Add tag protection

cmd/hook.go

@@ -222,15 +222,15 @@ Gitea or set your environment appropriately.`, "")
 		lastline++
 
 		// If the ref is a branch, check if it's protected
-		if strings.HasPrefix(refFullName, git.BranchPrefix) {
+		if strings.HasPrefix(refFullName, git.BranchPrefix) || strings.HasPrefix(refFullName, git.TagPrefix) {
 			oldCommitIDs[count] = oldCommitID
 			newCommitIDs[count] = newCommitID
 			refFullNames[count] = refFullName
 			count++
 			fmt.Fprintf(out, "*")
 
 			if count >= hookBatchSize {
-				fmt.Fprintf(out, " Checking %d branches\n", count)
+				fmt.Fprintf(out, " Checking %d references\n", count)
 
 				hookOptions.OldCommitIDs = oldCommitIDs
 				hookOptions.NewCommitIDs = newCommitIDs
@@ -261,7 +261,7 @@ Gitea or set your environment appropriately.`, "")
 		hookOptions.NewCommitIDs = newCommitIDs[:count]
 		hookOptions.RefFullNames = refFullNames[:count]
 
-		fmt.Fprintf(out, " Checking %d branches\n", count)
+		fmt.Fprintf(out, " Checking %d references\n", count)
 
 		statusCode, msg := private.HookPreReceive(username, reponame, hookOptions)
 		switch statusCode {

integrations/repo_tag_test.go

@@ -0,0 +1,162 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package integrations
+
+import (
+	"io/ioutil"
+	"net/url"
+	"testing"
+
+	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/modules/git"
+	"code.gitea.io/gitea/modules/util"
+	"code.gitea.io/gitea/services/release"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestIsUserAllowedToControlTag(t *testing.T) {
+	protectedTags := []*models.ProtectedTag{
+		{
+			NamePattern:      "*gitea",
+			WhitelistUserIDs: []int64{1},
+		},
+		{
+			NamePattern:      "v-*",
+			WhitelistUserIDs: []int64{2},
+		},
+		{
+			NamePattern: "release",
+		},
+	}
+
+	cases := []struct {
+		name    string
+		userid  int64
+		allowed bool
+	}{
+		{
+			name:    "test",
+			userid:  1,
+			allowed: true,
+		},
+		{
+			name:    "test",
+			userid:  3,
+			allowed: true,
+		},
+		{
+			name:    "gitea",
+			userid:  1,
+			allowed: true,
+		},
+		{
+			name:    "gitea",
+			userid:  3,
+			allowed: false,
+		},
+		{
+			name:    "test-gitea",
+			userid:  1,
+			allowed: true,
+		},
+		{
+			name:    "test-gitea",
+			userid:  3,
+			allowed: false,
+		},
+		{
+			name:    "gitea-test",
+			userid:  1,
+			allowed: true,
+		},
+		{
+			name:    "gitea-test",
+			userid:  3,
+			allowed: true,
+		},
+		{
+			name:    "v-1",
+			userid:  1,
+			allowed: false,
+		},
+		{
+			name:    "v-1",
+			userid:  2,
+			allowed: true,
+		},
+		{
+			name:    "release",
+			userid:  1,
+			allowed: false,
+		},
+	}
+
+	for n, c := range cases {
+		isAllowed, err := models.IsUserAllowedToControlTag(protectedTags, c.name, c.userid)
+		assert.NoError(t, err)
+		assert.Equal(t, c.allowed, isAllowed, "case %d: error should match", n)
+	}
+}
+
+func TestCreateNewTagProtected(t *testing.T) {
+	defer prepareTestEnv(t)()
+
+	repo := models.AssertExistsAndLoadBean(t, &models.Repository{ID: 1}).(*models.Repository)
+	owner := models.AssertExistsAndLoadBean(t, &models.User{ID: repo.OwnerID}).(*models.User)
+
+	t.Run("API", func(t *testing.T) {
+		defer PrintCurrentTest(t)()
+
+		err := release.CreateNewTag(owner, repo, "master", "v-1", "first tag")
+		assert.NoError(t, err)
+
+		err = models.InsertProtectedTag(&models.ProtectedTag{
+			RepoID:      repo.ID,
+			NamePattern: "v-*",
+		})
+		assert.NoError(t, err)
+		err = models.InsertProtectedTag(&models.ProtectedTag{
+			RepoID:           repo.ID,
+			NamePattern:      "v-1.1",
+			WhitelistUserIDs: []int64{repo.OwnerID},
+		})
+		assert.NoError(t, err)
+
+		err = release.CreateNewTag(owner, repo, "master", "v-2", "second tag")
+		assert.Error(t, err)
+		assert.True(t, models.IsErrInvalidTagName(err))
+		e := err.(models.ErrInvalidTagName)
+		assert.True(t, e.Protected)
+
+		err = release.CreateNewTag(owner, repo, "master", "v-1.1", "third tag")
+		assert.NoError(t, err)
+	})
+
+	t.Run("Git", func(t *testing.T) {
+		defer PrintCurrentTest(t)()
+
+		onGiteaRun(t, func(t *testing.T, u *url.URL) {
+			username := "user2"
+			httpContext := NewAPITestContext(t, username, "repo1")
+
+			dstPath, err := ioutil.TempDir("", httpContext.Reponame)
+			assert.NoError(t, err)
+			defer util.RemoveAll(dstPath)
+
+			u.Path = httpContext.GitPath()
+			u.User = url.UserPassword(username, userPassword)
+
+			doGitClone(dstPath, u)(t)
+
+			_, err = git.NewCommand("tag", "v-2").RunInDir(dstPath)
+			assert.NoError(t, err)
+
+			_, err = git.NewCommand("push", "--tags").RunInDir(dstPath)
+			assert.Error(t, err)
+			assert.Contains(t, err.Error(), "Tag v-2 is protected")
+		})
+	})
+}

models/error.go

@@ -957,7 +957,8 @@ func (err ErrReleaseNotExist) Error() string {
 
 // ErrInvalidTagName represents a "InvalidTagName" kind of error.
 type ErrInvalidTagName struct {
-	TagName string
+	TagName   string
+	Protected bool
 }
 
 // IsErrInvalidTagName checks if an error is a ErrInvalidTagName.
@@ -967,6 +968,9 @@ func IsErrInvalidTagName(err error) bool {
 }
 
 func (err ErrInvalidTagName) Error() string {
+	if err.Protected {
+		return fmt.Sprintf("release tag name is protected [tag_name: %s]", err.TagName)
+	}
 	return fmt.Sprintf("release tag name is not valid [tag_name: %s]", err.TagName)
 }
 

models/migrations/migrations.go

@@ -309,6 +309,8 @@ var migrations = []Migration{
 	NewMigration("Add LFS columns to Mirror", addLFSMirrorColumns),
 	// v179 -> v180
 	NewMigration("Convert avatar url to text", convertAvatarURLToText),
+	// v180 -> v181
+	NewMigration("Create protected tag table", createProtectedTagTable),
 }
 
 // GetCurrentDBVersion returns the current db version

models/migrations/v180.go

@@ -0,0 +1,38 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+	"fmt"
+
+	"code.gitea.io/gitea/modules/timeutil"
+
+	"xorm.io/xorm"
+)
+
+func createProtectedTagTable(x *xorm.Engine) error {
+	type ProtectedTag struct {
+		ID               int64   `xorm:"pk autoincr"`
+		RepoID           int64   `xorm:"UNIQUE(s)"`
+		NamePattern      string  `xorm:"UNIQUE(s)"`
+		WhitelistUserIDs []int64 `xorm:"JSON TEXT"`
+		WhitelistTeamIDs []int64 `xorm:"JSON TEXT"`
+
+		CreatedUnix timeutil.TimeStamp `xorm:"created"`
+		UpdatedUnix timeutil.TimeStamp `xorm:"updated"`
+	}
+
+	sess := x.NewSession()
+	defer sess.Close()
+	if err := sess.Begin(); err != nil {
+		return err
+	}
+
+	if err := sess.Sync2(new(ProtectedTag)); err != nil {
+		return fmt.Errorf("Sync2: %v", err)
+	}
+
+	return sess.Commit()
+}

models/models.go

@@ -134,6 +134,7 @@ func init() {
 		new(ProjectIssue),
 		new(Session),
 		new(RepoTransfer),
+		new(ProtectedTag),
 	)
 
 	gonicNames := []string{"SSL", "UID"}

models/tags.go

@@ -0,0 +1,117 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package models
+
+import (
+	"strings"
+
+	"code.gitea.io/gitea/modules/base"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/timeutil"
+
+	"github.com/gobwas/glob"
+)
+
+// ProtectedTag struct
+type ProtectedTag struct {
+	ID               int64     `xorm:"pk autoincr"`
+	RepoID           int64     `xorm:"UNIQUE(s)"`
+	NamePattern      string    `xorm:"UNIQUE(s)"`
+	NameGlob         glob.Glob `xorm:"-"`
+	WhitelistUserIDs []int64   `xorm:"JSON TEXT"`
+	WhitelistTeamIDs []int64   `xorm:"JSON TEXT"`
+
+	CreatedUnix timeutil.TimeStamp `xorm:"created"`
+	UpdatedUnix timeutil.TimeStamp `xorm:"updated"`
+}
+
+// BeforeInsert will be invoked by XORM before inserting a record
+func (pt *ProtectedTag) BeforeInsert() {
+	pt.CreatedUnix = timeutil.TimeStampNow()
+	pt.UpdatedUnix = timeutil.TimeStampNow()
+}
+
+// BeforeUpdate is invoked from XORM before updating this object.
+func (pt *ProtectedTag) BeforeUpdate() {
+	pt.UpdatedUnix = timeutil.TimeStampNow()
+}
+
+// InsertProtectedTag inserts a protected tag to database
+func InsertProtectedTag(pt *ProtectedTag) error {
+	_, err := x.Insert(pt)
+	return err
+}
+
+// UpdateProtectedTag updates the protected tag
+func UpdateProtectedTag(pt *ProtectedTag) error {
+	_, err := x.ID(pt.ID).AllCols().Update(pt)
+	return err
+}
+
+// DeleteProtectedTag deletes a protected tag by ID
+func DeleteProtectedTag(pt *ProtectedTag) error {
+	_, err := x.Delete(&ProtectedTag{ID: pt.ID})
+	return err
+}
+
+// EnsureCompiledPattern returns if the branch is protected
+func (pt *ProtectedTag) EnsureCompiledPattern() error {
+	if pt.NameGlob != nil {
+		return nil
+	}
+
+	expr := strings.TrimSpace(pt.NamePattern)
+
+	var err error
+	pt.NameGlob, err = glob.Compile(expr)
+	return err
+}
+
+// IsUserAllowed returns true if the user is allowed to modify the tag
+func (pt *ProtectedTag) IsUserAllowed(userID int64) bool {
+	if base.Int64sContains(pt.WhitelistUserIDs, userID) {
+		return true
+	}
+
+	if len(pt.WhitelistTeamIDs) == 0 {
+		return false
+	}
+
+	in, err := IsUserInTeams(userID, pt.WhitelistTeamIDs)
+	if err != nil {
+		log.Error("IsUserInTeams: %v", err)
+		return false
+	}
+	return in
+}
+
+// GetProtectedTags gets all protected tags
+func (repo *Repository) GetProtectedTags() ([]*ProtectedTag, error) {
+	tags := make([]*ProtectedTag, 0)
+	return tags, x.Find(&tags, &ProtectedTag{RepoID: repo.ID})
+}
+
+// IsUserAllowedToControlTag checks if a user can control the specific tag.
+// It returns true if the tag name is not protected or the user is allowed to control it.
+func IsUserAllowedToControlTag(tags []*ProtectedTag, tagName string, userID int64) (bool, error) {
+	isAllowed := true
+	for _, tag := range tags {
+		if err := tag.EnsureCompiledPattern(); err != nil {
+			log.Error("EnsureCompiledPattern failed: %v", err)
+			return false, err
+		}
+
+		if !tag.NameGlob.Match(tagName) {
+			continue
+		}
+
+		isAllowed = tag.IsUserAllowed(userID)
+		if isAllowed {
+			break
+		}
+	}
+
+	return isAllowed, nil
+}