github/drone
5
0
Fork 0
mirror of https://github.com/harness/drone.git synced 2025-05-09 03:52:00 +08:00
Code Issues Packages Projects Releases Wiki Activity
1a727b8be1
drone/app/services/protection/verify_pullreq.go
Marko Gacesa 1a727b8be1 refactor of protection package (#734)
2023-10-27 14:06:09 +00:00

277 lines
8.0 KiB
Go
Raw Blame History

// Copyright 2023 Harness, Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package protection
import (
"context"
"errors"
"fmt"
"github.com/harness/gitness/app/services/codeowners"
"github.com/harness/gitness/types"
"github.com/harness/gitness/types/enum"
"golang.org/x/exp/slices"
)
type (
MergeVerifier interface {
MergeVerify(ctx context.Context, in MergeVerifyInput) (MergeVerifyOutput, []types.RuleViolations, error)
}
MergeVerifyInput struct {
Actor *types.Principal
IsSpaceOwner bool
Membership *types.Membership
TargetRepo *types.Repository
SourceRepo *types.Repository
PullReq *types.PullReq
Reviewers []*types.PullReqReviewer
Method enum.MergeMethod
CheckResults []types.CheckResult
CodeOwners *codeowners.Evaluation
}
MergeVerifyOutput struct {
DeleteSourceBranch bool
}
)
// ensures that the DefPullReq type implements Sanitizer and MergeVerifier interface.
var (
_ Sanitizer = (*DefPullReq)(nil)
_ MergeVerifier = (*DefPullReq)(nil)
)
const (
codePullReqApprovalReqMinCount = "pullreq.approvals.require_minimum_count"
codePullReqApprovalReqLatestCommit = "pullreq.approvals.require_latest_commit"
codePullReqApprovalReqCodeOwnersNoApproval = "pullreq.approvals.require_code_owners:no_approval"
codePullReqApprovalReqCodeOwnersChangeRequested = "pullreq.approvals.require_code_owners:change_requested"
codePullReqApprovalReqCodeOwnersNoLatestApproval = "pullreq.approvals.require_code_owners:no_latest_approval"
codePullReqCommentsReqResolveAll = "pullreq.comments.require_resolve_all"
codePullReqStatusChecksReqUIDs = "pullreq.status_checks.required_uids"
codePullReqMergeStrategiesAllowed = "pullreq.merge.strategies_allowed"
codePullReqMergeDeleteBranch = "pullreq.merge.delete_branch"
)
//nolint:gocognit // well aware of this
func (v *DefPullReq) MergeVerify(
_ context.Context,
in MergeVerifyInput,
) (MergeVerifyOutput, []types.RuleViolations, error) {
var out MergeVerifyOutput
var violations types.RuleViolations
out.DeleteSourceBranch = v.Merge.DeleteBranch
// pullreq.approvals
approvedBy := make([]types.PrincipalInfo, 0, len(in.Reviewers))
for _, reviewer := range in.Reviewers {
if reviewer.ReviewDecision != enum.PullReqReviewDecisionApproved {
continue
}
if v.Approvals.RequireLatestCommit && reviewer.SHA != in.PullReq.SourceSHA {
continue
}
approvedBy = append(approvedBy, reviewer.Reviewer)
}
if len(approvedBy) < v.Approvals.RequireMinimumCount {
violations.Addf(codePullReqApprovalReqMinCount,
"Insufficient number of approvals. Have %d but need at least %d.",
len(approvedBy), v.Approvals.RequireMinimumCount)
}
if v.Approvals.RequireCodeOwners {
for _, entry := range in.CodeOwners.EvaluationEntries {
reviewDecision, approvers := getCodeOwnerApprovalStatus(entry.OwnerEvaluations)
if reviewDecision == enum.PullReqReviewDecisionPending {
violations.Addf(codePullReqApprovalReqCodeOwnersNoApproval,
"Code owners approval pending for %q", entry.Pattern)
continue
}
if reviewDecision == enum.PullReqReviewDecisionChangeReq {
violations.Addf(codePullReqApprovalReqCodeOwnersChangeRequested,
"Code owners requested changes for %q", entry.Pattern)
continue
}
// pull req approved. check other settings
if !v.Approvals.RequireLatestCommit {
continue
}
latestSHAApproved := slices.ContainsFunc(approvers, func(ev codeowners.OwnerEvaluation) bool {
return ev.ReviewSHA == in.PullReq.SourceSHA
})
if !latestSHAApproved {
violations.Addf(codePullReqApprovalReqCodeOwnersNoLatestApproval,
"Code owners approval pending on latest commit for %q", entry.Pattern)
}
}
}
// pullreq.comments
if v.Comments.RequireResolveAll && in.PullReq.UnresolvedCount > 0 {
violations.Addf(codePullReqCommentsReqResolveAll,
"All comments must be resolved. There are %d unresolved comments.",
in.PullReq.UnresolvedCount)
}
// pullreq.status_checks
for _, requiredUID := range v.StatusChecks.RequireUIDs {
var succeeded bool
for i := range in.CheckResults {
if in.CheckResults[i].UID == requiredUID {
succeeded = in.CheckResults[i].Status == enum.CheckStatusSuccess
break
}
}
if !succeeded {
violations.Add(codePullReqStatusChecksReqUIDs,
"At least one required status check hasn't completed successfully.")
}
}
// pullreq.merge
if len(v.Merge.StrategiesAllowed) > 0 { // Note: Empty allowed strategies list means all are allowed
if !slices.Contains(v.Merge.StrategiesAllowed, in.Method) {
violations.Addf(codePullReqMergeStrategiesAllowed,
"The requested merge strategy %q is not allowed. Allowed strategies are %v.",
in.Method, v.Merge.StrategiesAllowed)
}
}
return out, []types.RuleViolations{violations}, nil
}
type DefApprovals struct {
RequireCodeOwners bool `json:"require_code_owners,omitempty"`
RequireMinimumCount int `json:"require_minimum_count,omitempty"`
RequireLatestCommit bool `json:"require_latest_commit,omitempty"`
}
func (v *DefApprovals) Sanitize() error {
if v.RequireMinimumCount < 0 {
return errors.New("minimum count must be zero or a positive integer")
}
return nil
}
type DefComments struct {
RequireResolveAll bool `json:"require_resolve_all,omitempty"`
}
func (DefComments) Sanitize() error {
return nil
}
type DefStatusChecks struct {
RequireUIDs []string `json:"require_uids,omitempty"`
}
func (v *DefStatusChecks) Sanitize() error {
if err := validateUIDSlice(v.RequireUIDs); err != nil {
return fmt.Errorf("required UIDs error: %w", err)
}
return nil
}
type DefMerge struct {
StrategiesAllowed []enum.MergeMethod `json:"strategies_allowed,omitempty"`
DeleteBranch bool `json:"delete_branch,omitempty"`
}
func (v *DefMerge) Sanitize() error {
m := make(map[enum.MergeMethod]struct{}, 0)
for _, strategy := range v.StrategiesAllowed {
if _, ok := strategy.Sanitize(); !ok {
return fmt.Errorf("unrecognized merge strategy: %s", strategy)
}
if _, ok := m[strategy]; ok {
return fmt.Errorf("duplicate entry in merge strategy list: %s", strategy)
}
m[strategy] = struct{}{}
}
return nil
}
type DefPush struct {
Block bool `json:"block,omitempty"`
}
func (v *DefPush) Sanitize() error {
return nil
}
type DefPullReq struct {
Approvals DefApprovals `json:"approvals"`
Comments DefComments `json:"comments"`
StatusChecks DefStatusChecks `json:"status_checks"`
Merge DefMerge `json:"merge"`
}
func (v *DefPullReq) Sanitize() error {
if err := v.Approvals.Sanitize(); err != nil {
return fmt.Errorf("approvals: %w", err)
}
if err := v.Comments.Sanitize(); err != nil {
return fmt.Errorf("comments: %w", err)
}
if err := v.StatusChecks.Sanitize(); err != nil {
return fmt.Errorf("status checks: %w", err)
}
if err := v.Merge.Sanitize(); err != nil {
return fmt.Errorf("merge: %w", err)
}
return nil
}
func getCodeOwnerApprovalStatus(
ownerStatus []codeowners.OwnerEvaluation,
) (enum.PullReqReviewDecision, []codeowners.OwnerEvaluation) {
approvers := make([]codeowners.OwnerEvaluation, 0)
for _, o := range ownerStatus {
if o.ReviewDecision == enum.PullReqReviewDecisionChangeReq {
return enum.PullReqReviewDecisionChangeReq, nil
}
if o.ReviewDecision == enum.PullReqReviewDecisionApproved {
approvers = append(approvers, o)
}
}
if len(approvers) > 0 {
return enum.PullReqReviewDecisionApproved, approvers
}
return enum.PullReqReviewDecisionPending, nil
}
Reference in New Issue View Git Blame Copy Permalink