Commit
aed96aca
authored
Dec 02, 2015
by
Kirill Smelkov
X Clarify errors from askAuthBackend
parent
902684ec
Showing
1 changed file
with
11 additions
and
39 deletions
+11
-39
blob.go
blob.go
+11
-39
blob.go
...
@@ -9,7 +9,6 @@ package main
...
@@ -9,7 +9,6 @@ package main
import
(
import
(
"bufio"
"bufio"
"errors"
"fmt"
"fmt"
"io"
"io"
"log"
"log"
...
@@ -67,6 +66,7 @@ func authRefreshEntry(u *upstream, project string) {
...
@@ -67,6 +66,7 @@ func authRefreshEntry(u *upstream, project string) {
break
// no need to further refresh
break
// no need to further refresh
}
}
// clear cache entry if it is not used
log
.
Printf
(
"AUTH refresh - %v #hit: %v"
,
project
,
auth
.
Nhit
)
log
.
Printf
(
"AUTH refresh - %v #hit: %v"
,
project
,
auth
.
Nhit
)
if
auth
.
Nhit
==
0
{
// not used - we can remove and stop refreshing
if
auth
.
Nhit
==
0
{
// not used - we can remove and stop refreshing
log
.
Printf
(
"AUTH - removing %v"
,
project
)
log
.
Printf
(
"AUTH - removing %v"
,
project
)
...
@@ -77,14 +77,7 @@ func authRefreshEntry(u *upstream, project string) {
...
@@ -77,14 +77,7 @@ func authRefreshEntry(u *upstream, project string) {
log
.
Printf
(
"AUTH - refreshing %v"
,
project
)
log
.
Printf
(
"AUTH - refreshing %v"
,
project
)
// XXX what if it stucks?
// XXX what if it stucks?
authReply
,
err
:=
askAuthBackend
(
u
,
project
)
authReply
:=
askAuthBackend
(
u
,
project
)
log
.
Printf
(
"<- err: %v"
,
err
)
if
err
!=
nil
{
// an error -> delete entry from cache and be done with
// refreshing XXX lock, unify with ^^^
delete
(
authCache
,
project
)
break
}
// XXX lock
// XXX lock
auth
.
AuthReply
=
authReply
auth
.
AuthReply
=
authReply
...
@@ -96,8 +89,6 @@ func authRefreshEntry(u *upstream, project string) {
...
@@ -96,8 +89,6 @@ func authRefreshEntry(u *upstream, project string) {
// Ask auth backend about whether download is ok for a project.
// Ask auth backend about whether download is ok for a project.
// Authorization is approved if AuthReply.RepoPath != "" on return
// Authorization is approved if AuthReply.RepoPath != "" on return
// In case of errors, diagnostic is emitted to AuthReply.RawReply XXX not only diagnostic
// In case of errors, diagnostic is emitted to AuthReply.RawReply XXX not only diagnostic
var
ErrAuthFailed
=
errors
.
New
(
"authorization failed"
)
func
askAuthBackend
(
u
*
upstream
,
project
string
)
AuthReply
{
func
askAuthBackend
(
u
*
upstream
,
project
string
)
AuthReply
{
authReply
:=
AuthReply
{
authReply
:=
AuthReply
{
RawReply
:
httptest
.
NewRecorder
(),
RawReply
:
httptest
.
NewRecorder
(),
...
@@ -110,34 +101,32 @@ func askAuthBackend(u *upstream, project string) AuthReply {
...
@@ -110,34 +101,32 @@ func askAuthBackend(u *upstream, project string) AuthReply {
project
+
".git/info/refs?service=git-upload-pack"
,
nil
)
project
+
".git/info/refs?service=git-upload-pack"
,
nil
)
if
err
!=
nil
{
if
err
!=
nil
{
fail500
(
authReply
.
RawReply
,
"GET git-upload-pack"
,
err
)
fail500
(
authReply
.
RawReply
,
"GET git-upload-pack"
,
err
)
return
authReply
,
err
return
authReply
}
}
// prepare everything and go through preAuthorizeHandler() that will send
// prepare everything and go through preAuthorizeHandler() that will send
// request to auth backend and analyze/parse the reply into r.authorizationResponse
// request to auth backend and analyze/parse the reply into r.authorizationResponse
// it also logs/emits output in case of errors - we do not have to do it here
r
:=
&
gitRequest
{
r
:=
&
gitRequest
{
Request
:
reqDownloadAccess
,
Request
:
reqDownloadAccess
,
u
:
u
,
u
:
u
,
}
}
err
=
ErrAuthFailed
preAuthorizeHandler
(
preAuthorizeHandler
(
func
(
w
http
.
ResponseWriter
,
r
*
gitRequest
)
{
func
(
w
http
.
ResponseWriter
,
r
*
gitRequest
)
{
// XXX
// if we ever get to this point - auth handler approved
// if we ever get to this point - auth handler approved
// access and thus it is ok to download
// access and thus it is ok to download
err
=
nil
// propagate authorizationResponse back
authReply
.
authorizationResponse
=
r
.
authorizationResponse
authReply
.
authorizationResponse
=
r
.
authorizationResponse
},
""
)(
authReply
.
RawReply
,
r
)
},
""
)(
authReply
.
RawReply
,
r
)
return
authReply
,
err
return
authReply
}
}
// Verify that download access is ok or not.
// Verify that download access is ok or not.
// first we try to see authCache; if information is not there -> ask auth backend
// first we try to see authCache; if information is not there -> ask auth backend
// download is ok if AuthReply.RepoPath != ""
// XXX return -> *AuthReply ?
// XXX return -> *AuthReply ?
func
verifyDownloadAccess
(
w
http
.
ResponseWriter
,
u
*
upstream
,
project
string
)
(
AuthReply
,
error
)
{
func
verifyDownloadAccess
(
w
http
.
ResponseWriter
,
u
*
upstream
,
project
string
)
AuthReply
{
// XXX lock authCache
// XXX lock authCache
auth
,
ok
:=
authCache
[
project
]
auth
,
ok
:=
authCache
[
project
]
if
ok
{
if
ok
{
...
@@ -146,20 +135,17 @@ func verifyDownloadAccess(w http.ResponseWriter, u *upstream, project string) (A
...
@@ -146,20 +135,17 @@ func verifyDownloadAccess(w http.ResponseWriter, u *upstream, project string) (A
// project,
// project,
// time.Since(time.Unix(auth.Tauth, 0)),
// time.Since(time.Unix(auth.Tauth, 0)),
// auth.Nhit)
// auth.Nhit)
return
auth
.
AuthReply
,
nil
return
auth
.
AuthReply
}
}
authReply
,
err
:=
askAuthBackend
(
u
,
project
)
authReply
:=
askAuthBackend
(
u
,
project
)
if
err
!=
nil
{
return
authReply
,
err
}
// XXX lock
// XXX lock
// store in cache and start cache entry refresher
// store in cache and start cache entry refresher
authCache
[
project
]
=
&
AuthCacheEntry
{
authReply
,
time
.
Now
()
.
Unix
(),
0
}
authCache
[
project
]
=
&
AuthCacheEntry
{
authReply
,
time
.
Now
()
.
Unix
(),
0
}
go
authRefreshEntry
(
u
,
project
)
go
authRefreshEntry
(
u
,
project
)
return
authReply
,
nil
return
authReply
}
}
// HTTP handler for `.../raw/<ref>/path`
// HTTP handler for `.../raw/<ref>/path`
...
@@ -182,11 +168,7 @@ func handleGetBlobRaw(w http.ResponseWriter, r *gitRequest) {
...
@@ -182,11 +168,7 @@ func handleGetBlobRaw(w http.ResponseWriter, r *gitRequest) {
refpath
=
refpath
[
4
:
]
// strip 'raw/...'
refpath
=
refpath
[
4
:
]
// strip 'raw/...'
// Query download access auth for this project
// Query download access auth for this project
authReply
,
err
:=
verifyDownloadAccess
(
w
,
r
.
u
,
project
)
authReply
:=
verifyDownloadAccess
(
w
,
r
.
u
,
project
)
if
err
!=
nil
{
fail500
(
w
,
"verifyDownloadAccess"
,
err
)
return
}
if
authReply
.
RepoPath
==
""
{
if
authReply
.
RepoPath
==
""
{
// access denied - copy auth reply to client in full -
// access denied - copy auth reply to client in full -
// there are HTTP code and other headers / body relevant for
// there are HTTP code and other headers / body relevant for
...
@@ -203,16 +185,6 @@ func handleGetBlobRaw(w http.ResponseWriter, r *gitRequest) {
...
@@ -203,16 +185,6 @@ func handleGetBlobRaw(w http.ResponseWriter, r *gitRequest) {
emitBlob
(
w
,
authReply
.
RepoPath
,
refpath
)
emitBlob
(
w
,
authReply
.
RepoPath
,
refpath
)
}
}
/*
Cache-Control: private
ETag: "4c10677531b44f555ebbdaff24a9b2d6"
X-Content-Type-Options: nosniff
Content-Disposition: inline
Content-Transfer-Encoding: binary
Content-Type: text/plain; charset=utf-8
*/
// Emit content of blob located at <ref>/path (jointly denoted as 'refpath') to output
// Emit content of blob located at <ref>/path (jointly denoted as 'refpath') to output
func
emitBlob
(
w
http
.
ResponseWriter
,
repopath
string
,
refpath
string
)
{
func
emitBlob
(
w
http
.
ResponseWriter
,
repopath
string
,
refpath
string
)
{
...
...
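Review bot: In the new `verifyDownloadAccess`, the reply from `askAuthBackend(u, project)` is stored in `authCache[project]` and `go authRefreshEntry(u, project)` is started without checking it, so denied and failed lookups are now cached and each gets its own refresher goroutine; the removed `if err != nil { return authReply, err }` used to return before the store. `project` looks like it is derived from the request in `handleGetBlobRaw` (its derivation is outside the shown hunks), so requests naming many distinct projects could grow the map and the goroutine count until the refresher drops unused entries. If caching denials is not intended, return before the store with `if authReply.RepoPath == "" { return authReply }`; if it is intended, the cache needs a size bound. Likewise, in `authRefreshEntry` a failed refresh now overwrites the entry via `auth.AuthReply = authReply` instead of deleting it, so a transient backend error is replayed from cache until the next refresh, which is worth stating in a comment next to the assignment. Both writes still sit under the existing `// XXX lock` markers, and the function bodies continue outside the hunks shown here.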