mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-12-30 13:13:10 +00:00
[Enhancement] Allow admin to merge pr with protected file changes (#12078)
* [Enhancement] Allow admin to merge pr with protected file changes As tilte, show protected message in diff page and merge box. Signed-off-by: a1012112796 <1012112796@qq.com> * remove unused ver * Update options/locale/locale_en-US.ini Co-authored-by: Cirno the Strongest <1447794+CirnoT@users.noreply.github.com> * Add TrN * Apply suggestions from code review * fix lint * Update options/locale/locale_en-US.ini Co-authored-by: zeripath <art27@cantab.net> * Apply suggestions from code review * move pr proteced files check to TestPatch * Call TestPatch when protected branches settings changed * Apply review suggestion @CirnoT * move to service @lunny * slightly restructure routers/private/hook.go Adds a lot of comments and simplifies the logic Signed-off-by: Andrew Thornton <art27@cantab.net> * placate lint Signed-off-by: Andrew Thornton <art27@cantab.net> * skip duplicate protected files check * fix check logic * slight refactor of TestPatch Signed-off-by: Andrew Thornton <art27@cantab.net> * When checking for protected files changes in TestPatch use the temporary repository Signed-off-by: Andrew Thornton <art27@cantab.net> * fix introduced issue with hook Signed-off-by: Andrew Thornton <art27@cantab.net> * Remove the check on PR index being greater than 0 as it unnecessary Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: Cirno the Strongest <1447794+CirnoT@users.noreply.github.com> Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
This commit is contained in:
parent
da32d0e72a
commit
dfa7291f8f
19 changed files with 464 additions and 185 deletions
|
@ -209,6 +209,38 @@ func (protectBranch *ProtectedBranch) GetProtectedFilePatterns() []glob.Glob {
|
||||||
return extarr
|
return extarr
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// MergeBlockedByProtectedFiles returns true if merge is blocked by protected files change
|
||||||
|
func (protectBranch *ProtectedBranch) MergeBlockedByProtectedFiles(pr *PullRequest) bool {
|
||||||
|
glob := protectBranch.GetProtectedFilePatterns()
|
||||||
|
if len(glob) == 0 {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
return len(pr.ChangedProtectedFiles) > 0
|
||||||
|
}
|
||||||
|
|
||||||
|
// IsProtectedFile return if path is protected
|
||||||
|
func (protectBranch *ProtectedBranch) IsProtectedFile(patterns []glob.Glob, path string) bool {
|
||||||
|
if len(patterns) == 0 {
|
||||||
|
patterns = protectBranch.GetProtectedFilePatterns()
|
||||||
|
if len(patterns) == 0 {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
lpath := strings.ToLower(strings.TrimSpace(path))
|
||||||
|
|
||||||
|
r := false
|
||||||
|
for _, pat := range patterns {
|
||||||
|
if pat.Match(lpath) {
|
||||||
|
r = true
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return r
|
||||||
|
}
|
||||||
|
|
||||||
// GetProtectedBranchByRepoID getting protected branch by repo ID
|
// GetProtectedBranchByRepoID getting protected branch by repo ID
|
||||||
func GetProtectedBranchByRepoID(repoID int64) ([]*ProtectedBranch, error) {
|
func GetProtectedBranchByRepoID(repoID int64) ([]*ProtectedBranch, error) {
|
||||||
protectedBranches := make([]*ProtectedBranch, 0)
|
protectedBranches := make([]*ProtectedBranch, 0)
|
||||||
|
|
|
@ -244,6 +244,8 @@ var migrations = []Migration{
|
||||||
NewMigration("add Team review request support", addTeamReviewRequestSupport),
|
NewMigration("add Team review request support", addTeamReviewRequestSupport),
|
||||||
// v154 > v155
|
// v154 > v155
|
||||||
NewMigration("add timestamps to Star, Label, Follow, Watch and Collaboration", addTimeStamps),
|
NewMigration("add timestamps to Star, Label, Follow, Watch and Collaboration", addTimeStamps),
|
||||||
|
// v155 -> v156
|
||||||
|
NewMigration("add changed_protected_files column for pull_request table", addChangedProtectedFilesPullRequestColumn),
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetCurrentDBVersion returns the current db version
|
// GetCurrentDBVersion returns the current db version
|
||||||
|
|
22
models/migrations/v155.go
Normal file
22
models/migrations/v155.go
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
// Copyright 2020 The Gitea Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a MIT-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package migrations
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
|
||||||
|
"xorm.io/xorm"
|
||||||
|
)
|
||||||
|
|
||||||
|
func addChangedProtectedFilesPullRequestColumn(x *xorm.Engine) error {
|
||||||
|
type PullRequest struct {
|
||||||
|
ChangedProtectedFiles []string `xorm:"TEXT JSON"`
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := x.Sync2(new(PullRequest)); err != nil {
|
||||||
|
return fmt.Errorf("Sync2: %v", err)
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
|
@ -45,6 +45,8 @@ type PullRequest struct {
|
||||||
CommitsAhead int
|
CommitsAhead int
|
||||||
CommitsBehind int
|
CommitsBehind int
|
||||||
|
|
||||||
|
ChangedProtectedFiles []string `xorm:"TEXT JSON"`
|
||||||
|
|
||||||
IssueID int64 `xorm:"INDEX"`
|
IssueID int64 `xorm:"INDEX"`
|
||||||
Issue *Issue `xorm:"-"`
|
Issue *Issue `xorm:"-"`
|
||||||
Index int64
|
Index int64
|
||||||
|
|
|
@ -123,7 +123,7 @@ func detectEncodingAndBOM(entry *git.TreeEntry, repo *models.Repository) (string
|
||||||
|
|
||||||
// CreateOrUpdateRepoFile adds or updates a file in the given repository
|
// CreateOrUpdateRepoFile adds or updates a file in the given repository
|
||||||
func CreateOrUpdateRepoFile(repo *models.Repository, doer *models.User, opts *UpdateRepoFileOptions) (*structs.FileResponse, error) {
|
func CreateOrUpdateRepoFile(repo *models.Repository, doer *models.User, opts *UpdateRepoFileOptions) (*structs.FileResponse, error) {
|
||||||
// If no branch name is set, assume master
|
// If no branch name is set, assume default branch
|
||||||
if opts.OldBranch == "" {
|
if opts.OldBranch == "" {
|
||||||
opts.OldBranch = repo.DefaultBranch
|
opts.OldBranch = repo.DefaultBranch
|
||||||
}
|
}
|
||||||
|
|
|
@ -1232,6 +1232,8 @@ pulls.required_status_check_administrator = As an administrator, you may still m
|
||||||
pulls.blocked_by_approvals = "This Pull Request doesn't have enough approvals yet. %d of %d approvals granted."
|
pulls.blocked_by_approvals = "This Pull Request doesn't have enough approvals yet. %d of %d approvals granted."
|
||||||
pulls.blocked_by_rejection = "This Pull Request has changes requested by an official reviewer."
|
pulls.blocked_by_rejection = "This Pull Request has changes requested by an official reviewer."
|
||||||
pulls.blocked_by_outdated_branch = "This Pull Request is blocked because it's outdated."
|
pulls.blocked_by_outdated_branch = "This Pull Request is blocked because it's outdated."
|
||||||
|
pulls.blocked_by_changed_protected_files_1= "This Pull Request is blocked because it changes a protected file:"
|
||||||
|
pulls.blocked_by_changed_protected_files_n= "This Pull Request is blocked because it changes protected files:"
|
||||||
pulls.can_auto_merge_desc = This pull request can be merged automatically.
|
pulls.can_auto_merge_desc = This pull request can be merged automatically.
|
||||||
pulls.cannot_auto_merge_desc = This pull request cannot be merged automatically due to conflicts.
|
pulls.cannot_auto_merge_desc = This pull request cannot be merged automatically due to conflicts.
|
||||||
pulls.cannot_auto_merge_helper = Merge manually to resolve the conflicts.
|
pulls.cannot_auto_merge_helper = Merge manually to resolve the conflicts.
|
||||||
|
@ -1779,6 +1781,7 @@ diff.review.comment = Comment
|
||||||
diff.review.approve = Approve
|
diff.review.approve = Approve
|
||||||
diff.review.reject = Request changes
|
diff.review.reject = Request changes
|
||||||
diff.committed_by = committed by
|
diff.committed_by = committed by
|
||||||
|
diff.protected = Protected
|
||||||
|
|
||||||
releases.desc = Track project versions and downloads.
|
releases.desc = Track project versions and downloads.
|
||||||
release.releases = Releases
|
release.releases = Releases
|
||||||
|
|
|
@ -16,6 +16,7 @@ import (
|
||||||
"code.gitea.io/gitea/modules/log"
|
"code.gitea.io/gitea/modules/log"
|
||||||
repo_module "code.gitea.io/gitea/modules/repository"
|
repo_module "code.gitea.io/gitea/modules/repository"
|
||||||
api "code.gitea.io/gitea/modules/structs"
|
api "code.gitea.io/gitea/modules/structs"
|
||||||
|
pull_service "code.gitea.io/gitea/services/pull"
|
||||||
repo_service "code.gitea.io/gitea/services/repository"
|
repo_service "code.gitea.io/gitea/services/repository"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -545,6 +546,11 @@ func CreateBranchProtection(ctx *context.APIContext, form api.CreateBranchProtec
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if err = pull_service.CheckPrsForBaseBranch(ctx.Repo.Repository, protectBranch.BranchName); err != nil {
|
||||||
|
ctx.Error(http.StatusInternalServerError, "CheckPrsForBaseBranch", err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
// Reload from db to get all whitelists
|
// Reload from db to get all whitelists
|
||||||
bp, err := models.GetProtectedBranchBy(ctx.Repo.Repository.ID, form.BranchName)
|
bp, err := models.GetProtectedBranchBy(ctx.Repo.Repository.ID, form.BranchName)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -768,6 +774,11 @@ func EditBranchProtection(ctx *context.APIContext, form api.EditBranchProtection
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if err = pull_service.CheckPrsForBaseBranch(ctx.Repo.Repository, protectBranch.BranchName); err != nil {
|
||||||
|
ctx.Error(http.StatusInternalServerError, "CheckPrsForBaseBranch", err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
// Reload from db to ensure get all whitelists
|
// Reload from db to ensure get all whitelists
|
||||||
bp, err := models.GetProtectedBranchBy(repo.ID, bpName)
|
bp, err := models.GetProtectedBranchBy(repo.ID, bpName)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
@ -774,7 +774,7 @@ func MergePullRequest(ctx *context.APIContext, form auth.MergePullRequestForm) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := pull_service.CheckPRReadyToMerge(pr); err != nil {
|
if err := pull_service.CheckPRReadyToMerge(pr, false); err != nil {
|
||||||
if !models.IsErrNotAllowedToMerge(err) {
|
if !models.IsErrNotAllowedToMerge(err) {
|
||||||
ctx.Error(http.StatusInternalServerError, "CheckPRReadyToMerge", err)
|
ctx.Error(http.StatusInternalServerError, "CheckPRReadyToMerge", err)
|
||||||
return
|
return
|
||||||
|
|
|
@ -25,7 +25,6 @@ import (
|
||||||
|
|
||||||
"gitea.com/macaron/macaron"
|
"gitea.com/macaron/macaron"
|
||||||
"github.com/go-git/go-git/v5/plumbing"
|
"github.com/go-git/go-git/v5/plumbing"
|
||||||
"github.com/gobwas/glob"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
func verifyCommits(oldCommitID, newCommitID string, repo *git.Repository, env []string) error {
|
func verifyCommits(oldCommitID, newCommitID string, repo *git.Repository, env []string) error {
|
||||||
|
@ -59,53 +58,6 @@ func verifyCommits(oldCommitID, newCommitID string, repo *git.Repository, env []
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
func checkFileProtection(oldCommitID, newCommitID string, patterns []glob.Glob, repo *git.Repository, env []string) error {
|
|
||||||
|
|
||||||
stdoutReader, stdoutWriter, err := os.Pipe()
|
|
||||||
if err != nil {
|
|
||||||
log.Error("Unable to create os.Pipe for %s", repo.Path)
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
defer func() {
|
|
||||||
_ = stdoutReader.Close()
|
|
||||||
_ = stdoutWriter.Close()
|
|
||||||
}()
|
|
||||||
|
|
||||||
// This use of ... is safe as force-pushes have already been ruled out.
|
|
||||||
err = git.NewCommand("diff", "--name-only", oldCommitID+"..."+newCommitID).
|
|
||||||
RunInDirTimeoutEnvFullPipelineFunc(env, -1, repo.Path,
|
|
||||||
stdoutWriter, nil, nil,
|
|
||||||
func(ctx context.Context, cancel context.CancelFunc) error {
|
|
||||||
_ = stdoutWriter.Close()
|
|
||||||
|
|
||||||
scanner := bufio.NewScanner(stdoutReader)
|
|
||||||
for scanner.Scan() {
|
|
||||||
path := strings.TrimSpace(scanner.Text())
|
|
||||||
if len(path) == 0 {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
lpath := strings.ToLower(path)
|
|
||||||
for _, pat := range patterns {
|
|
||||||
if pat.Match(lpath) {
|
|
||||||
cancel()
|
|
||||||
return models.ErrFilePathProtected{
|
|
||||||
Path: path,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if err := scanner.Err(); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
_ = stdoutReader.Close()
|
|
||||||
return err
|
|
||||||
})
|
|
||||||
if err != nil && !models.IsErrFilePathProtected(err) {
|
|
||||||
log.Error("Unable to check file protection for commits from %s to %s in %s: %v", oldCommitID, newCommitID, repo.Path, err)
|
|
||||||
}
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
func readAndVerifyCommitsFromShaReader(input io.ReadCloser, repo *git.Repository, env []string) error {
|
func readAndVerifyCommitsFromShaReader(input io.ReadCloser, repo *git.Repository, env []string) error {
|
||||||
scanner := bufio.NewScanner(input)
|
scanner := bufio.NewScanner(input)
|
||||||
for scanner.Scan() {
|
for scanner.Scan() {
|
||||||
|
@ -202,6 +154,7 @@ func HookPreReceive(ctx *macaron.Context, opts private.HookOptions) {
|
||||||
private.GitQuarantinePath+"="+opts.GitQuarantinePath)
|
private.GitQuarantinePath+"="+opts.GitQuarantinePath)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Iterate across the provided old commit IDs
|
||||||
for i := range opts.OldCommitIDs {
|
for i := range opts.OldCommitIDs {
|
||||||
oldCommitID := opts.OldCommitIDs[i]
|
oldCommitID := opts.OldCommitIDs[i]
|
||||||
newCommitID := opts.NewCommitIDs[i]
|
newCommitID := opts.NewCommitIDs[i]
|
||||||
|
@ -224,146 +177,192 @@ func HookPreReceive(ctx *macaron.Context, opts private.HookOptions) {
|
||||||
})
|
})
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
if protectBranch != nil && protectBranch.IsProtected() {
|
|
||||||
// detect and prevent deletion
|
// Allow pushes to non-protected branches
|
||||||
if newCommitID == git.EmptySHA {
|
if protectBranch == nil || !protectBranch.IsProtected() {
|
||||||
log.Warn("Forbidden: Branch: %s in %-v is protected from deletion", branchName, repo)
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
// This ref is a protected branch.
|
||||||
|
//
|
||||||
|
// First of all we need to enforce absolutely:
|
||||||
|
//
|
||||||
|
// 1. Detect and prevent deletion of the branch
|
||||||
|
if newCommitID == git.EmptySHA {
|
||||||
|
log.Warn("Forbidden: Branch: %s in %-v is protected from deletion", branchName, repo)
|
||||||
|
ctx.JSON(http.StatusForbidden, map[string]interface{}{
|
||||||
|
"err": fmt.Sprintf("branch %s is protected from deletion", branchName),
|
||||||
|
})
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// 2. Disallow force pushes to protected branches
|
||||||
|
if git.EmptySHA != oldCommitID {
|
||||||
|
output, err := git.NewCommand("rev-list", "--max-count=1", oldCommitID, "^"+newCommitID).RunInDirWithEnv(repo.RepoPath(), env)
|
||||||
|
if err != nil {
|
||||||
|
log.Error("Unable to detect force push between: %s and %s in %-v Error: %v", oldCommitID, newCommitID, repo, err)
|
||||||
|
ctx.JSON(http.StatusInternalServerError, map[string]interface{}{
|
||||||
|
"err": fmt.Sprintf("Fail to detect force push: %v", err),
|
||||||
|
})
|
||||||
|
return
|
||||||
|
} else if len(output) > 0 {
|
||||||
|
log.Warn("Forbidden: Branch: %s in %-v is protected from force push", branchName, repo)
|
||||||
ctx.JSON(http.StatusForbidden, map[string]interface{}{
|
ctx.JSON(http.StatusForbidden, map[string]interface{}{
|
||||||
"err": fmt.Sprintf("branch %s is protected from deletion", branchName),
|
"err": fmt.Sprintf("branch %s is protected from force push", branchName),
|
||||||
|
})
|
||||||
|
return
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// 3. Enforce require signed commits
|
||||||
|
if protectBranch.RequireSignedCommits {
|
||||||
|
err := verifyCommits(oldCommitID, newCommitID, gitRepo, env)
|
||||||
|
if err != nil {
|
||||||
|
if !isErrUnverifiedCommit(err) {
|
||||||
|
log.Error("Unable to check commits from %s to %s in %-v: %v", oldCommitID, newCommitID, repo, err)
|
||||||
|
ctx.JSON(http.StatusInternalServerError, map[string]interface{}{
|
||||||
|
"err": fmt.Sprintf("Unable to check commits from %s to %s: %v", oldCommitID, newCommitID, err),
|
||||||
|
})
|
||||||
|
return
|
||||||
|
}
|
||||||
|
unverifiedCommit := err.(*errUnverifiedCommit).sha
|
||||||
|
log.Warn("Forbidden: Branch: %s in %-v is protected from unverified commit %s", branchName, repo, unverifiedCommit)
|
||||||
|
ctx.JSON(http.StatusForbidden, map[string]interface{}{
|
||||||
|
"err": fmt.Sprintf("branch %s is protected from unverified commit %s", branchName, unverifiedCommit),
|
||||||
})
|
})
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// detect force push
|
// Now there are several tests which can be overridden:
|
||||||
if git.EmptySHA != oldCommitID {
|
//
|
||||||
output, err := git.NewCommand("rev-list", "--max-count=1", oldCommitID, "^"+newCommitID).RunInDirWithEnv(repo.RepoPath(), env)
|
// 4. Check protected file patterns - this is overridable from the UI
|
||||||
if err != nil {
|
changedProtectedfiles := false
|
||||||
log.Error("Unable to detect force push between: %s and %s in %-v Error: %v", oldCommitID, newCommitID, repo, err)
|
protectedFilePath := ""
|
||||||
|
|
||||||
|
globs := protectBranch.GetProtectedFilePatterns()
|
||||||
|
if len(globs) > 0 {
|
||||||
|
_, err := pull_service.CheckFileProtection(oldCommitID, newCommitID, globs, 1, env, gitRepo)
|
||||||
|
if err != nil {
|
||||||
|
if !models.IsErrFilePathProtected(err) {
|
||||||
|
log.Error("Unable to check file protection for commits from %s to %s in %-v: %v", oldCommitID, newCommitID, repo, err)
|
||||||
ctx.JSON(http.StatusInternalServerError, map[string]interface{}{
|
ctx.JSON(http.StatusInternalServerError, map[string]interface{}{
|
||||||
"err": fmt.Sprintf("Fail to detect force push: %v", err),
|
"err": fmt.Sprintf("Unable to check file protection for commits from %s to %s: %v", oldCommitID, newCommitID, err),
|
||||||
})
|
|
||||||
return
|
|
||||||
} else if len(output) > 0 {
|
|
||||||
log.Warn("Forbidden: Branch: %s in %-v is protected from force push", branchName, repo)
|
|
||||||
ctx.JSON(http.StatusForbidden, map[string]interface{}{
|
|
||||||
"err": fmt.Sprintf("branch %s is protected from force push", branchName),
|
|
||||||
})
|
|
||||||
return
|
|
||||||
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Require signed commits
|
|
||||||
if protectBranch.RequireSignedCommits {
|
|
||||||
err := verifyCommits(oldCommitID, newCommitID, gitRepo, env)
|
|
||||||
if err != nil {
|
|
||||||
if !isErrUnverifiedCommit(err) {
|
|
||||||
log.Error("Unable to check commits from %s to %s in %-v: %v", oldCommitID, newCommitID, repo, err)
|
|
||||||
ctx.JSON(http.StatusInternalServerError, map[string]interface{}{
|
|
||||||
"err": fmt.Sprintf("Unable to check commits from %s to %s: %v", oldCommitID, newCommitID, err),
|
|
||||||
})
|
|
||||||
return
|
|
||||||
}
|
|
||||||
unverifiedCommit := err.(*errUnverifiedCommit).sha
|
|
||||||
log.Warn("Forbidden: Branch: %s in %-v is protected from unverified commit %s", branchName, repo, unverifiedCommit)
|
|
||||||
ctx.JSON(http.StatusForbidden, map[string]interface{}{
|
|
||||||
"err": fmt.Sprintf("branch %s is protected from unverified commit %s", branchName, unverifiedCommit),
|
|
||||||
})
|
})
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
// Detect Protected file pattern
|
changedProtectedfiles = true
|
||||||
globs := protectBranch.GetProtectedFilePatterns()
|
protectedFilePath = err.(models.ErrFilePathProtected).Path
|
||||||
if len(globs) > 0 {
|
}
|
||||||
err := checkFileProtection(oldCommitID, newCommitID, globs, gitRepo, env)
|
}
|
||||||
if err != nil {
|
|
||||||
if !models.IsErrFilePathProtected(err) {
|
// 5. Check if the doer is allowed to push
|
||||||
log.Error("Unable to check file protection for commits from %s to %s in %-v: %v", oldCommitID, newCommitID, repo, err)
|
canPush := false
|
||||||
ctx.JSON(http.StatusInternalServerError, map[string]interface{}{
|
if opts.IsDeployKey {
|
||||||
"err": fmt.Sprintf("Unable to check file protection for commits from %s to %s: %v", oldCommitID, newCommitID, err),
|
canPush = !changedProtectedfiles && protectBranch.CanPush && (!protectBranch.EnableWhitelist || protectBranch.WhitelistDeployKeys)
|
||||||
})
|
} else {
|
||||||
return
|
canPush = !changedProtectedfiles && protectBranch.CanUserPush(opts.UserID)
|
||||||
}
|
}
|
||||||
protectedFilePath := err.(models.ErrFilePathProtected).Path
|
|
||||||
|
// 6. If we're not allowed to push directly
|
||||||
|
if !canPush {
|
||||||
|
// Is this is a merge from the UI/API?
|
||||||
|
if opts.ProtectedBranchID == 0 {
|
||||||
|
// 6a. If we're not merging from the UI/API then there are two ways we got here:
|
||||||
|
//
|
||||||
|
// We are changing a protected file and we're not allowed to do that
|
||||||
|
if changedProtectedfiles {
|
||||||
log.Warn("Forbidden: Branch: %s in %-v is protected from changing file %s", branchName, repo, protectedFilePath)
|
log.Warn("Forbidden: Branch: %s in %-v is protected from changing file %s", branchName, repo, protectedFilePath)
|
||||||
ctx.JSON(http.StatusForbidden, map[string]interface{}{
|
ctx.JSON(http.StatusForbidden, map[string]interface{}{
|
||||||
"err": fmt.Sprintf("branch %s is protected from changing file %s", branchName, protectedFilePath),
|
"err": fmt.Sprintf("branch %s is protected from changing file %s", branchName, protectedFilePath),
|
||||||
})
|
})
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
canPush := false
|
// Or we're simply not able to push to this protected branch
|
||||||
if opts.IsDeployKey {
|
|
||||||
canPush = protectBranch.CanPush && (!protectBranch.EnableWhitelist || protectBranch.WhitelistDeployKeys)
|
|
||||||
} else {
|
|
||||||
canPush = protectBranch.CanUserPush(opts.UserID)
|
|
||||||
}
|
|
||||||
if !canPush && opts.ProtectedBranchID > 0 {
|
|
||||||
// Merge (from UI or API)
|
|
||||||
pr, err := models.GetPullRequestByID(opts.ProtectedBranchID)
|
|
||||||
if err != nil {
|
|
||||||
log.Error("Unable to get PullRequest %d Error: %v", opts.ProtectedBranchID, err)
|
|
||||||
ctx.JSON(http.StatusInternalServerError, map[string]interface{}{
|
|
||||||
"err": fmt.Sprintf("Unable to get PullRequest %d Error: %v", opts.ProtectedBranchID, err),
|
|
||||||
})
|
|
||||||
return
|
|
||||||
}
|
|
||||||
user, err := models.GetUserByID(opts.UserID)
|
|
||||||
if err != nil {
|
|
||||||
log.Error("Unable to get User id %d Error: %v", opts.UserID, err)
|
|
||||||
ctx.JSON(http.StatusInternalServerError, map[string]interface{}{
|
|
||||||
"err": fmt.Sprintf("Unable to get User id %d Error: %v", opts.UserID, err),
|
|
||||||
})
|
|
||||||
return
|
|
||||||
}
|
|
||||||
perm, err := models.GetUserRepoPermission(repo, user)
|
|
||||||
if err != nil {
|
|
||||||
log.Error("Unable to get Repo permission of repo %s/%s of User %s", repo.OwnerName, repo.Name, user.Name, err)
|
|
||||||
ctx.JSON(http.StatusInternalServerError, map[string]interface{}{
|
|
||||||
"err": fmt.Sprintf("Unable to get Repo permission of repo %s/%s of User %s: %v", repo.OwnerName, repo.Name, user.Name, err),
|
|
||||||
})
|
|
||||||
return
|
|
||||||
}
|
|
||||||
allowedMerge, err := pull_service.IsUserAllowedToMerge(pr, perm, user)
|
|
||||||
if err != nil {
|
|
||||||
log.Error("Error calculating if allowed to merge: %v", err)
|
|
||||||
ctx.JSON(http.StatusInternalServerError, map[string]interface{}{
|
|
||||||
"err": fmt.Sprintf("Error calculating if allowed to merge: %v", err),
|
|
||||||
})
|
|
||||||
return
|
|
||||||
}
|
|
||||||
if !allowedMerge {
|
|
||||||
log.Warn("Forbidden: User %d is not allowed to push to protected branch: %s in %-v and is not allowed to merge pr #%d", opts.UserID, branchName, repo, pr.Index)
|
|
||||||
ctx.JSON(http.StatusForbidden, map[string]interface{}{
|
|
||||||
"err": fmt.Sprintf("Not allowed to push to protected branch %s", branchName),
|
|
||||||
})
|
|
||||||
return
|
|
||||||
}
|
|
||||||
// Check all status checks and reviews is ok, unless repo admin which can bypass this.
|
|
||||||
if !perm.IsAdmin() {
|
|
||||||
if err := pull_service.CheckPRReadyToMerge(pr); err != nil {
|
|
||||||
if models.IsErrNotAllowedToMerge(err) {
|
|
||||||
log.Warn("Forbidden: User %d is not allowed push to protected branch %s in %-v and pr #%d is not ready to be merged: %s", opts.UserID, branchName, repo, pr.Index, err.Error())
|
|
||||||
ctx.JSON(http.StatusForbidden, map[string]interface{}{
|
|
||||||
"err": fmt.Sprintf("Not allowed to push to protected branch %s and pr #%d is not ready to be merged: %s", branchName, opts.ProtectedBranchID, err.Error()),
|
|
||||||
})
|
|
||||||
return
|
|
||||||
}
|
|
||||||
log.Error("Unable to check if mergable: protected branch %s in %-v and pr #%d. Error: %v", opts.UserID, branchName, repo, pr.Index, err)
|
|
||||||
ctx.JSON(http.StatusInternalServerError, map[string]interface{}{
|
|
||||||
"err": fmt.Sprintf("Unable to get status of pull request %d. Error: %v", opts.ProtectedBranchID, err),
|
|
||||||
})
|
|
||||||
}
|
|
||||||
}
|
|
||||||
} else if !canPush {
|
|
||||||
log.Warn("Forbidden: User %d is not allowed to push to protected branch: %s in %-v", opts.UserID, branchName, repo)
|
log.Warn("Forbidden: User %d is not allowed to push to protected branch: %s in %-v", opts.UserID, branchName, repo)
|
||||||
ctx.JSON(http.StatusForbidden, map[string]interface{}{
|
ctx.JSON(http.StatusForbidden, map[string]interface{}{
|
||||||
"err": fmt.Sprintf("Not allowed to push to protected branch %s", branchName),
|
"err": fmt.Sprintf("Not allowed to push to protected branch %s", branchName),
|
||||||
})
|
})
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
// 6b. Merge (from UI or API)
|
||||||
|
|
||||||
|
// Get the PR, user and permissions for the user in the repository
|
||||||
|
pr, err := models.GetPullRequestByID(opts.ProtectedBranchID)
|
||||||
|
if err != nil {
|
||||||
|
log.Error("Unable to get PullRequest %d Error: %v", opts.ProtectedBranchID, err)
|
||||||
|
ctx.JSON(http.StatusInternalServerError, map[string]interface{}{
|
||||||
|
"err": fmt.Sprintf("Unable to get PullRequest %d Error: %v", opts.ProtectedBranchID, err),
|
||||||
|
})
|
||||||
|
return
|
||||||
|
}
|
||||||
|
user, err := models.GetUserByID(opts.UserID)
|
||||||
|
if err != nil {
|
||||||
|
log.Error("Unable to get User id %d Error: %v", opts.UserID, err)
|
||||||
|
ctx.JSON(http.StatusInternalServerError, map[string]interface{}{
|
||||||
|
"err": fmt.Sprintf("Unable to get User id %d Error: %v", opts.UserID, err),
|
||||||
|
})
|
||||||
|
return
|
||||||
|
}
|
||||||
|
perm, err := models.GetUserRepoPermission(repo, user)
|
||||||
|
if err != nil {
|
||||||
|
log.Error("Unable to get Repo permission of repo %s/%s of User %s", repo.OwnerName, repo.Name, user.Name, err)
|
||||||
|
ctx.JSON(http.StatusInternalServerError, map[string]interface{}{
|
||||||
|
"err": fmt.Sprintf("Unable to get Repo permission of repo %s/%s of User %s: %v", repo.OwnerName, repo.Name, user.Name, err),
|
||||||
|
})
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Now check if the user is allowed to merge PRs for this repository
|
||||||
|
allowedMerge, err := pull_service.IsUserAllowedToMerge(pr, perm, user)
|
||||||
|
if err != nil {
|
||||||
|
log.Error("Error calculating if allowed to merge: %v", err)
|
||||||
|
ctx.JSON(http.StatusInternalServerError, map[string]interface{}{
|
||||||
|
"err": fmt.Sprintf("Error calculating if allowed to merge: %v", err),
|
||||||
|
})
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
if !allowedMerge {
|
||||||
|
log.Warn("Forbidden: User %d is not allowed to push to protected branch: %s in %-v and is not allowed to merge pr #%d", opts.UserID, branchName, repo, pr.Index)
|
||||||
|
ctx.JSON(http.StatusForbidden, map[string]interface{}{
|
||||||
|
"err": fmt.Sprintf("Not allowed to push to protected branch %s", branchName),
|
||||||
|
})
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// If we're an admin for the repository we can ignore status checks, reviews and override protected files
|
||||||
|
if perm.IsAdmin() {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
// Now if we're not an admin - we can't overwrite protected files so fail now
|
||||||
|
if changedProtectedfiles {
|
||||||
|
log.Warn("Forbidden: Branch: %s in %-v is protected from changing file %s", branchName, repo, protectedFilePath)
|
||||||
|
ctx.JSON(http.StatusForbidden, map[string]interface{}{
|
||||||
|
"err": fmt.Sprintf("branch %s is protected from changing file %s", branchName, protectedFilePath),
|
||||||
|
})
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check all status checks and reviews are ok
|
||||||
|
if err := pull_service.CheckPRReadyToMerge(pr, true); err != nil {
|
||||||
|
if models.IsErrNotAllowedToMerge(err) {
|
||||||
|
log.Warn("Forbidden: User %d is not allowed push to protected branch %s in %-v and pr #%d is not ready to be merged: %s", opts.UserID, branchName, repo, pr.Index, err.Error())
|
||||||
|
ctx.JSON(http.StatusForbidden, map[string]interface{}{
|
||||||
|
"err": fmt.Sprintf("Not allowed to push to protected branch %s and pr #%d is not ready to be merged: %s", branchName, opts.ProtectedBranchID, err.Error()),
|
||||||
|
})
|
||||||
|
return
|
||||||
|
}
|
||||||
|
log.Error("Unable to check if mergable: protected branch %s in %-v and pr #%d. Error: %v", opts.UserID, branchName, repo, pr.Index, err)
|
||||||
|
ctx.JSON(http.StatusInternalServerError, map[string]interface{}{
|
||||||
|
"err": fmt.Sprintf("Unable to get status of pull request %d. Error: %v", opts.ProtectedBranchID, err),
|
||||||
|
})
|
||||||
|
return
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -1426,6 +1426,9 @@ func ViewIssue(ctx *context.Context) {
|
||||||
ctx.Data["IsBlockedByOutdatedBranch"] = pull.ProtectedBranch.MergeBlockedByOutdatedBranch(pull)
|
ctx.Data["IsBlockedByOutdatedBranch"] = pull.ProtectedBranch.MergeBlockedByOutdatedBranch(pull)
|
||||||
ctx.Data["GrantedApprovals"] = cnt
|
ctx.Data["GrantedApprovals"] = cnt
|
||||||
ctx.Data["RequireSigned"] = pull.ProtectedBranch.RequireSignedCommits
|
ctx.Data["RequireSigned"] = pull.ProtectedBranch.RequireSignedCommits
|
||||||
|
ctx.Data["ChangedProtectedFiles"] = pull.ChangedProtectedFiles
|
||||||
|
ctx.Data["IsBlockedByChangedProtectedFiles"] = len(pull.ChangedProtectedFiles) != 0
|
||||||
|
ctx.Data["ChangedProtectedFilesNum"] = len(pull.ChangedProtectedFiles)
|
||||||
}
|
}
|
||||||
ctx.Data["WillSign"] = false
|
ctx.Data["WillSign"] = false
|
||||||
if ctx.User != nil {
|
if ctx.User != nil {
|
||||||
|
|
|
@ -624,6 +624,20 @@ func ViewPullFiles(ctx *context.Context) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if err = pull.LoadProtectedBranch(); err != nil {
|
||||||
|
ctx.ServerError("LoadProtectedBranch", err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
if pull.ProtectedBranch != nil {
|
||||||
|
glob := pull.ProtectedBranch.GetProtectedFilePatterns()
|
||||||
|
if len(glob) != 0 {
|
||||||
|
for _, file := range diff.Files {
|
||||||
|
file.IsProtected = pull.ProtectedBranch.IsProtectedFile(glob, file.Name)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
ctx.Data["Diff"] = diff
|
ctx.Data["Diff"] = diff
|
||||||
ctx.Data["DiffNotAvailable"] = diff.NumFiles == 0
|
ctx.Data["DiffNotAvailable"] = diff.NumFiles == 0
|
||||||
|
|
||||||
|
@ -772,7 +786,7 @@ func MergePullRequest(ctx *context.Context, form auth.MergePullRequestForm) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := pull_service.CheckPRReadyToMerge(pr); err != nil {
|
if err := pull_service.CheckPRReadyToMerge(pr, false); err != nil {
|
||||||
if !models.IsErrNotAllowedToMerge(err) {
|
if !models.IsErrNotAllowedToMerge(err) {
|
||||||
ctx.ServerError("Merge PR status", err)
|
ctx.ServerError("Merge PR status", err)
|
||||||
return
|
return
|
||||||
|
|
|
@ -16,6 +16,7 @@ import (
|
||||||
"code.gitea.io/gitea/modules/git"
|
"code.gitea.io/gitea/modules/git"
|
||||||
"code.gitea.io/gitea/modules/log"
|
"code.gitea.io/gitea/modules/log"
|
||||||
"code.gitea.io/gitea/modules/setting"
|
"code.gitea.io/gitea/modules/setting"
|
||||||
|
pull_service "code.gitea.io/gitea/services/pull"
|
||||||
)
|
)
|
||||||
|
|
||||||
// ProtectedBranch render the page to protect the repository
|
// ProtectedBranch render the page to protect the repository
|
||||||
|
@ -262,6 +263,10 @@ func SettingsProtectedBranchPost(ctx *context.Context, f auth.ProtectBranchForm)
|
||||||
ctx.ServerError("UpdateProtectBranch", err)
|
ctx.ServerError("UpdateProtectBranch", err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
if err = pull_service.CheckPrsForBaseBranch(ctx.Repo.Repository, protectBranch.BranchName); err != nil {
|
||||||
|
ctx.ServerError("CheckPrsForBaseBranch", err)
|
||||||
|
return
|
||||||
|
}
|
||||||
ctx.Flash.Success(ctx.Tr("repo.settings.update_protect_branch_success", branch))
|
ctx.Flash.Success(ctx.Tr("repo.settings.update_protect_branch_success", branch))
|
||||||
ctx.Redirect(fmt.Sprintf("%s/settings/branches/%s", ctx.Repo.RepoLink, branch))
|
ctx.Redirect(fmt.Sprintf("%s/settings/branches/%s", ctx.Repo.RepoLink, branch))
|
||||||
} else {
|
} else {
|
||||||
|
|
|
@ -351,6 +351,7 @@ type DiffFile struct {
|
||||||
IsSubmodule bool
|
IsSubmodule bool
|
||||||
Sections []*DiffSection
|
Sections []*DiffSection
|
||||||
IsIncomplete bool
|
IsIncomplete bool
|
||||||
|
IsProtected bool
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetType returns type of diff file.
|
// GetType returns type of diff file.
|
||||||
|
|
|
@ -62,7 +62,7 @@ func checkAndUpdateStatus(pr *models.PullRequest) {
|
||||||
}
|
}
|
||||||
|
|
||||||
if !has {
|
if !has {
|
||||||
if err := pr.UpdateColsIfNotMerged("merge_base", "status", "conflicted_files"); err != nil {
|
if err := pr.UpdateColsIfNotMerged("merge_base", "status", "conflicted_files", "changed_protected_files"); err != nil {
|
||||||
log.Error("Update[%d]: %v", pr.ID, err)
|
log.Error("Update[%d]: %v", pr.ID, err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -228,6 +228,20 @@ func handle(data ...queue.Data) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// CheckPrsForBaseBranch check all pulls with bseBrannch
|
||||||
|
func CheckPrsForBaseBranch(baseRepo *models.Repository, baseBranchName string) error {
|
||||||
|
prs, err := models.GetUnmergedPullRequestsByBaseInfo(baseRepo.ID, baseBranchName)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, pr := range prs {
|
||||||
|
AddToTaskQueue(pr)
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
// Init runs the task queue to test all the checking status pull requests
|
// Init runs the task queue to test all the checking status pull requests
|
||||||
func Init() error {
|
func Init() error {
|
||||||
prQueue = queue.CreateUniqueQueue("pr_patch_checker", handle, "").(queue.UniqueQueue)
|
prQueue = queue.CreateUniqueQueue("pr_patch_checker", handle, "").(queue.UniqueQueue)
|
||||||
|
|
|
@ -559,7 +559,7 @@ func IsUserAllowedToMerge(pr *models.PullRequest, p models.Permission, user *mod
|
||||||
}
|
}
|
||||||
|
|
||||||
// CheckPRReadyToMerge checks whether the PR is ready to be merged (reviews and status checks)
|
// CheckPRReadyToMerge checks whether the PR is ready to be merged (reviews and status checks)
|
||||||
func CheckPRReadyToMerge(pr *models.PullRequest) (err error) {
|
func CheckPRReadyToMerge(pr *models.PullRequest, skipProtectedFilesCheck bool) (err error) {
|
||||||
if err = pr.LoadBaseRepo(); err != nil {
|
if err = pr.LoadBaseRepo(); err != nil {
|
||||||
return fmt.Errorf("LoadBaseRepo: %v", err)
|
return fmt.Errorf("LoadBaseRepo: %v", err)
|
||||||
}
|
}
|
||||||
|
@ -598,5 +598,15 @@ func CheckPRReadyToMerge(pr *models.PullRequest) (err error) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if skipProtectedFilesCheck {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
if pr.ProtectedBranch.MergeBlockedByProtectedFiles(pr) {
|
||||||
|
return models.ErrNotAllowedToMerge{
|
||||||
|
Reason: "Changed protected files",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -18,6 +18,8 @@ import (
|
||||||
"code.gitea.io/gitea/modules/git"
|
"code.gitea.io/gitea/modules/git"
|
||||||
"code.gitea.io/gitea/modules/log"
|
"code.gitea.io/gitea/modules/log"
|
||||||
"code.gitea.io/gitea/modules/util"
|
"code.gitea.io/gitea/modules/util"
|
||||||
|
|
||||||
|
"github.com/gobwas/glob"
|
||||||
)
|
)
|
||||||
|
|
||||||
// DownloadDiffOrPatch will write the patch for the pr to the writer
|
// DownloadDiffOrPatch will write the patch for the pr to the writer
|
||||||
|
@ -66,6 +68,7 @@ func TestPatch(pr *models.PullRequest) error {
|
||||||
}
|
}
|
||||||
defer gitRepo.Close()
|
defer gitRepo.Close()
|
||||||
|
|
||||||
|
// 1. update merge base
|
||||||
pr.MergeBase, err = git.NewCommand("merge-base", "--", "base", "tracking").RunInDir(tmpBasePath)
|
pr.MergeBase, err = git.NewCommand("merge-base", "--", "base", "tracking").RunInDir(tmpBasePath)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
var err2 error
|
var err2 error
|
||||||
|
@ -75,10 +78,32 @@ func TestPatch(pr *models.PullRequest) error {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
pr.MergeBase = strings.TrimSpace(pr.MergeBase)
|
pr.MergeBase = strings.TrimSpace(pr.MergeBase)
|
||||||
|
|
||||||
|
// 2. Check for conflicts
|
||||||
|
if conflicts, err := checkConflicts(pr, gitRepo, tmpBasePath); err != nil || conflicts {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// 3. Check for protected files changes
|
||||||
|
if err = checkPullFilesProtection(pr, gitRepo); err != nil {
|
||||||
|
return fmt.Errorf("pr.CheckPullFilesProtection(): %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(pr.ChangedProtectedFiles) > 0 {
|
||||||
|
log.Trace("Found %d protected files changed", len(pr.ChangedProtectedFiles))
|
||||||
|
}
|
||||||
|
|
||||||
|
pr.Status = models.PullRequestStatusMergeable
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func checkConflicts(pr *models.PullRequest, gitRepo *git.Repository, tmpBasePath string) (bool, error) {
|
||||||
|
// 1. Create a plain patch from head to base
|
||||||
tmpPatchFile, err := ioutil.TempFile("", "patch")
|
tmpPatchFile, err := ioutil.TempFile("", "patch")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Error("Unable to create temporary patch file! Error: %v", err)
|
log.Error("Unable to create temporary patch file! Error: %v", err)
|
||||||
return fmt.Errorf("Unable to create temporary patch file! Error: %v", err)
|
return false, fmt.Errorf("Unable to create temporary patch file! Error: %v", err)
|
||||||
}
|
}
|
||||||
defer func() {
|
defer func() {
|
||||||
_ = util.Remove(tmpPatchFile.Name())
|
_ = util.Remove(tmpPatchFile.Name())
|
||||||
|
@ -87,38 +112,43 @@ func TestPatch(pr *models.PullRequest) error {
|
||||||
if err := gitRepo.GetDiff(pr.MergeBase, "tracking", tmpPatchFile); err != nil {
|
if err := gitRepo.GetDiff(pr.MergeBase, "tracking", tmpPatchFile); err != nil {
|
||||||
tmpPatchFile.Close()
|
tmpPatchFile.Close()
|
||||||
log.Error("Unable to get patch file from %s to %s in %s Error: %v", pr.MergeBase, pr.HeadBranch, pr.BaseRepo.FullName(), err)
|
log.Error("Unable to get patch file from %s to %s in %s Error: %v", pr.MergeBase, pr.HeadBranch, pr.BaseRepo.FullName(), err)
|
||||||
return fmt.Errorf("Unable to get patch file from %s to %s in %s Error: %v", pr.MergeBase, pr.HeadBranch, pr.BaseRepo.FullName(), err)
|
return false, fmt.Errorf("Unable to get patch file from %s to %s in %s Error: %v", pr.MergeBase, pr.HeadBranch, pr.BaseRepo.FullName(), err)
|
||||||
}
|
}
|
||||||
stat, err := tmpPatchFile.Stat()
|
stat, err := tmpPatchFile.Stat()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
tmpPatchFile.Close()
|
tmpPatchFile.Close()
|
||||||
return fmt.Errorf("Unable to stat patch file: %v", err)
|
return false, fmt.Errorf("Unable to stat patch file: %v", err)
|
||||||
}
|
}
|
||||||
patchPath := tmpPatchFile.Name()
|
patchPath := tmpPatchFile.Name()
|
||||||
tmpPatchFile.Close()
|
tmpPatchFile.Close()
|
||||||
|
|
||||||
|
// 1a. if the size of that patch is 0 - there can be no conflicts!
|
||||||
if stat.Size() == 0 {
|
if stat.Size() == 0 {
|
||||||
log.Debug("PullRequest[%d]: Patch is empty - ignoring", pr.ID)
|
log.Debug("PullRequest[%d]: Patch is empty - ignoring", pr.ID)
|
||||||
pr.Status = models.PullRequestStatusMergeable
|
pr.Status = models.PullRequestStatusMergeable
|
||||||
pr.ConflictedFiles = []string{}
|
pr.ConflictedFiles = []string{}
|
||||||
return nil
|
return false, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
log.Trace("PullRequest[%d].testPatch (patchPath): %s", pr.ID, patchPath)
|
log.Trace("PullRequest[%d].testPatch (patchPath): %s", pr.ID, patchPath)
|
||||||
|
|
||||||
|
// 2. preset the pr.Status as checking (this is not save at present)
|
||||||
pr.Status = models.PullRequestStatusChecking
|
pr.Status = models.PullRequestStatusChecking
|
||||||
|
|
||||||
|
// 3. Read the base branch in to the index of the temporary repository
|
||||||
_, err = git.NewCommand("read-tree", "base").RunInDir(tmpBasePath)
|
_, err = git.NewCommand("read-tree", "base").RunInDir(tmpBasePath)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("git read-tree %s: %v", pr.BaseBranch, err)
|
return false, fmt.Errorf("git read-tree %s: %v", pr.BaseBranch, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// 4. Now get the pull request configuration to check if we need to ignore whitespace
|
||||||
prUnit, err := pr.BaseRepo.GetUnit(models.UnitTypePullRequests)
|
prUnit, err := pr.BaseRepo.GetUnit(models.UnitTypePullRequests)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return false, err
|
||||||
}
|
}
|
||||||
prConfig := prUnit.PullRequestsConfig()
|
prConfig := prUnit.PullRequestsConfig()
|
||||||
|
|
||||||
|
// 5. Prepare the arguments to apply the patch against the index
|
||||||
args := []string{"apply", "--check", "--cached"}
|
args := []string{"apply", "--check", "--cached"}
|
||||||
if prConfig.IgnoreWhitespaceConflicts {
|
if prConfig.IgnoreWhitespaceConflicts {
|
||||||
args = append(args, "--ignore-whitespace")
|
args = append(args, "--ignore-whitespace")
|
||||||
|
@ -126,26 +156,44 @@ func TestPatch(pr *models.PullRequest) error {
|
||||||
args = append(args, patchPath)
|
args = append(args, patchPath)
|
||||||
pr.ConflictedFiles = make([]string, 0, 5)
|
pr.ConflictedFiles = make([]string, 0, 5)
|
||||||
|
|
||||||
|
// 6. Prep the pipe:
|
||||||
|
// - Here we could do the equivalent of:
|
||||||
|
// `git apply --check --cached patch_file > conflicts`
|
||||||
|
// Then iterate through the conflicts. However, that means storing all the conflicts
|
||||||
|
// in memory - which is very wasteful.
|
||||||
|
// - alternatively we can do the equivalent of:
|
||||||
|
// `git apply --check ... | grep ...`
|
||||||
|
// meaning we don't store all of the conflicts unnecessarily.
|
||||||
stderrReader, stderrWriter, err := os.Pipe()
|
stderrReader, stderrWriter, err := os.Pipe()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Error("Unable to open stderr pipe: %v", err)
|
log.Error("Unable to open stderr pipe: %v", err)
|
||||||
return fmt.Errorf("Unable to open stderr pipe: %v", err)
|
return false, fmt.Errorf("Unable to open stderr pipe: %v", err)
|
||||||
}
|
}
|
||||||
defer func() {
|
defer func() {
|
||||||
_ = stderrReader.Close()
|
_ = stderrReader.Close()
|
||||||
_ = stderrWriter.Close()
|
_ = stderrWriter.Close()
|
||||||
}()
|
}()
|
||||||
|
|
||||||
|
// 7. Run the check command
|
||||||
conflict := false
|
conflict := false
|
||||||
err = git.NewCommand(args...).
|
err = git.NewCommand(args...).
|
||||||
RunInDirTimeoutEnvFullPipelineFunc(
|
RunInDirTimeoutEnvFullPipelineFunc(
|
||||||
nil, -1, tmpBasePath,
|
nil, -1, tmpBasePath,
|
||||||
nil, stderrWriter, nil,
|
nil, stderrWriter, nil,
|
||||||
func(ctx context.Context, cancel context.CancelFunc) error {
|
func(ctx context.Context, cancel context.CancelFunc) error {
|
||||||
|
// Close the writer end of the pipe to begin processing
|
||||||
_ = stderrWriter.Close()
|
_ = stderrWriter.Close()
|
||||||
|
defer func() {
|
||||||
|
// Close the reader on return to terminate the git command if necessary
|
||||||
|
_ = stderrReader.Close()
|
||||||
|
}()
|
||||||
|
|
||||||
const prefix = "error: patch failed:"
|
const prefix = "error: patch failed:"
|
||||||
const errorPrefix = "error: "
|
const errorPrefix = "error: "
|
||||||
|
|
||||||
conflictMap := map[string]bool{}
|
conflictMap := map[string]bool{}
|
||||||
|
|
||||||
|
// Now scan the output from the command
|
||||||
scanner := bufio.NewScanner(stderrReader)
|
scanner := bufio.NewScanner(stderrReader)
|
||||||
for scanner.Scan() {
|
for scanner.Scan() {
|
||||||
line := scanner.Text()
|
line := scanner.Text()
|
||||||
|
@ -170,25 +218,111 @@ func TestPatch(pr *models.PullRequest) error {
|
||||||
break
|
break
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(conflictMap) > 0 {
|
if len(conflictMap) > 0 {
|
||||||
pr.ConflictedFiles = make([]string, 0, len(conflictMap))
|
pr.ConflictedFiles = make([]string, 0, len(conflictMap))
|
||||||
for key := range conflictMap {
|
for key := range conflictMap {
|
||||||
pr.ConflictedFiles = append(pr.ConflictedFiles, key)
|
pr.ConflictedFiles = append(pr.ConflictedFiles, key)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
_ = stderrReader.Close()
|
|
||||||
return nil
|
return nil
|
||||||
})
|
})
|
||||||
|
|
||||||
|
// 8. If there is a conflict the `git apply` command will return a non-zero error code - so there will be a positive error.
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if conflict {
|
if conflict {
|
||||||
pr.Status = models.PullRequestStatusConflict
|
pr.Status = models.PullRequestStatusConflict
|
||||||
log.Trace("Found %d files conflicted: %v", len(pr.ConflictedFiles), pr.ConflictedFiles)
|
log.Trace("Found %d files conflicted: %v", len(pr.ConflictedFiles), pr.ConflictedFiles)
|
||||||
return nil
|
|
||||||
}
|
|
||||||
return fmt.Errorf("git apply --check: %v", err)
|
|
||||||
}
|
|
||||||
pr.Status = models.PullRequestStatusMergeable
|
|
||||||
|
|
||||||
|
return true, nil
|
||||||
|
}
|
||||||
|
return false, fmt.Errorf("git apply --check: %v", err)
|
||||||
|
}
|
||||||
|
return false, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// CheckFileProtection check file Protection
|
||||||
|
func CheckFileProtection(oldCommitID, newCommitID string, patterns []glob.Glob, limit int, env []string, repo *git.Repository) ([]string, error) {
|
||||||
|
// 1. If there are no patterns short-circuit and just return nil
|
||||||
|
if len(patterns) == 0 {
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// 2. Prep the pipe
|
||||||
|
stdoutReader, stdoutWriter, err := os.Pipe()
|
||||||
|
if err != nil {
|
||||||
|
log.Error("Unable to create os.Pipe for %s", repo.Path)
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
defer func() {
|
||||||
|
_ = stdoutReader.Close()
|
||||||
|
_ = stdoutWriter.Close()
|
||||||
|
}()
|
||||||
|
|
||||||
|
changedProtectedFiles := make([]string, 0, limit)
|
||||||
|
|
||||||
|
// 3. Run `git diff --name-only` to get the names of the changed files
|
||||||
|
err = git.NewCommand("diff", "--name-only", oldCommitID, newCommitID).
|
||||||
|
RunInDirTimeoutEnvFullPipelineFunc(env, -1, repo.Path,
|
||||||
|
stdoutWriter, nil, nil,
|
||||||
|
func(ctx context.Context, cancel context.CancelFunc) error {
|
||||||
|
// Close the writer end of the pipe to begin processing
|
||||||
|
_ = stdoutWriter.Close()
|
||||||
|
defer func() {
|
||||||
|
// Close the reader on return to terminate the git command if necessary
|
||||||
|
_ = stdoutReader.Close()
|
||||||
|
}()
|
||||||
|
|
||||||
|
// Now scan the output from the command
|
||||||
|
scanner := bufio.NewScanner(stdoutReader)
|
||||||
|
for scanner.Scan() {
|
||||||
|
path := strings.TrimSpace(scanner.Text())
|
||||||
|
if len(path) == 0 {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
lpath := strings.ToLower(path)
|
||||||
|
for _, pat := range patterns {
|
||||||
|
if pat.Match(lpath) {
|
||||||
|
changedProtectedFiles = append(changedProtectedFiles, path)
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if len(changedProtectedFiles) >= limit {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(changedProtectedFiles) > 0 {
|
||||||
|
return models.ErrFilePathProtected{
|
||||||
|
Path: changedProtectedFiles[0],
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return scanner.Err()
|
||||||
|
})
|
||||||
|
// 4. log real errors if there are any...
|
||||||
|
if err != nil && !models.IsErrFilePathProtected(err) {
|
||||||
|
log.Error("Unable to check file protection for commits from %s to %s in %s: %v", oldCommitID, newCommitID, repo.Path, err)
|
||||||
|
}
|
||||||
|
|
||||||
|
return changedProtectedFiles, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// checkPullFilesProtection check if pr changed protected files and save results
|
||||||
|
func checkPullFilesProtection(pr *models.PullRequest, gitRepo *git.Repository) error {
|
||||||
|
if err := pr.LoadProtectedBranch(); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
if pr.ProtectedBranch == nil {
|
||||||
|
pr.ChangedProtectedFiles = nil
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
var err error
|
||||||
|
pr.ChangedProtectedFiles, err = CheckFileProtection(pr.MergeBase, "tracking", pr.ProtectedBranch.GetProtectedFilePatterns(), 10, os.Environ(), gitRepo)
|
||||||
|
if err != nil && !models.IsErrFilePathProtected(err) {
|
||||||
|
return err
|
||||||
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -173,7 +173,7 @@ func ChangeTargetBranch(pr *models.PullRequest, doer *models.User, targetBranch
|
||||||
pr.CommitsAhead = divergence.Ahead
|
pr.CommitsAhead = divergence.Ahead
|
||||||
pr.CommitsBehind = divergence.Behind
|
pr.CommitsBehind = divergence.Behind
|
||||||
|
|
||||||
if err := pr.UpdateColsIfNotMerged("merge_base", "status", "conflicted_files", "base_branch", "commits_ahead", "commits_behind"); err != nil {
|
if err := pr.UpdateColsIfNotMerged("merge_base", "status", "conflicted_files", "changed_protected_files", "base_branch", "commits_ahead", "commits_behind"); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -68,6 +68,9 @@
|
||||||
</div>
|
</div>
|
||||||
<span class="file">{{$file.Name}}</span>
|
<span class="file">{{$file.Name}}</span>
|
||||||
<div>{{$.i18n.Tr "repo.diff.file_suppressed"}}</div>
|
<div>{{$.i18n.Tr "repo.diff.file_suppressed"}}</div>
|
||||||
|
{{if $file.IsProtected}}
|
||||||
|
<span class="ui right basic label">{{$.i18n.Tr "repo.diff.protected"}}</span>
|
||||||
|
{{end}}
|
||||||
{{if and (not $file.IsSubmodule) (not $.PageIsWiki)}}
|
{{if and (not $file.IsSubmodule) (not $.PageIsWiki)}}
|
||||||
{{if $file.IsDeleted}}
|
{{if $file.IsDeleted}}
|
||||||
<a class="ui basic grey tiny button" rel="nofollow" href="{{EscapePound $.BeforeSourcePath}}/{{EscapePound .Name}}">{{$.i18n.Tr "repo.diff.view_file"}}</a>
|
<a class="ui basic grey tiny button" rel="nofollow" href="{{EscapePound $.BeforeSourcePath}}/{{EscapePound .Name}}">{{$.i18n.Tr "repo.diff.view_file"}}</a>
|
||||||
|
@ -104,6 +107,9 @@
|
||||||
{{end}}
|
{{end}}
|
||||||
</div>
|
</div>
|
||||||
<span class="file">{{if $file.IsRenamed}}{{$file.OldName}} → {{end}}{{$file.Name}}{{if .IsLFSFile}} ({{$.i18n.Tr "repo.stored_lfs"}}){{end}}</span>
|
<span class="file">{{if $file.IsRenamed}}{{$file.OldName}} → {{end}}{{$file.Name}}{{if .IsLFSFile}} ({{$.i18n.Tr "repo.stored_lfs"}}){{end}}</span>
|
||||||
|
{{if $file.IsProtected}}
|
||||||
|
<span class="ui right basic label">{{$.i18n.Tr "repo.diff.protected"}}</span>
|
||||||
|
{{end}}
|
||||||
{{if and (not $file.IsSubmodule) (not $.PageIsWiki)}}
|
{{if and (not $file.IsSubmodule) (not $.PageIsWiki)}}
|
||||||
{{if $file.IsDeleted}}
|
{{if $file.IsDeleted}}
|
||||||
<a class="ui basic grey tiny button" rel="nofollow" href="{{EscapePound $.BeforeSourcePath}}/{{EscapePound .Name}}">{{$.i18n.Tr "repo.diff.view_file"}}</a>
|
<a class="ui basic grey tiny button" rel="nofollow" href="{{EscapePound $.BeforeSourcePath}}/{{EscapePound .Name}}">{{$.i18n.Tr "repo.diff.view_file"}}</a>
|
||||||
|
|
|
@ -67,6 +67,7 @@
|
||||||
{{- else if .IsBlockedByApprovals}}red
|
{{- else if .IsBlockedByApprovals}}red
|
||||||
{{- else if .IsBlockedByRejection}}red
|
{{- else if .IsBlockedByRejection}}red
|
||||||
{{- else if .IsBlockedByOutdatedBranch}}red
|
{{- else if .IsBlockedByOutdatedBranch}}red
|
||||||
|
{{- else if .IsBlockedByChangedProtectedFiles}}red
|
||||||
{{- else if and .EnableStatusCheck (or .RequiredStatusCheckState.IsFailure .RequiredStatusCheckState.IsError)}}red
|
{{- else if and .EnableStatusCheck (or .RequiredStatusCheckState.IsFailure .RequiredStatusCheckState.IsError)}}red
|
||||||
{{- else if and .EnableStatusCheck (or (not $.LatestCommitStatus) .RequiredStatusCheckState.IsPending .RequiredStatusCheckState.IsWarning)}}yellow
|
{{- else if and .EnableStatusCheck (or (not $.LatestCommitStatus) .RequiredStatusCheckState.IsPending .RequiredStatusCheckState.IsWarning)}}yellow
|
||||||
{{- else if and .AllowMerge .RequireSigned (not .WillSign)}}red
|
{{- else if and .AllowMerge .RequireSigned (not .WillSign)}}red
|
||||||
|
@ -145,6 +146,16 @@
|
||||||
<i class="icon icon-octicon">{{svg "octicon-x"}}</i>
|
<i class="icon icon-octicon">{{svg "octicon-x"}}</i>
|
||||||
{{$.i18n.Tr "repo.pulls.blocked_by_outdated_branch"}}
|
{{$.i18n.Tr "repo.pulls.blocked_by_outdated_branch"}}
|
||||||
</div>
|
</div>
|
||||||
|
{{else if .IsBlockedByChangedProtectedFiles}}
|
||||||
|
<div class="item text red">
|
||||||
|
<i class="icon icon-octicon">{{svg "octicon-x" 16}}</i>
|
||||||
|
{{$.i18n.Tr (TrN $.i18n.Lang $.ChangedProtectedFilesNum "repo.pulls.blocked_by_changed_protected_files_1" "repo.pulls.blocked_by_changed_protected_files_n") | Safe }}
|
||||||
|
<div class="ui ordered list">
|
||||||
|
{{range .ChangedProtectedFiles}}
|
||||||
|
<div data-value="-" class="item">{{.}}</div>
|
||||||
|
{{end}}
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
{{else if and .EnableStatusCheck (or .RequiredStatusCheckState.IsError .RequiredStatusCheckState.IsFailure)}}
|
{{else if and .EnableStatusCheck (or .RequiredStatusCheckState.IsError .RequiredStatusCheckState.IsFailure)}}
|
||||||
<div class="item text red">
|
<div class="item text red">
|
||||||
<i class="icon icon-octicon">{{svg "octicon-x"}}</i>
|
<i class="icon icon-octicon">{{svg "octicon-x"}}</i>
|
||||||
|
@ -165,7 +176,7 @@
|
||||||
{{$.i18n.Tr (printf "repo.signing.wont_sign.%s" .WontSignReason) }}
|
{{$.i18n.Tr (printf "repo.signing.wont_sign.%s" .WontSignReason) }}
|
||||||
</div>
|
</div>
|
||||||
{{end}}
|
{{end}}
|
||||||
{{$notAllOverridableChecksOk := or .IsBlockedByApprovals .IsBlockedByRejection .IsBlockedByOutdatedBranch (and .EnableStatusCheck (not .RequiredStatusCheckState.IsSuccess))}}
|
{{$notAllOverridableChecksOk := or .IsBlockedByApprovals .IsBlockedByRejection .IsBlockedByOutdatedBranch .IsBlockedByChangedProtectedFiles (and .EnableStatusCheck (not .RequiredStatusCheckState.IsSuccess))}}
|
||||||
{{if and (or $.IsRepoAdmin (not $notAllOverridableChecksOk)) (or (not .AllowMerge) (not .RequireSigned) .WillSign)}}
|
{{if and (or $.IsRepoAdmin (not $notAllOverridableChecksOk)) (or (not .AllowMerge) (not .RequireSigned) .WillSign)}}
|
||||||
{{if $notAllOverridableChecksOk}}
|
{{if $notAllOverridableChecksOk}}
|
||||||
<div class="item text yellow">
|
<div class="item text yellow">
|
||||||
|
@ -360,6 +371,16 @@
|
||||||
<i class="icon icon-octicon">{{svg "octicon-x"}}</i>
|
<i class="icon icon-octicon">{{svg "octicon-x"}}</i>
|
||||||
{{$.i18n.Tr "repo.pulls.blocked_by_outdated_branch"}}
|
{{$.i18n.Tr "repo.pulls.blocked_by_outdated_branch"}}
|
||||||
</div>
|
</div>
|
||||||
|
{{else if .IsBlockedByChangedProtectedFiles}}
|
||||||
|
<div class="item text red">
|
||||||
|
<i class="icon icon-octicon">{{svg "octicon-x" 16}}</i>
|
||||||
|
{{$.i18n.Tr (TrN $.i18n.Lang $.ChangedProtectedFilesNum "repo.pulls.blocked_by_changed_protected_files_1" "repo.pulls.blocked_by_changed_protected_files_n") | Safe }}
|
||||||
|
<div class="ui ordered list">
|
||||||
|
{{range .ChangedProtectedFiles}}
|
||||||
|
<div data-value="-" class="item">{{.}}</div>
|
||||||
|
{{end}}
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
{{else if and .EnableStatusCheck (not .RequiredStatusCheckState.IsSuccess)}}
|
{{else if and .EnableStatusCheck (not .RequiredStatusCheckState.IsSuccess)}}
|
||||||
<div class="item text red">
|
<div class="item text red">
|
||||||
{{svg "octicon-x"}}
|
{{svg "octicon-x"}}
|
||||||
|
|
Loading…
Reference in a new issue