Supports wildcard protected branch

models/git/protected_branch_list.go

@@ -0,0 +1,87 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package git
+
+import (
+	"context"
+	"sort"
+
+	"code.gitea.io/gitea/models/db"
+	"code.gitea.io/gitea/modules/git"
+
+	"github.com/gobwas/glob"
+)
+
+type ProtectedBranchRules []*ProtectedBranch
+
+func (rules ProtectedBranchRules) GetFirstMatched(branchName string) *ProtectedBranch {
+	for _, rule := range rules {
+		if rule.Match(branchName) {
+			return rule
+		}
+	}
+	return nil
+}
+
+func (rules ProtectedBranchRules) Sort() {
+	sort.Slice(rules, func(i, j int) bool {
+		rules[i].loadGlob()
+		rules[j].loadGlob()
+		if rules[i].isPlainName {
+			if !rules[j].isPlainName {
+				return true
+			}
+		} else if rules[j].isPlainName {
+			return true
+		}
+		return rules[i].CreatedUnix < rules[j].CreatedUnix
+	})
+}
+
+// FindRepoProtectedBranchRules load all repository's protected rules
+func FindRepoProtectedBranchRules(ctx context.Context, repoID int64) (ProtectedBranchRules, error) {
+	var rules ProtectedBranchRules
+	err := db.GetEngine(ctx).Where("repo_id = ?", repoID).Asc("created_unix").Find(&rules)
+	if err != nil {
+		return nil, err
+	}
+	rules.Sort()
+	return rules, nil
+}
+
+// FindAllMatchedBranches find all matched branches
+func FindAllMatchedBranches(ctx context.Context, gitRepo *git.Repository, ruleName string) ([]string, error) {
+	// FIXME: how many should we get?
+	branches, _, err := gitRepo.GetBranchNames(0, 9999999)
+	if err != nil {
+		return nil, err
+	}
+	rule := glob.MustCompile(ruleName)
+	results := make([]string, 0, len(branches))
+	for _, branch := range branches {
+		if rule.Match(branch) {
+			results = append(results, branch)
+		}
+	}
+	return results, nil
+}
+
+// GetFirstMatchProtectedBranchRule returns the first matched rules
+func GetFirstMatchProtectedBranchRule(ctx context.Context, repoID int64, branchName string) (*ProtectedBranch, error) {
+	rules, err := FindRepoProtectedBranchRules(ctx, repoID)
+	if err != nil {
+		return nil, err
+	}
+	return rules.GetFirstMatched(branchName), nil
+}
+
+// IsBranchProtected checks if branch is protected
+func IsBranchProtected(repoID int64, branchName string) (bool, error) {
+	rule, err := GetFirstMatchProtectedBranchRule(db.DefaultContext, repoID, branchName)
+	if err != nil {
+		return false, err
+	}
+	return rule != nil, nil
+}

models/git/protected_branch_test.go

@@ -0,0 +1,69 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package git
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestBranchRuleMatch(t *testing.T) {
+	kases := []struct {
+		Rule          string
+		BranchName    string
+		ExpectedMatch bool
+	}{
+		{
+			Rule:          "release/*",
+			BranchName:    "release/v1.17",
+			ExpectedMatch: true,
+		},
+		{
+			Rule:          "release/**/v1.17",
+			BranchName:    "release/test/v1.17",
+			ExpectedMatch: true,
+		},
+		{
+			Rule:          "release/**/v1.17",
+			BranchName:    "release/test/1/v1.17",
+			ExpectedMatch: true,
+		},
+		{
+			Rule:          "release/*/v1.17",
+			BranchName:    "release/test/1/v1.17",
+			ExpectedMatch: false,
+		},
+		{
+			Rule:          "release/v*",
+			BranchName:    "release/v1.16",
+			ExpectedMatch: true,
+		},
+		{
+			Rule:          "*",
+			BranchName:    "release/v1.16",
+			ExpectedMatch: false,
+		},
+		{
+			Rule:          "**",
+			BranchName:    "release/v1.16",
+			ExpectedMatch: true,
+		},
+	}
+
+	for _, kase := range kases {
+		pb := ProtectedBranch{BranchName: kase.Rule}
+		var should, infact string
+		if !kase.ExpectedMatch {
+			should = " not"
+		} else {
+			infact = " not"
+		}
+		assert.EqualValues(t, kase.ExpectedMatch, pb.Match(kase.BranchName),
+			fmt.Sprintf("%s should%s match %s but it is%s", kase.BranchName, should, kase.Rule, infact),
+		)
+	}
+}

models/issues/pull.go

@@ -165,9 +165,8 @@ type PullRequest struct {
 	HeadBranch          string
 	HeadCommitID        string `xorm:"-"`
 	BaseBranch          string
-	ProtectedBranch     *git_model.ProtectedBranch `xorm:"-"`
-	MergeBase           string                     `xorm:"VARCHAR(40)"`
-	AllowMaintainerEdit bool                       `xorm:"NOT NULL DEFAULT false"`
+	MergeBase           string `xorm:"VARCHAR(40)"`
+	AllowMaintainerEdit bool   `xorm:"NOT NULL DEFAULT false"`
 
 	HasMerged      bool               `xorm:"INDEX"`
 	MergedCommitID string             `xorm:"VARCHAR(40)"`
@@ -313,28 +312,6 @@ func (pr *PullRequest) LoadIssueCtx(ctx context.Context) (err error) {
 	return err
 }
 
-// LoadProtectedBranch loads the protected branch of the base branch
-func (pr *PullRequest) LoadProtectedBranch() (err error) {
-	return pr.LoadProtectedBranchCtx(db.DefaultContext)
-}
-
-// LoadProtectedBranchCtx loads the protected branch of the base branch
-func (pr *PullRequest) LoadProtectedBranchCtx(ctx context.Context) (err error) {
-	if pr.ProtectedBranch == nil {
-		if pr.BaseRepo == nil {
-			if pr.BaseRepoID == 0 {
-				return nil
-			}
-			pr.BaseRepo, err = repo_model.GetRepositoryByIDCtx(ctx, pr.BaseRepoID)
-			if err != nil {
-				return
-			}
-		}
-		pr.ProtectedBranch, err = git_model.GetProtectedBranchBy(ctx, pr.BaseRepo.ID, pr.BaseBranch)
-	}
-	return err
-}
-
 // ReviewCount represents a count of Reviews
 type ReviewCount struct {
 	IssueID int64

models/issues/review.go

@@ -272,15 +272,17 @@ func IsOfficialReviewer(ctx context.Context, issue *Issue, reviewers ...*user_mo
 	if err != nil {
 		return false, err
 	}
-	if err = pr.LoadProtectedBranchCtx(ctx); err != nil {
+
+	rule, err := git_model.GetFirstMatchProtectedBranchRule(ctx, pr.BaseRepoID, pr.BaseBranch)
+	if err != nil {
 		return false, err
 	}
-	if pr.ProtectedBranch == nil {
+	if rule == nil {
 		return false, nil
 	}
 
 	for _, reviewer := range reviewers {
-		official, err := git_model.IsUserOfficialReviewerCtx(ctx, pr.ProtectedBranch, reviewer)
+		official, err := git_model.IsUserOfficialReviewer(ctx, rule, reviewer)
 		if official || err != nil {
 			return official, err
 		}
@@ -295,18 +297,19 @@ func IsOfficialReviewerTeam(ctx context.Context, issue *Issue, team *organizatio
 	if err != nil {
 		return false, err
 	}
-	if err = pr.LoadProtectedBranchCtx(ctx); err != nil {
+	pb, err := git_model.GetFirstMatchProtectedBranchRule(ctx, pr.BaseRepoID, pr.BaseBranch)
+	if err != nil {
 		return false, err
 	}
-	if pr.ProtectedBranch == nil {
+	if pb == nil {
 		return false, nil
 	}
 
-	if !pr.ProtectedBranch.EnableApprovalsWhitelist {
+	if !pb.EnableApprovalsWhitelist {
 		return team.UnitAccessModeCtx(ctx, unit.TypeCode) >= perm.AccessModeWrite, nil
 	}
 
-	return base.Int64sContains(pr.ProtectedBranch.ApprovalsWhitelistTeamIDs, team.ID), nil
+	return base.Int64sContains(pb.ApprovalsWhitelistTeamIDs, team.ID), nil
 }
 
 // CreateReview creates a new review based on opts

modules/context/repo.go

@@ -120,7 +120,7 @@ type CanCommitToBranchResults struct {
 //
 // and branch is not protected for push
 func (r *Repository) CanCommitToBranch(ctx context.Context, doer *user_model.User) (CanCommitToBranchResults, error) {
-	protectedBranch, err := git_model.GetProtectedBranchBy(ctx, r.Repository.ID, r.BranchName)
+	protectedBranch, err := git_model.GetFirstMatchProtectedBranchRule(ctx, r.Repository.ID, r.BranchName)
 	if err != nil {
 		return CanCommitToBranchResults{}, err
 	}

modules/structs/repo_branch.go

@@ -53,7 +53,7 @@ type BranchProtection struct {
 
 // CreateBranchProtectionOption options for creating a branch protection
 type CreateBranchProtectionOption struct {
-	BranchName                    string   `json:"branch_name"`
+	RuleName                      string   `json:"branch_name"` // it now in fact stores rule name not only branch name
 	EnablePush                    bool     `json:"enable_push"`
 	EnablePushWhitelist           bool     `json:"enable_push_whitelist"`
 	PushWhitelistUsernames        []string `json:"push_whitelist_usernames"`

options/locale/locale_en-US.ini

@@ -1809,6 +1809,7 @@ settings.mirror_sync_in_progress = Mirror synchronization is in progress. Check
 settings.site = Website
 settings.update_settings = Update Settings
 settings.branches.update_default_branch = Update Default Branch
+settings.branches.add_new_rule = Add New Rule
 settings.advanced_settings = Advanced Settings
 settings.wiki_desc = Enable Repository Wiki
 settings.use_internal_wiki = Use Built-In Wiki
@@ -2052,6 +2053,8 @@ settings.deploy_key_deletion_desc = Removing a deploy key will revoke its access
 settings.deploy_key_deletion_success = The deploy key has been removed.
 settings.branches = Branches
 settings.protected_branch = Branch Protection
+settings.protected_branch.save_rule = Save Rule
+settings.protected_branch.delete_rule = Delete Rule
 settings.protected_branch_can_push = Allow push?
 settings.protected_branch_can_push_yes = You can push
 settings.protected_branch_can_push_no = You can not push
@@ -2086,15 +2089,16 @@ settings.dismiss_stale_approvals = Dismiss stale approvals
 settings.dismiss_stale_approvals_desc = When new commits that change the content of the pull request are pushed to the branch, old approvals will be dismissed.
 settings.require_signed_commits = Require Signed Commits
 settings.require_signed_commits_desc = Reject pushes to this branch if they are unsigned or unverifiable.
+settings.protect_branch_name_pattern = Protected Branch Name Pattern
 settings.protect_protected_file_patterns = Protected file patterns (separated using semicolon '\;'):
 settings.protect_protected_file_patterns_desc = Protected files that are not allowed to be changed directly even if user has rights to add, edit, or delete files in this branch. Multiple patterns can be separated using semicolon ('\;'). See <a href="https://pkg.go.dev/github.com/gobwas/glob#Compile">github.com/gobwas/glob</a> documentation for pattern syntax. Examples: <code>.drone.yml</code>, <code>/docs/**/*.txt</code>.
 settings.protect_unprotected_file_patterns = Unprotected file patterns (separated using semicolon '\;'):
 settings.protect_unprotected_file_patterns_desc = Unprotected files that are allowed to be changed directly if user has write access, bypassing push restriction. Multiple patterns can be separated using semicolon ('\;'). See <a href="https://pkg.go.dev/github.com/gobwas/glob#Compile">github.com/gobwas/glob</a> documentation for pattern syntax. Examples: <code>.drone.yml</code>, <code>/docs/**/*.txt</code>.
 settings.add_protected_branch = Enable protection
 settings.delete_protected_branch = Disable protection
-settings.update_protect_branch_success = Branch protection for branch '%s' has been updated.
-settings.remove_protected_branch_success = Branch protection for branch '%s' has been disabled.
-settings.protected_branch_deletion = Disable Branch Protection
+settings.update_protect_branch_success = Branch protection for rule '%s' has been updated.
+settings.remove_protected_branch_success = Branch protection for rule '%s' has been removed.
+settings.protected_branch_deletion = Delete Branch Protection
 settings.protected_branch_deletion_desc = Disabling branch protection allows users with write permission to push to the branch. Continue?
 settings.block_rejected_reviews = Block merge on rejected reviews
 settings.block_rejected_reviews_desc = Merging will not be possible when changes are requested by official reviewers, even if there are enough approvals.