From 91ed8ed687ee9edbda0098475e66ad41f886d7a5 Mon Sep 17 00:00:00 2001 From: James Edwards-Jones Date: Wed, 15 Mar 2017 22:29:07 +0000 Subject: Protected tags copy/paste from protected branches MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Should provide basic CRUD backend for frontend to work from. Doesn’t include frontend, API, or the internal API used from gitlab-shell --- .../projects/protected_tags_controller.rb | 58 ++++++++++++++++++++++ app/models/concerns/protected_ref_access.rb | 21 ++++++++ app/models/concerns/protected_tag_access.rb | 21 ++++++++ app/models/project.rb | 1 + app/models/protected_branch.rb | 39 +++------------ app/models/protected_ref_matcher.rb | 52 +++++++++++++++++++ app/models/protected_tag.rb | 39 +++++++++++++++ app/models/protected_tag/push_access_level.rb | 21 ++++++++ app/services/protected_tags/create_service.rb | 11 ++++ app/services/protected_tags/update_service.rb | 13 +++++ 10 files changed, 244 insertions(+), 32 deletions(-) create mode 100644 app/controllers/projects/protected_tags_controller.rb create mode 100644 app/models/concerns/protected_ref_access.rb create mode 100644 app/models/concerns/protected_tag_access.rb create mode 100644 app/models/protected_ref_matcher.rb create mode 100644 app/models/protected_tag.rb create mode 100644 app/models/protected_tag/push_access_level.rb create mode 100644 app/services/protected_tags/create_service.rb create mode 100644 app/services/protected_tags/update_service.rb (limited to 'app') diff --git a/app/controllers/projects/protected_tags_controller.rb b/app/controllers/projects/protected_tags_controller.rb new file mode 100644 index 00000000000..5ab5d1d997b --- /dev/null +++ b/app/controllers/projects/protected_tags_controller.rb @@ -0,0 +1,58 @@ +class Projects::ProtectedTagsController < Projects::ApplicationController + include RepositorySettingsRedirect + # Authorize + before_action :require_non_empty_project + before_action :authorize_admin_project! + before_action :load_protected_tag, only: [:show, :update, :destroy] + + layout "project_settings" + + def index + redirect_to_repository_settings(@project) + end + + def create + @protected_tag = ::ProtectedTags::CreateService.new(@project, current_user, protected_tag_params).execute + unless @protected_tag.persisted? + flash[:alert] = @protected_tags.errors.full_messages.join(', ').html_safe + end + redirect_to_repository_settings(@project) + end + + def show + @matching_tags = @protected_tag.matching(@project.repository.tags) + end + + def update + @protected_tag = ::ProtectedTags::UpdateService.new(@project, current_user, protected_tag_params).execute(@protected_tag) + + if @protected_tag.valid? + respond_to do |format| + format.json { render json: @protected_tag, status: :ok } + end + else + respond_to do |format| + format.json { render json: @protected_tag.errors, status: :unprocessable_entity } + end + end + end + + def destroy + @protected_tag.destroy + + respond_to do |format| + format.html { redirect_to_repository_settings(@project) } + format.js { head :ok } + end + end + + private + + def load_protected_tag + @protected_tag = @project.protected_tags.find(params[:id]) + end + + def protected_tag_params + params.require(:protected_tag).permit(:name, push_access_levels_attributes: [:access_level, :id]) + end +end diff --git a/app/models/concerns/protected_ref_access.rb b/app/models/concerns/protected_ref_access.rb new file mode 100644 index 00000000000..9dd4d9c6f24 --- /dev/null +++ b/app/models/concerns/protected_ref_access.rb @@ -0,0 +1,21 @@ +module ProtectedBranchAccess + extend ActiveSupport::Concern + + included do + belongs_to :protected_branch + delegate :project, to: :protected_branch + + scope :master, -> { where(access_level: Gitlab::Access::MASTER) } + scope :developer, -> { where(access_level: Gitlab::Access::DEVELOPER) } + end + + def humanize + self.class.human_access_levels[self.access_level] + end + + def check_access(user) + return true if user.is_admin? + + project.team.max_member_access(user.id) >= access_level + end +end diff --git a/app/models/concerns/protected_tag_access.rb b/app/models/concerns/protected_tag_access.rb new file mode 100644 index 00000000000..cf66a6434b5 --- /dev/null +++ b/app/models/concerns/protected_tag_access.rb @@ -0,0 +1,21 @@ +module ProtectedTagAccess + extend ActiveSupport::Concern + + included do + belongs_to :protected_tag + delegate :project, to: :protected_tag + + scope :master, -> { where(access_level: Gitlab::Access::MASTER) } + scope :developer, -> { where(access_level: Gitlab::Access::DEVELOPER) } + end + + def humanize + self.class.human_access_levels[self.access_level] + end + + def check_access(user) + return true if user.is_admin? + + project.team.max_member_access(user.id) >= access_level + end +end diff --git a/app/models/project.rb b/app/models/project.rb index 4a3faff7d5b..3f1a8a1a1e1 100644 --- a/app/models/project.rb +++ b/app/models/project.rb @@ -132,6 +132,7 @@ class Project < ActiveRecord::Base has_many :snippets, dependent: :destroy, class_name: 'ProjectSnippet' has_many :hooks, dependent: :destroy, class_name: 'ProjectHook' has_many :protected_branches, dependent: :destroy + has_many :protected_tags, dependent: :destroy has_many :project_authorizations has_many :authorized_users, through: :project_authorizations, source: :user, class_name: 'User' diff --git a/app/models/protected_branch.rb b/app/models/protected_branch.rb index 39e979ef15b..7681d5b5112 100644 --- a/app/models/protected_branch.rb +++ b/app/models/protected_branch.rb @@ -18,50 +18,25 @@ class ProtectedBranch < ActiveRecord::Base project.commit(self.name) end - # Returns all protected branches that match the given branch name. - # This realizes all records from the scope built up so far, and does - # _not_ return a relation. - # - # This method optionally takes in a list of `protected_branches` to search - # through, to avoid calling out to the database. def self.matching(branch_name, protected_branches: nil) - (protected_branches || all).select { |protected_branch| protected_branch.matches?(branch_name) } + ProtectedRefMatcher.matching(ProtectedBranch, branch_name, protected_refs: protected_branches) end - # Returns all branches (among the given list of branches [`Gitlab::Git::Branch`]) - # that match the current protected branch. def matching(branches) - branches.select { |branch| self.matches?(branch.name) } + ref_matcher.matching(branches) end - # Checks if the protected branch matches the given branch name. def matches?(branch_name) - return false if self.name.blank? - - exact_match?(branch_name) || wildcard_match?(branch_name) + ref_matcher.matches?(branch_name) end - # Checks if this protected branch contains a wildcard def wildcard? - self.name && self.name.include?('*') + ref_matcher.wildcard? end - protected - - def exact_match?(branch_name) - self.name == branch_name - end - - def wildcard_match?(branch_name) - wildcard_regex === branch_name - end + private - def wildcard_regex - @wildcard_regex ||= begin - name = self.name.gsub('*', 'STAR_DONT_ESCAPE') - quoted_name = Regexp.quote(name) - regex_string = quoted_name.gsub('STAR_DONT_ESCAPE', '.*?') - /\A#{regex_string}\z/ - end + def ref_matcher + @ref_matcher ||= ProtectedRefMatcher.new(self) end end diff --git a/app/models/protected_ref_matcher.rb b/app/models/protected_ref_matcher.rb new file mode 100644 index 00000000000..83f44240259 --- /dev/null +++ b/app/models/protected_ref_matcher.rb @@ -0,0 +1,52 @@ +class ProtectedRefMatcher + def initialize(protected_ref) + @protected_ref = protected_ref + end + + # Returns all protected refs that match the given ref name. + # This realizes all records from the scope built up so far, and does + # _not_ return a relation. + # + # This method optionally takes in a list of `protected_refs` to search + # through, to avoid calling out to the database. + def self.matching(type, ref_name, protected_refs: nil) + (protected_refs || type.all).select { |protected_ref| protected_ref.matches?(ref_name) } + end + + # Returns all branches/tags (among the given list of refs [`Gitlab::Git::Branch`]) + # that match the current protected ref. + def matching(refs) + refs.select { |ref| @protected_ref.matches?(ref.name) } + end + + # Checks if the protected ref matches the given ref name. + def matches?(ref_name) + return false if @protected_ref.name.blank? + + exact_match?(ref_name) || wildcard_match?(ref_name) + end + + # Checks if this protected ref contains a wildcard + def wildcard? + @protected_ref.name && @protected_ref.name.include?('*') + end + + protected + + def exact_match?(ref_name) + @protected_ref.name == ref_name + end + + def wildcard_match?(ref_name) + wildcard_regex === ref_name + end + + def wildcard_regex + @wildcard_regex ||= begin + name = @protected_ref.name.gsub('*', 'STAR_DONT_ESCAPE') + quoted_name = Regexp.quote(name) + regex_string = quoted_name.gsub('STAR_DONT_ESCAPE', '.*?') + /\A#{regex_string}\z/ + end + end +end diff --git a/app/models/protected_tag.rb b/app/models/protected_tag.rb new file mode 100644 index 00000000000..d307549aa49 --- /dev/null +++ b/app/models/protected_tag.rb @@ -0,0 +1,39 @@ +class ProtectedTag < ActiveRecord::Base + include Gitlab::ShellAdapter + + belongs_to :project + validates :name, presence: true + validates :project, presence: true + + has_many :push_access_levels, dependent: :destroy + + validates :push_access_levels, length: { is: 1, message: "are restricted to a single instance per protected tag." } + + accepts_nested_attributes_for :push_access_levels + + def commit + project.commit(self.name) + end + + def self.matching(tag_name, protected_tags: nil) + ProtectedRefMatcher.matching(ProtectedTag, tag_name, protected_refs: protected_tags) + end + + def matching(branches) + ref_matcher.matching(branches) + end + + def matches?(tag_name) + ref_matcher.matches?(tag_name) + end + + def wildcard? + ref_matcher.wildcard? + end + + private + + def ref_matcher + @ref_matcher ||= ProtectedRefMatcher.new(self) + end +end diff --git a/app/models/protected_tag/push_access_level.rb b/app/models/protected_tag/push_access_level.rb new file mode 100644 index 00000000000..9282af841ce --- /dev/null +++ b/app/models/protected_tag/push_access_level.rb @@ -0,0 +1,21 @@ +class ProtectedTag::PushAccessLevel < ActiveRecord::Base + include ProtectedTagAccess + + validates :access_level, presence: true, inclusion: { in: [Gitlab::Access::MASTER, + Gitlab::Access::DEVELOPER, + Gitlab::Access::NO_ACCESS] } + + def self.human_access_levels + { + Gitlab::Access::MASTER => "Masters", + Gitlab::Access::DEVELOPER => "Developers + Masters", + Gitlab::Access::NO_ACCESS => "No one" + }.with_indifferent_access + end + + def check_access(user) + return false if access_level == Gitlab::Access::NO_ACCESS + + super + end +end diff --git a/app/services/protected_tags/create_service.rb b/app/services/protected_tags/create_service.rb new file mode 100644 index 00000000000..faba7865a17 --- /dev/null +++ b/app/services/protected_tags/create_service.rb @@ -0,0 +1,11 @@ +module ProtectedTags + class CreateService < BaseService + attr_reader :protected_tag + + def execute + raise Gitlab::Access::AccessDeniedError unless can?(current_user, :admin_project, project) + + project.protected_tags.create(params) + end + end +end diff --git a/app/services/protected_tags/update_service.rb b/app/services/protected_tags/update_service.rb new file mode 100644 index 00000000000..8a2419efd7b --- /dev/null +++ b/app/services/protected_tags/update_service.rb @@ -0,0 +1,13 @@ +module ProtectedTags + class UpdateService < BaseService + attr_reader :protected_tag + + def execute(protected_tag) + raise Gitlab::Access::AccessDeniedError unless can?(current_user, :admin_project, project) + + @protected_tag = protected_tag + @protected_tag.update(params) + @protected_tag + end + end +end -- cgit v1.2.3