Add ability to disallow pull requests from forks

henrytk · henrytk · commit 2531eb215165 · 2016-11-22T13:59:39.000Z
In some cases you may want to only allow pull requests from within
your own team. This is useful in scenarios where you cannot have
untrusted code being pulled into your Concourse pipeline.

This commit adds the ability to optionally set a `disallow_forks`
configuration, which if set to true will only consider pull requests
valid if they are raised from within the same repository. The value
of this configuration is false by default and does not interfere
with the normal behaviour of the resource.
diff --git a/README.md b/README.md
@@ -73,6 +73,8 @@ concourse version 1.2.x and higher and the [`version: every`](http://concourse.c
   See the [`git-config(1)` manual page](https://www.kernel.org/pub/software/scm/git/docs/git-config.html)
   for more information and documentation of existing git options.
 
+* `disallow_forks`: *Optional*. If set to `true` it will only detect pull requests raised from within the same repository. Pull requests from forks will not generate new versions of the resource within Concourse. The default value is `false`.
+
 ## Behavior
 
 ### `check`: Check for new pull requests
diff --git a/assets/lib/commands/check.rb b/assets/lib/commands/check.rb
@@ -10,7 +10,11 @@ class Check < Commands::Base
 
     def output
       if return_all_versions?
-        repo.pull_requests
+        if disallow_forks?
+          repo.pull_requests.select { |pr| !pr.from_fork? }
+        else
+          repo.pull_requests
+        end
       else
         next_pull_request
       end
@@ -22,11 +26,16 @@ def return_all_versions?
       input['source']['every'] == true
     end
 
+    def disallow_forks?
+      input['source']['disallow_forks'] == true
+    end
+
     def next_pull_request
       pull_request = repo.next_pull_request(
         id: input['version']['pr'],
         sha: input['version']['ref'],
-        base: input['source']['base']
+        base: input['source']['base'],
+        disallow_forks: disallow_forks?,
       )
 
       if pull_request
diff --git a/assets/lib/pull_request.rb b/assets/lib/pull_request.rb
@@ -10,6 +10,10 @@ def ready?
     statuses.empty?
   end
 
+  def from_fork?
+    base_repo != head_repo
+  end
+
   def equals?(id:, sha:)
     [self.sha, self.id.to_s] == [sha, id.to_s]
   end
@@ -36,6 +40,14 @@ def url
 
   private
 
+  def base_repo
+    @pr['base']['label'].split(':').first
+  end
+
+  def head_repo
+    @pr['head']['label'].split(':').first
+  end
+
   def statuses
     @statuses ||= Octokit.statuses(@repo.name, sha).select do |status|
       status['context'] =~ /^concourse-ci/
diff --git a/assets/lib/repository.rb b/assets/lib/repository.rb
@@ -19,16 +19,24 @@ def pull_request(id:)
     PullRequest.new(repo: self, pr: pr)
   end
 
-  def next_pull_request(id: nil, sha: nil, base: nil)
+  def next_pull_request(id: nil, sha: nil, base: nil, disallow_forks: false)
     return if pull_requests(base: base).empty?
 
     if id && sha
       current = pull_requests.find { |pr| pr.equals?(id: id, sha: sha) }
-      return if current && current.ready?
+      if disallow_forks
+        return if current && current.ready? && !current.from_fork?
+      else
+        return if current && current.ready?
+      end
     end
 
     pull_requests.find do |pr|
-      pr != current && pr.ready?
+      if disallow_forks
+        pr != current && pr.ready? && !pr.from_fork?
+      else
+        pr != current && pr.ready?
+      end
     end
   end
 
diff --git a/spec/commands/check_spec.rb b/spec/commands/check_spec.rb
@@ -187,4 +187,49 @@ def stub_json(uri, body)
       end
     end
   end
+
+  context 'when the head of the only pull request is on a fork' do
+    before do
+      stub_json('https://api.github.com/repos/jtarchie/test/statuses/abcdef', [])
+      stub_json('https://api.github.com/repos/jtarchie/test/pulls?direction=asc&per_page=100&sort=updated&state=open', [
+                  { number: 1, head: { sha: 'abcdef', label: 'someotherrepo:master' }, base: { label: 'thisrepo:master' } }
+                ])
+    end
+
+    context 'and `disallow_forks` is not set' do
+      it 'returns the pull request' do
+        expect(check('source' => { 'repo' => 'jtarchie/test' })).to eq [{ 'ref' => 'abcdef', 'pr' => '1' }]
+      end
+    end
+
+    context 'and `disallow_forks` is set to true' do
+      it 'returns nothing' do
+        expect(check('source' => { 'repo' => 'jtarchie/test', 'disallow_forks' => true })).to eq []
+      end
+    end
+  end
+
+  context 'when there is a mix of pull requests from forks and non-forks' do
+    before do
+      stub_json('https://api.github.com/repos/jtarchie/test/statuses/abcdef', [])
+      stub_json('https://api.github.com/repos/jtarchie/test/statuses/ghijkl', [])
+      stub_json('https://api.github.com/repos/jtarchie/test/pulls?direction=asc&per_page=100&sort=updated&state=open', [
+                  { number: 1, head: { sha: 'abcdef', label: 'someotherrepo:master' }, base: { label: 'thisrepo:master' } },
+                  { number: 2, head: { sha: 'ghijkl', label: 'thisrepo:master' }, base: { label: 'thisrepo:master' } },
+                ])
+    end
+
+    context 'and `disallow_forks` is not set' do
+      it 'returns the most recently updated pull request' do
+        expect(check('source' => { 'repo' => 'jtarchie/test' })).to eq [{ 'ref' => 'abcdef', 'pr' => '1' }]
+      end
+    end
+
+    context 'and `disallow_forks` is set to true' do
+      it 'returns the most recently updated internal pull request' do
+        expect(check('source' => { 'repo' => 'jtarchie/test', 'disallow_forks' => true  })).to eq [{ 'ref' => 'ghijkl', 'pr' => '2' }]
+      end
+    end
+  end
+
 end
