Commit
f53d09e1
authored
Aug 30, 2016
by
Patricio Cano
Refactored LFS auth logic to use its own API endpoint.
parent
c16f7323
Showing
11 changed files
with
107 additions
and
28 deletions
+107
-28
lib/gitlab_access_status.rb
lib/gitlab_access_status.rb
+3
-4
lib/gitlab_lfs_authentication.rb
lib/gitlab_lfs_authentication.rb
+10
-4
lib/gitlab_net.rb
lib/gitlab_net.rb
+22
-5
lib/gitlab_shell.rb
lib/gitlab_shell.rb
+5
-5
spec/gitlab_access_spec.rb
spec/gitlab_access_spec.rb
+2
-2
spec/gitlab_lfs_authentication_spec.rb
spec/gitlab_lfs_authentication_spec.rb
+3
-2
spec/gitlab_net_spec.rb
spec/gitlab_net_spec.rb
+13
-2
spec/gitlab_shell_spec.rb
spec/gitlab_shell_spec.rb
+1
-2
spec/vcr_cassettes/allowed-pull.yml
spec/vcr_cassettes/allowed-pull.yml
+1
-1
spec/vcr_cassettes/discover-ok.yml
spec/vcr_cassettes/discover-ok.yml
+1
-1
spec/vcr_cassettes/lfs-authenticate-ok.yml
spec/vcr_cassettes/lfs-authenticate-ok.yml
+46
-0
lib/gitlab_access_status.rb
require
'json'
require
'json'
class
GitAccessStatus
class
GitAccessStatus
attr_reader
:message
,
:repository_path
,
:repository_http_path
attr_reader
:message
,
:repository_path
def
initialize
(
status
,
message
,
repository_path
,
repository_http_path
)
def
initialize
(
status
,
message
,
repository_path
)
@status
=
status
@status
=
status
@message
=
message
@message
=
message
@repository_path
=
repository_path
@repository_path
=
repository_path
@repository_http_path
=
repository_http_path
end
end
def
self
.
create_from_json
(
json
)
def
self
.
create_from_json
(
json
)
values
=
JSON
.
parse
(
json
)
values
=
JSON
.
parse
(
json
)
self
.
new
(
values
[
"status"
],
values
[
"message"
],
values
[
"repository_path"
]
,
values
[
"repository_http_path"
]
)
self
.
new
(
values
[
"status"
],
values
[
"message"
],
values
[
"repository_path"
])
end
end
def
allowed?
def
allowed?
...
...
lib/gitlab_lfs_authentication.rb
...
@@ -2,17 +2,23 @@ require 'base64'
...
@@ -2,17 +2,23 @@ require 'base64'
require
'json'
require
'json'
class
GitlabLfsAuthentication
class
GitlabLfsAuthentication
attr_accessor
:user
,
:repository_http_path
attr_accessor
:user
name
,
:lfs_token
,
:repository_http_path
def
initialize
(
user
,
repository_http_path
)
def
initialize
(
username
,
lfs_token
,
repository_http_path
)
@user
=
user
@username
=
username
@lfs_token
=
lfs_token
@repository_http_path
=
repository_http_path
@repository_http_path
=
repository_http_path
end
end
def
self
.
build_from_json
(
json
)
values
=
JSON
.
parse
(
json
)
self
.
new
(
values
[
'username'
],
values
[
'lfs_token'
],
values
[
'repository_http_path'
])
end
def
authenticate!
def
authenticate!
authorization
=
{
authorization
=
{
header:
{
header:
{
Authorization
:
"Basic
#{
Base64
.
strict_encode64
(
"
#{
user
[
'username'
]
}
:
#{
user
[
'lfs_token'
]
}
"
)
}
"
Authorization
:
"Basic
#{
Base64
.
strict_encode64
(
"
#{
user
name
}
:
#{
lfs_token
}
"
)
}
"
},
},
href:
"
#{
repository_http_path
}
/info/lfs/"
href:
"
#{
repository_http_path
}
/info/lfs/"
}
}
...
...
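Review bot: `build_from_json` passes whatever the API body contains straight into `new`, so a 200 response that lacks `username`, `lfs_token` or `repository_http_path` yields an object whose `authenticate!` interpolates nil values and emits a Basic header with empty credentials and an href of `/info/lfs/`. Returning nil when a field is missing would let the caller's existing `return unless lfs_access` check handle it, for example `return unless %w[username lfs_token repository_http_path].all? { |k| values[k].is_a?(String) && !values[k].empty? }` placed before the `new` call. `JSON.parse` can also raise on a non-JSON body, and nothing visible in this section rescues it. Because the object carries a token, `attr_reader` would be a tighter choice than `attr_accessor`; the remainder of `authenticate!` lies outside the visible lines.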
lib/gitlab_net.rb
...
@@ -6,6 +6,7 @@ require_relative 'gitlab_config'
...
@@ -6,6 +6,7 @@ require_relative 'gitlab_config'
require_relative
'gitlab_logger'
require_relative
'gitlab_logger'
require_relative
'gitlab_access'
require_relative
'gitlab_access'
require_relative
'gitlab_redis'
require_relative
'gitlab_redis'
require_relative
'gitlab_lfs_authentication'
require_relative
'httpunix'
require_relative
'httpunix'
class
GitlabNet
class
GitlabNet
...
@@ -15,15 +16,12 @@ class GitlabNet
...
@@ -15,15 +16,12 @@ class GitlabNet
READ_TIMEOUT
=
300
READ_TIMEOUT
=
300
def
check_access
(
cmd
,
repo
,
actor
,
changes
,
protocol
)
def
check_access
(
cmd
,
repo
,
actor
,
changes
,
protocol
)
project_name
=
repo
.
gsub
(
"'"
,
""
)
project_name
=
project_name
.
gsub
(
/\.git\Z/
,
""
)
project_name
=
project_name
.
gsub
(
/\A\//
,
""
)
changes
=
changes
.
join
(
"
\n
"
)
unless
changes
.
kind_of?
(
String
)
changes
=
changes
.
join
(
"
\n
"
)
unless
changes
.
kind_of?
(
String
)
params
=
{
params
=
{
action:
cmd
,
action:
cmd
,
changes:
changes
,
changes:
changes
,
project:
project_name
,
project:
project_name
(
repo
)
,
protocol:
protocol
protocol:
protocol
}
}
...
@@ -39,7 +37,7 @@ class GitlabNet
...
@@ -39,7 +37,7 @@ class GitlabNet
if
resp
.
code
==
'200'
if
resp
.
code
==
'200'
GitAccessStatus
.
create_from_json
(
resp
.
body
)
GitAccessStatus
.
create_from_json
(
resp
.
body
)
else
else
GitAccessStatus
.
new
(
false
,
'API is not accessible'
,
nil
,
nil
)
GitAccessStatus
.
new
(
false
,
'API is not accessible'
,
nil
)
end
end
end
end
...
@@ -49,6 +47,19 @@ class GitlabNet
...
@@ -49,6 +47,19 @@ class GitlabNet
JSON
.
parse
(
resp
.
body
)
rescue
nil
JSON
.
parse
(
resp
.
body
)
rescue
nil
end
end
def
lfs_authenticate
(
key
,
repo
)
params
=
{
project:
project_name
(
repo
),
key_id:
key
.
gsub
(
'key-'
,
''
)
}
resp
=
post
(
"
#{
host
}
/lfs_authenticate"
,
params
)
if
resp
.
code
==
'200'
GitlabLfsAuthentication
.
build_from_json
(
resp
.
body
)
end
end
def
broadcast_message
def
broadcast_message
resp
=
get
(
"
#{
host
}
/broadcast_message"
)
resp
=
get
(
"
#{
host
}
/broadcast_message"
)
JSON
.
parse
(
resp
.
body
)
rescue
{}
JSON
.
parse
(
resp
.
body
)
rescue
{}
...
@@ -107,6 +118,12 @@ class GitlabNet
...
@@ -107,6 +118,12 @@ class GitlabNet
protected
protected
def
project_name
(
repo
)
project_name
=
repo
.
gsub
(
"'"
,
""
)
project_name
=
project_name
.
gsub
(
/\.git\Z/
,
""
)
project_name
.
gsub
(
/\A\//
,
""
)
end
def
config
def
config
@config
||=
GitlabConfig
.
new
@config
||=
GitlabConfig
.
new
end
end
...
...
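Review bot: In `lfs_authenticate`, `key.gsub('key-', '')` deletes every occurrence of `key-` in the string rather than only a leading prefix, so the `key_id` sent to the internal API is not guaranteed to be the identifier that was passed in; `key.sub(/\Akey-/, '')` states the intent and leaves everything else intact. The method also returns nil for every non-200 response without logging, which makes an API outage indistinguishable from a refused request when reading the logs. On the extracted `project_name` helper, a short comment such as `# Normalises the repo path only (quotes, .git suffix, leading slash); authorization is decided by the API` would stop readers from treating it as input validation.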
lib/gitlab_shell.rb
require
'shellwords'
require
'shellwords'
require_relative
'gitlab_net'
require_relative
'gitlab_net'
require_relative
'gitlab_lfs_authentication'
class
GitlabShell
class
GitlabShell
class
AccessDeniedError
<
StandardError
;
end
class
AccessDeniedError
<
StandardError
;
end
...
@@ -12,7 +11,7 @@ class GitlabShell
...
@@ -12,7 +11,7 @@ class GitlabShell
API_COMMANDS
=
%w(2fa_recovery_codes)
API_COMMANDS
=
%w(2fa_recovery_codes)
GL_PROTOCOL
=
'ssh'
.
freeze
GL_PROTOCOL
=
'ssh'
.
freeze
attr_accessor
:key_id
,
:repo_name
,
:command
,
:git_access
,
:repository_http_path
attr_accessor
:key_id
,
:repo_name
,
:command
,
:git_access
attr_reader
:repo_path
attr_reader
:repo_path
def
initialize
(
key_id
)
def
initialize
(
key_id
)
...
@@ -95,7 +94,6 @@ class GitlabShell
...
@@ -95,7 +94,6 @@ class GitlabShell
raise
AccessDeniedError
,
status
.
message
unless
status
.
allowed?
raise
AccessDeniedError
,
status
.
message
unless
status
.
allowed?
self
.
repo_path
=
status
.
repository_path
self
.
repo_path
=
status
.
repository_path
@repository_http_path
=
status
.
repository_http_path
end
end
def
process_cmd
(
args
)
def
process_cmd
(
args
)
...
@@ -192,9 +190,11 @@ class GitlabShell
...
@@ -192,9 +190,11 @@ class GitlabShell
end
end
def
lfs_authenticate
def
lfs_authenticate
return
unless
user
lfs_access
=
api
.
lfs_authenticate
(
@key_id
,
@repo_name
)
puts
GitlabLfsAuthentication
.
new
(
user
,
repository_http_path
).
authenticate!
return
unless
lfs_access
puts
lfs_access
.
authenticate!
end
end
private
private
...
...
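Review bot: `lfs_authenticate` now returns silently when `api.lfs_authenticate` gives back nil, so a refused or failed token request leaves no trace on the server side. A warning before the early return, for example `$logger.warn "gitlab-shell: LFS authentication failed for key #{@key_id} on <#{@repo_name}>."`, would give operators an audit record without ever writing the token itself. A one-line comment stating that the decision to issue the token is now made entirely by the `/lfs_authenticate` endpoint would also help, since this method no longer uses the `check_access` result for the HTTP path. Whether an access check still runs before this method is called is not visible in the hunk, and the class body continues outside it.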
spec/gitlab_access_spec.rb
...
@@ -7,7 +7,7 @@ describe GitlabAccess do
...
@@ -7,7 +7,7 @@ describe GitlabAccess do
let
(
:repo_path
)
{
File
.
join
(
repository_path
,
repo_name
)
+
".git"
}
let
(
:repo_path
)
{
File
.
join
(
repository_path
,
repo_name
)
+
".git"
}
let
(
:api
)
do
let
(
:api
)
do
double
(
GitlabNet
).
tap
do
|
api
|
double
(
GitlabNet
).
tap
do
|
api
|
api
.
stub
(
check_access:
GitAccessStatus
.
new
(
true
,
'ok'
,
'/home/git/repositories'
,
'http://gitlab.dev/repo'
))
api
.
stub
(
check_access:
GitAccessStatus
.
new
(
true
,
'ok'
,
'/home/git/repositories'
))
end
end
end
end
subject
do
subject
do
...
@@ -39,7 +39,7 @@ describe GitlabAccess do
...
@@ -39,7 +39,7 @@ describe GitlabAccess do
context
"access is denied"
do
context
"access is denied"
do
before
do
before
do
api
.
stub
(
check_access:
GitAccessStatus
.
new
(
false
,
'denied'
,
nil
,
nil
))
api
.
stub
(
check_access:
GitAccessStatus
.
new
(
false
,
'denied'
,
nil
))
end
end
it
"returns false"
do
it
"returns false"
do
...
...
spec/gitlab_lfs_authentication_spec.rb
...
@@ -5,11 +5,12 @@ describe GitlabLfsAuthentication do
...
@@ -5,11 +5,12 @@ describe GitlabLfsAuthentication do
let
(
:user
)
{
{
'username'
=>
'dzaporozhets'
,
'lfs_token'
=>
'wsnys8Zm8Jn7zyhHTAAK'
}
}
let
(
:user
)
{
{
'username'
=>
'dzaporozhets'
,
'lfs_token'
=>
'wsnys8Zm8Jn7zyhHTAAK'
}
}
subject
do
subject
do
GitlabLfsAuthentication
.
new
(
user
,
'http://gitlab.dev/repo'
)
GitlabLfsAuthentication
.
new
(
'dzaporozhets'
,
'wsnys8Zm8Jn7zyhHTAAK'
,
'http://gitlab.dev/repo'
)
end
end
describe
'#initialize'
do
describe
'#initialize'
do
it
{
subject
.
user
.
should
==
user
}
it
{
subject
.
username
.
should
==
'dzaporozhets'
}
it
{
subject
.
lfs_token
.
should
==
'wsnys8Zm8Jn7zyhHTAAK'
}
it
{
subject
.
repository_http_path
.
should
==
'http://gitlab.dev/repo'
}
it
{
subject
.
repository_http_path
.
should
==
'http://gitlab.dev/repo'
}
end
end
...
...
spec/gitlab_net_spec.rb
...
@@ -38,7 +38,6 @@ describe GitlabNet, vcr: true do
...
@@ -38,7 +38,6 @@ describe GitlabNet, vcr: true do
VCR
.
use_cassette
(
"discover-ok"
)
do
VCR
.
use_cassette
(
"discover-ok"
)
do
user
=
gitlab_net
.
discover
(
'key-126'
)
user
=
gitlab_net
.
discover
(
'key-126'
)
user
[
'name'
].
should
==
'Dmitriy Zaporozhets'
user
[
'name'
].
should
==
'Dmitriy Zaporozhets'
user
[
'lfs_token'
].
should
==
'wsnys8Zm8Jn7zyhHTAAK'
user
[
'username'
].
should
==
'dzaporozhets'
user
[
'username'
].
should
==
'dzaporozhets'
end
end
end
end
...
@@ -58,6 +57,19 @@ describe GitlabNet, vcr: true do
...
@@ -58,6 +57,19 @@ describe GitlabNet, vcr: true do
end
end
end
end
describe
'#lfs_authenticate'
do
context
'lfs authentication succeeded'
do
it
'should return the correct data'
do
VCR
.
use_cassette
(
'lfs-authenticate-ok'
)
do
lfs_access
=
gitlab_net
.
lfs_authenticate
(
'key-126'
,
'gitlab/gitlabhq.git'
)
lfs_access
.
username
.
should
==
'dzaporozhets'
lfs_access
.
lfs_token
.
should
==
'wsnys8Zm8Jn7zyhHTAAK'
lfs_access
.
repository_http_path
.
should
==
'http://gitlab.dev/gitlab/gitlabhq.git'
end
end
end
end
describe
:broadcast_message
do
describe
:broadcast_message
do
context
"broadcast message exists"
do
context
"broadcast message exists"
do
it
'should return message'
do
it
'should return message'
do
...
@@ -132,7 +144,6 @@ describe GitlabNet, vcr: true do
...
@@ -132,7 +144,6 @@ describe GitlabNet, vcr: true do
VCR
.
use_cassette
(
"allowed-pull"
)
do
VCR
.
use_cassette
(
"allowed-pull"
)
do
access
=
gitlab_net
.
check_access
(
'git-receive-pack'
,
'gitlab/gitlabhq.git'
,
'key-126'
,
changes
,
'ssh'
)
access
=
gitlab_net
.
check_access
(
'git-receive-pack'
,
'gitlab/gitlabhq.git'
,
'key-126'
,
changes
,
'ssh'
)
access
.
allowed?
.
should
be_true
access
.
allowed?
.
should
be_true
access
.
repository_http_path
.
should
==
'http://gitlab.dev/gitlab/gitlabhq.git'
end
end
end
end
...
...
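Review bot: The new `#lfs_authenticate` example covers only the recorded 200 response; the branch where the API answers with another status and the method returns nil has no example. Callers rely on that nil to withhold the token, so a second context with a non-200 response asserting `gitlab_net.lfs_authenticate('key-126', 'gitlab/gitlabhq.git').should be_nil` would pin the behaviour. An example with a 200 response whose body is missing `lfs_token` would likewise document what the client is expected to do with an incomplete answer.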
spec/gitlab_shell_spec.rb
...
@@ -36,7 +36,6 @@ describe GitlabShell do
...
@@ -36,7 +36,6 @@ describe GitlabShell do
let
(
:repo_name
)
{
'gitlab-ci.git'
}
let
(
:repo_name
)
{
'gitlab-ci.git'
}
let
(
:repo_path
)
{
File
.
join
(
tmp_repos_path
,
repo_name
)
}
let
(
:repo_path
)
{
File
.
join
(
tmp_repos_path
,
repo_name
)
}
let
(
:repo_http_path
)
{
'http://gitlab.dev/dzaporozhets/gitlab.git'
}
before
do
before
do
GitlabConfig
.
any_instance
.
stub
(
audit_usernames:
false
)
GitlabConfig
.
any_instance
.
stub
(
audit_usernames:
false
)
...
@@ -333,7 +332,7 @@ describe GitlabShell do
...
@@ -333,7 +332,7 @@ describe GitlabShell do
end
end
it
"should disallow access and log the attempt if check_access returns false status"
do
it
"should disallow access and log the attempt if check_access returns false status"
do
api
.
stub
(
check_access:
GitAccessStatus
.
new
(
false
,
'denied'
,
nil
,
nil
))
api
.
stub
(
check_access:
GitAccessStatus
.
new
(
false
,
'denied'
,
nil
))
message
=
"gitlab-shell: Access denied for git command <git-upload-pack gitlab-ci.git> "
message
=
"gitlab-shell: Access denied for git command <git-upload-pack gitlab-ci.git> "
message
<<
"by user with key
#{
key_id
}
."
message
<<
"by user with key
#{
key_id
}
."
$logger
.
should_receive
(
:warn
).
with
(
message
)
$logger
.
should_receive
(
:warn
).
with
(
message
)
...
...
spec/vcr_cassettes/allowed-pull.yml
...
@@ -42,7 +42,7 @@ http_interactions:
...
@@ -42,7 +42,7 @@ http_interactions:
-
'
0.089741'
-
'
0.089741'
body
:
body
:
encoding
:
UTF-8
encoding
:
UTF-8
string
:
'
{"status":
"true"
,"repository_http_path":
"http://gitlab.dev/gitlab/gitlabhq.git"
}'
string
:
'
{"status":
"true"}'
http_version
:
http_version
:
recorded_at
:
Wed, 03 Sep 2014 11:27:36 GMT
recorded_at
:
Wed, 03 Sep 2014 11:27:36 GMT
recorded_with
:
VCR 2.4.0
recorded_with
:
VCR 2.4.0
spec/vcr_cassettes/discover-ok.yml
...
@@ -40,7 +40,7 @@ http_interactions:
...
@@ -40,7 +40,7 @@ http_interactions:
-
'
0.016934'
-
'
0.016934'
body
:
body
:
encoding
:
UTF-8
encoding
:
UTF-8
string
:
'
{"name":"Dmitriy
Zaporozhets","username":"dzaporozhets"
,"lfs_token":"wsnys8Zm8Jn7zyhHTAAK"
}'
string
:
'
{"name":"Dmitriy
Zaporozhets","username":"dzaporozhets"}'
http_version
:
http_version
:
recorded_at
:
Wed, 03 Sep 2014 11:27:35 GMT
recorded_at
:
Wed, 03 Sep 2014 11:27:35 GMT
recorded_with
:
VCR 2.4.0
recorded_with
:
VCR 2.4.0
spec/vcr_cassettes/lfs-authenticate-ok.yml
0 → 100644
---
http_interactions
:
-
request
:
method
:
post
uri
:
https://dev.gitlab.org/api/v3/internal/lfs_authenticate
body
:
encoding
:
US-ASCII
string
:
project=gitlab%2Fgitlabhq&key_id=126&secret_token=a123
headers
:
Accept-Encoding
:
-
gzip;q=1.0,deflate;q=0.6,identity;q=0.3
Accept
:
-
"
*/*"
User-Agent
:
-
Ruby
response
:
status
:
code
:
200
message
:
OK
headers
:
Server
:
-
nginx/1.1.19
Date
:
-
Wed, 03 Sep 2014 11:27:35 GMT
Content-Type
:
-
application/json
Content-Length
:
-
'
56'
Connection
:
-
keep-alive
Status
:
-
200 OK
Etag
:
-
'
"1d75c1cf3d4bfa4d2b7bb6a0bcfd7f55"'
Cache-Control
:
-
max-age=0, private, must-revalidate
X-Request-Id
:
-
ef4513ae-0424-4941-8be0-b5a3a7b4bf12
X-Runtime
:
-
'
0.016934'
body
:
encoding
:
UTF-8
string
:
'
{"username":"dzaporozhets","lfs_token":"wsnys8Zm8Jn7zyhHTAAK","repository_http_path":"http://gitlab.dev/gitlab/gitlabhq.git"}'
http_version
:
recorded_at
:
Wed, 03 Sep 2014 11:27:35 GMT
recorded_with
:
VCR 2.4.0
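Review bot: This cassette stores the request body with `secret_token=a123` and a response carrying `lfs_token`, so a cassette re-recorded against a real instance would commit the shared internal-API secret and a usable LFS token to the repository. The values here look like placeholders, but the VCR setup is not visible on this page; if it does not already do so, configuring `filter_sensitive_data` for both fields would keep live values out of re-recorded cassettes. The `Content-Length` of `56` does not match the recorded body, which suggests the file was adapted by hand from another cassette, and a comment in the spec saying so would stop readers from trusting the headers.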