Backport of LFS File Locking APIrd-35856-backport-lfs-file-locking-api

3 files changed, 91 insertions, 1 deletions

diff --git a/lib/gitlab/checks/change_access.rb b/lib/gitlab/checks/change_access.rb
index 945d70e7a24..d75e73dac10 100644
--- a/lib/gitlab/checks/change_access.rb
+++ b/lib/gitlab/checks/change_access.rb
@@ -31,13 +31,14 @@ module Gitlab
         @protocol = protocol
       end
 
-      def exec
+      def exec(skip_commits_check: false)
         return true if skip_authorization
 
         push_checks
         branch_checks
         tag_checks
         lfs_objects_exist_check
+        commits_check unless skip_commits_check
 
         true
       end
@@ -117,6 +118,24 @@ module Gitlab
         end
       end
 
+      def commits_check
+        return if deletion? || newrev.nil?
+
+        # n+1: https://gitlab.com/gitlab-org/gitlab-ee/issues/3593
+        ::Gitlab::GitalyClient.allow_n_plus_1_calls do
+          commits.each do |commit|
+            commit_check.validate(commit, validations_for_commit(commit))
+          end
+        end
+
+        commit_check.validate_file_paths
+      end
+
+      # Method overwritten in EE to inject custom validations
+      def validations_for_commit(_)
+        []
+      end
+
       private
 
       def updated_from_web?
@@ -150,6 +169,14 @@ module Gitlab
           raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:lfs_objects_missing]
         end
       end
+
+      def commit_check
+        @commit_check ||= Gitlab::Checks::CommitCheck.new(project, user_access.user, newrev, oldrev)
+      end
+
+      def commits
+        project.repository.new_commits(newrev)
+      end
     end
   end
 end
diff --git a/lib/gitlab/checks/commit_check.rb b/lib/gitlab/checks/commit_check.rb
new file mode 100644
index 00000000000..ae0cd142378
--- /dev/null
+++ b/lib/gitlab/checks/commit_check.rb
@@ -0,0 +1,61 @@
+module Gitlab
+  module Checks
+    class CommitCheck
+      include Gitlab::Utils::StrongMemoize
+
+      attr_reader :project, :user, :newrev, :oldrev
+
+      def initialize(project, user, newrev, oldrev)
+        @project = project
+        @user = user
+        @newrev = user
+        @oldrev = user
+        @file_paths = []
+      end
+
+      def validate(commit, validations)
+        return if validations.empty? && path_validations.empty?
+
+        commit.raw_deltas.each do |diff|
+          @file_paths << (diff.new_path || diff.old_path)
+
+          validations.each do |validation|
+            if error = validation.call(diff)
+              raise ::Gitlab::GitAccess::UnauthorizedError, error
+            end
+          end
+        end
+      end
+
+      def validate_file_paths
+        path_validations.each do |validation|
+          if error = validation.call(@file_paths)
+            raise ::Gitlab::GitAccess::UnauthorizedError, error
+          end
+        end
+      end
+
+      private
+
+      def validate_lfs_file_locks?
+        strong_memoize(:validate_lfs_file_locks) do
+          project.lfs_enabled? && project.lfs_file_locks.any? && newrev && oldrev
+        end
+      end
+
+      def lfs_file_locks_validation
+        lambda do |paths|
+          lfs_lock = project.lfs_file_locks.where(path: paths).where.not(user_id: user.id).first
+
+          if lfs_lock
+            return "The path '#{lfs_lock.path}' is locked in Git LFS by #{lfs_lock.user.name}"
+          end
+        end
+      end
+
+      def path_validations
+        validate_lfs_file_locks? ? [lfs_file_locks_validation] : []
+      end
+    end
+  end
+end
diff --git a/lib/gitlab/import_export/import_export.yml b/lib/gitlab/import_export/import_export.yml
index 2daed10f678..9f404003125 100644
--- a/lib/gitlab/import_export/import_export.yml
+++ b/lib/gitlab/import_export/import_export.yml
@@ -27,6 +27,8 @@ project_tree:
   - :releases
   - project_members:
     - :user
+  - lfs_file_locks:
+    - :user
   - merge_requests:
     - notes:
       - :author