From: Stefan Sperling <stsp@stsp.name>
Subject: Re: gotd protected references
To: Omar Polo <op@omarpolo.com>, gameoftrees@openbsd.org
Date: Wed, 5 Apr 2023 10:54:20 +0200

On Wed, Apr 05, 2023 at 08:27:35AM +0200, Stefan Sperling wrote:
> We should detect cases where branches and tags overlap and error out:
> 
>  	protect branch namespace foo/
>  	protect tag namespace foo/

Here is a diff for this:

-----------------------------------------------
 
 reject overlapping protected branch vs. tag namespaces
 
diff f0426190497546f380f3bbd5d7cf464e5423a1c6 e900727f016bcda906e0ce52e6447415461e98e1
commit - f0426190497546f380f3bbd5d7cf464e5423a1c6
commit + e900727f016bcda906e0ce52e6447415461e98e1
blob - 44801b6de7df40ed4df2acd8f523a9ccabe7170b
blob + f02b49fe99d2c6f1ff1201a5dad82ac701b45dbe
--- gotd/parse.y
+++ gotd/parse.y
@@ -93,7 +93,7 @@ static int			 conf_protect_ref_namespace(
 static struct gotd_repo		*conf_new_repo(const char *);
 static void			 conf_new_access_rule(struct gotd_repo *,
 				    enum gotd_access, int, char *);
-static int			 conf_protect_ref_namespace(
+static int			 conf_protect_ref_namespace(char **,
 				    struct got_pathlist_head *, char *);
 static int			 conf_protect_tag_namespace(struct gotd_repo *,
 				    char *);
@@ -915,12 +915,15 @@ conf_protect_ref_namespace(struct got_pathlist_head *r
 }
 
 static int
-conf_protect_ref_namespace(struct got_pathlist_head *refs, char *namespace)
+conf_protect_ref_namespace(char **new, struct got_pathlist_head *refs,
+    char *namespace)
 {
 	const struct got_error *error;
-	struct got_pathlist_entry *new;
+	struct got_pathlist_entry *pe;
 	char *s;
 
+	*new = NULL;
+
 	got_path_strip_trailing_slashes(namespace);
 	if (!refname_is_valid(namespace))
 		return -1;
@@ -929,8 +932,8 @@ conf_protect_ref_namespace(struct got_pathlist_head *r
 		return -1;
 	}
 
-	error = got_pathlist_insert(&new, refs, s, NULL);
-	if (error || new == NULL) {
+	error = got_pathlist_insert(&pe, refs, s, NULL);
+	if (error || pe == NULL) {
 		free(s);
 		if (error)
 			yyerror("got_pathlist_insert: %s", error->msg);
@@ -939,21 +942,48 @@ conf_protect_ref_namespace(struct got_pathlist_head *r
 		return -1;
 	}
 
+	*new = s;
 	return 0;
 }
 
 static int
 conf_protect_tag_namespace(struct gotd_repo *repo, char *namespace)
 {
-	return conf_protect_ref_namespace(&repo->protected_tag_namespaces,
-	    namespace);
+	struct got_pathlist_entry *pe;
+	char *new;
+
+	if (conf_protect_ref_namespace(&new, &repo->protected_tag_namespaces,
+	    namespace) == -1)
+		return -1;
+
+	TAILQ_FOREACH(pe, &repo->protected_branch_namespaces, entry) {
+		if (strcmp(pe->path, new) == 0) {
+			yyerror("duplicate protect namespace %s", namespace);
+			return -1;
+		}
+	}
+
+	return 0;
 }
 
 static int
 conf_protect_branch_namespace(struct gotd_repo *repo, char *namespace)
 {
-	return conf_protect_ref_namespace(&repo->protected_branch_namespaces,
-	    namespace);
+	struct got_pathlist_entry *pe;
+	char *new;
+
+	if (conf_protect_ref_namespace(&new,
+	    &repo->protected_branch_namespaces, namespace) == -1)
+		return -1;
+
+	TAILQ_FOREACH(pe, &repo->protected_tag_namespaces, entry) {
+		if (strcmp(pe->path, new) == 0) {
+			yyerror("duplicate protect namespace %s", namespace);
+			return -1;
+		}
+	}
+
+	return 0;
 }
 
 static int