Merge branch 'main' of https://github.com/go-gitea/gitea into refactor-webhook

Author: KN4CK3R

cmd/hook.go

@@ -221,16 +221,16 @@ Gitea or set your environment appropriately.`, "")
 		total++
 		lastline++
 
-		// If the ref is a branch, check if it's protected
-		if strings.HasPrefix(refFullName, git.BranchPrefix) {
+		// If the ref is a branch or tag, check if it's protected
+		if strings.HasPrefix(refFullName, git.BranchPrefix) || strings.HasPrefix(refFullName, git.TagPrefix) {
 			oldCommitIDs[count] = oldCommitID
 			newCommitIDs[count] = newCommitID
 			refFullNames[count] = refFullName
 			count++
 			fmt.Fprintf(out, "*")
 
 			if count >= hookBatchSize {
-				fmt.Fprintf(out, " Checking %d branches\n", count)
+				fmt.Fprintf(out, " Checking %d references\n", count)
 
 				hookOptions.OldCommitIDs = oldCommitIDs
 				hookOptions.NewCommitIDs = newCommitIDs
@@ -261,7 +261,7 @@ Gitea or set your environment appropriately.`, "")
 		hookOptions.NewCommitIDs = newCommitIDs[:count]
 		hookOptions.RefFullNames = refFullNames[:count]
 
-		fmt.Fprintf(out, " Checking %d branches\n", count)
+		fmt.Fprintf(out, " Checking %d references\n", count)
 
 		statusCode, msg := private.HookPreReceive(username, reponame, hookOptions)
 		switch statusCode {

custom/conf/app.example.ini

@@ -705,6 +705,8 @@ PATH =
 ;;
 ;; Minimum amount of time a user must exist before comments are kept when the user is deleted.
 ;USER_DELETE_WITH_COMMENTS_MAX_TIME = 0
+;; Valid site url schemes for user profiles
+;VALID_SITE_URL_SCHEMES=http,https
 
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

docs/content/doc/advanced/config-cheat-sheet.en-us.md

@@ -519,6 +519,7 @@ relation to port exhaustion.
 - `NO_REPLY_ADDRESS`: **noreply.DOMAIN** Value for the domain part of the user's email address in the git log if user has set KeepEmailPrivate to true. DOMAIN resolves to the value in server.DOMAIN.
   The user's email will be replaced with a concatenation of the user name in lower case, "@" and NO_REPLY_ADDRESS.
 - `USER_DELETE_WITH_COMMENTS_MAX_TIME`: **0** Minimum amount of time a user must exist before comments are kept when the user is deleted.
+- `VALID_SITE_URL_SCHEMES`: **http, https**: Valid site url schemes for user profiles
 
 ### Service - Expore (`service.explore`)
 

docs/content/doc/advanced/protected-tags.en-us.md

@@ -0,0 +1,57 @@
+---
+date: "2021-05-14T00:00:00-00:00"
+title: "Protected tags"
+slug: "protected-tags"
+weight: 45
+toc: false
+draft: false
+menu:
+  sidebar:
+    parent: "advanced"
+    name: "Protected tags"
+    weight: 45
+    identifier: "protected-tags"
+---
+
+# Protected tags
+
+Protected tags allow control over who has permission to create or update git tags. Each rule allows you to match either an individual tag name, or use an appropriate pattern to control multiple tags at once. 
+
+**Table of Contents**
+
+{{< toc >}}
+
+## Setting up protected tags
+
+To protect a tag, you need to follow these steps:
+
+1. Go to the repository’s **Settings** > **Tags** page.
+1. Type a pattern to match a name. You can use a single name, a [glob pattern](https://pkg.go.dev/github.com/gobwas/glob#Compile) or a regular expression.
+1. Choose the allowed users and/or teams. If you leave these fields empty noone is allowed to create or modify this tag.
+1. Select **Save** to save the configuration.
+
+## Pattern protected tags
+
+The pattern uses [glob](https://pkg.go.dev/github.com/gobwas/glob#Compile) or regular expressions to match a tag name. For regular expressions you need to enclose the pattern in slashes.
+
+Examples:
+
+| Type  | Pattern Protected Tag    | Possible Matching Tags                  |
+| ----- | ------------------------ | --------------------------------------- |
+| Glob  | `v*`                     | `v`, `v-1`, `version2`                  |
+| Glob  | `v[0-9]`                 | `v0`, `v1` up to `v9`                   |
+| Glob  | `*-release`              | `2.1-release`, `final-release`          |
+| Glob  | `gitea`                  | only `gitea`                            |
+| Glob  | `*gitea*`                | `gitea`, `2.1-gitea`, `1_gitea-release` |
+| Glob  | `{v,rel}-*`              | `v-`, `v-1`, `v-final`, `rel-`, `rel-x` |
+| Glob  | `*`                      | matches all possible tag names          |
+| Regex | `/\Av/`                  | `v`, `v-1`, `version2`                  |
+| Regex | `/\Av[0-9]\z/`           | `v0`, `v1` up to `v9`                   |
+| Regex | `/\Av\d+\.\d+\.\d+\z/`   | `v1.0.17`, `v2.1.0`                     |
+| Regex | `/\Av\d+(\.\d+){0,2}\z/` | `v1`, `v2.1`, `v1.2.34`                 |
+| Regex | `/-release\z/`           | `2.1-release`, `final-release`          |
+| Regex | `/gitea/`                | `gitea`, `2.1-gitea`, `1_gitea-release` |
+| Regex | `/\Agitea\z/`            | only `gitea`                            |
+| Regex | `/^gitea$/`              | only `gitea`                            |
+| Regex | `/\A(v\|rel)-/`          | `v-`, `v-1`, `v-final`, `rel-`, `rel-x` |
+| Regex | `/.+/`                   | matches all possible tag names          |

docs/content/doc/usage/reverse-proxies.en-us.md

@@ -221,6 +221,9 @@ If you wish to run Gitea with IIS. You will need to setup IIS with URL Rewrite a
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
 <configuration>
+    <system.web>
+        <httpRuntime requestPathInvalidCharacters="" />
+    </system.web>
     <system.webServer>
         <security>
           <requestFiltering>

integrations/api_user_heatmap_test.go

@@ -26,7 +26,7 @@ func TestUserHeatmap(t *testing.T) {
 	var heatmap []*models.UserHeatmapData
 	DecodeJSON(t, resp, &heatmap)
 	var dummyheatmap []*models.UserHeatmapData
-	dummyheatmap = append(dummyheatmap, &models.UserHeatmapData{Timestamp: 1603152000, Contributions: 1})
+	dummyheatmap = append(dummyheatmap, &models.UserHeatmapData{Timestamp: 1603227600, Contributions: 1})
 
 	assert.Equal(t, dummyheatmap, heatmap)
 }

integrations/mirror_pull_test.go

@@ -59,7 +59,9 @@ func TestMirrorPull(t *testing.T) {
 
 	assert.NoError(t, release_service.CreateRelease(gitRepo, &models.Release{
 		RepoID:       repo.ID,
+		Repo:         repo,
 		PublisherID:  user.ID,
+		Publisher:    user,
 		TagName:      "v0.2",
 		Target:       "master",
 		Title:        "v0.2 is released",

integrations/repo_tag_test.go

@@ -0,0 +1,74 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package integrations
+
+import (
+	"io/ioutil"
+	"net/url"
+	"testing"
+
+	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/modules/git"
+	"code.gitea.io/gitea/modules/util"
+	"code.gitea.io/gitea/services/release"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCreateNewTagProtected(t *testing.T) {
+	defer prepareTestEnv(t)()
+
+	repo := models.AssertExistsAndLoadBean(t, &models.Repository{ID: 1}).(*models.Repository)
+	owner := models.AssertExistsAndLoadBean(t, &models.User{ID: repo.OwnerID}).(*models.User)
+
+	t.Run("API", func(t *testing.T) {
+		defer PrintCurrentTest(t)()
+
+		err := release.CreateNewTag(owner, repo, "master", "v-1", "first tag")
+		assert.NoError(t, err)
+
+		err = models.InsertProtectedTag(&models.ProtectedTag{
+			RepoID:      repo.ID,
+			NamePattern: "v-*",
+		})
+		assert.NoError(t, err)
+		err = models.InsertProtectedTag(&models.ProtectedTag{
+			RepoID:           repo.ID,
+			NamePattern:      "v-1.1",
+			AllowlistUserIDs: []int64{repo.OwnerID},
+		})
+		assert.NoError(t, err)
+
+		err = release.CreateNewTag(owner, repo, "master", "v-2", "second tag")
+		assert.Error(t, err)
+		assert.True(t, models.IsErrProtectedTagName(err))
+
+		err = release.CreateNewTag(owner, repo, "master", "v-1.1", "third tag")
+		assert.NoError(t, err)
+	})
+
+	t.Run("Git", func(t *testing.T) {
+		onGiteaRun(t, func(t *testing.T, u *url.URL) {
+			username := "user2"
+			httpContext := NewAPITestContext(t, username, "repo1")
+
+			dstPath, err := ioutil.TempDir("", httpContext.Reponame)
+			assert.NoError(t, err)
+			defer util.RemoveAll(dstPath)
+
+			u.Path = httpContext.GitPath()
+			u.User = url.UserPassword(username, userPassword)
+
+			doGitClone(dstPath, u)(t)
+
+			_, err = git.NewCommand("tag", "v-2").RunInDir(dstPath)
+			assert.NoError(t, err)
+
+			_, err = git.NewCommand("push", "--tags").RunInDir(dstPath)
+			assert.Error(t, err)
+			assert.Contains(t, err.Error(), "Tag v-2 is protected")
+		})
+	})
+}

models/error.go

@@ -985,6 +985,21 @@ func (err ErrInvalidTagName) Error() string {
 	return fmt.Sprintf("release tag name is not valid [tag_name: %s]", err.TagName)
 }
 
+// ErrProtectedTagName represents a "ProtectedTagName" kind of error.
+type ErrProtectedTagName struct {
+	TagName string
+}
+
+// IsErrProtectedTagName checks if an error is a ErrProtectedTagName.
+func IsErrProtectedTagName(err error) bool {
+	_, ok := err.(ErrProtectedTagName)
+	return ok
+}
+
+func (err ErrProtectedTagName) Error() string {
+	return fmt.Sprintf("release tag name is protected [tag_name: %s]", err.TagName)
+}
+
 // ErrRepoFileAlreadyExists represents a "RepoFileAlreadyExist" kind of error.
 type ErrRepoFileAlreadyExists struct {
 	Path string

models/fixtures/action.yml

@@ -32,3 +32,27 @@
   repo_id: 22
   is_private: true
   created_unix: 1603267920
+
+- id: 5
+  user_id: 10
+  op_type: 1 # create repo
+  act_user_id: 10
+  repo_id: 6
+  is_private: true
+  created_unix: 1603010100
+
+- id: 6
+  user_id: 10
+  op_type: 1 # create repo
+  act_user_id: 10
+  repo_id: 7
+  is_private: true
+  created_unix: 1603011300
+
+- id: 7
+  user_id: 10
+  op_type: 1 # create repo
+  act_user_id: 10
+  repo_id: 8
+  is_private: false
+  created_unix: 1603011540 # grouped with id:7

models/migrations/migrations.go

@@ -322,6 +322,8 @@ var migrations = []Migration{
 	// v185 -> v186
 	NewMigration("Add new table repo_archiver", addRepoArchiver),
 	// v186 -> v187
+	NewMigration("Create protected tag table", createProtectedTagTable),
+	// v187 -> v188
 	NewMigration("Drop unneeded webhook related columns", dropWebhookColumns),
 }
 

models/migrations/v186.go

@@ -5,42 +5,22 @@
 package migrations
 
 import (
+	"code.gitea.io/gitea/modules/timeutil"
+
 	"xorm.io/xorm"
 )
 
-func dropWebhookColumns(x *xorm.Engine) error {
-	// Make sure the columns exist before dropping them
-	type Webhook struct {
-		Signature string `xorm:"TEXT"`
-		IsSSL     bool   `xorm:"is_ssl"`
-	}
-	if err := x.Sync2(new(Webhook)); err != nil {
-		return err
-	}
-
-	type HookTask struct {
-		Typ         string `xorm:"VARCHAR(16) index"`
-		URL         string `xorm:"TEXT"`
-		Signature   string `xorm:"TEXT"`
-		HTTPMethod  string `xorm:"http_method"`
-		ContentType int
-		IsSSL       bool
-	}
-	if err := x.Sync2(new(HookTask)); err != nil {
-		return err
-	}
+func createProtectedTagTable(x *xorm.Engine) error {
+	type ProtectedTag struct {
+		ID               int64 `xorm:"pk autoincr"`
+		RepoID           int64
+		NamePattern      string
+		AllowlistUserIDs []int64 `xorm:"JSON TEXT"`
+		AllowlistTeamIDs []int64 `xorm:"JSON TEXT"`
 
-	sess := x.NewSession()
-	defer sess.Close()
-	if err := sess.Begin(); err != nil {
-		return err
-	}
-	if err := dropTableColumns(sess, "webhook", "signature", "is_ssl"); err != nil {
-		return err
-	}
-	if err := dropTableColumns(sess, "hook_task", "typ", "url", "signature", "http_method", "content_type", "is_ssl"); err != nil {
-		return err
+		CreatedUnix timeutil.TimeStamp `xorm:"created"`
+		UpdatedUnix timeutil.TimeStamp `xorm:"updated"`
 	}
 
-	return sess.Commit()
+	return x.Sync2(new(ProtectedTag))
 }

models/migrations/v187.go

@@ -0,0 +1,46 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+	"xorm.io/xorm"
+)
+
+func dropWebhookColumns(x *xorm.Engine) error {
+	// Make sure the columns exist before dropping them
+	type Webhook struct {
+		Signature string `xorm:"TEXT"`
+		IsSSL     bool   `xorm:"is_ssl"`
+	}
+	if err := x.Sync2(new(Webhook)); err != nil {
+		return err
+	}
+
+	type HookTask struct {
+		Typ         string `xorm:"VARCHAR(16) index"`
+		URL         string `xorm:"TEXT"`
+		Signature   string `xorm:"TEXT"`
+		HTTPMethod  string `xorm:"http_method"`
+		ContentType int
+		IsSSL       bool
+	}
+	if err := x.Sync2(new(HookTask)); err != nil {
+		return err
+	}
+
+	sess := x.NewSession()
+	defer sess.Close()
+	if err := sess.Begin(); err != nil {
+		return err
+	}
+	if err := dropTableColumns(sess, "webhook", "signature", "is_ssl"); err != nil {
+		return err
+	}
+	if err := dropTableColumns(sess, "hook_task", "typ", "url", "signature", "http_method", "content_type", "is_ssl"); err != nil {
+		return err
+	}
+
+	return sess.Commit()
+}

models/models.go

@@ -137,6 +137,7 @@ func init() {
 		new(IssueIndex),
 		new(PushMirror),
 		new(RepoArchiver),
+		new(ProtectedTag),
 	)
 
 	gonicNames := []string{"SSL", "UID"}