added go-rbac dependency

cli/server/harness.wire_gen.go

@@ -55,11 +55,11 @@ func initSystem(ctx context.Context, config *types.Config) (*system, error) {
 	if err != nil {
 		return nil, err
 	}
-	aclClient, err := client.ProvideACLClient(serviceJWTProvider, typesConfig)
+	acl, err := client.ProvideACL(ctx, serviceJWTProvider, typesConfig)
 	if err != nil {
 		return nil, err
 	}
-	authorizer := authz.ProvideAuthorizer(typesConfig, aclClient)
+	authorizer := authz.ProvideAuthorizer(ctx, typesConfig, config, acl)
 	db, err := database.ProvideDatabase(ctx, config)
 	if err != nil {
 		return nil, err

docker/Dockerfile

@@ -2,11 +2,16 @@
 FROM golang:1.19-alpine as builder
 
 RUN apk update \
-    && apk add --no-cache protoc build-base
+    && apk add --no-cache protoc build-base git
 
 # Setup workig dir
 WORKDIR /app
 
+# Access to private repos
+ARG GITHUB_ACCESS_TOKEN
+RUN git config --global url."https://${GITHUB_ACCESS_TOKEN}:x-oauth-basic@github.com/harness".insteadOf "https://github.com/harness"
+RUN go env -w GOPRIVATE=github.com/harness/*
+
 # Get dependancies - will also be cached if we won't change mod/sum
 COPY go.mod .
 COPY go.sum .

go.mod

@@ -21,6 +21,7 @@ require (
 	github.com/gotidy/ptr v1.3.0
 	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0
 	github.com/guregu/null v4.0.0+incompatible
+	github.com/harness/go-rbac v0.0.0-20230409233212-ca97fe90aac8
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/jmoiron/sqlx v1.3.3
 	github.com/joho/godotenv v1.3.0
@@ -29,11 +30,11 @@ require (
 	github.com/maragudk/migrate v0.4.1
 	github.com/matoous/go-nanoid v1.5.0
 	github.com/matoous/go-nanoid/v2 v2.0.0
-	github.com/mattn/go-isatty v0.0.14
+	github.com/mattn/go-isatty v0.0.17
 	github.com/mattn/go-sqlite3 v1.14.12
 	github.com/pkg/errors v0.9.1
 	github.com/rs/xid v1.4.0
-	github.com/rs/zerolog v1.26.0
+	github.com/rs/zerolog v1.29.0
 	github.com/stretchr/testify v1.8.1
 	github.com/swaggest/openapi-go v0.2.23
 	github.com/swaggest/swgui v1.4.2
@@ -43,159 +44,70 @@ require (
 	golang.org/x/exp v0.0.0-20230108222341-4b8118a2686a
 	golang.org/x/sync v0.1.0
 	golang.org/x/term v0.2.0
+	golang.org/x/text v0.4.0
 	google.golang.org/grpc v1.43.0
 	google.golang.org/protobuf v1.28.1
 	gopkg.in/alecthomas/kingpin.v2 v2.2.6
 )
 
 require (
-	cloud.google.com/go v0.99.0 // indirect
-	gitea.com/go-chi/cache v0.2.0 // indirect
-	github.com/42wim/sshsig v0.0.0-20211121163825-841cf5bbc121 // indirect
+	github.com/go-logr/logr v1.2.4
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-logr/zerologr v1.2.3
+	github.com/mattn/go-colorable v0.1.13 // indirect
+)
+
+require (
 	github.com/Microsoft/go-winio v0.5.2 // indirect
 	github.com/ProtonMail/go-crypto v0.0.0-20220407094043-a94812496cf5 // indirect
 	github.com/acomagu/bufpipe v1.0.3 // indirect
-	github.com/alecthomas/chroma v0.10.0 // indirect
 	github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 // indirect
 	github.com/alecthomas/units v0.0.0-20210208195552-ff826a37aa15 // indirect
-	github.com/aymerick/douceur v0.2.0 // indirect
-	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/bgentry/speakeasy v0.1.0 // indirect
-	github.com/boombuler/barcode v1.0.1 // indirect
-	github.com/bradfitz/gomemcache v0.0.0-20190913173617-a41fca850d0b // indirect
-	github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
-	github.com/cloudflare/cfssl v1.6.1 // indirect
-	github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4 // indirect
-	github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490 // indirect
-	github.com/coreos/go-systemd/v22 v22.3.2 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/denisenkom/go-mssqldb v0.12.0 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/djherbis/buffer v1.2.0 // indirect
 	github.com/djherbis/nio/v3 v3.0.1 // indirect
-	github.com/dlclark/regexp2 v1.4.0 // indirect
-	github.com/duo-labs/webauthn v0.0.0-20220330035159-03696f3d4499 // indirect
-	github.com/dustin/go-humanize v1.0.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
-	github.com/envoyproxy/go-control-plane v0.10.1 // indirect
-	github.com/envoyproxy/protoc-gen-validate v0.6.2 // indirect
-	github.com/form3tech-oss/jwt-go v3.2.3+incompatible // indirect
-	github.com/fullstorydev/grpcurl v1.8.1 // indirect
-	github.com/fxamacker/cbor/v2 v2.4.0 // indirect
 	github.com/go-enry/go-enry/v2 v2.8.2 // indirect
 	github.com/go-enry/go-oniguruma v1.2.1 // indirect
 	github.com/go-git/gcfg v1.5.0 // indirect
 	github.com/go-git/go-billy/v5 v5.3.1 // indirect
 	github.com/go-git/go-git/v5 v5.4.3-0.20210630082519-b4368b2a2ca4 // indirect
-	github.com/go-redis/redis v6.15.9+incompatible // indirect
-	github.com/go-sql-driver/mysql v1.6.0 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
-	github.com/goccy/go-json v0.9.7 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.4.1 // indirect
-	github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 // indirect
-	github.com/golang-sql/sqlexp v0.0.0-20170517235910-f1bb20e5a188 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/golang/snappy v0.0.4 // indirect
-	github.com/google/btree v1.0.1 // indirect
-	github.com/google/certificate-transparency-go v1.1.2-0.20210511102531-373a877eec92 // indirect
 	github.com/google/pprof v0.0.0-20220509035851-59ca7ad80af3 // indirect
 	github.com/google/subcommands v1.0.1 // indirect
-	github.com/google/uuid v1.3.0 // indirect
-	github.com/gorilla/css v1.0.0 // indirect
-	github.com/gorilla/websocket v1.4.2 // indirect
-	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
-	github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect
 	github.com/hashicorp/errwrap v1.0.0 // indirect
 	github.com/hashicorp/go-version v1.4.0 // indirect
-	github.com/hashicorp/golang-lru v0.5.4 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
-	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/jackc/pgx/v4 v4.12.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
-	github.com/jhump/protoreflect v1.8.2 // indirect
-	github.com/jonboulle/clockwork v0.2.2 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/keybase/go-crypto v0.0.0-20200123153347-de78d2cb44f4 // indirect
-	github.com/klauspost/compress v1.15.3 // indirect
-	github.com/klauspost/cpuid/v2 v2.0.12 // indirect
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
-	github.com/mattn/go-runewidth v0.0.13 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
-	github.com/microcosm-cc/bluemonday v1.0.19 // indirect
-	github.com/minio/md5-simd v1.1.2 // indirect
-	github.com/minio/minio-go/v7 v7.0.26 // indirect
-	github.com/minio/sha256-simd v1.0.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/mitchellh/mapstructure v1.4.3 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
-	github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 // indirect
-	github.com/olekukonko/tablewriter v0.0.5 // indirect
-	github.com/oliamb/cutter v0.2.2 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/pquerna/otp v1.3.0 // indirect
-	github.com/prometheus/client_golang v1.12.1 // indirect
-	github.com/prometheus/client_model v0.2.0 // indirect
-	github.com/prometheus/common v0.32.1 // indirect
-	github.com/prometheus/procfs v0.7.3 // indirect
-	github.com/rivo/uniseg v0.2.0 // indirect
-	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/santhosh-tekuri/jsonschema/v5 v5.0.0 // indirect
 	github.com/sergi/go-diff v1.2.0 // indirect
-	github.com/sirupsen/logrus v1.8.1 // indirect
-	github.com/soheilhy/cmux v0.1.5 // indirect
-	github.com/spf13/cobra v1.3.0 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/swaggest/jsonschema-go v0.3.40 // indirect
 	github.com/swaggest/refl v1.1.0 // indirect
-	github.com/syndtr/goleveldb v1.0.0 // indirect
-	github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802 // indirect
-	github.com/unknwon/com v1.0.1 // indirect
-	github.com/urfave/cli v1.22.9 // indirect
 	github.com/vearutop/statigz v1.1.5 // indirect
-	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xanzy/ssh-agent v0.3.1 // indirect
-	github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 // indirect
-	github.com/yohcop/openid-go v1.0.0 // indirect
 	github.com/yuin/goldmark v1.4.13 // indirect
-	github.com/yuin/goldmark-highlighting v0.0.0-20220208100518-594be1970594 // indirect
-	github.com/yuin/goldmark-meta v1.1.0 // indirect
-	go.etcd.io/bbolt v1.3.6 // indirect
-	go.etcd.io/etcd/api/v3 v3.5.1 // indirect
-	go.etcd.io/etcd/client/pkg/v3 v3.5.1 // indirect
-	go.etcd.io/etcd/client/v2 v2.305.1 // indirect
-	go.etcd.io/etcd/client/v3 v3.5.0-alpha.0 // indirect
-	go.etcd.io/etcd/etcdctl/v3 v3.5.0-alpha.0 // indirect
-	go.etcd.io/etcd/pkg/v3 v3.5.0-alpha.0 // indirect
-	go.etcd.io/etcd/raft/v3 v3.5.0-alpha.0 // indirect
-	go.etcd.io/etcd/server/v3 v3.5.0-alpha.0 // indirect
-	go.etcd.io/etcd/tests/v3 v3.5.0-alpha.0 // indirect
-	go.etcd.io/etcd/v3 v3.5.0-alpha.0 // indirect
-	go.uber.org/atomic v1.9.0 // indirect
-	go.uber.org/zap v1.21.0 // indirect
+	go.uber.org/atomic v1.10.0 // indirect
 	golang.org/x/mod v0.6.0 // indirect
 	golang.org/x/net v0.2.0 // indirect
-	golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 // indirect
-	golang.org/x/sys v0.2.0 // indirect
-	golang.org/x/text v0.4.0 // indirect
-	golang.org/x/time v0.0.0-20220411224347-583f2d630306 // indirect
+	golang.org/x/sys v0.6.0 // indirect
 	golang.org/x/tools v0.2.0 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa // indirect
-	gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
 	gopkg.in/ini.v1 v1.66.4 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	mvdan.cc/xurls/v2 v2.4.0 // indirect
-	sigs.k8s.io/yaml v1.2.0 // indirect
 	strk.kbt.io/projects/go/libravatar v0.0.0-20191008002943-06d1c002b251 // indirect
-	xorm.io/builder v0.3.11 // indirect
-	xorm.io/xorm v1.3.2-0.20220714055524-c3bce556200f // indirect
 )

internal/api/controller/pullreq/pr_create.go

@@ -40,7 +40,7 @@ func (c *Controller) Create(
 		return nil, usererror.BadRequest("pull request title can't be empty")
 	}
 
-	targetRepo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoEdit)
+	targetRepo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoPush)
 	if err != nil {
 		return nil, fmt.Errorf("failed to acquire access access to target repo: %w", err)
 	}

internal/api/controller/repo/create.go

@@ -136,7 +136,7 @@ func (c *Controller) checkAuthRepoCreation(ctx context.Context, session *auth.Se
 		Name: "",
 	}
 
-	err = apiauth.Check(ctx, c.authorizer, session, scope, resource, enum.PermissionRepoCreate)
+	err = apiauth.Check(ctx, c.authorizer, session, scope, resource, enum.PermissionRepoEdit)
 	if err != nil {
 		return fmt.Errorf("auth check failed: %w", err)
 	}

internal/api/handler/repo/http_git.go

@@ -12,6 +12,7 @@ import (
 	"strings"
 
 	"github.com/harness/gitness/gitrpc"
+	"github.com/harness/gitness/internal/api/auth"
 	apiauth "github.com/harness/gitness/internal/api/auth"
 	repoctrl "github.com/harness/gitness/internal/api/controller/repo"
 	"github.com/harness/gitness/internal/api/request"
@@ -107,12 +108,18 @@ func PostReceivePack(client gitrpc.Interface, urlProvider *url.Provider,
 	return func(w http.ResponseWriter, r *http.Request) {
 		const service = "receive-pack"
 		if err := serviceRPC(w, r, client, urlProvider, repoStore, authorizer, service, true,
-			enum.PermissionRepoEdit, false); err != nil {
+			enum.PermissionRepoPush, false); err != nil {
 			var authError *GitAuthError
 			if errors.As(err, &authError) {
 				basicAuth(w, authError.AccountID)
 				return
 			}
+
+			if errors.Is(err, auth.ErrNotAuthorized) {
+				http.Error(w, err.Error(), http.StatusForbidden)
+				return
+			}
+
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
 		}

internal/router/router.go

@@ -10,6 +10,8 @@ import (
 	"net/http"
 	"strings"
 
+	"github.com/go-logr/logr"
+	"github.com/go-logr/zerologr"
 	"github.com/harness/gitness/internal/api/render"
 	"github.com/harness/gitness/internal/request"
 
@@ -54,7 +56,10 @@ func (r *Router) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 	var err error
 	// setup logger for request
 	log := log.Logger.With().Logger()
-	req = req.WithContext(log.WithContext(req.Context()))
+	ctx := log.WithContext(req.Context())
+	// add logger to logr interface for usage in 3rd party libs
+	ctx = logr.NewContext(ctx, zerologr.New(&log))
+	req = req.WithContext(ctx)
 	log.UpdateContext(func(c zerolog.Context) zerolog.Context {
 		return c.
 			Str("http.original_url", req.URL.String())

types/enum/permission.go

@@ -33,10 +33,10 @@ const (
 	/*
 		----- REPOSITORY -----
 	*/
-	PermissionRepoCreate Permission = "repository_create"
-	PermissionRepoView   Permission = "repository_view"
-	PermissionRepoEdit   Permission = "repository_edit"
-	PermissionRepoDelete Permission = "repository_delete"
+	PermissionRepoView   Permission = "repo_view"
+	PermissionRepoEdit   Permission = "repo_edit"
+	PermissionRepoDelete Permission = "repo_delete"
+	PermissionRepoPush   Permission = "repo_push"
 )
 
 const (