Protected branches with templates

Signed-off-by: jolheiser <[email protected]>

Author: jolheiser

models/branches.go

@@ -311,66 +311,75 @@ type WhitelistOptions struct {
 // This function also performs check if whitelist user and team's IDs have been changed
 // to avoid unnecessary whitelist delete and regenerate.
 func UpdateProtectBranch(repo *Repository, protectBranch *ProtectedBranch, opts WhitelistOptions) (err error) {
+	return updateProtectBranch(x, repo, protectBranch, opts)
+}
+
+func updateProtectBranch(e Engine, repo *Repository, protectBranch *ProtectedBranch, opts WhitelistOptions) (err error) {
 	if err = repo.GetOwner(); err != nil {
 		return fmt.Errorf("GetOwner: %v", err)
 	}
 
-	whitelist, err := updateUserWhitelist(repo, protectBranch.WhitelistUserIDs, opts.UserIDs)
+	whitelist, err := updateUserWhitelist(e, repo, protectBranch.WhitelistUserIDs, opts.UserIDs)
 	if err != nil {
 		return err
 	}
 	protectBranch.WhitelistUserIDs = whitelist
 
-	whitelist, err = updateUserWhitelist(repo, protectBranch.MergeWhitelistUserIDs, opts.MergeUserIDs)
+	whitelist, err = updateUserWhitelist(e, repo, protectBranch.MergeWhitelistUserIDs, opts.MergeUserIDs)
 	if err != nil {
 		return err
 	}
 	protectBranch.MergeWhitelistUserIDs = whitelist
 
-	whitelist, err = updateApprovalWhitelist(repo, protectBranch.ApprovalsWhitelistUserIDs, opts.ApprovalsUserIDs)
+	whitelist, err = updateApprovalWhitelist(e, repo, protectBranch.ApprovalsWhitelistUserIDs, opts.ApprovalsUserIDs)
 	if err != nil {
 		return err
 	}
 	protectBranch.ApprovalsWhitelistUserIDs = whitelist
 
 	// if the repo is in an organization
-	whitelist, err = updateTeamWhitelist(repo, protectBranch.WhitelistTeamIDs, opts.TeamIDs)
+	whitelist, err = updateTeamWhitelist(e, repo, protectBranch.WhitelistTeamIDs, opts.TeamIDs)
 	if err != nil {
 		return err
 	}
 	protectBranch.WhitelistTeamIDs = whitelist
 
-	whitelist, err = updateTeamWhitelist(repo, protectBranch.MergeWhitelistTeamIDs, opts.MergeTeamIDs)
+	whitelist, err = updateTeamWhitelist(e, repo, protectBranch.MergeWhitelistTeamIDs, opts.MergeTeamIDs)
 	if err != nil {
 		return err
 	}
 	protectBranch.MergeWhitelistTeamIDs = whitelist
 
-	whitelist, err = updateTeamWhitelist(repo, protectBranch.ApprovalsWhitelistTeamIDs, opts.ApprovalsTeamIDs)
+	whitelist, err = updateTeamWhitelist(e, repo, protectBranch.ApprovalsWhitelistTeamIDs, opts.ApprovalsTeamIDs)
 	if err != nil {
 		return err
 	}
 	protectBranch.ApprovalsWhitelistTeamIDs = whitelist
 
 	// Make sure protectBranch.ID is not 0 for whitelists
 	if protectBranch.ID == 0 {
-		if _, err = x.Insert(protectBranch); err != nil {
+		if _, err = e.Insert(protectBranch); err != nil {
 			return fmt.Errorf("Insert: %v", err)
 		}
 		return nil
 	}
 
-	if _, err = x.ID(protectBranch.ID).AllCols().Update(protectBranch); err != nil {
+	if _, err = e.ID(protectBranch.ID).AllCols().Update(protectBranch); err != nil {
 		return fmt.Errorf("Update: %v", err)
 	}
 
 	return nil
 }
 
 // GetProtectedBranches get all protected branches
-func (repo *Repository) GetProtectedBranches() ([]*ProtectedBranch, error) {
+func (repo *Repository) getProtectedBranches(e Engine) ([]*ProtectedBranch, error) {
 	protectedBranches := make([]*ProtectedBranch, 0)
-	return protectedBranches, x.Find(&protectedBranches, &ProtectedBranch{RepoID: repo.ID})
+	return protectedBranches, e.Find(&protectedBranches, &ProtectedBranch{RepoID: repo.ID})
+}
+
+// GetProtectedBranches get all protected branches
+func (repo *Repository) GetProtectedBranches() ([]*ProtectedBranch, error) {
+	return repo.getProtectedBranches(x)
 }
 
 // GetBranchProtection get the branch protection of a branch
@@ -419,15 +428,15 @@ func (repo *Repository) IsProtectedBranchForPush(branchName string, doer *User)
 
 // updateApprovalWhitelist checks whether the user whitelist changed and returns a whitelist with
 // the users from newWhitelist which have explicit read or write access to the repo.
-func updateApprovalWhitelist(repo *Repository, currentWhitelist, newWhitelist []int64) (whitelist []int64, err error) {
+func updateApprovalWhitelist(e Engine, repo *Repository, currentWhitelist, newWhitelist []int64) (whitelist []int64, err error) {
 	hasUsersChanged := !util.IsSliceInt64Eq(currentWhitelist, newWhitelist)
 	if !hasUsersChanged {
 		return currentWhitelist, nil
 	}
 
 	whitelist = make([]int64, 0, len(newWhitelist))
 	for _, userID := range newWhitelist {
-		if reader, err := repo.IsReader(userID); err != nil {
+		if reader, err := repo.isReader(e, userID); err != nil {
 			return nil, err
 		} else if !reader {
 			continue
@@ -440,19 +449,19 @@ func updateApprovalWhitelist(repo *Repository, currentWhitelist, newWhitelist []
 
 // updateUserWhitelist checks whether the user whitelist changed and returns a whitelist with
 // the users from newWhitelist which have write access to the repo.
-func updateUserWhitelist(repo *Repository, currentWhitelist, newWhitelist []int64) (whitelist []int64, err error) {
+func updateUserWhitelist(e Engine, repo *Repository, currentWhitelist, newWhitelist []int64) (whitelist []int64, err error) {
 	hasUsersChanged := !util.IsSliceInt64Eq(currentWhitelist, newWhitelist)
 	if !hasUsersChanged {
 		return currentWhitelist, nil
 	}
 
 	whitelist = make([]int64, 0, len(newWhitelist))
 	for _, userID := range newWhitelist {
-		user, err := GetUserByID(userID)
+		user, err := getUserByID(e, userID)
 		if err != nil {
 			return nil, fmt.Errorf("GetUserByID [user_id: %d, repo_id: %d]: %v", userID, repo.ID, err)
 		}
-		perm, err := GetUserRepoPermission(repo, user)
+		perm, err := getUserRepoPermission(e, repo, user)
 		if err != nil {
 			return nil, fmt.Errorf("GetUserRepoPermission [user_id: %d, repo_id: %d]: %v", userID, repo.ID, err)
 		}
@@ -469,13 +478,13 @@ func updateUserWhitelist(repo *Repository, currentWhitelist, newWhitelist []int6
 
 // updateTeamWhitelist checks whether the team whitelist changed and returns a whitelist with
 // the teams from newWhitelist which have write access to the repo.
-func updateTeamWhitelist(repo *Repository, currentWhitelist, newWhitelist []int64) (whitelist []int64, err error) {
+func updateTeamWhitelist(e Engine, repo *Repository, currentWhitelist, newWhitelist []int64) (whitelist []int64, err error) {
 	hasTeamsChanged := !util.IsSliceInt64Eq(currentWhitelist, newWhitelist)
 	if !hasTeamsChanged {
 		return currentWhitelist, nil
 	}
 
-	teams, err := GetTeamsWithAccessToRepo(repo.OwnerID, repo.ID, AccessModeRead)
+	teams, err := getTeamsWithAccessToRepo(e, repo.OwnerID, repo.ID, AccessModeRead)
 	if err != nil {
 		return nil, fmt.Errorf("GetTeamsWithAccessToRepo [org_id: %d, repo_id: %d]: %v", repo.OwnerID, repo.ID, err)
 	}

models/org_team.go

@@ -1021,8 +1021,12 @@ func removeTeamRepo(e Engine, teamID, repoID int64) error {
 
 // GetTeamsWithAccessToRepo returns all teams in an organization that have given access level to the repository.
 func GetTeamsWithAccessToRepo(orgID, repoID int64, mode AccessMode) ([]*Team, error) {
+	return getTeamsWithAccessToRepo(x, orgID, repoID, mode)
+}
+
+func getTeamsWithAccessToRepo(e Engine, orgID, repoID int64, mode AccessMode) ([]*Team, error) {
 	teams := make([]*Team, 0, 5)
-	return teams, x.Where("team.authorize >= ?", mode).
+	return teams, e.Where("team.authorize >= ?", mode).
 		Join("INNER", "team_repo", "team_repo.team_id = team.id").
 		And("team_repo.org_id = ?", orgID).
 		And("team_repo.repo_id = ?", repoID).

models/repo.go

@@ -821,10 +821,14 @@ func (repo *Repository) GetWriters() (_ []*User, err error) {
 
 // IsReader returns true if user has explicit read access or higher to the repository.
 func (repo *Repository) IsReader(userID int64) (bool, error) {
+	return repo.isReader(x, userID)
+}
+
+func (repo *Repository) isReader(e Engine, userID int64) (bool, error) {
 	if repo.OwnerID == userID {
 		return true, nil
 	}
-	return x.Where("repo_id = ? AND user_id = ? AND mode >= ?", repo.ID, userID, AccessModeRead).Get(&Access{})
+	return e.Where("repo_id = ? AND user_id = ? AND mode >= ?", repo.ID, userID, AccessModeRead).Get(&Access{})
 }
 
 // getUsersWithAccessMode returns users that have at least given access mode to the repository.

models/repo_generate.go

@@ -5,6 +5,7 @@
 package models
 
 import (
+	"fmt"
 	"strconv"
 	"strings"
 
@@ -18,20 +19,21 @@ import (
 
 // GenerateRepoOptions contains the template units to generate
 type GenerateRepoOptions struct {
-	Name        string
-	Description string
-	Private     bool
-	GitContent  bool
-	Topics      bool
-	GitHooks    bool
-	Webhooks    bool
-	Avatar      bool
-	IssueLabels bool
+	Name             string
+	Description      string
+	Private          bool
+	GitContent       bool
+	Topics           bool
+	GitHooks         bool
+	Webhooks         bool
+	Avatar           bool
+	IssueLabels      bool
+	BranchProtection bool
 }
 
 // IsValid checks whether at least one option is chosen for generation
 func (gro GenerateRepoOptions) IsValid() bool {
-	return gro.GitContent || gro.Topics || gro.GitHooks || gro.Webhooks || gro.Avatar || gro.IssueLabels // or other items as they are added
+	return gro.GitContent || gro.Topics || gro.GitHooks || gro.Webhooks || gro.Avatar || gro.IssueLabels || gro.BranchProtection // or other items as they are added
 }
 
 // GiteaTemplate holds information about a .gitea/template file
@@ -166,3 +168,49 @@ func GenerateIssueLabels(ctx DBContext, templateRepo, generateRepo *Repository)
 	}
 	return nil
 }
+
+// GenerateBranchProtection generates branch protection from a template repository
+func GenerateBranchProtection(ctx DBContext, doer *User, templateRepo, generateRepo *Repository) error {
+	branches, err := templateRepo.getProtectedBranches(ctx.e)
+	if err != nil {
+		return err
+	}
+
+	for _, branch := range branches {
+		// Create the branches (other than default, which exists already)
+		if !strings.EqualFold(generateRepo.DefaultBranch, branch.BranchName) {
+			if err := git.Push(generateRepo.RepoPath(), git.PushOptions{
+				Remote: generateRepo.RepoPath(),
+				Branch: fmt.Sprintf("%s:%s%s", generateRepo.DefaultBranch, git.BranchPrefix, branch.BranchName),
+				Env:    InternalPushingEnvironment(doer, generateRepo),
+			}); err != nil {
+				if git.IsErrPushOutOfDate(err) || git.IsErrPushRejected(err) {
+					return err
+				}
+				return fmt.Errorf("push: %v", err)
+			}
+		}
+
+		// Copy protections
+		protectBranch := &ProtectedBranch{
+			RepoID:                        generateRepo.ID,
+			BranchName:                    branch.BranchName,
+			CanPush:                       branch.CanPush,
+			EnableStatusCheck:             branch.EnableStatusCheck,
+			StatusCheckContexts:           branch.StatusCheckContexts,
+			RequiredApprovals:             branch.RequiredApprovals,
+			BlockOnRejectedReviews:        branch.BlockOnRejectedReviews,
+			BlockOnOfficialReviewRequests: branch.BlockOnOfficialReviewRequests,
+			BlockOnOutdatedBranch:         branch.BlockOnOutdatedBranch,
+			DismissStaleApprovals:         branch.DismissStaleApprovals,
+			RequireSignedCommits:          branch.RequireSignedCommits,
+			ProtectedFilePatterns:         branch.ProtectedFilePatterns,
+		}
+
+		if err := updateProtectBranch(ctx.e, generateRepo, protectBranch, WhitelistOptions{}); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

modules/auth/repo_form.go

@@ -41,14 +41,16 @@ type CreateRepoForm struct {
 	Readme        string
 	Template      bool
 
-	RepoTemplate int64
-	GitContent   bool
-	Topics       bool
-	GitHooks     bool
-	Webhooks     bool
-	Avatar       bool
-	Labels       bool
-	TrustModel   string
+	RepoTemplate     int64
+	GitContent       bool
+	Topics           bool
+	GitHooks         bool
+	Webhooks         bool
+	Avatar           bool
+	Labels           bool
+	BranchProtection bool
+
+	TrustModel string
 }
 
 // Validate validates the fields

modules/repository/generate.go

@@ -252,6 +252,7 @@ func GenerateRepository(ctx models.DBContext, doer, owner *models.User, template
 		IsFsckEnabled: templateRepo.IsFsckEnabled,
 		TemplateID:    templateRepo.ID,
 		TrustModel:    templateRepo.TrustModel,
+		DefaultBranch: templateRepo.DefaultBranch,
 	}
 
 	if err = models.CreateRepository(ctx, doer, owner, generateRepo, false); err != nil {

options/locale/locale_en-US.ini

@@ -731,6 +731,7 @@ template.webhooks = Webhooks
 template.topics = Topics
 template.avatar = Avatar
 template.issue_labels = Issue Labels
+template.branch_protection = Branch Protection
 template.one_item = Must select at least one template item
 template.invalid = Must select a template repository
 

routers/repo/repo.go

@@ -205,15 +205,16 @@ func CreatePost(ctx *context.Context, form auth.CreateRepoForm) {
 	var err error
 	if form.RepoTemplate > 0 {
 		opts := models.GenerateRepoOptions{
-			Name:        form.RepoName,
-			Description: form.Description,
-			Private:     form.Private,
-			GitContent:  form.GitContent,
-			Topics:      form.Topics,
-			GitHooks:    form.GitHooks,
-			Webhooks:    form.Webhooks,
-			Avatar:      form.Avatar,
-			IssueLabels: form.Labels,
+			Name:             form.RepoName,
+			Description:      form.Description,
+			Private:          form.Private,
+			GitContent:       form.GitContent,
+			Topics:           form.Topics,
+			GitHooks:         form.GitHooks,
+			Webhooks:         form.Webhooks,
+			Avatar:           form.Avatar,
+			IssueLabels:      form.Labels,
+			BranchProtection: form.BranchProtection,
 		}
 
 		if !opts.IsValid() {

services/repository/generate.go

@@ -25,6 +25,13 @@ func GenerateRepository(doer, owner *models.User, templateRepo *models.Repositor
 			if err = repo_module.GenerateGitContent(ctx, templateRepo, generateRepo); err != nil {
 				return err
 			}
+
+			// Branch Protection
+			if opts.BranchProtection {
+				if err := models.GenerateBranchProtection(ctx, doer, templateRepo, generateRepo); err != nil {
+					return err
+				}
+			}
 		}
 
 		// Topics

templates/repo/create.tmpl

@@ -70,7 +70,7 @@
 						<div class="inline field">
 							<label>{{.i18n.Tr "repo.template.items"}}</label>
 							<div class="ui checkbox">
-								<input class="hidden" name="git_content" type="checkbox" tabindex="0" {{if .git_content}}checked{{end}}>
+								<input class="hidden" id="git_content" name="git_content" type="checkbox" tabindex="0" {{if .git_content}}checked{{end}}>
 								<label>{{.i18n.Tr "repo.template.git_content"}}</label>
 							</div>
 							<div class="ui checkbox{{if not .SignedUser.CanEditGitHook}} poping up{{end}}"{{if not .SignedUser.CanEditGitHook}} data-content="{{.i18n.Tr "repo.template.git_hooks_tooltip"}}"{{end}}>
@@ -100,6 +100,13 @@
 								<label>{{.i18n.Tr "repo.template.issue_labels"}}</label>
 							</div>
 						</div>
+						<div class="inline field">
+							<label></label>
+							<div class="ui checkbox">
+								<input class="hidden" id="branch_protection" name="branch_protection" type="checkbox" tabindex="0" {{if .branch_protection}}checked{{end}} {{if not .git_content}}disabled{{end}}>
+								<label>{{.i18n.Tr "repo.template.branch_protection"}}</label>
+							</div>
+						</div>
 					</div>
 
 					<div id="non_template">

web_src/js/index.js

@@ -2291,6 +2291,15 @@ function initWipTitle() {
   });
 }
 
+function initTemplateBranchProtection() {
+  const $gitContent = $('#git_content');
+  const $branchProtection = $('#branch_protection');
+  $gitContent.on('change', () => {
+    $branchProtection.prop('checked', false);
+    $branchProtection.prop('disabled', !$gitContent.is(':checked'));
+  });
+}
+
 function initTemplateSearch() {
   const $repoTemplate = $('#repo_template');
   const checkTemplate = function () {
@@ -2552,6 +2561,7 @@ $(document).ready(async () => {
   initWipTitle();
   initPullRequestReview();
   initRepoStatusChecker();
+  initTemplateBranchProtection();
   initTemplateSearch();
   initContextPopups();
   initTableSort();