add gitlab-shell identification

b5763e91 · Valery Sizov · f7342ce5 · b5763e91 · b5763e91 · b5763e91
Commit b5763e91 authored Oct 15, 2014 by Valery Sizov
6 changed files
--- a/.gitignore
+++ b/.gitignore
@@ -39,3 +39,4 @@ public/assets/
 .envrc
 dump.rdb
 tags
+.gitlab_shell_secret
--- a/GITLAB_SHELL_VERSION
+++ b/GITLAB_SHELL_VERSION
-2.0.1
+2.0.2
--- a/config/initializers/gitlab_shell_secret_token.rb
+++ b/config/initializers/gitlab_shell_secret_token.rb
+# Be sure to restart your server when you modify this file.
+
+require 'securerandom'
+
+# Your secret key for verifying the gitlab_shell.
+
+
+secret_file = Rails.root.join('.gitlab_shell_secret')
+gitlab_shell_symlink = File.join(Gitlab.config.gitlab_shell.path, '.gitlab_shell_secret')
+
+unless File.exist? secret_file
+  # Generate a new token of 16 random hexadecimal characters and store it in secret_file.
+  token = SecureRandom.hex(16)
+  File.write(secret_file, token)
+end
+
+if File.exist?(Gitlab.config.gitlab_shell.path) && !File.exist?(gitlab_shell_symlink)
+  FileUtils.symlink(secret_file, gitlab_shell_symlink)
+end
\ No newline at end of file
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -67,6 +67,10 @@ module API
      unauthorized! unless current_user
    end

+    def authenticate_by_gitlab_shell_token!
+      unauthorized! unless secret_token == params['secret_token']
+    end
+
    def authenticated_as_admin!
      forbidden! unless current_user.is_admin?
    end
@@ -193,5 +197,9 @@ module API
                       abilities
                     end
    end
+
+    def secret_token
+      File.read(Rails.root.join('.gitlab_shell_secret'))
+    end
  end
 end
--- a/lib/api/internal.rb
+++ b/lib/api/internal.rb
 module API
  # Internal access API
  class Internal < Grape::API
+    before {
+      authenticate_by_gitlab_shell_token!
+    }
+
    namespace 'internal' do
      # Check if git command is allowed to project
      #

--- a/spec/requests/api/internal_spec.rb
+++ b/spec/requests/api/internal_spec.rb
@@ -5,10 +5,11 @@ describe API::API, api: true  do
  let(:user) { create(:user) }
  let(:key) { create(:key, user: user) }
  let(:project) { create(:project) }
+  let(:secret_token) { File.read Rails.root.join('.gitlab_shell_secret') }

  describe "GET /internal/check", no_db: true do
    it do
-      get api("/internal/check")
+      get api("/internal/check"), secret_token: secret_token

      response.status.should == 200
      json_response['api_version'].should == API::API.version
@@ -17,7 +18,7 @@ describe API::API, api: true  do

  describe "GET /internal/discover" do
    it do
-      get(api("/internal/discover"), key_id: key.id)
+      get(api("/internal/discover"), key_id: key.id, secret_token: secret_token)

      response.status.should == 200

@@ -159,7 +160,8 @@ describe API::API, api: true  do
      api("/internal/allowed"),
      key_id: key.id,
      project: project.path_with_namespace,
-      action: 'git-upload-pack'
+      action: 'git-upload-pack',
+      secret_token: secret_token
    )
  end

@@ -169,7 +171,8 @@ describe API::API, api: true  do
      changes: 'd14d6c0abdd253381df51a723d58691b2ee1ab08 570e7b2abdd848b95f2f578043fc23bd6f6fd24d refs/heads/master',
      key_id: key.id,
      project: project.path_with_namespace,
-      action: 'git-receive-pack'
+      action: 'git-receive-pack',
+      secret_token: secret_token
    )
  end

@@ -179,7 +182,8 @@ describe API::API, api: true  do
      ref: 'master',
      key_id: key.id,
      project: project.path_with_namespace,
-      action: 'git-upload-archive'
+      action: 'git-upload-archive',
+      secret_token: secret_token
    )
  end
 end