Merge remote-tracking branch 'upstream/main' into revert-dir-parsePush

Author: jescalada

index.ts

@@ -1,5 +1,6 @@
 #!/usr/bin/env tsx
 /* eslint-disable max-len */
+import path from 'path';
 import yargs from 'yargs';
 import { hideBin } from 'yargs/helpers';
 import * as fs from 'fs';
@@ -19,7 +20,7 @@ const argv = yargs(hideBin(process.argv))
     },
     config: {
       description: 'Path to custom git-proxy configuration file.',
-      default: 'proxy.config.json',
+      default: path.join(__dirname, 'proxy.config.json'),
       required: false,
       alias: 'c',
       type: 'string',

package-lock.json

@@ -52,7 +52,7 @@
     "cors": "^2.8.5",
     "diff2html": "^3.4.33",
     "env-paths": "^2.2.1",
-    "express": "^4.18.2",
+    "express": "^4.21.2",
     "express-http-proxy": "^2.0.0",
     "express-rate-limit": "^7.1.5",
     "express-session": "^1.17.1",
@@ -83,9 +83,9 @@
     "yargs": "^17.7.2"
   },
   "devDependencies": {
-    "@babel/core": "^7.23.2",
-    "@babel/eslint-parser": "^7.22.9",
-    "@babel/preset-react": "^7.22.5",
+    "@babel/core": "^7.27.1",
+    "@babel/eslint-parser": "^7.27.1",
+    "@babel/preset-react": "^7.27.1",
     "@commitlint/cli": "^19.0.0",
     "@commitlint/config-conventional": "^19.0.0",
     "@types/domutils": "^1.7.8",
@@ -102,7 +102,7 @@
     "@vitejs/plugin-react": "^4.0.2",
     "chai": "^4.2.0",
     "chai-http": "^4.3.0",
-    "cypress": "^14.0.0",
+    "cypress": "^14.5.1",
     "eslint": "^8.57.0",
     "eslint-config-google": "^0.14.0",
     "eslint-config-prettier": "^10.0.1",
@@ -113,22 +113,22 @@
     "eslint-plugin-typescript": "^0.14.0",
     "husky": "^9.0.0",
     "mocha": "^10.8.2",
-    "nyc": "^17.0.0",
+    "nyc": "^17.1.0",
     "prettier": "^3.0.0",
     "proxyquire": "^2.1.3",
     "sinon": "^21.0.0",
     "ts-mocha": "^11.1.0",
     "ts-node": "^10.9.2",
     "tsx": "^4.19.3",
     "typescript": "^5.7.3",
-    "vite": "^4.5.13",
+    "vite": "^4.5.14",
     "vite-tsconfig-paths": "^5.1.4"
   },
   "optionalDependencies": {
-    "@esbuild/darwin-arm64": "^0.18.20",
-    "@esbuild/darwin-x64": "^0.23.0",
-    "@esbuild/linux-x64": "0.23.0",
-    "@esbuild/win32-x64": "0.23.0"
+    "@esbuild/darwin-arm64": "^0.25.6",
+    "@esbuild/darwin-x64": "^0.25.6",
+    "@esbuild/linux-x64": "0.25.6",
+    "@esbuild/win32-x64": "0.25.6"
   },
   "browserslist": {
     "production": [

package.json

@@ -2,7 +2,7 @@ import { readFileSync } from 'fs';
 import { join } from 'path';
 import { validate as jsonSchemaValidate } from 'jsonschema';
 
-export let configFile: string = join(process.cwd(), 'proxy.config.json');
+export let configFile: string = join(__dirname, '../../proxy.config.json');
 
 /**
  * Set the config file path.
@@ -20,7 +20,7 @@ export function setConfigFile(file: string) {
  */
 export function validate(configFilePath: string = configFile!): boolean {
   const config = JSON.parse(readFileSync(configFilePath, 'utf-8'));
-  const schemaPath = join(process.cwd(), 'config.schema.json');
+  const schemaPath = join(__dirname, '../../config.schema.json');
   const schema = JSON.parse(readFileSync(schemaPath, 'utf-8'));
   jsonSchemaValidate(config, schema, { required: true, throwError: true });
   return true;

src/config/file.ts

@@ -126,13 +126,7 @@ export const getAPIAuthMethods = (): Authentication[] => {
     _apiAuthentication = _userSettings.apiAuthentication;
   }
 
-  const enabledAuthMethods = _apiAuthentication.filter((auth) => auth.enabled);
-
-  if (enabledAuthMethods.length === 0) {
-    console.log('Warning: No authentication method enabled for API endpoints.');
-  }
-
-  return enabledAuthMethods;
+  return _apiAuthentication.filter((auth) => auth.enabled);
 };
 
 // Log configuration to console

src/config/index.ts

@@ -48,6 +48,7 @@ class Action {
   attestation?: string;
   lastStep?: Step;
   proxyGitPath?: string;
+  newIdxFiles?: string[];
 
   /**
    * Create an action.

src/proxy/actions/Action.ts

@@ -9,9 +9,11 @@ const pushActionChain: ((req: any, action: Action) => Promise<Action>)[] = [
   proc.push.checkCommitMessages,
   proc.push.checkAuthorEmails,
   proc.push.checkUserPushPermission,
-  proc.push.checkIfWaitingAuth,
   proc.push.pullRemote,
   proc.push.writePack,
+  proc.push.checkHiddenCommits,
+  proc.push.checkIfWaitingAuth,
+  proc.push.getMissingData,
   proc.push.preReceive,
   proc.push.getDiff,
   // run before clear remote

src/proxy/chain.ts

@@ -0,0 +1,6 @@
+export const BRANCH_PREFIX = 'refs/heads/';
+export const EMPTY_COMMIT_HASH = '0000000000000000000000000000000000000000';
+export const FLUSH_PACKET = '0000';
+export const PACK_SIGNATURE = 'PACK';
+export const PACKET_SIZE = 4;
+export const GIT_OBJECT_TYPE_COMMIT = 1;

src/proxy/processors/constants.ts

@@ -0,0 +1,82 @@
+import path from 'path';
+import { Action, Step } from '../../actions';
+import { spawnSync } from 'child_process';
+
+const exec = async (req: any, action: Action): Promise<Action> => {
+  const step = new Step('checkHiddenCommits');
+
+  try {
+    const repoPath = `${action.proxyGitPath}/${action.repoName}`;
+
+    const oldOid = action.commitFrom;
+    const newOid = action.commitTo;
+    if (!oldOid || !newOid) {
+      throw new Error('Both action.commitFrom and action.commitTo must be defined');
+    }
+
+    // build introducedCommits set
+    const introducedCommits = new Set<string>();
+    const revRange =
+      oldOid === '0000000000000000000000000000000000000000' ? newOid : `${oldOid}..${newOid}`;
+    const revList = spawnSync('git', ['rev-list', revRange], { cwd: repoPath, encoding: 'utf-8' })
+      .stdout.trim()
+      .split('\n')
+      .filter(Boolean);
+    revList.forEach((sha) => introducedCommits.add(sha));
+    step.log(`Total introduced commits: ${introducedCommits.size}`);
+
+    // build packCommits set
+    const packPath = path.join('.git', 'objects', 'pack');
+    const packCommits = new Set<string>();
+    (action.newIdxFiles || []).forEach((idxFile) => {
+      const idxPath = path.join(packPath, idxFile);
+      const out = spawnSync('git', ['verify-pack', '-v', idxPath], {
+        cwd: repoPath,
+        encoding: 'utf-8',
+      })
+        .stdout.trim()
+        .split('\n');
+      out.forEach((line) => {
+        const [sha, type] = line.split(/\s+/);
+        if (type === 'commit') packCommits.add(sha);
+      });
+    });
+    step.log(`Total commits in the pack: ${packCommits.size}`);
+
+    // subset check
+    const isSubset = [...packCommits].every((sha) => introducedCommits.has(sha));
+    if (!isSubset) {
+      // build detailed lists
+      const [referenced, unreferenced] = [...packCommits].reduce<[string[], string[]]>(
+        ([ref, unref], sha) =>
+          introducedCommits.has(sha) ? [[...ref, sha], unref] : [ref, [...unref, sha]],
+        [[], []],
+      );
+
+      step.log(`Referenced commits: ${referenced.length}`);
+      step.log(`Unreferenced commits: ${unreferenced.length}`);
+
+      step.setError(
+        `Unreferenced commits in pack (${unreferenced.length}): ${unreferenced.join(', ')}.\n` +
+          `This usually happens when a branch was made from a commit that hasn't been approved and pushed to the remote.\n` +
+          `Please get approval on the commits, push them and try again.`,
+      );
+      action.error = true;
+      step.setContent(`Referenced: ${referenced.length}, Unreferenced: ${unreferenced.length}`);
+    } else {
+      // all good, no logging of individual SHAs needed
+      step.log('All pack commits are referenced in the introduced range.');
+      step.setContent(`All ${packCommits.size} pack commits are within introduced commits.`);
+    }
+  } catch (e: any) {
+    step.setError(e.message);
+    throw e;
+  } finally {
+    action.addStep(step);
+  }
+
+  return action;
+};
+
+exec.displayName = 'checkHiddenCommits.exec';
+export { exec };

src/proxy/processors/push-action/checkHiddenCommits.ts

@@ -5,7 +5,26 @@ import { trimTrailingDotGit } from '../../../db/helper';
 // Execute if the repo is approved
 const exec = async (req: any, action: Action): Promise<Action> => {
   const step = new Step('checkUserPushPermission');
+  const user = action.user;
 
+  if (!user) {
+    console.log('Action has no user set. This may be due to a fast-forward ref update. Deferring to getMissingData action.');
+    return action;
+  }
+
+  return await validateUser(user, action, step);
+};
+
+/**
+ * Helper that validates the user's push permission.
+ * This can be used by other actions that need it. For example, when the user is missing from the commit data,
+ * validation is deferred to getMissingData, but the logic is the same.
+ * @param {string} user The user to validate
+ * @param {Action} action The action object
+ * @param {Step} step The step object
+ * @return {Promise<Action>} The action object
+ */
+const validateUser = async (user: string, action: Action, step: Step): Promise<Action> => { 
   const repoSplit = trimTrailingDotGit(action.repo.toLowerCase()).split('/');
   // we expect there to be exactly one / separating org/repoName
   if (repoSplit.length != 2) {
@@ -16,7 +35,6 @@ const exec = async (req: any, action: Action): Promise<Action> => {
   // pull the 2nd value of the split for repoName
   const repoName = repoSplit[1];
   let isUserAllowed = false;
-  let user = action.user;
 
   // Find the user associated with this Git Account
   const list = await getUsers({ gitAccount: action.user });
@@ -53,4 +71,4 @@ const exec = async (req: any, action: Action): Promise<Action> => {
 
 exec.displayName = 'checkUserPushPermission.exec';
 
-export { exec };
+export { exec, validateUser };