woodpecker-ci · qwerty287 · Nov 12, 2023 · Nov 11, 2023 · Nov 12, 2023 · Nov 12, 2023
diff --git a/cmd/server/server.go b/cmd/server/server.go
@@ -43,6 +43,7 @@ import (
 	"go.woodpecker-ci.org/woodpecker/server/logging"
 	"go.woodpecker-ci.org/woodpecker/server/model"
 	"go.woodpecker-ci.org/woodpecker/server/plugins/config"
+	"go.woodpecker-ci.org/woodpecker/server/plugins/permissions"
 	"go.woodpecker-ci.org/woodpecker/server/pubsub"
 	"go.woodpecker-ci.org/woodpecker/server/router"
 	"go.woodpecker-ci.org/woodpecker/server/router/middleware"
@@ -177,7 +178,6 @@ func run(c *cli.Context) error {
 		webUIServe,
 		middleware.Logger(time.RFC3339, true),
 		middleware.Version,
-		middleware.Config(c),
 		middleware.Store(c, _store),
 	)
 
@@ -367,4 +367,10 @@ func setupEvilGlobals(c *cli.Context, v store.Store, f forge.Forge) {
 
 	// prometheus
 	server.Config.Prometheus.AuthToken = c.String("prometheus-auth-token")
+
+	// permissions
+	server.Config.Permissions.Open = c.Bool("open")
+	server.Config.Permissions.Admins = permissions.NewAdmins(c.StringSlice("admin"))
+	server.Config.Permissions.Orgs = permissions.NewOrgs(c.StringSlice("orgs"))
+	server.Config.Permissions.OwnersWhitelist = permissions.NewOwnersWhitelist(c.StringSlice("repo-owners"))
 }
diff --git a/server/api/login.go b/server/api/login.go
@@ -26,7 +26,6 @@ import (
 
 	"go.woodpecker-ci.org/woodpecker/server"
 	"go.woodpecker-ci.org/woodpecker/server/model"
-	"go.woodpecker-ci.org/woodpecker/server/router/middleware"
 	"go.woodpecker-ci.org/woodpecker/server/store"
 	"go.woodpecker-ci.org/woodpecker/server/store/types"
 	"go.woodpecker-ci.org/woodpecker/shared/httputil"
@@ -60,7 +59,6 @@ func HandleAuth(c *gin.Context) {
 	if tmpuser == nil {
 		return
 	}
-	config := middleware.GetConfig(c)
 
 	// get the user from the database
 	u, err := _store.GetUserRemoteID(tmpuser.ForgeRemoteID, tmpuser.Login)
@@ -71,17 +69,17 @@ func HandleAuth(c *gin.Context) {
 		}
 
 		// if self-registration is disabled we should return a not authorized error
-		if !config.Open && !config.IsAdmin(tmpuser) {
+		if !server.Config.Permissions.Open && !server.Config.Permissions.Admins.IsAdmin(tmpuser) {
 			log.Error().Msgf("cannot register %s. registration closed", tmpuser.Login)
 			c.Redirect(http.StatusSeeOther, server.Config.Server.RootPath+"/login?error=access_denied")
 			return
 		}
 
 		// if self-registration is enabled for whitelisted organizations we need to
 		// check the user's organization membership.
-		if len(config.Orgs) != 0 {
+		if server.Config.Permissions.Orgs.IsConfigured {
 			teams, terr := _forge.Teams(c, tmpuser)
-			if terr != nil || !config.IsMember(teams) {
+			if terr != nil || !server.Config.Permissions.Orgs.IsMember(teams) {
 				log.Error().Err(terr).Msgf("cannot verify team membership for %s.", u.Login)
 				c.Redirect(303, server.Config.Server.RootPath+"/login?error=access_denied")
 				return
@@ -125,13 +123,13 @@ func HandleAuth(c *gin.Context) {
 	u.Avatar = tmpuser.Avatar
 	u.ForgeRemoteID = tmpuser.ForgeRemoteID
 	u.Login = tmpuser.Login
-	u.Admin = u.Admin || config.IsAdmin(tmpuser)
+	u.Admin = u.Admin || server.Config.Permissions.Admins.IsAdmin(tmpuser)
 
 	// if self-registration is enabled for whitelisted organizations we need to
 	// check the user's organization membership.
-	if len(config.Orgs) != 0 {
+	if server.Config.Permissions.Orgs.IsConfigured {
 		teams, terr := _forge.Teams(c, u)
-		if terr != nil || !config.IsMember(teams) {
+		if terr != nil || !server.Config.Permissions.Orgs.IsMember(teams) {
 			log.Error().Err(terr).Msgf("cannot verify team membership for %s.", u.Login)
 			c.Redirect(http.StatusSeeOther, server.Config.Server.RootPath+"/login?error=access_denied")
 			return

diff --git a/server/api/repo.go b/server/api/repo.go
@@ -72,6 +72,11 @@ func PostRepo(c *gin.Context) {
 	}
 	if !from.Perm.Admin {
 		c.String(http.StatusForbidden, "User has to be a admin of this repository")
+		return
+	}
+	if !server.Config.Permissions.OwnersWhitelist.IsAllowed(from) {
+		c.String(http.StatusForbidden, "Repo owner is not allowed")
+		return
 	}
 
 	if enabledOnce {

diff --git a/server/api/user.go b/server/api/user.go
@@ -111,14 +111,17 @@ func GetRepos(c *gin.Context) {
 
 		var repos []*model.Repo
 		for _, r := range _repos {
-			if r.Perm.Push {
+			if r.Perm.Push && server.Config.Permissions.OwnersWhitelist.IsAllowed(r) {
 				if active[r.ForgeRemoteID] != nil {
 					existingRepo := active[r.ForgeRemoteID]
 					existingRepo.Update(r)
 					existingRepo.IsActive = active[r.ForgeRemoteID].IsActive
 					repos = append(repos, existingRepo)
 				} else {
-					repos = append(repos, r)
+					if r.Perm.Admin {
+						// you must be admin to enable the repo
+						repos = append(repos, r)
+					}
 				}
 			}
 		}

diff --git a/server/config.go b/server/config.go
@@ -26,6 +26,7 @@ import (
 	"go.woodpecker-ci.org/woodpecker/server/logging"
 	"go.woodpecker-ci.org/woodpecker/server/model"
 	"go.woodpecker-ci.org/woodpecker/server/plugins/config"
+	"go.woodpecker-ci.org/woodpecker/server/plugins/permissions"
 	"go.woodpecker-ci.org/woodpecker/server/pubsub"
 	"go.woodpecker-ci.org/woodpecker/server/queue"
 )
@@ -96,4 +97,10 @@ var Config = struct {
 			HTTPS string
 		}
 	}
+	Permissions struct {
+		Open            bool
+		Admins          *permissions.Admins
+		Orgs            *permissions.Orgs
+		OwnersWhitelist *permissions.OwnersWhitelist
+	}
 }{}
diff --git a/server/model/settings.go b/server/model/settings.go
diff --git a/server/plugins/permissions/admin.go b/server/plugins/permissions/admin.go
@@ -0,0 +1,18 @@
+package permissions
+
+import (
+	"go.woodpecker-ci.org/woodpecker/server/model"
+	"go.woodpecker-ci.org/woodpecker/shared/utils"
+)
+
+func NewAdmins(admins []string) *Admins {
+	return &Admins{admins: utils.SliceToBoolMap(admins)}
+}
+
+type Admins struct {
+	admins map[string]bool
+}
+
+func (a *Admins) IsAdmin(user *model.User) bool {
+	return a.admins[user.Login]
+}
diff --git a/server/plugins/permissions/orgs.go b/server/plugins/permissions/orgs.go
@@ -0,0 +1,27 @@
+package permissions
+
+import (
+	"go.woodpecker-ci.org/woodpecker/server/model"
+	"go.woodpecker-ci.org/woodpecker/shared/utils"
+)
+
+func NewOrgs(orgs []string) *Orgs {
+	return &Orgs{
+		IsConfigured: len(orgs) > 0,
+		orgs:         utils.SliceToBoolMap(orgs),
+	}
+}
+
+type Orgs struct {
+	IsConfigured bool
+	orgs         map[string]bool
+}
+
+func (o *Orgs) IsMember(teams []*model.Team) bool {
+	for _, team := range teams {
+		if o.orgs[team.Login] {
+			return true
+		}
+	}
+	return false
+}
diff --git a/server/plugins/permissions/repo_owners.go b/server/plugins/permissions/repo_owners.go
@@ -0,0 +1,18 @@
+package permissions
+
+import (
+	"go.woodpecker-ci.org/woodpecker/server/model"
+	"go.woodpecker-ci.org/woodpecker/shared/utils"
+)
+
+func NewOwnersWhitelist(owners []string) *OwnersWhitelist {
+	return &OwnersWhitelist{owners: utils.SliceToBoolMap(owners)}
+}
+
+type OwnersWhitelist struct {
+	owners map[string]bool
+}
+
+func (o *OwnersWhitelist) IsAllowed(repo *model.Repo) bool {
+	return len(o.owners) > 0 && o.owners[repo.Owner]
+}
diff --git a/server/router/middleware/config.go b/server/router/middleware/config.go
diff --git a/shared/utils/slices.go b/shared/utils/slices.go
@@ -57,3 +57,15 @@ func sliceToCountMap[E comparable](list []E) map[E]int {
 	}
 	return m
 }
+
+// sliceToMap is a helper function to convert a string slice to a map.
+func SliceToBoolMap(s []string) map[string]bool {
+	v := map[string]bool{}
+	for _, ss := range s {
+		if ss == "" {
+			continue
+		}
+		v[ss] = true
+	}
+	return v
+}