Only allow admin to bypass rules if bypassing is allowed (#2047)

Johannes Batzill 2024-05-17 22:32:35 +00:00 committed by Harness
parent fdd401c989
commit 6da5c93706
3 changed files with 18 additions and 15 deletions


@ -29,8 +29,7 @@ type DefBypass struct {
func (v DefBypass) matches(actor *types.Principal, isRepoOwner bool) bool { func (v DefBypass) matches(actor *types.Principal, isRepoOwner bool) bool {
return actor != nil && return actor != nil &&
(actor.Admin || (v.RepoOwners && isRepoOwner ||
v.RepoOwners && isRepoOwner ||
slices.Contains(v.UserIDs, actor.ID)) slices.Contains(v.UserIDs, actor.ID))
} }
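Review bot: `matches` no longer consults `actor.Admin` at all, so an admin can bypass a rule only through `RepoOwners` together with `isRepoOwner`, or through an explicit entry in `UserIDs`; that contract should be stated in a doc comment on the method, e.g. `// matches reports whether actor is covered by the rule's bypass list; the Admin flag alone grants no bypass.` Whether callers fold admin rights into `isRepoOwner` is not visible in this hunk, so the comment should say which it is. The condition inside the parentheses mixes `&&` and `||` and relies on precedence; `(v.RepoOwners && isRepoOwner) || slices.Contains(v.UserIDs, actor.ID)` reads unambiguously. Rules that depended on the implicit admin bypass will start blocking admins after this change, which is worth a release note.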


@ -38,10 +38,11 @@ func TestBranch_matches(t *testing.T) {
exp: false, exp: false,
}, },
{ {
name: "admin", name: "admin-no-owner",
bypass: DefBypass{UserIDs: nil, RepoOwners: false}, bypass: DefBypass{UserIDs: nil, RepoOwners: true},
actor: admin, actor: admin,
exp: true, owner: false,
exp: false,
}, },
{ {
name: "repo-owners-false", name: "repo-owners-false",
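Review bot: The `admin-no-owner` case pins the denial path, but nothing in this hunk pins that an admin is still matched when a listed condition holds, for example `owner: true` with `RepoOwners: true`, or the admin's ID in `UserIDs`. A companion case such as `name: "admin-owner"` with `exp: true` would guard against a later change that excludes admins outright. The rest of the table lies outside the hunk, so such a case may already exist there.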


@ -47,7 +47,7 @@ func TestBranch_MergeVerify(t *testing.T) {
expVs: []types.RuleViolations{}, expVs: []types.RuleViolations{},
}, },
{ {
name: "admin-no-bypass", name: "admin-no-owner",
branch: Branch{ branch: Branch{
Bypass: DefBypass{}, Bypass: DefBypass{},
PullReq: DefPullReq{ PullReq: DefPullReq{
@ -58,7 +58,8 @@ func TestBranch_MergeVerify(t *testing.T) {
}, },
in: MergeVerifyInput{ in: MergeVerifyInput{
Actor: admin, Actor: admin,
AllowBypass: false, IsRepoOwner: false,
AllowBypass: true,
PullReq: &types.PullReq{UnresolvedCount: 1}, PullReq: &types.PullReq{UnresolvedCount: 1},
}, },
expOut: MergeVerifyOutput{ expOut: MergeVerifyOutput{
@ -68,7 +69,7 @@ func TestBranch_MergeVerify(t *testing.T) {
}, },
expVs: []types.RuleViolations{ expVs: []types.RuleViolations{
{ {
Bypassable: true, Bypassable: false,
Bypassed: false, Bypassed: false,
Violations: []types.Violation{ Violations: []types.Violation{
{Code: codePullReqCommentsReqResolveAll}, {Code: codePullReqCommentsReqResolveAll},
@ -314,7 +315,7 @@ func TestBranch_RequiredChecks(t *testing.T) {
}, },
}, },
{ {
name: "admin-bypassable", name: "admin-no-owner",
branch: Branch{ branch: Branch{
Bypass: DefBypass{}, Bypass: DefBypass{},
PullReq: DefPullReq{ PullReq: DefPullReq{
@ -323,10 +324,11 @@ func TestBranch_RequiredChecks(t *testing.T) {
}, },
in: RequiredChecksInput{ in: RequiredChecksInput{
Actor: admin, Actor: admin,
IsRepoOwner: false,
}, },
expOut: RequiredChecksOutput{ expOut: RequiredChecksOutput{
RequiredIdentifiers: nil, RequiredIdentifiers: map[string]struct{}{"abc": {}},
BypassableIdentifiers: map[string]struct{}{"abc": {}}, BypassableIdentifiers: nil,
}, },
}, },
{ {
@ -407,21 +409,22 @@ func TestBranch_RefChangeVerify(t *testing.T) {
expVs: []types.RuleViolations{}, expVs: []types.RuleViolations{},
}, },
{ {
name: "admin-no-bypass", name: "admin-no-owner",
branch: Branch{ branch: Branch{
Bypass: DefBypass{}, Bypass: DefBypass{},
Lifecycle: DefLifecycle{DeleteForbidden: true}, Lifecycle: DefLifecycle{DeleteForbidden: true},
}, },
in: RefChangeVerifyInput{ in: RefChangeVerifyInput{
Actor: admin, Actor: admin,
AllowBypass: false, IsRepoOwner: false,
AllowBypass: true,
RefAction: RefActionDelete, RefAction: RefActionDelete,
RefType: RefTypeBranch, RefType: RefTypeBranch,
RefNames: []string{"abc"}, RefNames: []string{"abc"},
}, },
expVs: []types.RuleViolations{ expVs: []types.RuleViolations{
{ {
Bypassable: true, Bypassable: false,
Bypassed: false, Bypassed: false,
Violations: []types.Violation{ Violations: []types.Violation{
{Code: codeLifecycleDelete}, {Code: codeLifecycleDelete},
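Review bot: The renamed `admin-no-owner` cases in TestBranch_MergeVerify, TestBranch_RequiredChecks and TestBranch_RefChangeVerify keep `Bypass: DefBypass{}`, and with an empty bypass definition the added `IsRepoOwner: false` has no effect on the outcome. Using `Bypass: DefBypass{RepoOwners: true}` in these cases, as the `matches` table on this page does, would make the name accurate and pin the situation the fix targets: an admin who is not a repo owner, on a rule that lets owners bypass. The enclosing test tables start and end outside these hunks.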