Commit a2792bac authored by Nick Thomas's avatar Nick Thomas

Merge branch '207869-refactor-repository-routing' into 'master'

Generalize repository routing

See merge request gitlab-org/gitlab!45872
parents f53be7f0 abe3a8cf
...@@ -87,8 +87,12 @@ module Repositories ...@@ -87,8 +87,12 @@ module Repositories
@project @project
end end
def repository_path
@repository_path ||= params[:repository_path]
end
def parse_repo_path def parse_repo_path
@container, @project, @repo_type, @redirected_path = Gitlab::RepoPath.parse("#{params[:namespace_id]}/#{params[:repository_id]}") @container, @project, @repo_type, @redirected_path = Gitlab::RepoPath.parse(repository_path)
end end
def render_missing_personal_access_token def render_missing_personal_access_token
......
...@@ -90,7 +90,6 @@ module Repositories ...@@ -90,7 +90,6 @@ module Repositories
def access def access
@access ||= access_klass.new(access_actor, container, 'http', @access ||= access_klass.new(access_actor, container, 'http',
authentication_abilities: authentication_abilities, authentication_abilities: authentication_abilities,
namespace_path: params[:namespace_id],
repository_path: repository_path, repository_path: repository_path,
redirected_path: redirected_path, redirected_path: redirected_path,
auth_result_type: auth_result_type) auth_result_type: auth_result_type)
...@@ -113,10 +112,6 @@ module Repositories ...@@ -113,10 +112,6 @@ module Repositories
@access_klass ||= repo_type.access_checker_class @access_klass ||= repo_type.access_checker_class
end end
def repository_path
@repository_path ||= params[:repository_id].sub(/\.git$/, '')
end
def log_user_activity def log_user_activity
Users::ActivityService.new(user).execute Users::ActivityService.new(user).execute
end end
......
concern :gitactionable do scope(path: '*repository_path', format: false) do
constraints(repository_path: Gitlab::PathRegex.repository_git_route_regex) do
scope(module: :repositories) do
# Git HTTP API
scope(controller: :git_http) do scope(controller: :git_http) do
get '/info/refs', action: :info_refs get '/info/refs', action: :info_refs
post '/git-upload-pack', action: :git_upload_pack post '/git-upload-pack', action: :git_upload_pack
post '/git-receive-pack', action: :git_receive_pack post '/git-receive-pack', action: :git_receive_pack
end end
end
concern :lfsable do # NOTE: LFS routes are exposed on all repository types, but we still check for
# LFS availability on the repository container in LfsRequest#require_lfs_enabled!
# Git LFS API (metadata) # Git LFS API (metadata)
scope(path: 'info/lfs/objects', controller: :lfs_api) do scope(path: 'info/lfs/objects', controller: :lfs_api) do
post :batch post :batch
...@@ -25,36 +29,19 @@ concern :lfsable do ...@@ -25,36 +29,19 @@ concern :lfsable do
scope(path: 'gitlab-lfs/objects/*oid', controller: :lfs_storage, constraints: { oid: /[a-f0-9]{64}/ }) do scope(path: 'gitlab-lfs/objects/*oid', controller: :lfs_storage, constraints: { oid: /[a-f0-9]{64}/ }) do
get '/', action: :download get '/', action: :download
scope constraints: { size: /[0-9]+/ } do constraints(size: /[0-9]+/) do
put '/*size/authorize', action: :upload_authorize put '/*size/authorize', action: :upload_authorize
put '/*size', action: :upload_finalize put '/*size', action: :upload_finalize
end end
end end
end
# Git route for personal and project snippets
scope(path: ':namespace_id/:repository_id',
format: nil,
constraints: { namespace_id: Gitlab::PathRegex.personal_and_project_snippets_path_regex, repository_id: /\d+\.git/ },
module: :repositories) do
concerns :gitactionable
end
scope(path: '*namespace_id/:repository_id',
format: nil,
constraints: { namespace_id: Gitlab::PathRegex.full_namespace_route_regex }) do
scope(constraints: { repository_id: Gitlab::PathRegex.project_git_route_regex }) do
scope(module: :repositories) do
concerns :gitactionable
concerns :lfsable
end end
end end
# Redirect /group/project.wiki.git to the project wiki # Redirect /group/project.wiki.git to the project wiki
scope(format: true, constraints: { repository_id: Gitlab::PathRegex.project_wiki_git_route_regex, format: :git }) do constraints(repository_path: Gitlab::PathRegex.repository_wiki_git_route_regex) do
wiki_redirect = redirect do |params, request| wiki_redirect = redirect do |params, request|
project_id = params[:repository_id].delete_suffix('.wiki') container_path = params[:repository_path].delete_suffix('.wiki.git')
path = [params[:namespace_id], project_id, 'wikis'].join('/') path = File.join(container_path, '-', 'wikis')
path << "?#{request.query_string}" unless request.query_string.blank? path << "?#{request.query_string}" unless request.query_string.blank?
path path
end end
...@@ -63,22 +50,14 @@ scope(path: '*namespace_id/:repository_id', ...@@ -63,22 +50,14 @@ scope(path: '*namespace_id/:repository_id',
end end
# Redirect /group/project/info/refs to /group/project.git/info/refs # Redirect /group/project/info/refs to /group/project.git/info/refs
scope(constraints: { repository_id: Gitlab::PathRegex.project_route_regex }) do # This allows cloning a repository without the trailing `.git`
# Allow /info/refs, /info/refs?service=git-upload-pack, and constraints(repository_path: Gitlab::PathRegex.repository_route_regex) do
# /info/refs?service=git-receive-pack, but nothing else.
#
git_http_handshake = lambda do |request|
::Constraints::ProjectUrlConstrainer.new.matches?(request, existence_check: false) &&
(request.query_string.blank? ||
request.query_string.match(/\Aservice=git-(upload|receive)-pack\z/))
end
ref_redirect = redirect do |params, request| ref_redirect = redirect do |params, request|
path = "#{params[:namespace_id]}/#{params[:repository_id]}.git/info/refs" path = "#{params[:repository_path]}.git/info/refs"
path << "?#{request.query_string}" unless request.query_string.blank? path << "?#{request.query_string}" unless request.query_string.blank?
path path
end end
get '/info/refs', constraints: git_http_handshake, to: ref_redirect get '/info/refs', constraints: ::Constraints::RepositoryRedirectUrlConstrainer.new, to: ref_redirect
end end
end end
...@@ -75,11 +75,7 @@ module EE ...@@ -75,11 +75,7 @@ module EE
end end
def jwt_scope_valid? def jwt_scope_valid?
decoded_authorization[:scope] == repository_full_path decoded_authorization[:scope] == repository_path.delete_suffix('.git')
end
def repository_full_path
File.join(params[:namespace_id], repository_path)
end end
def decoded_authorization def decoded_authorization
......
...@@ -11,8 +11,7 @@ RSpec.describe Gitlab::GitAccess do ...@@ -11,8 +11,7 @@ RSpec.describe Gitlab::GitAccess do
let(:actor) { user } let(:actor) { user }
let(:project) { create(:project, :repository) } let(:project) { create(:project, :repository) }
let(:repository) { project.repository } let(:repository) { project.repository }
let(:namespace_path) { nil } let(:repository_path) { "#{project.full_path}.git" }
let(:project_path) { nil }
let(:protocol) { 'web' } let(:protocol) { 'web' }
let(:authentication_abilities) { %i[read_project download_code push_code] } let(:authentication_abilities) { %i[read_project download_code push_code] }
let(:redirected_path) { nil } let(:redirected_path) { nil }
...@@ -408,8 +407,6 @@ RSpec.describe Gitlab::GitAccess do ...@@ -408,8 +407,6 @@ RSpec.describe Gitlab::GitAccess do
end end
describe '#check_push_access!' do describe '#check_push_access!' do
let(:project_path) { project.path }
let(:namespace_path) { project&.namespace&.path }
let(:protocol) { 'ssh' } let(:protocol) { 'ssh' }
let(:unprotected_branch) { 'unprotected_branch' } let(:unprotected_branch) { 'unprotected_branch' }
...@@ -771,8 +768,7 @@ RSpec.describe Gitlab::GitAccess do ...@@ -771,8 +768,7 @@ RSpec.describe Gitlab::GitAccess do
project, project,
protocol, protocol,
authentication_abilities: authentication_abilities, authentication_abilities: authentication_abilities,
namespace_path: namespace_path, repository_path: repository_path,
repository_path: project_path,
redirected_path: redirected_path redirected_path: redirected_path
) )
end end
......
...@@ -97,16 +97,23 @@ RSpec.describe Repositories::GitHttpController, type: :request do ...@@ -97,16 +97,23 @@ RSpec.describe Repositories::GitHttpController, type: :request do
it_behaves_like 'triggers Geo' it_behaves_like 'triggers Geo'
end end
context 'with personal snippet' do context 'with a project wiki' do
let_it_be(:wiki) { create(:project_wiki, :empty_repo, project: project) }
let_it_be(:path) { "#{wiki.full_path}.git" }
it_behaves_like 'triggers Geo'
end
context 'with a personal snippet' do
let_it_be(:snippet) { create(:personal_snippet, :repository, author: user) } let_it_be(:snippet) { create(:personal_snippet, :repository, author: user) }
let(:path) { "snippets/#{snippet.id}.git" } let_it_be(:path) { "snippets/#{snippet.id}.git" }
it_behaves_like 'triggers Geo' it_behaves_like 'triggers Geo'
end end
context 'with project snippet' do context 'with a project snippet' do
let_it_be(:snippet) { create(:project_snippet, :repository, author: user, project: project) } let_it_be(:snippet) { create(:project_snippet, :repository, author: user, project: project) }
let(:path) { "#{project.full_path}/snippets/#{snippet.id}.git" } let_it_be(:path) { "#{project.full_path}/snippets/#{snippet.id}.git" }
it_behaves_like 'triggers Geo' it_behaves_like 'triggers Geo'
end end
......
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe 'EE git_http routing' do
describe 'Geo routing' do
it_behaves_like 'git repository routes' do
let(:path) { '/-/push_from_secondary/node/gitlab-org/gitlab-test.git' }
let(:container_path) { '/gitlab-org/gitlab-test' }
let(:params) { { geo_node_id: 'node', repository_path: 'gitlab-org/gitlab-test.git' } }
end
end
end
...@@ -31,8 +31,7 @@ module API ...@@ -31,8 +31,7 @@ module API
def access_checker_for(actor, protocol) def access_checker_for(actor, protocol)
access_checker_klass.new(actor.key_or_user, container, protocol, access_checker_klass.new(actor.key_or_user, container, protocol,
authentication_abilities: ssh_authentication_abilities, authentication_abilities: ssh_authentication_abilities,
namespace_path: namespace_path, repository_path: repository_path,
repository_path: project_path,
redirected_path: redirected_path) redirected_path: redirected_path)
end end
...@@ -71,18 +70,22 @@ module API ...@@ -71,18 +70,22 @@ module API
false false
end end
def project_path
project&.path || project_path_match[:project_path]
end
def namespace_path
project&.namespace&.full_path || project_path_match[:namespace_path]
end
private private
def project_path_match def repository_path
@project_path_match ||= params[:project].match(Gitlab::PathRegex.full_project_git_path_regex) || {} if container
"#{container.full_path}.git"
elsif params[:project]
# When the project doesn't exist, we still need to pass on the path
# to support auto-creation in `GitAccessProject`.
#
# For consistency with the Git HTTP controllers, we normalize the path
# to remove a leading slash and ensure a trailing `.git`.
#
# NOTE: For GitLab Shell, `params[:project]` is the full repository path
# from the SSH command, with an optional trailing `.git`.
"#{params[:project].delete_prefix('/').delete_suffix('.git')}.git"
end
end end
# rubocop:disable Gitlab/ModuleWithInstanceVariables # rubocop:disable Gitlab/ModuleWithInstanceVariables
...@@ -96,7 +99,7 @@ module API ...@@ -96,7 +99,7 @@ module API
end end
# rubocop:enable Gitlab/ModuleWithInstanceVariables # rubocop:enable Gitlab/ModuleWithInstanceVariables
# Project id to pass between components that don't share/don't have # Repository id to pass between components that don't share/don't have
# access to the same filesystem mounts # access to the same filesystem mounts
def gl_repository def gl_repository
repo_type.identifier_for_container(container) repo_type.identifier_for_container(container)
...@@ -106,8 +109,9 @@ module API ...@@ -106,8 +109,9 @@ module API
repository.full_path repository.full_path
end end
# Return the repository depending on whether we want the wiki or the # Return the repository for the detected type and container
# regular repository #
# @returns [Repository]
def repository def repository
@repository ||= repo_type.repository_for(container) @repository ||= repo_type.repository_for(container)
end end
......
...@@ -4,7 +4,7 @@ module Constraints ...@@ -4,7 +4,7 @@ module Constraints
class ProjectUrlConstrainer class ProjectUrlConstrainer
def matches?(request, existence_check: true) def matches?(request, existence_check: true)
namespace_path = request.params[:namespace_id] namespace_path = request.params[:namespace_id]
project_path = request.params[:project_id] || request.params[:id] || request.params[:repository_id] project_path = request.params[:project_id] || request.params[:id]
full_path = [namespace_path, project_path].join('/') full_path = [namespace_path, project_path].join('/')
return false unless ProjectPathValidator.valid_path?(full_path) return false unless ProjectPathValidator.valid_path?(full_path)
......
# frozen_string_literal: true
module Constraints
class RepositoryRedirectUrlConstrainer
def matches?(request)
path = request.params[:repository_path].delete_suffix('.git')
query = request.query_string
git_request?(query) && container_path?(path)
end
# Allow /info/refs, /info/refs?service=git-upload-pack, and
# /info/refs?service=git-receive-pack, but nothing else.
def git_request?(query)
query.blank? ||
query == 'service=git-upload-pack' ||
query == 'service=git-receive-pack'
end
# Check if the path matches any known repository containers.
# These also cover wikis, since a `.wiki` suffix is valid in project/group paths too.
def container_path?(path)
NamespacePathValidator.valid_path?(path) ||
ProjectPathValidator.valid_path?(path) ||
path =~ Gitlab::PathRegex.full_snippets_repository_path_regex
end
end
end
...@@ -43,7 +43,7 @@ module Gitlab ...@@ -43,7 +43,7 @@ module Gitlab
ALL_COMMANDS = DOWNLOAD_COMMANDS + PUSH_COMMANDS ALL_COMMANDS = DOWNLOAD_COMMANDS + PUSH_COMMANDS
attr_reader :actor, :protocol, :authentication_abilities, attr_reader :actor, :protocol, :authentication_abilities,
:namespace_path, :redirected_path, :auth_result_type, :repository_path, :redirected_path, :auth_result_type,
:cmd, :changes :cmd, :changes
attr_accessor :container attr_accessor :container
...@@ -57,21 +57,16 @@ module Gitlab ...@@ -57,21 +57,16 @@ module Gitlab
raise ArgumentError, "No error message defined for #{key}" raise ArgumentError, "No error message defined for #{key}"
end end
def initialize(actor, container, protocol, authentication_abilities:, namespace_path: nil, repository_path: nil, redirected_path: nil, auth_result_type: nil) def initialize(actor, container, protocol, authentication_abilities:, repository_path: nil, redirected_path: nil, auth_result_type: nil)
@actor = actor @actor = actor
@container = container @container = container
@protocol = protocol @protocol = protocol
@authentication_abilities = Array(authentication_abilities) @authentication_abilities = Array(authentication_abilities)
@namespace_path = namespace_path
@repository_path = repository_path @repository_path = repository_path
@redirected_path = redirected_path @redirected_path = redirected_path
@auth_result_type = auth_result_type @auth_result_type = auth_result_type
end end
def repository_path
@repository_path ||= project&.path
end
def check(cmd, changes) def check(cmd, changes)
@changes = changes @changes = changes
@cmd = cmd @cmd = cmd
......
...@@ -35,7 +35,19 @@ module Gitlab ...@@ -35,7 +35,19 @@ module Gitlab
end end
def namespace def namespace
@namespace ||= Namespace.find_by_full_path(namespace_path) strong_memoize(:namespace) { Namespace.find_by_full_path(namespace_path) }
end
def namespace_path
strong_memoize(:namespace_path) { repository_path_match[:namespace_path] }
end
def project_path
strong_memoize(:project_path) { repository_path_match[:project_path] }
end
def repository_path_match
strong_memoize(:repository_path_match) { repository_path.match(Gitlab::PathRegex.full_project_git_path_regex) || {} }
end end
def ensure_project_on_push! def ensure_project_on_push!
...@@ -44,7 +56,7 @@ module Gitlab ...@@ -44,7 +56,7 @@ module Gitlab
return unless user&.can?(:create_projects, namespace) return unless user&.can?(:create_projects, namespace)
project_params = { project_params = {
path: repository_path, path: project_path,
namespace_id: namespace.id, namespace_id: namespace.id,
visibility_level: Gitlab::VisibilityLevel::PRIVATE visibility_level: Gitlab::VisibilityLevel::PRIVATE
} }
......
...@@ -180,12 +180,16 @@ module Gitlab ...@@ -180,12 +180,16 @@ module Gitlab
end end
end end
def project_git_route_regex def repository_route_regex
@project_git_route_regex ||= /#{project_route_regex}\.git/.freeze @repository_route_regex ||= /#{full_namespace_route_regex}|#{personal_snippet_repository_path_regex}/.freeze
end end
def project_wiki_git_route_regex def repository_git_route_regex
@project_wiki_git_route_regex ||= /#{PATH_REGEX_STR}\.wiki/.freeze @repository_git_route_regex ||= /#{repository_route_regex}\.git/.freeze
end
def repository_wiki_git_route_regex
@repository_wiki_git_route_regex ||= /#{full_namespace_route_regex}\.wiki\.git/.freeze
end end
def full_namespace_path_regex def full_namespace_path_regex
...@@ -250,10 +254,6 @@ module Gitlab ...@@ -250,10 +254,6 @@ module Gitlab
%r{\A(#{personal_snippet_repository_path_regex}|#{project_snippet_repository_path_regex})\z} %r{\A(#{personal_snippet_repository_path_regex}|#{project_snippet_repository_path_regex})\z}
end end
def personal_and_project_snippets_path_regex
%r{#{personal_snippet_path_regex}|#{project_snippet_path_regex}}
end
def container_image_regex def container_image_regex
@container_image_regex ||= %r{([\w\.-]+\/){0,1}[\w\.-]+}.freeze @container_image_regex ||= %r{([\w\.-]+\/){0,1}[\w\.-]+}.freeze
end end
......
...@@ -5,7 +5,7 @@ module Gitlab ...@@ -5,7 +5,7 @@ module Gitlab
NotFoundError = Class.new(StandardError) NotFoundError = Class.new(StandardError)
def self.parse(path) def self.parse(path)
repo_path = path.sub(/\.git\z/, '').sub(%r{\A/}, '') repo_path = path.delete_prefix('/').delete_suffix('.git')
redirected_path = nil redirected_path = nil
# Detect the repo type based on the path, the first one tried is the project # Detect the repo type based on the path, the first one tried is the project
......
...@@ -9,16 +9,9 @@ RSpec.describe Repositories::GitHttpController do ...@@ -9,16 +9,9 @@ RSpec.describe Repositories::GitHttpController do
let_it_be(:personal_snippet) { create(:personal_snippet, :public, :repository) } let_it_be(:personal_snippet) { create(:personal_snippet, :public, :repository) }
let_it_be(:project_snippet) { create(:project_snippet, :public, :repository, project: project) } let_it_be(:project_snippet) { create(:project_snippet, :public, :repository, project: project) }
let(:namespace_id) { project.namespace.to_param } shared_examples Repositories::GitHttpController do
let(:repository_id) { project.path + '.git' } let(:repository_path) { "#{container.full_path}.git" }
let(:container_params) do let(:params) { { repository_path: repository_path } }
{
namespace_id: namespace_id,
repository_id: repository_id
}
end
let(:params) { container_params }
describe 'HEAD #info_refs' do describe 'HEAD #info_refs' do
it 'returns 403' do it 'returns 403' do
...@@ -28,9 +21,8 @@ RSpec.describe Repositories::GitHttpController do ...@@ -28,9 +21,8 @@ RSpec.describe Repositories::GitHttpController do
end end
end end
shared_examples 'info_refs behavior' do
describe 'GET #info_refs' do describe 'GET #info_refs' do
let(:params) { container_params.merge(service: 'git-upload-pack') } let(:params) { super().merge(service: 'git-upload-pack') }
it 'returns 401 for unauthenticated requests to public repositories when http protocol is disabled' do it 'returns 401 for unauthenticated requests to public repositories when http protocol is disabled' do
stub_application_setting(enabled_git_access_protocol: 'ssh') stub_application_setting(enabled_git_access_protocol: 'ssh')
...@@ -43,6 +35,26 @@ RSpec.describe Repositories::GitHttpController do ...@@ -43,6 +35,26 @@ RSpec.describe Repositories::GitHttpController do
expect(response).to have_gitlab_http_status(:unauthorized) expect(response).to have_gitlab_http_status(:unauthorized)
end end
it 'calls the right access checker class with the right object' do
allow(controller).to receive(:verify_workhorse_api!).and_return(true)
access_double = double
options = {
authentication_abilities: [:download_code],
repository_path: repository_path,
redirected_path: nil,
auth_result_type: :none
}
expect(access_checker_class).to receive(:new)
.with(nil, container, 'http', hash_including(options))
.and_return(access_double)
allow(access_double).to receive(:check).and_return(false)
get :info_refs, params: params
end
context 'with authorized user' do context 'with authorized user' do
before do before do
request.headers.merge! auth_env(user.username, user.password, nil) request.headers.merge! auth_env(user.username, user.password, nil)
...@@ -97,14 +109,29 @@ RSpec.describe Repositories::GitHttpController do ...@@ -97,14 +109,29 @@ RSpec.describe Repositories::GitHttpController do
end end
end end
end end
describe 'POST #git_upload_pack' do
before do
allow(controller).to receive(:verify_workhorse_api!).and_return(true)
end
it 'returns 200' do
post :git_upload_pack, params: params
expect(response).to have_gitlab_http_status(:ok)
end
end
end end
shared_examples 'git_upload_pack behavior' do |expected| context 'when repository container is a project' do
it_behaves_like Repositories::GitHttpController do
let(:container) { project }
let(:user) { project.owner }
let(:access_checker_class) { Gitlab::GitAccess }
describe 'POST #git_upload_pack' do describe 'POST #git_upload_pack' do
before do before do
allow(controller).to receive(:authenticate_user).and_return(true)
allow(controller).to receive(:verify_workhorse_api!).and_return(true) allow(controller).to receive(:verify_workhorse_api!).and_return(true)
allow(controller).to receive(:access_check).and_return(nil)
end end
def send_request def send_request
...@@ -123,99 +150,48 @@ RSpec.describe Repositories::GitHttpController do ...@@ -123,99 +150,48 @@ RSpec.describe Repositories::GitHttpController do
end end
end end
if expected
context 'when project_statistics_sync feature flag is disabled' do context 'when project_statistics_sync feature flag is disabled' do
before do before do
stub_feature_flags(project_statistics_sync: false) stub_feature_flags(project_statistics_sync: false)
end end
it 'updates project statistics async' do it 'updates project statistics async for projects' do
expect(ProjectDailyStatisticsWorker).to receive(:perform_async) expect(ProjectDailyStatisticsWorker).to receive(:perform_async)
send_request send_request
end end
end end
it 'updates project statistics sync' do it 'updates project statistics sync for projects' do
expect { send_request }.to change { expect { send_request }.to change {
Projects::DailyStatisticsFinder.new(project).total_fetch_count Projects::DailyStatisticsFinder.new(container).total_fetch_count
}.from(0).to(1) }.from(0).to(1)
end end
else
context 'when project_statistics_sync feature flag is disabled' do
before do
stub_feature_flags(project_statistics_sync: false)
end
it 'does not update project statistics' do
expect(ProjectDailyStatisticsWorker).not_to receive(:perform_async)
send_request
end
end
it 'does not update project statistics' do
expect { send_request }.not_to change {
Projects::DailyStatisticsFinder.new(project).total_fetch_count
}.from(0)
end
end end
end end
end end
shared_examples 'access checker class' do context 'when repository container is a project wiki' do
let(:params) { container_params.merge(service: 'git-upload-pack') } it_behaves_like Repositories::GitHttpController do
let(:container) { create(:project_wiki, :empty_repo, project: project) }
it 'calls the right access class checker with the right object' do
allow(controller).to receive(:verify_workhorse_api!).and_return(true)
access_double = double
expect(expected_class).to receive(:new).with(anything, expected_object, 'http', anything).and_return(access_double)
allow(access_double).to receive(:check).and_return(false)
get :info_refs, params: params
end
end
context 'when repository container is a project' do
it_behaves_like 'info_refs behavior' do
let(:user) { project.owner } let(:user) { project.owner }
end let(:access_checker_class) { Gitlab::GitAccessWiki }
it_behaves_like 'git_upload_pack behavior', true
it_behaves_like 'access checker class' do
let(:expected_class) { Gitlab::GitAccess }
let(:expected_object) { project }
end end
end end
context 'when repository container is a personal snippet' do context 'when repository container is a personal snippet' do
let(:namespace_id) { 'snippets' } it_behaves_like Repositories::GitHttpController do
let(:repository_id) { personal_snippet.to_param + '.git' } let(:container) { personal_snippet }
it_behaves_like 'info_refs behavior' do
let(:user) { personal_snippet.author } let(:user) { personal_snippet.author }
end let(:access_checker_class) { Gitlab::GitAccessSnippet }
it_behaves_like 'git_upload_pack behavior', false
it_behaves_like 'access checker class' do
let(:expected_class) { Gitlab::GitAccessSnippet }
let(:expected_object) { personal_snippet }
end end
end end
context 'when repository container is a project snippet' do context 'when repository container is a project snippet' do
let(:namespace_id) { project.full_path + '/snippets' } it_behaves_like Repositories::GitHttpController do
let(:repository_id) { project_snippet.to_param + '.git' } let(:container) { project_snippet }
it_behaves_like 'info_refs behavior' do
let(:user) { project_snippet.author } let(:user) { project_snippet.author }
end let(:access_checker_class) { Gitlab::GitAccessSnippet }
it_behaves_like 'git_upload_pack behavior', false
it_behaves_like 'access checker class' do
let(:expected_class) { Gitlab::GitAccessSnippet }
let(:expected_object) { project_snippet }
end end
end end
end end
...@@ -23,8 +23,7 @@ RSpec.describe Repositories::LfsStorageController do ...@@ -23,8 +23,7 @@ RSpec.describe Repositories::LfsStorageController do
let(:params) do let(:params) do
{ {
namespace_id: project.namespace.path, repository_path: "#{project.full_path}.git",
repository_id: "#{project.path}.git",
oid: '6b9765d3888aaec789e8c309eb05b05c3a87895d6ad70d2264bd7270fff665ac', oid: '6b9765d3888aaec789e8c309eb05b05c3a87895d6ad70d2264bd7270fff665ac',
size: '6725030' size: '6725030'
} }
......
...@@ -13,5 +13,6 @@ FactoryBot.define do ...@@ -13,5 +13,6 @@ FactoryBot.define do
sequence(:past_time) { |n| 4.hours.ago + (2 * n).seconds } sequence(:past_time) { |n| 4.hours.ago + (2 * n).seconds }
sequence(:iid) sequence(:iid)
sequence(:sha) { |n| Digest::SHA1.hexdigest("commit-like-#{n}") } sequence(:sha) { |n| Digest::SHA1.hexdigest("commit-like-#{n}") }
sequence(:oid) { |n| Digest::SHA2.hexdigest("oid-like-#{n}") }
sequence(:variable) { |n| "var#{n}" } sequence(:variable) { |n| "var#{n}" }
end end
...@@ -9,6 +9,7 @@ RSpec.describe Gitlab::GitAccessProject do ...@@ -9,6 +9,7 @@ RSpec.describe Gitlab::GitAccessProject do
let(:actor) { user } let(:actor) { user }
let(:project_path) { project.path } let(:project_path) { project.path }
let(:namespace_path) { project&.namespace&.path } let(:namespace_path) { project&.namespace&.path }
let(:repository_path) { "#{namespace_path}/#{project_path}.git" }
let(:protocol) { 'ssh' } let(:protocol) { 'ssh' }
let(:authentication_abilities) { %i[read_project download_code push_code] } let(:authentication_abilities) { %i[read_project download_code push_code] }
let(:changes) { Gitlab::GitAccess::ANY } let(:changes) { Gitlab::GitAccess::ANY }
...@@ -17,7 +18,7 @@ RSpec.describe Gitlab::GitAccessProject do ...@@ -17,7 +18,7 @@ RSpec.describe Gitlab::GitAccessProject do
let(:access) do let(:access) do
described_class.new(actor, container, protocol, described_class.new(actor, container, protocol,
authentication_abilities: authentication_abilities, authentication_abilities: authentication_abilities,
repository_path: project_path, namespace_path: namespace_path) repository_path: repository_path)
end end
describe '#check_namespace!' do describe '#check_namespace!' do
...@@ -103,6 +104,20 @@ RSpec.describe Gitlab::GitAccessProject do ...@@ -103,6 +104,20 @@ RSpec.describe Gitlab::GitAccessProject do
end end
end end
context 'when namespace is blank' do
let(:repository_path) { 'project.git' }
it_behaves_like 'no project is created' do
let(:raise_specific_error) { raise_namespace_not_found }
end
end
context 'when namespace does not exist' do
let(:namespace_path) { 'unknown' }
it_behaves_like 'no project is created'
end
context 'when user cannot create project in namespace' do context 'when user cannot create project in namespace' do
let(:user2) { create(:user) } let(:user2) { create(:user) }
let(:namespace_path) { user2.namespace.path } let(:namespace_path) { user2.namespace.path }
......
...@@ -10,8 +10,7 @@ RSpec.describe Gitlab::GitAccess do ...@@ -10,8 +10,7 @@ RSpec.describe Gitlab::GitAccess do
let(:actor) { user } let(:actor) { user }
let(:project) { create(:project, :repository) } let(:project) { create(:project, :repository) }
let(:project_path) { project&.path } let(:repository_path) { "#{project.full_path}.git" }
let(:namespace_path) { project&.namespace&.path }
let(:protocol) { 'ssh' } let(:protocol) { 'ssh' }
let(:authentication_abilities) { %i[read_project download_code push_code] } let(:authentication_abilities) { %i[read_project download_code push_code] }
let(:redirected_path) { nil } let(:redirected_path) { nil }
...@@ -210,10 +209,9 @@ RSpec.describe Gitlab::GitAccess do ...@@ -210,10 +209,9 @@ RSpec.describe Gitlab::GitAccess do
end end
end end
context 'when the project is nil' do context 'when the project does not exist' do
let(:project) { nil } let(:project) { nil }
let(:project_path) { "new-project" } let(:repository_path) { "#{user.namespace.path}/new-project.git" }
let(:namespace_path) { user.namespace.path }
it 'blocks push and pull with "not found"' do it 'blocks push and pull with "not found"' do
aggregate_failures do aggregate_failures do
...@@ -452,9 +450,8 @@ RSpec.describe Gitlab::GitAccess do ...@@ -452,9 +450,8 @@ RSpec.describe Gitlab::GitAccess do
context 'when project is public' do context 'when project is public' do
let(:public_project) { create(:project, :public, :repository) } let(:public_project) { create(:project, :public, :repository) }
let(:project_path) { public_project.path } let(:repository_path) { "#{public_project.full_path}.git" }
let(:namespace_path) { public_project.namespace.path } let(:access) { access_class.new(nil, public_project, 'web', authentication_abilities: [:download_code], repository_path: repository_path) }
let(:access) { access_class.new(nil, public_project, 'web', authentication_abilities: [:download_code], repository_path: project_path, namespace_path: namespace_path) }
context 'when repository is enabled' do context 'when repository is enabled' do
it 'give access to download code' do it 'give access to download code' do
...@@ -1169,7 +1166,7 @@ RSpec.describe Gitlab::GitAccess do ...@@ -1169,7 +1166,7 @@ RSpec.describe Gitlab::GitAccess do
def access def access
access_class.new(actor, project, protocol, access_class.new(actor, project, protocol,
authentication_abilities: authentication_abilities, authentication_abilities: authentication_abilities,
namespace_path: namespace_path, repository_path: project_path, repository_path: repository_path,
redirected_path: redirected_path, auth_result_type: auth_result_type) redirected_path: redirected_path, auth_result_type: auth_result_type)
end end
......
...@@ -433,37 +433,85 @@ RSpec.describe Gitlab::PathRegex do ...@@ -433,37 +433,85 @@ RSpec.describe Gitlab::PathRegex do
it { is_expected.not_to match('gitlab.git') } it { is_expected.not_to match('gitlab.git') }
end end
shared_examples 'invalid snippet routes' do context 'repository routes' do
it { is_expected.not_to match('gitlab-org/gitlab/snippets/1.git') } # Paths that match a known container
it { is_expected.not_to match('snippets/1.git') } let_it_be(:container_paths) do
it { is_expected.not_to match('gitlab-org/gitlab/snippets/') } [
it { is_expected.not_to match('/gitlab-org/gitlab/snippets/1') } 'gitlab-org',
it { is_expected.not_to match('gitlab-org/gitlab/snippets/foo') } 'gitlab-org/gitlab-test',
it { is_expected.not_to match('root/snippets/1') } 'gitlab-org/gitlab-test/snippets/1',
it { is_expected.not_to match('/snippets/1') } 'gitlab-org/gitlab-test/snippets/foo', # ambiguous, we allow creating a sub-group called 'snippets'
it { is_expected.not_to match('snippets/') } 'snippets/1'
it { is_expected.not_to match('snippets/foo') } ]
end end
describe '.full_snippets_repository_path_regex' do # Paths that never match a container
subject { described_class.full_snippets_repository_path_regex } let_it_be(:invalid_paths) do
[
'gitlab/',
'/gitlab',
'gitlab/foo/',
'?gitlab',
'git lab',
'/snippets/1',
'snippets/foo',
'gitlab-org/gitlab/snippets/'
]
end
let_it_be(:git_paths) { container_paths.map { |path| path + '.git' } }
let_it_be(:snippet_paths) { container_paths.grep(%r{snippets/\d}) }
let_it_be(:wiki_git_paths) { (container_paths - snippet_paths).map { |path| path + '.wiki.git' } }
let_it_be(:invalid_git_paths) { invalid_paths.map { |path| path + '.git' } }
def expect_route_match(paths)
paths.each { |path| is_expected.to match(path) }
end
def expect_no_route_match(paths)
paths.each { |path| is_expected.not_to match(path) }
end
it { is_expected.to match('gitlab-org/gitlab/snippets/1') } describe '.repository_route_regex' do
it { is_expected.to match('snippets/1') } subject { %r{\A#{described_class.repository_route_regex}\z} }
it_behaves_like 'invalid snippet routes' it 'matches the expected paths' do
expect_route_match(container_paths)
expect_no_route_match(invalid_paths + git_paths)
end
end end
describe '.personal_and_project_snippets_path_regex' do describe '.repository_git_route_regex' do
subject { %r{\A#{described_class.personal_and_project_snippets_path_regex}\z} } subject { %r{\A#{described_class.repository_git_route_regex}\z} }
it { is_expected.to match('gitlab-org/gitlab/snippets') } it 'matches the expected paths' do
it { is_expected.to match('snippets') } expect_route_match(git_paths + wiki_git_paths)
expect_no_route_match(container_paths + invalid_paths + invalid_git_paths)
end
end
it { is_expected.not_to match('gitlab-org/gitlab/snippets/1') } describe '.repository_wiki_git_route_regex' do
it { is_expected.not_to match('snippets/1') } subject { %r{\A#{described_class.repository_wiki_git_route_regex}\z} }
it_behaves_like 'invalid snippet routes' it 'matches the expected paths' do
expect_route_match(wiki_git_paths)
expect_no_route_match(git_paths + invalid_git_paths)
end
it { is_expected.not_to match('snippets/1.wiki.git') }
end
describe '.full_snippets_repository_path_regex' do
subject { described_class.full_snippets_repository_path_regex }
it 'matches the expected paths' do
expect_route_match(snippet_paths)
expect_no_route_match(container_paths - snippet_paths + git_paths + invalid_paths)
end
it { is_expected.not_to match('root/snippets/1') }
it { is_expected.not_to match('gitlab-org/gitlab-test/snippets/foo') }
end
end end
describe '.container_image_regex' do describe '.container_image_regex' do
......
...@@ -722,8 +722,7 @@ RSpec.describe API::Internal::Base do ...@@ -722,8 +722,7 @@ RSpec.describe API::Internal::Base do
'ssh', 'ssh',
{ {
authentication_abilities: [:read_project, :download_code, :push_code], authentication_abilities: [:read_project, :download_code, :push_code],
namespace_path: project.namespace.path, repository_path: "#{project.full_path}.git",
repository_path: project.path,
redirected_path: nil redirected_path: nil
} }
).and_return(access_checker) ).and_return(access_checker)
......
...@@ -3,22 +3,60 @@ ...@@ -3,22 +3,60 @@
require 'spec_helper' require 'spec_helper'
RSpec.describe 'git_http routing' do RSpec.describe 'git_http routing' do
include RSpec::Rails::RequestExampleGroup describe 'code repositories' do
it_behaves_like 'git repository routes' do
let(:path) { '/gitlab-org/gitlab-test.git' }
end
end
describe 'wiki repositories' do
context 'in project' do
let(:path) { '/gitlab-org/gitlab-test.wiki.git' }
describe 'wiki.git routing', 'routing' do it_behaves_like 'git repository routes'
let(:wiki_path) { '/gitlab/gitlabhq/wikis' }
describe 'redirects', type: :request do
let(:web_path) { '/gitlab-org/gitlab-test/-/wikis' }
it 'redirects namespace/project.wiki.git to the project wiki' do it 'redirects namespace/project.wiki.git to the project wiki' do
expect(get('/gitlab/gitlabhq.wiki.git')).to redirect_to(wiki_path) expect(get(path)).to redirect_to(web_path)
end end
it 'preserves query parameters' do it 'preserves query parameters' do
expect(get('/gitlab/gitlabhq.wiki.git?foo=bar&baz=qux')).to redirect_to("#{wiki_path}?foo=bar&baz=qux") expect(get("#{path}?foo=bar&baz=qux")).to redirect_to("#{web_path}?foo=bar&baz=qux")
end end
it 'only redirects when the format is .git' do it 'only redirects when the format is .git' do
expect(get('/gitlab/gitlabhq.wiki')).not_to redirect_to(wiki_path) expect(get(path.delete_suffix('.git'))).not_to redirect_to(web_path)
expect(get('/gitlab/gitlabhq.wiki.json')).not_to redirect_to(wiki_path) expect(get(path.delete_suffix('.git') + '.json')).not_to redirect_to(web_path)
end
end
end
context 'in toplevel group' do
it_behaves_like 'git repository routes' do
let(:path) { '/gitlab-org.wiki.git' }
end
end
context 'in child group' do
it_behaves_like 'git repository routes' do
let(:path) { '/gitlab-org/child.wiki.git' }
end
end
end
describe 'snippet repositories' do
context 'personal snippet' do
it_behaves_like 'git repository routes' do
let(:path) { '/snippets/123.git' }
end
end
context 'project snippet' do
it_behaves_like 'git repository routes' do
let(:path) { '/gitlab-org/gitlab-test/snippets/123.git' }
end
end end
end end
end end
...@@ -54,10 +54,6 @@ RSpec.describe "Mounted Apps", "routing" do ...@@ -54,10 +54,6 @@ RSpec.describe "Mounted Apps", "routing" do
it "to API" do it "to API" do
expect(get("/api/issues")).to be_routable expect(get("/api/issues")).to be_routable
end end
it "to Grack" do
expect(get("/gitlab/gitlabhq.git")).to be_routable
end
end end
# snippets GET /snippets(.:format) snippets#index # snippets GET /snippets(.:format) snippets#index
......
...@@ -5,45 +5,45 @@ require_relative 'workhorse_helpers' ...@@ -5,45 +5,45 @@ require_relative 'workhorse_helpers'
module GitHttpHelpers module GitHttpHelpers
include WorkhorseHelpers include WorkhorseHelpers
def clone_get(project, **options) def clone_get(repository_path, **options)
get "/#{project}/info/refs", params: { service: 'git-upload-pack' }, headers: auth_env(*options.values_at(:user, :password, :spnego_request_token)) get "/#{repository_path}/info/refs", params: { service: 'git-upload-pack' }, headers: auth_env(*options.values_at(:user, :password, :spnego_request_token))
end end
def clone_post(project, **options) def clone_post(repository_path, **options)
post "/#{project}/git-upload-pack", headers: auth_env(*options.values_at(:user, :password, :spnego_request_token)) post "/#{repository_path}/git-upload-pack", headers: auth_env(*options.values_at(:user, :password, :spnego_request_token))
end end
def push_get(project, **options) def push_get(repository_path, **options)
get "/#{project}/info/refs", params: { service: 'git-receive-pack' }, headers: auth_env(*options.values_at(:user, :password, :spnego_request_token)) get "/#{repository_path}/info/refs", params: { service: 'git-receive-pack' }, headers: auth_env(*options.values_at(:user, :password, :spnego_request_token))
end end
def push_post(project, **options) def push_post(repository_path, **options)
post "/#{project}/git-receive-pack", headers: auth_env(*options.values_at(:user, :password, :spnego_request_token)) post "/#{repository_path}/git-receive-pack", headers: auth_env(*options.values_at(:user, :password, :spnego_request_token))
end end
def download(project, user: nil, password: nil, spnego_request_token: nil) def download(repository_path, user: nil, password: nil, spnego_request_token: nil)
args = { user: user, password: password, spnego_request_token: spnego_request_token } args = { user: user, password: password, spnego_request_token: spnego_request_token }
clone_get(project, **args) clone_get(repository_path, **args)
yield response yield response
clone_post(project, **args) clone_post(repository_path, **args)
yield response yield response
end end
def upload(project, user: nil, password: nil, spnego_request_token: nil) def upload(repository_path, user: nil, password: nil, spnego_request_token: nil)
args = { user: user, password: password, spnego_request_token: spnego_request_token } args = { user: user, password: password, spnego_request_token: spnego_request_token }
push_get(project, **args) push_get(repository_path, **args)
yield response yield response
push_post(project, **args) push_post(repository_path, **args)
yield response yield response
end end
def download_or_upload(project, **args, &block) def download_or_upload(repository_path, **args, &block)
download(project, **args, &block) download(repository_path, **args, &block)
upload(project, **args, &block) upload(repository_path, **args, &block)
end end
def auth_env(user, password, spnego_request_token) def auth_env(user, password, spnego_request_token)
......
# frozen_string_literal: true
RSpec.shared_examples 'git repository routes' do
let(:params) { { repository_path: path.delete_prefix('/') } }
let(:container_path) { path.delete_suffix('.git') }
it 'routes Git endpoints' do
expect(get("#{path}/info/refs")).to route_to('repositories/git_http#info_refs', **params)
expect(post("#{path}/git-upload-pack")).to route_to('repositories/git_http#git_upload_pack', **params)
expect(post("#{path}/git-receive-pack")).to route_to('repositories/git_http#git_receive_pack', **params)
end
context 'requests without .git format' do
it 'redirects requests to /info/refs', type: :request do
expect(get("#{container_path}/info/refs")).to redirect_to("#{container_path}.git/info/refs")
expect(get("#{container_path}/info/refs?service=git-upload-pack")).to redirect_to("#{container_path}.git/info/refs?service=git-upload-pack")
expect(get("#{container_path}/info/refs?service=git-receive-pack")).to redirect_to("#{container_path}.git/info/refs?service=git-receive-pack")
end
it 'does not redirect other requests' do
expect(post("#{container_path}/git-upload-pack")).not_to be_routable
end
end
it 'routes LFS endpoints' do
oid = generate(:oid)
expect(post("#{path}/info/lfs/objects/batch")).to route_to('repositories/lfs_api#batch', **params)
expect(post("#{path}/info/lfs/objects")).to route_to('repositories/lfs_api#deprecated', **params)
expect(get("#{path}/info/lfs/objects/#{oid}")).to route_to('repositories/lfs_api#deprecated', oid: oid, **params)
expect(post("#{path}/info/lfs/locks/123/unlock")).to route_to('repositories/lfs_locks_api#unlock', id: '123', **params)
expect(post("#{path}/info/lfs/locks/verify")).to route_to('repositories/lfs_locks_api#verify', **params)
expect(get("#{path}/gitlab-lfs/objects/#{oid}")).to route_to('repositories/lfs_storage#download', oid: oid, **params)
expect(put("#{path}/gitlab-lfs/objects/#{oid}/456/authorize")).to route_to('repositories/lfs_storage#upload_authorize', oid: oid, size: '456', **params)
expect(put("#{path}/gitlab-lfs/objects/#{oid}/456")).to route_to('repositories/lfs_storage#upload_finalize', oid: oid, size: '456', **params)
expect(put("#{path}/gitlab-lfs/objects/foo")).not_to be_routable
expect(put("#{path}/gitlab-lfs/objects/#{oid}/foo")).not_to be_routable
expect(put("#{path}/gitlab-lfs/objects/#{oid}/foo/authorize")).not_to be_routable
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment