Add tag protection

cmd/hook.go

@@ -221,16 +221,16 @@ Gitea or set your environment appropriately.`, "")
 		total++
 		lastline++
 
-		// If the ref is a branch, check if it's protected
-		if strings.HasPrefix(refFullName, git.BranchPrefix) {
+		// If the ref is a branch or tag, check if it's protected
+		if strings.HasPrefix(refFullName, git.BranchPrefix) || strings.HasPrefix(refFullName, git.TagPrefix) {
 			oldCommitIDs[count] = oldCommitID
 			newCommitIDs[count] = newCommitID
 			refFullNames[count] = refFullName
 			count++
 			fmt.Fprintf(out, "*")
 
 			if count >= hookBatchSize {
-				fmt.Fprintf(out, " Checking %d branches\n", count)
+				fmt.Fprintf(out, " Checking %d references\n", count)
 
 				hookOptions.OldCommitIDs = oldCommitIDs
 				hookOptions.NewCommitIDs = newCommitIDs
@@ -261,7 +261,7 @@ Gitea or set your environment appropriately.`, "")
 		hookOptions.NewCommitIDs = newCommitIDs[:count]
 		hookOptions.RefFullNames = refFullNames[:count]
 
-		fmt.Fprintf(out, " Checking %d branches\n", count)
+		fmt.Fprintf(out, " Checking %d references\n", count)
 
 		statusCode, msg := private.HookPreReceive(username, reponame, hookOptions)
 		switch statusCode {

docs/content/doc/advanced/protected-tags.en-us.md

@@ -0,0 +1,46 @@
+---
+date: "2019-09-06T01:35:00-03:00"
+title: "Protected tags"
+slug: "protected-tags"
+weight: 45
+toc: false
+draft: false
+menu:
+  sidebar:
+    parent: "advanced"
+    name: "Protected tags"
+    weight: 45
+    identifier: "protected-tags"
+---
+
+# Protected tags
+
+Protected tags allow control over who has permission to create or update git tags. Each rule allows you to match either an individual tag name, or use wildcards to control multiple tags at once. 
+
+**Table of Contents**
+
+{{< toc >}}
+
+## Setting up protected tags
+
+To protect a tag, you need to follow these steps:
+
+1. Go to the repository’s **Settings** > **Tags** page.
+2. Type the name of specific tag or use a pattern to match multiple tags at once.
+3. Choose the allowed users and/or teams. If you leave these fields empty noone is allowed to create or modify this tag.
+4. Select **Save** to save the configuration.
+
+## Wildcard protected tags
+
+You can specify a wildcard protected tag, which protects all tags matching the wildcard. For example:
+
+| Wildcard Protected Tag | Matching Tags                           |
+| ---------------------- | --------------------------------------- |
+| `v*`                   | `v`, `v-1`, `version2`                  |
+| `v[0-9]`               | `v0`, `v1` up to `v9`                   |
+| `*-release`            | `2.1-release`, `final-release`          |
+| `*gitea*`              | `gitea`, `2.1-gitea`, `1_gitea-release` |
+| `{v,rel}-*`            | `v-`, `v-1`, `v-final`, `rel-`, `rel-x` |
+| `*`                    | matches all possible tag names          |
+
+See [github.com/gobwas/glob](https://pkg.go.dev/github.com/gobwas/glob#Compile) documentation for syntax.

integrations/repo_tag_test.go

@@ -0,0 +1,74 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package integrations
+
+import (
+	"io/ioutil"
+	"net/url"
+	"testing"
+
+	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/modules/git"
+	"code.gitea.io/gitea/modules/util"
+	"code.gitea.io/gitea/services/release"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCreateNewTagProtected(t *testing.T) {
+	defer prepareTestEnv(t)()
+
+	repo := models.AssertExistsAndLoadBean(t, &models.Repository{ID: 1}).(*models.Repository)
+	owner := models.AssertExistsAndLoadBean(t, &models.User{ID: repo.OwnerID}).(*models.User)
+
+	t.Run("API", func(t *testing.T) {
+		defer PrintCurrentTest(t)()
+
+		err := release.CreateNewTag(owner, repo, "master", "v-1", "first tag")
+		assert.NoError(t, err)
+
+		err = models.InsertProtectedTag(&models.ProtectedTag{
+			RepoID:      repo.ID,
+			NamePattern: "v-*",
+		})
+		assert.NoError(t, err)
+		err = models.InsertProtectedTag(&models.ProtectedTag{
+			RepoID:           repo.ID,
+			NamePattern:      "v-1.1",
+			WhitelistUserIDs: []int64{repo.OwnerID},
+		})
+		assert.NoError(t, err)
+
+		err = release.CreateNewTag(owner, repo, "master", "v-2", "second tag")
+		assert.Error(t, err)
+		assert.True(t, models.IsErrProtectedTagName(err))
+
+		err = release.CreateNewTag(owner, repo, "master", "v-1.1", "third tag")
+		assert.NoError(t, err)
+	})
+
+	t.Run("Git", func(t *testing.T) {
+		onGiteaRun(t, func(t *testing.T, u *url.URL) {
+			username := "user2"
+			httpContext := NewAPITestContext(t, username, "repo1")
+
+			dstPath, err := ioutil.TempDir("", httpContext.Reponame)
+			assert.NoError(t, err)
+			defer util.RemoveAll(dstPath)
+
+			u.Path = httpContext.GitPath()
+			u.User = url.UserPassword(username, userPassword)
+
+			doGitClone(dstPath, u)(t)
+
+			_, err = git.NewCommand("tag", "v-2").RunInDir(dstPath)
+			assert.NoError(t, err)
+
+			_, err = git.NewCommand("push", "--tags").RunInDir(dstPath)
+			assert.Error(t, err)
+			assert.Contains(t, err.Error(), "Tag v-2 is protected")
+		})
+	})
+}

models/error.go

@@ -970,6 +970,21 @@ func (err ErrInvalidTagName) Error() string {
 	return fmt.Sprintf("release tag name is not valid [tag_name: %s]", err.TagName)
 }
 
+// ErrProtectedTagName represents a "ProtectedTagName" kind of error.
+type ErrProtectedTagName struct {
+	TagName string
+}
+
+// IsErrProtectedTagName checks if an error is a ErrProtectedTagName.
+func IsErrProtectedTagName(err error) bool {
+	_, ok := err.(ErrProtectedTagName)
+	return ok
+}
+
+func (err ErrProtectedTagName) Error() string {
+	return fmt.Sprintf("release tag name is protected [tag_name: %s]", err.TagName)
+}
+
 // ErrRepoFileAlreadyExists represents a "RepoFileAlreadyExist" kind of error.
 type ErrRepoFileAlreadyExists struct {
 	Path string

models/migrations/migrations.go

@@ -309,6 +309,8 @@ var migrations = []Migration{
 	NewMigration("Add LFS columns to Mirror", addLFSMirrorColumns),
 	// v179 -> v180
 	NewMigration("Convert avatar url to text", convertAvatarURLToText),
+	// v180 -> v181
+	NewMigration("Create protected tag table", createProtectedTagTable),
 }
 
 // GetCurrentDBVersion returns the current db version

models/migrations/v180.go

@@ -0,0 +1,26 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+	"code.gitea.io/gitea/modules/timeutil"
+
+	"xorm.io/xorm"
+)
+
+func createProtectedTagTable(x *xorm.Engine) error {
+	type ProtectedTag struct {
+		ID               int64 `xorm:"pk autoincr"`
+		RepoID           int64
+		NamePattern      string
+		WhitelistUserIDs []int64 `xorm:"JSON TEXT"`
+		WhitelistTeamIDs []int64 `xorm:"JSON TEXT"`
+
+		CreatedUnix timeutil.TimeStamp `xorm:"created"`
+		UpdatedUnix timeutil.TimeStamp `xorm:"updated"`
+	}
+
+	return x.Sync2(new(ProtectedTag))
+}

models/models.go

@@ -134,6 +134,7 @@ func init() {
 		new(ProjectIssue),
 		new(Session),
 		new(RepoTransfer),
+		new(ProtectedTag),
 	)
 
 	gonicNames := []string{"SSL", "UID"}

models/protected_tag.go

@@ -0,0 +1,118 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package models
+
+import (
+	"strings"
+
+	"code.gitea.io/gitea/modules/base"
+	"code.gitea.io/gitea/modules/timeutil"
+
+	"github.com/gobwas/glob"
+)
+
+// ProtectedTag struct
+type ProtectedTag struct {
+	ID               int64 `xorm:"pk autoincr"`
+	RepoID           int64
+	NamePattern      string
+	NameGlob         glob.Glob `xorm:"-"`
+	WhitelistUserIDs []int64   `xorm:"JSON TEXT"`
+	WhitelistTeamIDs []int64   `xorm:"JSON TEXT"`
+
+	CreatedUnix timeutil.TimeStamp `xorm:"created"`
+	UpdatedUnix timeutil.TimeStamp `xorm:"updated"`
+}
+
+// InsertProtectedTag inserts a protected tag to database
+func InsertProtectedTag(pt *ProtectedTag) error {
+	_, err := x.Insert(pt)
+	return err
+}
+
+// UpdateProtectedTag updates the protected tag
+func UpdateProtectedTag(pt *ProtectedTag) error {
+	_, err := x.ID(pt.ID).AllCols().Update(pt)
+	return err
+}
+
+// DeleteProtectedTag deletes a protected tag by ID
+func DeleteProtectedTag(pt *ProtectedTag) error {
+	_, err := x.ID(pt.ID).Delete(&ProtectedTag{})
+	return err
+}
+
+// EnsureCompiledPattern ensures the glob pattern is compiled
+func (pt *ProtectedTag) EnsureCompiledPattern() error {
+	if pt.NameGlob != nil {
+		return nil
+	}
+
+	var err error
+	pt.NameGlob, err = glob.Compile(strings.TrimSpace(pt.NamePattern))
+	return err
+}
+
+// IsUserAllowed returns true if the user is allowed to modify the tag
+func (pt *ProtectedTag) IsUserAllowed(userID int64) (bool, error) {
+	if base.Int64sContains(pt.WhitelistUserIDs, userID) {
+		return true, nil
+	}
+
+	if len(pt.WhitelistTeamIDs) == 0 {
+		return false, nil
+	}
+
+	in, err := IsUserInTeams(userID, pt.WhitelistTeamIDs)
+	if err != nil {
+		return false, err
+	}
+	return in, nil
+}
+
+// GetProtectedTags gets all protected tags of the repository
+func (repo *Repository) GetProtectedTags() ([]*ProtectedTag, error) {
+	tags := make([]*ProtectedTag, 0)
+	return tags, x.Find(&tags, &ProtectedTag{RepoID: repo.ID})
+}
+
+// GetProtectedTagByID gets the protected tag with the specific id
+func GetProtectedTagByID(id int64) (*ProtectedTag, error) {
+	tag := &ProtectedTag{ID: id}
+	has, err := x.Get(tag)
+	if err != nil {
+		return nil, err
+	}
+	if !has {
+		return nil, nil
+	}
+	return tag, nil
+}
+
+// IsUserAllowedToControlTag checks if a user can control the specific tag.
+// It returns true if the tag name is not protected or the user is allowed to control it.
+func IsUserAllowedToControlTag(tags []*ProtectedTag, tagName string, userID int64) (bool, error) {
+	isAllowed := true
+	for _, tag := range tags {
+		err := tag.EnsureCompiledPattern()
+		if err != nil {
+			return false, err
+		}
+
+		if !tag.NameGlob.Match(tagName) {
+			continue
+		}
+
+		isAllowed, err = tag.IsUserAllowed(userID)
+		if err != nil {
+			return false, err
+		}
+		if isAllowed {
+			break
+		}
+	}
+
+	return isAllowed, nil
+}