From 9b07a8e8d09abf3daa5937237ad527e9841e6f0a Mon Sep 17 00:00:00 2001
From: Raghav Kaul <raghavkaul@google.com>
Date: Thu, 22 Jun 2023 21:46:50 +0000
Subject: [PATCH] check repo access level for private repos

Signed-off-by: Raghav Kaul <raghavkaul@google.com>
---
 clients/gitlabrepo/client.go | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/clients/gitlabrepo/client.go b/clients/gitlabrepo/client.go
index 1254118fffce..150e99bc70e0 100644
--- a/clients/gitlabrepo/client.go
+++ b/clients/gitlabrepo/client.go
@@ -58,6 +58,20 @@ type Client struct {
 	commitDepth   int
 }
 
+var errRepoAccess = errors.New("repo inaccessible")
+
+// raise an error if repository access level isn't public.
+func checkRepoAccessible(repo *gitlab.Project) error {
+	if (repo.RepositoryAccessLevel != gitlab.PublicAccessControl) &&
+		(repo.RepositoryAccessLevel != gitlab.EnabledAccessControl) {
+		return fmt.Errorf("%w: %s access level %s",
+			errRepoAccess, repo.PathWithNamespace, string(repo.RepositoryAccessLevel),
+		)
+	}
+
+	return nil
+}
+
 // InitRepo sets up the GitLab project in local storage for improving performance and GitLab token usage efficiency.
 func (client *Client) InitRepo(inputRepo clients.Repo, commitSHA string, commitDepth int) error {
 	glRepo, ok := inputRepo.(*repoURL)
@@ -71,6 +85,11 @@ func (client *Client) InitRepo(inputRepo clients.Repo, commitSHA string, commitD
 	if err != nil {
 		return sce.WithMessage(sce.ErrRepoUnreachable, proj+"\t"+err.Error())
 	}
+
+	if err = checkRepoAccessible(repo); err != nil {
+		return sce.WithMessage(sce.ErrRepoUnreachable, err.Error())
+	}
+
 	if commitDepth <= 0 {
 		client.commitDepth = 30 // default
 	} else {