feat: [PIPE-24894]: Restrict lifecycle operations for reserved repo identifiers (#3426)

* feat: [PIPE-24894]: Restrict lifecycle operations for reserved repo identifiers
2025-05-04 16:52:22 +08:00 · 2025-02-13 12:01:53 +00:00 · 2025-02-13 12:01:53 +00:00 · f85b6c45c3
commit f85b6c45c3
parent 13f6558ca3
6 changed files with 23 additions and 0 deletions
--- a/app/api/controller/repo/archive.go
+++ b/app/api/controller/repo/archive.go
@ -36,6 +36,10 @@ func (c *Controller) Archive(
 		return err
 	}

+	if err = c.repoCheck.LifecycleRestriction(ctx, session, repo); err != nil {
+		return err
+	}
+
 	return c.git.Archive(ctx, git.ArchiveParams{
 		ReadParams:    git.CreateReadParams(repo),
 		ArchiveParams: params,
--- a/app/api/controller/repo/check.go
+++ b/app/api/controller/repo/check.go
@ -18,10 +18,12 @@ import (
 	"context"

 	"github.com/harness/gitness/app/auth"
+	"github.com/harness/gitness/types"
 )

 // Check defines the interface for adding extra checks during repository operations.
 type Check interface {
 	// Create allows adding extra check during create repo operations
 	Create(ctx context.Context, session *auth.Session, in *CreateInput) error
+	LifecycleRestriction(ctx context.Context, session *auth.Session, repo *types.RepositoryCore) error
 }
--- a/app/api/controller/repo/no_op_checks.go
+++ b/app/api/controller/repo/no_op_checks.go
@ -18,6 +18,7 @@ import (
 	"context"

 	"github.com/harness/gitness/app/auth"
+	"github.com/harness/gitness/types"
 )

 var _ Check = (*NoOpRepoChecks)(nil)
@ -32,3 +33,7 @@ func NewNoOpRepoChecks() *NoOpRepoChecks {
 func (c *NoOpRepoChecks) Create(_ context.Context, _ *auth.Session, _ *CreateInput) error {
 	return nil
 }
+
+func (c *NoOpRepoChecks) LifecycleRestriction(_ context.Context, _ *auth.Session, _ *types.RepositoryCore) error {
+	return nil
+}
--- a/app/api/controller/repo/purge.go
+++ b/app/api/controller/repo/purge.go
@ -46,6 +46,10 @@ func (c *Controller) Purge(
 		return err
 	}

+	if err = c.repoCheck.LifecycleRestriction(ctx, session, repo.Core()); err != nil {
+		return err
+	}
+
 	log.Ctx(ctx).Info().
 		Int64("repo.id", repo.ID).
 		Str("repo.path", repo.Path).
--- a/app/api/controller/repo/restore.go
+++ b/app/api/controller/repo/restore.go
@ -50,6 +50,10 @@ func (c *Controller) Restore(
 		return nil, fmt.Errorf("access check failed: %w", err)
 	}

+	if err = c.repoCheck.LifecycleRestriction(ctx, session, repo.Core()); err != nil {
+		return nil, err
+	}
+
 	if repo.Deleted == nil {
 		return nil, usererror.BadRequest("cannot restore a repo that hasn't been deleted")
 	}
--- a/app/api/controller/repo/soft_delete.go
+++ b/app/api/controller/repo/soft_delete.go
@ -50,6 +50,10 @@ func (c *Controller) SoftDelete(
 		return nil, fmt.Errorf("access check failed: %w", err)
 	}

+	if err = c.repoCheck.LifecycleRestriction(ctx, session, repoCore); err != nil {
+		return nil, err
+	}
+
 	repo, err := c.repoStore.Find(ctx, repoCore.ID)
 	if err != nil {
 		return nil, fmt.Errorf("failed to find the repo by ID: %w", err)