_check.validate_lfs_file_locks?
      end

147 148 149 150
      def updated_from_web?
        protocol == 'web'
      end

151
      def tag_exists?
152
        project.repository.tag_exists?(tag_name)
153 154 155
      end

      def forced_push?
156
        Gitlab::Checks::ForcePush.force_push?(project, oldrev, newrev)
157 158
      end

159
      def update?
160
        !Gitlab::Git.blank_ref?(oldrev) && !deletion?
161 162 163
      end

      def deletion?
164
        Gitlab::Git.blank_ref?(newrev)
165 166
      end

167
      def matching_merge_request?
168
        Checks::MatchingMergeRequest.new(newrev, branch_name, project).match?
169
      end
170 171

      def lfs_objects_exist_check
172
        lfs_check = Checks::LfsIntegrity.new(project, newrev)
173 174 175 176 177

        if lfs_check.objects_missing?
          raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:lfs_objects_missing]
        end
      end
178 179 180 181 182 183

      def commit_check
        @commit_check ||= Gitlab::Checks::CommitCheck.new(project, user_access.user, newrev, oldrev)
      end

      def commits
184
        @commits ||= project.repository.new_commits(newrev)
185
      end
186 187 188
    end
  end
end