Adding Repo Level Settings (#1145)

app/api/controller/githook/controller.go

@@ -24,6 +24,7 @@ import (
  "github.com/harness/gitness/app/auth/authz"
  eventsgit "github.com/harness/gitness/app/events/git"
  "github.com/harness/gitness/app/services/protection"
+ "github.com/harness/gitness/app/services/settings"
  "github.com/harness/gitness/app/store"
  "github.com/harness/gitness/app/url"
  "github.com/harness/gitness/types"
@@ -38,7 +39,8 @@ type Controller struct {
  pullreqStore store.PullReqStore
  urlProvider url.Provider
  protectionManager *protection.Manager
- resourceLimiter limiter.ResourceLimiter
+ limiter limiter.ResourceLimiter
+ settings *settings.Service
  preReceiveExtender PreReceiveExtender
  updateExtender UpdateExtender
  postReceiveExtender PostReceiveExtender
@@ -53,6 +55,7 @@ func NewController(
  urlProvider url.Provider,
  protectionManager *protection.Manager,
  limiter limiter.ResourceLimiter,
+ settings *settings.Service,
  preReceiveExtender PreReceiveExtender,
  updateExtender UpdateExtender,
  postReceiveExtender PostReceiveExtender,
@@ -66,7 +69,8 @@ func NewController(
  pullreqStore: pullreqStore,
  urlProvider: urlProvider,
  protectionManager: protectionManager,
- resourceLimiter: limiter,
+ limiter: limiter,
+ settings: settings,
  preReceiveExtender: preReceiveExtender,
  updateExtender: updateExtender,
  postReceiveExtender: postReceiveExtender,

app/api/controller/githook/pre_receive.go

@@ -46,7 +46,7 @@ func (c *Controller) PreReceive(
  return hook.Output{}, err
  }
 
- if err := c.resourceLimiter.RepoSize(ctx, in.RepoID); err != nil {
+ if err := c.limiter.RepoSize(ctx, in.RepoID); err != nil {
  return hook.Output{}, fmt.Errorf(
  "resource limit exceeded: %w",
  limiter.ErrMaxRepoSizeReached)

app/api/controller/repo/controller.go

@@ -30,6 +30,7 @@ import (
  "github.com/harness/gitness/app/services/importer"
  "github.com/harness/gitness/app/services/keywordsearch"
  "github.com/harness/gitness/app/services/protection"
+ "github.com/harness/gitness/app/services/settings"
  "github.com/harness/gitness/app/store"
  "github.com/harness/gitness/app/url"
  "github.com/harness/gitness/git"
@@ -56,6 +57,7 @@ type Controller struct {
  pipelineStore store.PipelineStore
  principalStore store.PrincipalStore
  ruleStore store.RuleStore
+ settings *settings.Service
  principalInfoCache store.PrincipalInfoCache
  protectionManager *protection.Manager
  git git.Interface
@@ -79,6 +81,7 @@ func NewController(
  pipelineStore store.PipelineStore,
  principalStore store.PrincipalStore,
  ruleStore store.RuleStore,
+ settings *settings.Service,
  principalInfoCache store.PrincipalInfoCache,
  protectionManager *protection.Manager,
  git git.Interface,
@@ -102,6 +105,7 @@ func NewController(
  pipelineStore: pipelineStore,
  principalStore: principalStore,
  ruleStore: ruleStore,
+ settings: settings,
  principalInfoCache: principalInfoCache,
  protectionManager: protectionManager,
  git: git,
@@ -121,20 +125,11 @@ func (c *Controller) getRepo(
  ctx context.Context,
  repoRef string,
 ) (*types.Repository, error) {
- if repoRef == "" {
- return nil, usererror.BadRequest("A valid repository reference must be provided.")
- }
-
- repo, err := c.repoStore.FindByRef(ctx, repoRef)
- if err != nil {
- return nil, fmt.Errorf("failed to find repository: %w", err)
- }
-
- if repo.Importing {
- return nil, usererror.BadRequest("Repository import is in progress.")
- }
-
- return repo, nil
+ return GetRepo(
+ ctx,
+ c.repoStore,
+ repoRef,
+ )
 }
 
 // getRepoCheckAccess fetches an active repo (not one that is currently being imported)
@@ -146,16 +141,15 @@ func (c *Controller) getRepoCheckAccess(
  reqPermission enum.Permission,
  orPublic bool,
 ) (*types.Repository, error) {
- repo, err := c.getRepo(ctx, repoRef)
- if err != nil {
- return nil, fmt.Errorf("failed to find repo: %w", err)
- }
-
- if err = apiauth.CheckRepo(ctx, c.authorizer, session, repo, reqPermission, orPublic); err != nil {
- return nil, fmt.Errorf("access check failed: %w", err)
- }
-
- return repo, nil
+ return GetRepoCheckAccess(
+ ctx,
+ c.repoStore,
+ c.authorizer,
+ session,
+ repoRef,
+ reqPermission,
+ orPublic,
+ )
 }
 
 func (c *Controller) validateParentRef(parentRef string) error {

app/api/controller/repo/helper.go

@@ -0,0 +1,73 @@
+// Copyright 2023 Harness, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http:https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package repo
+
+import (
+ "context"
+ "fmt"
+
+ apiauth "github.com/harness/gitness/app/api/auth"
+ "github.com/harness/gitness/app/api/usererror"
+ "github.com/harness/gitness/app/auth"
+ "github.com/harness/gitness/app/auth/authz"
+ "github.com/harness/gitness/app/store"
+ "github.com/harness/gitness/types"
+ "github.com/harness/gitness/types/enum"
+)
+
+// GetRepo fetches an active repo (not one that is currently being imported).
+func GetRepo(
+ ctx context.Context,
+ repoStore store.RepoStore,
+ repoRef string,
+) (*types.Repository, error) {
+ if repoRef == "" {
+ return nil, usererror.BadRequest("A valid repository reference must be provided.")
+ }
+
+ repo, err := repoStore.FindByRef(ctx, repoRef)
+ if err != nil {
+ return nil, fmt.Errorf("failed to find repository: %w", err)
+ }
+
+ if repo.Importing {
+ return nil, usererror.BadRequest("Repository import is in progress.")
+ }
+
+ return repo, nil
+}
+
+// GetRepoCheckAccess fetches an active repo (not one that is currently being imported)
+// and checks if the current user has permission to access it.
+func GetRepoCheckAccess(
+ ctx context.Context,
+ repoStore store.RepoStore,
+ authorizer authz.Authorizer,
+ session *auth.Session,
+ repoRef string,
+ reqPermission enum.Permission,
+ orPublic bool,
+) (*types.Repository, error) {
+ repo, err := GetRepo(ctx, repoStore, repoRef)
+ if err != nil {
+ return nil, fmt.Errorf("failed to find repo: %w", err)
+ }
+
+ if err = apiauth.CheckRepo(ctx, authorizer, session, repo, reqPermission, orPublic); err != nil {
+ return nil, fmt.Errorf("access check failed: %w", err)
+ }
+
+ return repo, nil
+}

app/api/controller/repo/wire.go

@@ -22,6 +22,7 @@ import (
  "github.com/harness/gitness/app/services/importer"
  "github.com/harness/gitness/app/services/keywordsearch"
  "github.com/harness/gitness/app/services/protection"
+ "github.com/harness/gitness/app/services/settings"
  "github.com/harness/gitness/app/store"
  "github.com/harness/gitness/app/url"
  "github.com/harness/gitness/git"
@@ -48,6 +49,7 @@ func ProvideController(
  pipelineStore store.PipelineStore,
  principalStore store.PrincipalStore,
  ruleStore store.RuleStore,
+ settings *settings.Service,
  principalInfoCache store.PrincipalInfoCache,
  protectionManager *protection.Manager,
  rpcClient git.Interface,
@@ -63,7 +65,7 @@ func ProvideController(
  return NewController(config, tx, urlProvider,
  authorizer, repoStore,
  spaceStore, pipelineStore,
- principalStore, ruleStore, principalInfoCache, protectionManager,
+ principalStore, ruleStore, settings, principalInfoCache, protectionManager,
  rpcClient, importer, codeOwners, reporeporter, indexer, limiter, mtxManager, identifierCheck, repoChecks)
 }
 

app/api/controller/reposettings/controller.go

@@ -0,0 +1,65 @@
+// Copyright 2023 Harness, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http:https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package reposettings
+
+import (
+ "context"
+
+ "github.com/harness/gitness/app/api/controller/repo"
+ "github.com/harness/gitness/app/auth"
+ "github.com/harness/gitness/app/auth/authz"
+ "github.com/harness/gitness/app/services/settings"
+ "github.com/harness/gitness/app/store"
+ "github.com/harness/gitness/types"
+ "github.com/harness/gitness/types/enum"
+)
+
+type Controller struct {
+ authorizer authz.Authorizer
+ repoStore store.RepoStore
+ settings *settings.Service
+}
+
+func NewController(
+ authorizer authz.Authorizer,
+ repoStore store.RepoStore,
+ settings *settings.Service,
+) *Controller {
+ return &Controller{
+ authorizer: authorizer,
+ repoStore: repoStore,
+ settings: settings,
+ }
+}
+
+// getRepoCheckAccess fetches an active repo (not one that is currently being imported)
+// and checks if the current user has permission to access it.
+func (c *Controller) getRepoCheckAccess(
+ ctx context.Context,
+ session *auth.Session,
+ repoRef string,
+ reqPermission enum.Permission,
+ orPublic bool,
+) (*types.Repository, error) {
+ return repo.GetRepoCheckAccess(
+ ctx,
+ c.repoStore,
+ c.authorizer,
+ session,
+ repoRef,
+ reqPermission,
+ orPublic,
+ )
+}

app/api/controller/reposettings/security.go

@@ -0,0 +1,46 @@
+// Copyright 2023 Harness, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http:https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package reposettings
+
+import (
+ "github.com/harness/gitness/app/services/settings"
+
+ "github.com/gotidy/ptr"
+)
+
+// SecuritySettings represents the security related part of repository settings as exposed externally.
+type SecuritySettings struct {
+ SecretScanningEnabled *bool `json:"secret_scanning_enabled"`
+}
+
+func GetDefaultSecuritySettings() *SecuritySettings {
+ return &SecuritySettings{
+ SecretScanningEnabled: ptr.Bool(settings.DefaultSecretScanningEnabled),
+ }
+}
+
+func GetSecuritySettingsMappings(s *SecuritySettings) []settings.SettingHandler {
+ return []settings.SettingHandler{
+ settings.Mapping(settings.KeySecretScanningEnabled, s.SecretScanningEnabled),
+ }
+}
+
+func GetSecuritySettingsAsKeyValues(s *SecuritySettings) []settings.KeyValue {
+ kvs := make([]settings.KeyValue, 0, 1)
+ if s.SecretScanningEnabled != nil {
+ kvs = append(kvs, settings.KeyValue{Key: settings.KeySecretScanningEnabled, Value: *s.SecretScanningEnabled})
+ }
+ return kvs
+}

app/api/controller/reposettings/security_find.go

@@ -0,0 +1,44 @@
+// Copyright 2023 Harness, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http:https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package reposettings
+
+import (
+ "context"
+ "fmt"
+
+ "github.com/harness/gitness/app/auth"
+ "github.com/harness/gitness/types/enum"
+)
+
+// SecurityFind returns the security settings of a repo.
+func (c *Controller) SecurityFind(
+ ctx context.Context,
+ session *auth.Session,
+ repoRef string,
+) (*SecuritySettings, error) {
+ repo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoView, true)
+ if err != nil {
+ return nil, err
+ }
+
+ out := GetDefaultSecuritySettings()
+ mappings := GetSecuritySettingsMappings(out)
+ err = c.settings.RepoMap(ctx, repo.ID, mappings...)
+ if err != nil {
+ return nil, fmt.Errorf("failed to map settings: %w", err)
+ }
+
+ return out, nil
+}