CE port Refactor Gitlab::Checks::ChangeAccess class

1 files changed, 18 insertions, 216 deletions

diff --git a/lib/gitlab/checks/change_access.rb b/lib/gitlab/checks/change_access.rb
index 074afe9c412..7778d3068cc 100644
--- a/lib/gitlab/checks/change_access.rb
+++ b/lib/gitlab/checks/change_access.rb
@@ -3,35 +3,11 @@
 module Gitlab
   module Checks
     class ChangeAccess
-      ERROR_MESSAGES = {
-        push_code: 'You are not allowed to push code to this project.',
-        delete_default_branch: 'The default branch of a project cannot be deleted.',
-        force_push_protected_branch: 'You are not allowed to force push code to a protected branch on this project.',
-        non_master_delete_protected_branch: 'You are not allowed to delete protected branches from this project. Only a project maintainer or owner can delete a protected branch.',
-        non_web_delete_protected_branch: 'You can only delete protected branches using the web interface.',
-        merge_protected_branch: 'You are not allowed to merge code into protected branches on this project.',
-        push_protected_branch: 'You are not allowed to push code to protected branches on this project.',
-        change_existing_tags: 'You are not allowed to change existing tags on this project.',
-        update_protected_tag: 'Protected tags cannot be updated.',
-        delete_protected_tag: 'Protected tags cannot be deleted.',
-        create_protected_tag: 'You are not allowed to create this tag as it is protected.',
-        lfs_objects_missing: 'LFS objects are missing. Ensure LFS is properly set up or try a manual "git lfs push --all".'
-      }.freeze
+      ATTRIBUTES = %i[user_access project skip_authorization
+                      skip_lfs_integrity_check protocol oldrev newrev ref
+                      branch_name tag_name logger commits].freeze
 
-      LOG_MESSAGES = {
-        push_checks: "Checking if you are allowed to push...",
-        delete_default_branch_check: "Checking if default branch is being deleted...",
-        protected_branch_checks: "Checking if you are force pushing to a protected branch...",
-        protected_branch_push_checks: "Checking if you are allowed to push to the protected branch...",
-        protected_branch_deletion_checks: "Checking if you are allowed to delete the protected branch...",
-        tag_checks: "Checking if you are allowed to change existing tags...",
-        protected_tag_checks: "Checking if you are creating, updating or deleting a protected tag...",
-        lfs_objects_exist_check: "Scanning repository for blobs stored in LFS and verifying their files have been uploaded to GitLab...",
-        commits_check_file_paths_validation: "Validating commits' file paths...",
-        commits_check: "Validating commit contents..."
-      }.freeze
-
-      attr_reader :user_access, :project, :skip_authorization, :skip_lfs_integrity_check, :protocol, :oldrev, :newrev, :ref, :branch_name, :tag_name, :logger
+      attr_reader(*ATTRIBUTES)
 
       def initialize(
         change, user_access:, project:, skip_authorization: false,
@@ -50,206 +26,32 @@ module Gitlab
         @logger.append_message("Running checks for ref: #{@branch_name || @tag_name}")
       end
 
-      def exec(skip_commits_check: false)
+      def exec
         return true if skip_authorization
 
-        push_checks
-        branch_checks
-        tag_checks
-        lfs_objects_exist_check unless skip_lfs_integrity_check
-        commits_check unless skip_commits_check
+        ref_level_checks
+        # Check of commits should happen as the last step
+        # given they're expensive in terms of performance
+        commits_check
 
         true
       end
 
-      protected
-
-      def push_checks
-        logger.log_timed(LOG_MESSAGES[__method__]) do
-          unless can_push?
-            raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:push_code]
-          end
-        end
-      end
-
-      def branch_checks
-        return unless branch_name
-
-        logger.log_timed(LOG_MESSAGES[:delete_default_branch_check]) do
-          if deletion? && branch_name == project.default_branch
-            raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:delete_default_branch]
-          end
-        end
-
-        protected_branch_checks
-      end
-
-      def protected_branch_checks
-        logger.log_timed(LOG_MESSAGES[__method__]) do
-          return unless ProtectedBranch.protected?(project, branch_name) # rubocop:disable Cop/AvoidReturnFromBlocks
-
-          if forced_push?
-            raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:force_push_protected_branch]
-          end
-        end
-
-        if deletion?
-          protected_branch_deletion_checks
-        else
-          protected_branch_push_checks
-        end
-      end
-
-      def protected_branch_deletion_checks
-        logger.log_timed(LOG_MESSAGES[__method__]) do
-          unless user_access.can_delete_branch?(branch_name)
-            raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:non_master_delete_protected_branch]
-          end
-
-          unless updated_from_web?
-            raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:non_web_delete_protected_branch]
-          end
-        end
-      end
-
-      def protected_branch_push_checks
-        logger.log_timed(LOG_MESSAGES[__method__]) do
-          if matching_merge_request?
-            unless user_access.can_merge_to_branch?(branch_name) || user_access.can_push_to_branch?(branch_name)
-              raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:merge_protected_branch]
-            end
-          else
-            unless user_access.can_push_to_branch?(branch_name)
-              raise GitAccess::UnauthorizedError, push_to_protected_branch_rejected_message
-            end
-          end
-        end
-      end
-
-      def tag_checks
-        return unless tag_name
-
-        logger.log_timed(LOG_MESSAGES[__method__]) do
-          if tag_exists? && user_access.cannot_do_action?(:admin_project)
-            raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:change_existing_tags]
-          end
-        end
-
-        protected_tag_checks
+      def commits
+        @commits ||= project.repository.new_commits(newrev)
       end
 
-      def protected_tag_checks
-        logger.log_timed(LOG_MESSAGES[__method__]) do
-          return unless ProtectedTag.protected?(project, tag_name) # rubocop:disable Cop/AvoidReturnFromBlocks
-
-          raise(GitAccess::UnauthorizedError, ERROR_MESSAGES[:update_protected_tag]) if update?
-          raise(GitAccess::UnauthorizedError, ERROR_MESSAGES[:delete_protected_tag]) if deletion?
+      protected
 
-          unless user_access.can_create_tag?(tag_name)
-            raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:create_protected_tag]
-          end
-        end
+      def ref_level_checks
+        Gitlab::Checks::PushCheck.new(self).validate!
+        Gitlab::Checks::BranchCheck.new(self).validate!
+        Gitlab::Checks::TagCheck.new(self).validate!
+        Gitlab::Checks::LfsCheck.new(self).validate!
       end
 
       def commits_check
-        return if deletion? || newrev.nil?
-        return unless should_run_commit_validations?
-
-        logger.log_timed(LOG_MESSAGES[__method__]) do
-          # n+1: https://gitlab.com/gitlab-org/gitlab-ee/issues/3593
-          ::Gitlab::GitalyClient.allow_n_plus_1_calls do
-            commits.each do |commit|
-              logger.check_timeout_reached
-
-              commit_check.validate(commit, validations_for_commit(commit))
-            end
-          end
-        end
-
-        logger.log_timed(LOG_MESSAGES[:commits_check_file_paths_validation]) do
-          commit_check.validate_file_paths
-        end
-      end
-
-      # Method overwritten in EE to inject custom validations
-      def validations_for_commit(_)
-        []
-      end
-
-      private
-
-      def push_to_protected_branch_rejected_message
-        if project.empty_repo?
-          empty_project_push_message
-        else
-          ERROR_MESSAGES[:push_protected_branch]
-        end
-      end
-
-      def empty_project_push_message
-        <<~MESSAGE
-
-        A default branch (e.g. master) does not yet exist for #{project.full_path}
-        Ask a project Owner or Maintainer to create a default branch:
-
-          #{project_members_url}
-
-        MESSAGE
-      end
-
-      def project_members_url
-        Gitlab::Routing.url_helpers.project_project_members_url(project)
-      end
-
-      def should_run_commit_validations?
-        commit_check.validate_lfs_file_locks?
-      end
-
-      def updated_from_web?
-        protocol == 'web'
-      end
-
-      def tag_exists?
-        project.repository.tag_exists?(tag_name)
-      end
-
-      def forced_push?
-        Gitlab::Checks::ForcePush.force_push?(project, oldrev, newrev)
-      end
-
-      def update?
-        !Gitlab::Git.blank_ref?(oldrev) && !deletion?
-      end
-
-      def deletion?
-        Gitlab::Git.blank_ref?(newrev)
-      end
-
-      def matching_merge_request?
-        Checks::MatchingMergeRequest.new(newrev, branch_name, project).match?
-      end
-
-      def lfs_objects_exist_check
-        logger.log_timed(LOG_MESSAGES[__method__]) do
-          lfs_check = Checks::LfsIntegrity.new(project, newrev, logger.time_left)
-
-          if lfs_check.objects_missing?
-            raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:lfs_objects_missing]
-          end
-        end
-      end
-
-      def commit_check
-        @commit_check ||= Gitlab::Checks::CommitCheck.new(project, user_access.user, newrev, oldrev)
-      end
-
-      def commits
-        @commits ||= project.repository.new_commits(newrev)
-      end
-
-      def can_push?
-        user_access.can_do_action?(:push_code) ||
-          user_access.can_push_to_branch?(branch_name)
+        Gitlab::Checks::DiffCheck.new(self).validate!
       end
     end
   end