diff options
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/gitlab/backend/grack_auth.rb | 60 | ||||
| -rw-r--r-- | lib/gitlab/git_access.rb | 4 | ||||
| -rw-r--r-- | lib/gitlab/upgrader.rb | 1 | ||||
| -rw-r--r-- | lib/tasks/gitlab/check.rake | 2 |
4 files changed, 40 insertions, 27 deletions
diff --git a/lib/gitlab/backend/grack_auth.rb b/lib/gitlab/backend/grack_auth.rb index b3e111354f5..c2f3b851c07 100644 --- a/lib/gitlab/backend/grack_auth.rb +++ b/lib/gitlab/backend/grack_auth.rb @@ -22,14 +22,16 @@ module Grack @env['SCRIPT_NAME'] = "" - auth! + if project + auth! + else + render_not_found + end end private def auth! - return render_not_found unless project - if @auth.provided? return bad_request unless @auth.basic? @@ -38,12 +40,8 @@ module Grack # Allow authentication for GitLab CI service # if valid token passed - if login == "gitlab-ci-token" && project.gitlab_ci? - token = project.gitlab_ci_service.token - - if token.present? && token == password && service_name == 'git-upload-pack' - return @app.call(env) - end + if gitlab_ci_request?(login, password) + return @app.call(env) end @user = authenticate_user(login, password) @@ -51,23 +49,26 @@ module Grack if @user Gitlab::ShellEnv.set_env(@user) @env['REMOTE_USER'] = @auth.username - else - return unauthorized end - - else - return unauthorized unless project.public? end - if authorized_git_request? + if authorized_request? @app.call(env) else unauthorized end end - def authorized_git_request? - authorize_request(service_name) + def gitlab_ci_request?(login, password) + if login == "gitlab-ci-token" && project.gitlab_ci? + token = project.gitlab_ci_service.token + + if token.present? && token == password && git_cmd == 'git-upload-pack' + return true + end + end + + false end def authenticate_user(login, password) @@ -75,20 +76,31 @@ module Grack auth.find(login, password) end - def authorize_request(service) - case service + def authorized_request? + case git_cmd when *Gitlab::GitAccess::DOWNLOAD_COMMANDS - # Serve only upload request. - # Authorization on push will be serverd by update hook in repository - Gitlab::GitAccess.new.download_allowed?(user, project) + if user + Gitlab::GitAccess.new.download_allowed?(user, project) + elsif project.public? + # Allow clone/fetch for public projects + true + else + false + end when *Gitlab::GitAccess::PUSH_COMMANDS - true + if user + # Skip user authorization on upload request. + # It will be serverd by update hook in repository + true + else + false + end else false end end - def service_name + def git_cmd if @request.get? @request.params['service'] elsif @request.post? diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb index 5fb5505743f..1ab8f9213a3 100644 --- a/lib/gitlab/git_access.rb +++ b/lib/gitlab/git_access.rb @@ -34,7 +34,7 @@ module Gitlab end def download_allowed?(user, project) - if user_allowed?(user) + if user && user_allowed?(user) user.can?(:download_code, project) else false @@ -42,7 +42,7 @@ module Gitlab end def push_allowed?(user, project, ref, oldrev, newrev) - if user_allowed?(user) + if user && user_allowed?(user) action = if project.protected_branch?(ref) :push_code_to_protected_branches else diff --git a/lib/gitlab/upgrader.rb b/lib/gitlab/upgrader.rb index 0fe4888665d..0846359f9b1 100644 --- a/lib/gitlab/upgrader.rb +++ b/lib/gitlab/upgrader.rb @@ -1,3 +1,4 @@ +require_relative "popen" require_relative "version_info" module Gitlab diff --git a/lib/tasks/gitlab/check.rake b/lib/tasks/gitlab/check.rake index 067735d66b1..071760c0c36 100644 --- a/lib/tasks/gitlab/check.rake +++ b/lib/tasks/gitlab/check.rake @@ -742,7 +742,7 @@ namespace :gitlab do end def check_gitlab_shell - required_version = Gitlab::VersionInfo.new(1, 9, 0) + required_version = Gitlab::VersionInfo.new(1, 9, 1) current_version = Gitlab::VersionInfo.parse(gitlab_shell_version) print "GitLab Shell version >= #{required_version} ? ... " |