tenseleyflow/shithub / 80bf62a

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package git

+

+import (

+	"context"

+	"errors"

+	"fmt"

+	"os/exec"

+	"strconv"

+	"strings"

+)

+

+// AheadBehind returns the number of commits unique to head (ahead)

+// and unique to base (behind), computed via

+// `git rev-list --left-right --count base...head`. Output shape is

+// "<behind>\t<ahead>" — the left side is base, right is head.

+//

+// When base or head doesn't exist on the repo we surface the typed

+// ErrRefNotFound so callers can render "—" instead of a number.

+func AheadBehind(ctx context.Context, gitDir, base, head string) (ahead, behind int, err error) {

+	cmd := exec.CommandContext(ctx, "git", "-C", gitDir,

+		"rev-list", "--left-right", "--count", base+"..."+head)

+	out, runErr := cmd.Output()

+	if runErr != nil {

+		var ee *exec.ExitError

+		if errors.As(runErr, &ee) {

+			stderr := string(ee.Stderr)

+			if strings.Contains(stderr, "unknown revision") || strings.Contains(stderr, "ambiguous argument") {

+				return 0, 0, ErrRefNotFound

+			}

+		}

+		return 0, 0, wrapExecErr(runErr)

+	}

+	parts := strings.Fields(strings.TrimSpace(string(out)))

+	if len(parts) != 2 {

+		return 0, 0, fmt.Errorf("rev-list: unexpected output %q", out)

+	}

+	behind, _ = strconv.Atoi(parts[0])

+	ahead, _ = strconv.Atoi(parts[1])

+	return ahead, behind, nil

+}

+

+// CommitsBetween returns the commits unique to head (the right side

+// of the symmetric range). Used by the compare view's commits list.

+func CommitsBetween(ctx context.Context, gitDir, base, head string, max int) ([]Commit, error) {

+	if max <= 0 {

+		max = 250

+	}

+	const sep = "\x1f"

+	const recordEnd = "\x1e"

+	format := strings.Join([]string{"%H", "%h", "%an", "%ae", "%at", "%s"}, sep) + sep + "%b" + recordEnd

+	cmd := exec.CommandContext(ctx, "git", "-C", gitDir,

+		"log",

+		"--max-count="+strconv.Itoa(max),

+		"--format="+format,

+		base+".."+head,

+	)

+	out, err := cmd.Output()

+	if err != nil {

+		var ee *exec.ExitError

+		if errors.As(err, &ee) && strings.Contains(string(ee.Stderr), "unknown revision") {

+			return nil, ErrRefNotFound

+		}

+		return nil, wrapExecErr(err)

+	}

+	return parseLogOutput(out)

+}

+

+// IsAncestor reports whether commit a is an ancestor of commit b.

+// Used by the pre-receive force-push detector: a fast-forward is

+// `IsAncestor(old, new)`.

+func IsAncestor(ctx context.Context, gitDir, a, b string) (bool, error) {

+	cmd := exec.CommandContext(ctx, "git", "-C", gitDir,

+		"merge-base", "--is-ancestor", a, b)

+	err := cmd.Run()

+	if err == nil {

+		return true, nil

+	}

+	var ee *exec.ExitError

+	if errors.As(err, &ee) {

+		// Exit 1 = not an ancestor. Anything else = real error.

+		if ee.ExitCode() == 1 {

+			return false, nil

+		}

+	}

+	return false, wrapExecErr(err)

+}

+

+// SetSymbolicRef updates HEAD (or any other symbolic ref) atomically.

+// Used by the default-branch change to point HEAD at the new branch.

+func SetSymbolicRef(ctx context.Context, gitDir, ref, target string) error {

+	cmd := exec.CommandContext(ctx, "git", "-C", gitDir,

+		"symbolic-ref", ref, target)

+	if out, err := cmd.CombinedOutput(); err != nil {

+		return fmt.Errorf("symbolic-ref %s -> %s: %w (%s)", ref, target, err, out)

+	}

+	return nil

+}

+

+// ErrRefNotFound is returned when git can't resolve a ref or commit.

+// Distinguished from generic exec failures so handlers can render a

+// 404-leaning response.

+var ErrRefNotFound = errors.New("git: ref not found")

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+// Package protection enforces branch-protection rules on incoming

+// pushes. The pre-receive hook (S14) calls into Enforce once per

+// pushed ref; this package owns the matching, the per-rule checks,

+// and the rejection messages.

+//

+// Rule scope is `refs/heads/*` only — tag refs are out of scope here

+// (tag protection is its own thing in a future sprint).

+package protection

+

+import (

+	"context"

+	"errors"

+	"fmt"

+	"path/filepath"

+	"sort"

+	"strings"

+

+	"github.com/jackc/pgx/v5/pgxpool"

+

+	repogit "github.com/tenseleyFlow/shithub/internal/repos/git"

+	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"

+)

+

+// Decision is the result of evaluating a single ref update against

+// the rule set. Allow=true means the push proceeds; Allow=false

+// surfaces the reason+rule pattern back to the user via stderr.

+type Decision struct {

+	Allow      bool

+	Reason     string

+	RuleID     int64

+	Pattern    string

+}

+

+// Update is one ref update from the pre-receive hook's stdin.

+type Update struct {

+	OldSHA string

+	NewSHA string

+	Ref    string // "refs/heads/<name>" — tag refs and other namespaces are skipped

+	Pusher int64  // user_id; 0 means anonymous which any rule that requires explicit pushers will reject

+}

+

+// Enforce evaluates the rule set against `u`. Returns Allow=true

+// when no rule rejects; otherwise Allow=false with a human-readable

+// reason naming the pattern that matched.

+//

+// Rule precedence: longest-pattern-match wins (alphabetical tiebreak).

+// Rules don't apply to tag pushes or non-heads namespaces.

+func Enforce(ctx context.Context, pool *pgxpool.Pool, gitDir string, repoID int64, u Update) (Decision, error) {

+	if !strings.HasPrefix(u.Ref, "refs/heads/") {

+		return Decision{Allow: true, Reason: "non-branch ref"}, nil

+	}

+	branch := strings.TrimPrefix(u.Ref, "refs/heads/")

+

+	rq := reposdb.New()

+	rules, err := rq.ListBranchProtectionRules(ctx, pool, repoID)

+	if err != nil {

+		return Decision{}, fmt.Errorf("load rules: %w", err)

+	}

+	rule, ok := matchRule(rules, branch)

+	if !ok {

+		return Decision{Allow: true, Reason: "no rule matched"}, nil

+	}

+

+	isCreate := isAllZeros(u.OldSHA)

+	isDelete := isAllZeros(u.NewSHA)

+

+	// 1. Deletion gate.

+	if isDelete && rule.PreventDeletion {

+		return deny(rule, "deletion of this branch is blocked by protection rule"), nil

+	}

+

+	// 2. Force-push gate. Only meaningful when this is an update of an

+	// existing branch (both sides non-zero). Skipping allows the create

+	// case (oldSHA all-zero) and the delete case (handled above).

+	if !isCreate && !isDelete && rule.PreventForcePush {

+		ff, err := repogit.IsAncestor(ctx, gitDir, u.OldSHA, u.NewSHA)

+		if err != nil {

+			return Decision{}, fmt.Errorf("ancestor check: %w", err)

+		}

+		if !ff {

+			return deny(rule, "force-push to this branch is blocked by protection rule"), nil

+		}

+	}

+

+	// 3. Allowed-pushers gate.

+	if len(rule.AllowedPusherUserIds) > 0 {

+		ok := false

+		for _, id := range rule.AllowedPusherUserIds {

+			if id == u.Pusher {

+				ok = true

+				break

+			}

+		}

+		if !ok {

+			return deny(rule, "pusher is not on the allowed list for this branch"), nil

+		}

+	}

+

+	// 4. require_signed_commits, require_pr_for_push, status_checks_required

+	//    are placeholder columns wired by S20's migration; their owning

+	//    sprints flip them on. No-op here.

+

+	return Decision{Allow: true, Reason: "passed all rules", RuleID: rule.ID, Pattern: rule.Pattern}, nil

+}

+

+func deny(r reposdb.BranchProtectionRule, reason string) Decision {

+	return Decision{

+		Allow:   false,

+		Reason:  reason,

+		RuleID:  r.ID,

+		Pattern: r.Pattern,

+	}

+}

+

+// matchRule returns the rule with the longest pattern matching branch

+// (alphabetical tiebreaker). Returns ok=false when no rule matches.

+//

+// Patterns use filepath.Match semantics:

+//   - `*` matches any sequence of non-separator chars (NOT crossing `/`)

+//   - `?` matches a single non-separator char

+//   - `[abc]` matches one of a/b/c

+//

+// `release/*` matches `release/v1.0` but NOT `release/v1.0/sub`.

+func matchRule(rules []reposdb.BranchProtectionRule, branch string) (reposdb.BranchProtectionRule, bool) {

+	type cand struct {

+		rule reposdb.BranchProtectionRule

+	}

+	var matches []cand

+	for _, r := range rules {

+		ok, err := filepath.Match(r.Pattern, branch)

+		if err != nil {

+			continue // bad pattern — admin should fix; treat as no-match

+		}

+		if ok {

+			matches = append(matches, cand{rule: r})

+		}

+	}

+	if len(matches) == 0 {

+		return reposdb.BranchProtectionRule{}, false

+	}

+	sort.Slice(matches, func(i, j int) bool {

+		li, lj := len(matches[i].rule.Pattern), len(matches[j].rule.Pattern)

+		if li != lj {

+			return li > lj

+		}

+		return matches[i].rule.Pattern < matches[j].rule.Pattern

+	})

+	return matches[0].rule, true

+}

+

+// isAllZeros reports whether a SHA string is git's "this side is

+// absent" sentinel (40 zeros). Both pre-receive lines use this.

+func isAllZeros(sha string) bool {

+	if len(sha) != 40 {

+		return false

+	}

+	for _, c := range sha {

+		if c != '0' {

+			return false

+		}

+	}

+	return true

+}

+

+// FriendlyMessage formats a deny Decision for the user's git client.

+// The pre-receive hook writes this to stderr.

+func FriendlyMessage(d Decision) string {

+	if d.Allow {

+		return ""

+	}

+	return fmt.Sprintf("shithub: %s (rule pattern %q).", d.Reason, d.Pattern)

+}

+

+// ErrTransient is returned by Enforce when DB connectivity is the

+// failure cause. Pre-receive maps this to "transient error; try

+// again" and rejects the push (fail closed per S20 spec).

+var ErrTransient = errors.New("protection: transient error")

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package protection

+

+import (

+	"testing"

+

+	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"

+)

+

+func TestMatchRule_LongestPrefixWins(t *testing.T) {

+	t.Parallel()

+	rules := []reposdb.BranchProtectionRule{

+		{ID: 1, Pattern: "*"},

+		{ID: 2, Pattern: "release/*"},

+		{ID: 3, Pattern: "release/v1.0"},

+	}

+	cases := []struct {

+		branch  string

+		wantID  int64

+		wantHit bool

+	}{

+		{"release/v1.0", 3, true},

+		{"release/beta", 2, true},

+		// `*` doesn't cross `/` per filepath.Match — no rule matches

+		// a slash-containing branch when no rule has a deeper pattern.

+		{"release/v1.0/sub", 0, false},

+		{"trunk", 1, true},

+		{"feature-x", 1, true},

+	}

+	for _, c := range cases {

+		got, ok := matchRule(rules, c.branch)

+		if ok != c.wantHit {

+			t.Errorf("branch %q: hit=%v want %v", c.branch, ok, c.wantHit)

+			continue

+		}

+		if !c.wantHit {

+			continue

+		}

+		if got.ID != c.wantID {

+			t.Errorf("branch %q: matched rule %d, want %d", c.branch, got.ID, c.wantID)

+		}

+	}

+}

+

+func TestMatchRule_NoMatchReturnsFalse(t *testing.T) {

+	t.Parallel()

+	rules := []reposdb.BranchProtectionRule{{Pattern: "release/*"}}

+	if _, ok := matchRule(rules, "trunk"); ok {

+		t.Errorf("expected no match for trunk against release/*")

+	}

+}

+

+func TestMatchRule_AlphabeticalTiebreak(t *testing.T) {

+	t.Parallel()

+	rules := []reposdb.BranchProtectionRule{

+		{ID: 1, Pattern: "feature/*"},

+		{ID: 2, Pattern: "feat[u]re/*"}, // same length matching same string

+	}

+	got, ok := matchRule(rules, "feature/foo")

+	if !ok {

+		t.Fatalf("expected match")

+	}

+	// Both patterns have same length; alphabetical tiebreak:

+	// "feat[u]re/*" < "feature/*" so the [u]re/* wins.

+	if got.ID != 2 {

+		t.Errorf("got rule %d, want 2 (alphabetical tiebreak)", got.ID)

+	}

+}

+

+func TestIsAllZeros(t *testing.T) {

+	t.Parallel()

+	if !isAllZeros("0000000000000000000000000000000000000000") {

+		t.Errorf("40 zeros → true")

+	}

+	if isAllZeros("0000000000000000000000000000000000000001") {

+		t.Errorf("39 zeros + 1 → false")

+	}

+	if isAllZeros("00000") {

+		t.Errorf("short string → false")

+	}

+}