3396440926
Add organization-scoped branch protection rules that cascade to all
repos within the org. Repo-level rules take precedence; org rules
serve as the fallback when no repo rule matches a branch.
- New table: org_protected_branch (migration v332)
- OrgProtectedBranch model with full CRUD operations
- API endpoints: GET/POST/PATCH/DELETE /api/v1/orgs/{org}/branch_protections
- Inheritance via GetFirstMatchProtectedBranchRule() fallback
- InheritedFrom field added to BranchProtection API response
- Org rules use team-based whitelists (no per-user IDs at org level)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
// Copyright 2022 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package git
import (
"context"
"sort"
"code.gitea.io/gitea/models/db"
repo_model "code.gitea.io/gitea/models/repo"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/glob"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/optional"
)
// ProtectedBranchRules is a list of branch protection rules.
// GetFirstMatched returns the first entry that matches a branch name, so the
// order of the list decides which rule is applied to a branch.
type ProtectedBranchRules []*ProtectedBranch
// GetFirstMatched walks the rules in their current order and returns the first
// one whose Match method accepts branchName. It returns nil when no rule
// matches, which callers treat as "no protection rule applies".
func (rules ProtectedBranchRules) GetFirstMatched(branchName string) *ProtectedBranch {
	for idx := range rules {
		if candidate := rules[idx]; candidate.Match(branchName) {
			return candidate
		}
	}
	return nil
}
// sort orders the rules in place. Rules are compared by Priority first (lower
// value sorts earlier). When priorities are equal, the older ordering applies:
// plain-name rules come before other rules, and within the same kind the rule
// with the smaller CreatedUnix comes first.
func (rules ProtectedBranchRules) sort() {
	less := func(i, j int) bool {
		a, b := rules[i], rules[j]
		// loadGlob is called on both sides before isPlainName is read.
		a.loadGlob()
		b.loadGlob()

		switch {
		case a.Priority != b.Priority:
			// An explicit priority difference decides the order.
			return a.Priority < b.Priority
		case a.isPlainName != b.isPlainName:
			// Plain name comes first, so a plain name means "less".
			return a.isPlainName
		default:
			return a.CreatedUnix < b.CreatedUnix
		}
	}
	sort.Slice(rules, less)
}
// FindRepoProtectedBranchRules loads every protection rule stored for the
// repository identified by repoID and returns them in matching order.
// A query failure is returned as the error with a nil rule list.
func FindRepoProtectedBranchRules(ctx context.Context, repoID int64) (ProtectedBranchRules, error) {
	var found ProtectedBranchRules
	query := db.GetEngine(ctx).Where("repo_id = ?", repoID).Asc("created_unix")
	if err := query.Find(&found); err != nil {
		return nil, err
	}
	// Re-order so that non-glob rules have higher priority, and among rules of
	// the same kind the first created rule has higher priority.
	found.sort()
	return found, nil
}
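// FindAllMatchedBranches returns the names of all non-deleted branches of the
// repository repoID whose name matches the glob pattern ruleName.
//
// Branch names are fetched page by page. A pattern that does not compile is
// returned as an error instead of panicking, because ruleName may originate
// from a request.
func FindAllMatchedBranches(ctx context.Context, repoID int64, ruleName string) ([]string, error) {
	// Compile the pattern once, before paging, rather than once per page.
	// NOTE(review): the pattern is compiled without separator runes; confirm
	// this matches how ProtectedBranch.Match compiles RuleName, otherwise this
	// listing and the enforced rule can disagree on which branches are covered.
	rule, err := glob.Compile(ruleName)
	if err != nil {
		return nil, err
	}

	const pageSize = 100
	results := make([]string, 0, 10)
	for page := 1; ; page++ {
		branchNames, err := FindBranchNames(ctx, FindBranchOptions{
			ListOptions: db.ListOptions{
				PageSize: pageSize,
				Page:     page,
			},
			RepoID:          repoID,
			IsDeletedBranch: optional.Some(false),
		})
		if err != nil {
			return nil, err
		}

		for _, branch := range branchNames {
			if rule.Match(branch) {
				results = append(results, branch)
			}
		}
		// A short page means there is nothing further to fetch.
		if len(branchNames) < pageSize {
			break
		}
	}

	return results, nil
}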
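// GetFirstMatchProtectedBranchRule returns the first protection rule that
// matches branchName.
//
// Repo-level rules are checked first. If none matches, the repository and its
// owner are loaded and, when the owner is an organization, the org-level rule
// returned by FindOrgBranchRuleForBranch is used as the fallback.
//
// It returns (nil, nil) only when every lookup succeeded and no rule applies.
// Any lookup failure is returned as an error, so that callers such as
// IsBranchProtected cannot mistake a failed org-rule query for "this branch is
// not protected".
func GetFirstMatchProtectedBranchRule(ctx context.Context, repoID int64, branchName string) (*ProtectedBranch, error) {
	rules, err := FindRepoProtectedBranchRules(ctx, repoID)
	if err != nil {
		return nil, err
	}
	if matched := rules.GetFirstMatched(branchName); matched != nil {
		return matched, nil
	}

	// Fall back to org-level rules.
	// NOTE(review): these two lookups run on every call where no repo-level
	// rule matches, and a failure to load the repository or its owner is
	// returned as an error; confirm all callers handle that.
	repo, err := repo_model.GetRepositoryByID(ctx, repoID)
	if err != nil {
		return nil, err
	}
	owner, err := user_model.GetUserByID(ctx, repo.OwnerID)
	if err != nil {
		return nil, err
	}
	if !owner.IsOrganization() {
		return nil, nil
	}

	orgRule, err := FindOrgBranchRuleForBranch(ctx, owner.ID, branchName)
	if err != nil {
		// Fail closed: returning (nil, nil) here would make a transient
		// database error look like "no rule matches" and silently disable
		// org-level protection for this request. The log line is kept so the
		// failing call is named in the server log.
		log.Error("FindOrgBranchRuleForBranch: %v", err)
		return nil, err
	}
	if orgRule == nil {
		return nil, nil
	}

	// Convert the org rule to a ProtectedBranch with RepoID set so callers
	// that expect a repo-scoped rule work correctly.
	pb := orgRule.ToProtectedBranch()
	pb.RepoID = repoID
	return pb, nil
}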
// IsBranchProtected reports whether GetFirstMatchProtectedBranchRule finds a
// protection rule for branchName in the repository repoID.
// When the lookup fails it returns false together with the error, so the
// boolean must not be used before the error has been checked.
func IsBranchProtected(ctx context.Context, repoID int64, branchName string) (bool, error) {
	matched, err := GetFirstMatchProtectedBranchRule(ctx, repoID, branchName)
	if err != nil {
		return false, err
	}
	protected := matched != nil
	return protected, nil
}