authorDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2014-03-19 21:01:00 +0200
committerDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2014-03-20 10:16:17 +0200
commit19c28822ef60da0f4eda380e6cab3be4a4cb18e5 (patch)
tree1d9772bc5148f77e41b8a3b964681ed485cb8e93 /lib
parent189f88de5b6a85d1bae43cc4625e5d6604bbe6a8 (diff)
downloadgitlab-ce-19c28822ef60da0f4eda380e6cab3be4a4cb18e5.tar.gz
Add Gitlab::GitAccess class to resolve auth issues during pull/push
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
Diffstat (limited to 'lib')
-rw-r--r--lib/gitlab/git_access.rb74
1 files changed, 74 insertions, 0 deletions
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
new file mode 100644
index 00000000000..5fb5505743f
--- /dev/null
+++ b/lib/gitlab/git_access.rb
@@ -0,0 +1,74 @@
+module Gitlab
+ class GitAccess
+ DOWNLOAD_COMMANDS = %w{ git-upload-pack git-upload-archive }
+ PUSH_COMMANDS = %w{ git-receive-pack }
+
+ attr_reader :params, :project, :git_cmd, :user
+
+ def allowed?(actor, cmd, project, ref = nil, oldrev = nil, newrev = nil)
+ case cmd
+ when *DOWNLOAD_COMMANDS
+ if actor.is_a? User
+ download_allowed?(actor, project)
+ elsif actor.is_a? DeployKey
+ actor.projects.include?(project)
+ elsif actor.is_a? Key
+ download_allowed?(actor.user, project)
+ else
+ raise 'Wrong actor'
+ end
+ when *PUSH_COMMANDS
+ if actor.is_a? User
+ push_allowed?(actor, project, ref, oldrev, newrev)
+ elsif actor.is_a? DeployKey
+ # Deploy key not allowed to push
+ return false
+ elsif actor.is_a? Key
+ push_allowed?(actor.user, project, ref, oldrev, newrev)
+ else
+ raise 'Wrong actor'
+ end
+ else
+ false
+ end
+ end
+
+ def download_allowed?(user, project)
+ if user_allowed?(user)
+ user.can?(:download_code, project)
+ else
+ false
+ end
+ end
+
+ def push_allowed?(user, project, ref, oldrev, newrev)
+ if user_allowed?(user)
+ action = if project.protected_branch?(ref)
+ :push_code_to_protected_branches
+ else
+ :push_code
+ end
+ user.can?(action, project)
+ else
+ false
+ end
+ end
+
+ private
+
+ def user_allowed?(user)
+ return false if user.blocked?
+
+ if Gitlab.config.ldap.enabled
+ if user.ldap_user?
+ # Check if LDAP user exists and match LDAP user_filter
+ unless Gitlab::LDAP::Access.new.allowed?(user)
+ return false
+ end
+ end
+ end
+
+ true
+ end
+ end
+end
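Review bot: In `push_allowed?` the protected-branch decision rests on `ref` alone: `oldrev` and `newrev` are passed through from `allowed?` but never read, and `ref` defaults to `nil` there, so a call without a ref is evaluated as `project.protected_branch?(nil)` and, assuming that returns false, is authorised with plain `:push_code`. If a ref-less call is meant only as a coarse pre-check that a per-ref call always follows, that contract should be written above `allowed?`, for example `# ref is nil for the connection-level check; the per-ref hook must call again with ref set`. Because the revisions are unused, deleting a protected branch or rewriting its history is not distinguished from an ordinary push for anyone holding `:push_code_to_protected_branches`; either drop the two parameters or add a comment that they are reserved for that check. Separately, `attr_reader :params, :project, :git_cmd, :user` exposes instance variables that nothing in this file assigns, and `project` and `user` are shadowed by method parameters throughout, so the readers could be removed.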