dehub/accessctl/access_control.go

// Package accessctl implements functionality related to allowing or denying
// actions in a repo based on who is taking what actions.
package accessctl

import (
	"errors"
	"fmt"

	"dehub.dev/src/dehub.git/sigcred"

	yaml "gopkg.in/yaml.v2"
)

// DefaultAccessControlsStr is the encoded form of the default access control
// set which is applied to all CommitRequests if no user-supplied ones match.
//
// The effect of these AccessControls is to allow all commit types on any branch
// (with the exception of the main branch, which only allows change commits), as
// long as the commit has one signature from a configured account.
var DefaultAccessControlsStr = `
  - action: allow
    filters:
    - type: not
      filter:
        type: branch
        pattern: main
    - type: signature
      any_account: true
      count: 1
  
  - action: deny
    filters:
    - type: commit_attributes
      non_fast_forward: true

  - action: allow
    filters:
    - type: branch
      pattern: main
    - type: payload_type
      payload_type: change
    - type: signature
      any_account: true
      count: 1
  
  - action: deny
`

// DefaultAccessControls is the decoded form of DefaultAccessControlsStr.
var DefaultAccessControls = func() []AccessControl {
	var acl []AccessControl
	if err := yaml.Unmarshal([]byte(DefaultAccessControlsStr), &acl); err != nil {
		panic(err)
	}
	return acl
}()

// CommitRequest is used to describe a set of interactions which are being
// requested to be performed.
type CommitRequest struct {
	// Type describes what type of commit is being requested. Possibilities are
	// determined by the requester.
	Type string

	// Branch is the name of the branch the interactions are being attempted on.
	// It is required.
	Branch string

	// Credentials are the credentials attached to the commit.
	Credentials []sigcred.CredentialUnion

	// FilesChanged is the set of file paths (relative to the repo root) which
	// have been modified in some way.
	FilesChanged []string

	// NonFastForward should be set to true if the branch HEAD and this commit
	// are not directly related (i.e. neither is a direct ancestor of the
	// other).
	NonFastForward bool
}

// Action describes what action an AccessControl should perform
// when given a CommitRequest.
type Action string

// Enumerates possible Action values
const (
	ActionAllow Action = "allow"
	ActionDeny  Action = "deny"

	// ActionNext is used internally when a request does not match an
	// AccessControl's filters. It _could_ be used in the Config as well, but it
	// would be pretty pointless to do so, so we don't talk about it.
	ActionNext Action = "next"
)

// AccessControl describes a set of Filters, and the Actions which should be
// taken on a CommitRequest if those Filters all match on the CommitRequest.
type AccessControl struct {
	Action  Action        `yaml:"action"`
	Filters []FilterUnion `yaml:"filters"`
}

// ActionForCommit returns what Action this AccessControl says to take for a
// given CommitRequest. It may return ActionNext if the request is not matched
// by the AccessControl's Filters.
func (ac AccessControl) ActionForCommit(req CommitRequest) (Action, error) {
	for _, filterUn := range ac.Filters {
		if err := filterUn.Filter().MatchCommit(req); errors.As(err, new(ErrFilterNoMatch)) {
			return ActionNext, nil

		} else if err != nil {
			return "", fmt.Errorf("matching commit using filter of type %q: %w", filterUn.Type(), err)
		}
	}
	return ac.Action, nil
}

// ErrCommitRequestDenied is returned from AssertCanCommit when a particular
// AccessControl has explicitly disallowed the CommitRequest.
type ErrCommitRequestDenied struct {
	By AccessControl
}

func (e ErrCommitRequestDenied) Error() string {
	acB, err := yaml.Marshal(e.By)
	if err != nil {
		panic(err)
	}
	return fmt.Sprintf("commit matched and denied by this access control:\n%s", string(acB))
}

// AssertCanCommit asserts that the given CommitRequest is allowed by the given
// AccessControls.
func AssertCanCommit(acl []AccessControl, req CommitRequest) error {
	acl = append(acl, DefaultAccessControls...)
	for _, ac := range acl {
		action, err := ac.ActionForCommit(req)
		if err != nil {
			return err
		}
		switch action {
		case ActionNext:
			continue
		case ActionAllow:
			return nil
		case ActionDeny:
			return ErrCommitRequestDenied{By: ac}
		default:
			return fmt.Errorf("invalid action %q", action)
		}
	}

	panic("should not be able to get here")
}