Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-workhorse
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Kirill Smelkov
gitlab-workhorse
Commits
e5673020
Commit
e5673020
authored
Dec 09, 2015
by
Kirill Smelkov
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
.
parent
71f620be
Changes
1
Show whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
27 additions
and
23 deletions
+27
-23
blob.go
blob.go
+27
-23
No files found.
blob.go
View file @
e5673020
...
...
@@ -73,7 +73,28 @@ func NewAuthCache(u *upstream) *AuthCache {
// Verify that download access is ok or not.
// first we try to use the cache; if information is not there -> ask auth backend
// download is ok if AuthReply.RepoPath != ""
func
(
c
*
AuthCache
)
VerifyDownloadAccess
(
key
AuthCacheKey
)
AuthReply
{
func
(
c
*
AuthCache
)
VerifyDownloadAccess
(
project
string
,
query
url
.
Values
,
header
http
.
Header
)
AuthReply
{
// Use only tokens from query/header to minimize cache and avoid
// creating redundant cache entries because of e.g. unrelated headers.
q
:=
url
.
Values
{}
for
k
,
v
:=
range
query
{
if
strings
.
HasSuffix
(
k
,
"_token"
)
{
q
[
k
]
=
v
}
}
h
:=
url
.
Values
{}
for
k
,
v
:=
range
header
{
if
strings
.
HasSuffix
(
strings
.
ToUpper
(
k
),
"-TOKEN"
)
{
h
[
k
]
=
v
}
}
key
:=
AuthCacheKey
{
project
,
q
.
Encode
(),
h
.
Encode
()}
return
c
.
verifyDownloadAccess
(
key
)
}
func
(
c
*
AuthCache
)
verifyDownloadAccess
(
key
AuthCacheKey
)
AuthReply
{
var
authReply
AuthReply
// first try to read from cache in parallel with other readers
...
...
@@ -166,6 +187,7 @@ func (c *AuthCache) refreshEntry(auth *AuthCacheEntry, key AuthCacheKey) {
}
}
// Ask auth backend about cache key
func
(
c
*
AuthCache
)
askAuthBackend
(
key
AuthCacheKey
)
AuthReply
{
// key.header -> url.Values -> http.Header
hv
,
err
:=
url
.
ParseQuery
(
key
.
header
)
...
...
@@ -226,8 +248,8 @@ func askAuthBackend(u *upstream, project, query string, header *http.Header) Aut
return
authReply
}
func
verifyDownloadAccess
(
u
*
upstream
,
project
,
query
string
,
header
string
)
AuthReply
{
return
u
.
authCache
.
VerifyDownloadAccess
(
AuthCacheKey
{
project
,
query
,
header
}
)
func
verifyDownloadAccess
(
u
*
upstream
,
project
string
,
query
url
.
Values
,
header
http
.
Header
)
AuthReply
{
return
u
.
authCache
.
VerifyDownloadAccess
(
project
,
query
,
header
)
}
// HTTP handler for `.../raw/<ref>/path`
...
...
@@ -236,7 +258,7 @@ var rawRe = regexp.MustCompile(`/raw/`)
func
handleGetBlobRaw
(
w
http
.
ResponseWriter
,
r
*
gitRequest
)
{
// Extract project & refpath
// <project>/raw/branch/file -> <project>, branch/file
u
:=
r
.
Request
.
URL
// XXX naming
u
:=
r
.
Request
.
URL
rawLoc
:=
rawRe
.
FindStringIndex
(
u
.
Path
)
if
rawLoc
==
nil
{
fail500
(
w
,
errors
.
New
(
"extract project name"
))
...
...
@@ -245,26 +267,8 @@ func handleGetBlobRaw(w http.ResponseWriter, r *gitRequest) {
project
:=
u
.
Path
[
:
rawLoc
[
0
]]
refpath
:=
u
.
Path
[
rawLoc
[
1
]
:
]
// XXX should be in cache
// Extract only tokens from query
query
:=
url
.
Values
{}
for
k
,
v
:=
range
u
.
Query
()
{
if
strings
.
HasSuffix
(
k
,
"_token"
)
{
query
[
k
]
=
v
}
}
// XXX should be in cache
// Extract only token headers
header
:=
url
.
Values
{}
for
k
,
v
:=
range
r
.
Request
.
Header
{
if
strings
.
HasSuffix
(
strings
.
ToUpper
(
k
),
"-TOKEN"
)
{
header
[
k
]
=
v
}
}
// Query download access auth for this project
authReply
:=
verifyDownloadAccess
(
r
.
u
,
project
,
query
.
Encode
(),
header
.
Encode
()
)
authReply
:=
verifyDownloadAccess
(
r
.
u
,
project
,
u
.
Query
(),
r
.
Request
.
Header
)
if
authReply
.
RepoPath
==
""
{
// access denied - copy auth reply to client in full -
// there are HTTP code and other headers / body relevant for
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment