From 11f87700e8bceeec96440809682406ae24334ed8 Mon Sep 17 00:00:00 2001 From: Kamil Trzcinski Date: Thu, 15 Sep 2016 11:57:09 +0200 Subject: Add access specs --- lib/api/internal.rb | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'lib/api/internal.rb') diff --git a/lib/api/internal.rb b/lib/api/internal.rb index 6e6efece7c4..2ec94570506 100644 --- a/lib/api/internal.rb +++ b/lib/api/internal.rb @@ -51,9 +51,9 @@ module API access = if wiki? - Gitlab::GitAccessWiki.new(actor, project, protocol) + Gitlab::GitAccessWiki.new(actor, project, protocol, capabilities: ssh_capabilities) else - Gitlab::GitAccess.new(actor, project, protocol) + Gitlab::GitAccess.new(actor, project, protocol, capabilities: ssh_capabilities) end access_status = access.check(params[:action], params[:changes]) @@ -130,6 +130,16 @@ module API { success: true, recovery_codes: codes } end + + private + + def ssh_capabilities + [ + :read_project, + :download_code, + :push_code + ] + end end end end -- cgit v1.2.1 From 9d1ccd2ad3af37139649100476b568d219343a57 Mon Sep 17 00:00:00 2001 From: Kamil Trzcinski Date: Thu, 15 Sep 2016 13:49:11 +0200 Subject: Fix existing authorization specs --- lib/api/internal.rb | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) (limited to 'lib/api/internal.rb') diff --git a/lib/api/internal.rb b/lib/api/internal.rb index 2ec94570506..2610fd329d6 100644 --- a/lib/api/internal.rb +++ b/lib/api/internal.rb @@ -35,6 +35,14 @@ module API Project.find_with_namespace(project_path) end end + + def ssh_capabilities + [ + :read_project, + :download_code, + :push_code + ] + end end post "/allowed" do @@ -130,16 +138,6 @@ module API { success: true, recovery_codes: codes } end - - private - - def ssh_capabilities - [ - :read_project, - :download_code, - :push_code - ] - end end end end -- cgit v1.2.1 From e40e3fdc8271d1becf7952c7e30546c5abecb79b Mon Sep 17 00:00:00 2001 
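Review bot: `ssh_capabilities`, added in the `@@ -130,6 +130,16 @@` hunk, has no comment saying what the list bounds, and it hands `:push_code` to every actor that reaches `post "/allowed"` over SSH. Whether `Gitlab::GitAccess` narrows this per actor is not visible in the diff, so a comment stating the intent would help, e.g. `# Abilities an SSH-authenticated actor can be granted at most; the per-actor check is done by GitAccess#check`, if that is accurate. The method is also declared under `private` in the class body rather than alongside the endpoint helpers, so it is worth confirming that the endpoint block in the `@@ -51,9 +51,9 @@` hunk can actually resolve it.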
From: Patricio Cano Date: Thu, 25 Aug 2016 17:26:20 -0500 Subject: Added LFS support to SSH - Required on the GitLab Rails side is mostly authentication and API related. --- lib/api/internal.rb | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) (limited to 'lib/api/internal.rb') diff --git a/lib/api/internal.rb b/lib/api/internal.rb index 6e6efece7c4..7c0a6eaa652 100644 --- a/lib/api/internal.rb +++ b/lib/api/internal.rb @@ -69,6 +69,10 @@ module API else project.repository.path_to_repo end + + # Return HTTP full path, so that gitlab-shell has this information + # ready for git-lfs-authenticate + response[:repository_http_path] = project.http_url_to_repo end response @@ -83,7 +87,14 @@ module API # get "/discover" do key = Key.find(params[:key_id]) - present key.user, with: Entities::UserSafe + user = key.user + if user + user.ensure_lfs_token! + present user, with: Entities::UserSafe + else + key.ensure_lfs_token! + { username: 'lfs-deploy-key', lfs_token: key.lfs_token } + end end get "/check" do -- cgit v1.2.1 From cb85cf1f0a7047c485d7b29b2792b8965e270898 Mon Sep 17 00:00:00 2001 From: Patricio Cano Date: Mon, 29 Aug 2016 13:05:07 -0500 Subject: Refactor LFS token logic to use a Redis key instead of a DB field, making it a 1 use only token. --- lib/api/internal.rb | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'lib/api/internal.rb') diff --git a/lib/api/internal.rb b/lib/api/internal.rb index 7c0a6eaa652..760f69663ab 100644 --- a/lib/api/internal.rb +++ b/lib/api/internal.rb 
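Review bot: `get "/discover"` now writes state in the `@@ -83,7 +87,14 @@` hunk: `ensure_lfs_token!` runs for every key lookup, so an LFS credential is created even for sessions that never use LFS. Issuing the token from a dedicated `post` endpoint that is called only for LFS authentication would keep the GET read-only and limit how many tokens exist. In the deploy-key branch the fixed `username: 'lfs-deploy-key'` is shared by all deploy keys, so the username alone cannot attribute a token to a key; `username: "lfs-deploy-key-#{key.id}"` would. Whether `Entities::UserSafe` exposes the user's token to the caller is not visible here.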
@@ -88,12 +88,13 @@ module API get "/discover" do key = Key.find(params[:key_id]) user = key.user + if user - user.ensure_lfs_token! - present user, with: Entities::UserSafe + token = Gitlab::LfsToken.new(user).set_token + { name: user.name, username: user.username, lfs_token: token } else - key.ensure_lfs_token! - { username: 'lfs-deploy-key', lfs_token: key.lfs_token } + token = Gitlab::LfsToken.new(key).set_token + { username: "lfs-deploy-key-#{key.id}", lfs_token: token } end end -- cgit v1.2.1 From 48f1a61fd5c6aac395be0ce5d59aee61bbb69fe9 Mon Sep 17 00:00:00 2001 From: Patricio Cano Date: Tue, 30 Aug 2016 13:38:22 -0500 Subject: Refactored LFS auth logic when using SSH to use its own API endpoint `/lfs_authenticate` and added tests. --- lib/api/internal.rb | 30 ++++++++++++++++++------------ 1 file changed, 18 insertions(+), 12 deletions(-) (limited to 'lib/api/internal.rb') diff --git a/lib/api/internal.rb b/lib/api/internal.rb index 760f69663ab..1b3388347a8 100644 --- a/lib/api/internal.rb +++ b/lib/api/internal.rb @@ -69,12 +69,26 @@ module API else project.repository.path_to_repo end + end + + response + end + + post "/lfs_authenticate" do + status 200 + + key = Key.find(params[:key_id]) + user = key.user - # Return HTTP full path, so that gitlab-shell has this information - # ready for git-lfs-authenticate - response[:repository_http_path] = project.http_url_to_repo + if user + token = Gitlab::LfsToken.new(user).generate + response = { username: user.username, lfs_token: token } + else + token = Gitlab::LfsToken.new(key).generate + response = { username: "lfs-deploy-key-#{key.id}", lfs_token: token } end + response[:repository_http_path] = project.http_url_to_repo response end 
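Review bot: The subject calls this a one-use token, but nothing in the `@@ -88,12 +88,13 @@` hunk shows the token being invalidated once used; `set_token` is simply called on every `get "/discover"`. If consumption and expiry are handled inside `Gitlab::LfsToken` or on the LFS HTTP side, a comment at the call site should say so, e.g. `# token lives in Redis with a TTL and is deleted on first successful use`, adjusted to what the class really does. The user branch also swaps `present user, with: Entities::UserSafe` for a hand-built hash, so existing callers of `/discover` should be checked against the new field set.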
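Review bot: `post "/lfs_authenticate"` in the `@@ -69,12 +69,26 @@` hunk returns a token and `project.http_url_to_repo` without any visible check that the key identified by `params[:key_id]` may read `project`. If the LFS HTTP endpoints enforce project access themselves, that is acceptable but should be stated in a comment; otherwise run the same access check that `/allowed` performs before building the response. The block also dereferences `project` unguarded, so an unknown `params[:project]` would presumably surface as a NoMethodError rather than a not-found response; a guard such as `not_found!('Project') unless project` ahead of the token generation would cover it, assuming the shared API helpers are available in this class.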
@@ -87,15 +101,7 @@ module API # get "/discover" do key = Key.find(params[:key_id]) - user = key.user - - if user - token = Gitlab::LfsToken.new(user).set_token - { name: user.name, username: user.username, lfs_token: token } - else - token = Gitlab::LfsToken.new(key).set_token - { username: "lfs-deploy-key-#{key.id}", lfs_token: token } - end + present key.user, with: Entities::UserSafe end get "/check" do -- cgit v1.2.1 From c25630ee2c2804e351a2c3ae4fd9224434e4698a Mon Sep 17 00:00:00 2001 From: Patricio Cano Date: Tue, 30 Aug 2016 18:43:24 -0500 Subject: Refactored handling of the `LfsToken` and added functionality to it to simplify external code. --- lib/api/internal.rb | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) (limited to 'lib/api/internal.rb') diff --git a/lib/api/internal.rb b/lib/api/internal.rb index 1b3388347a8..1f189d81d16 100644 --- a/lib/api/internal.rb +++ b/lib/api/internal.rb @@ -80,16 +80,18 @@ module API key = Key.find(params[:key_id]) user = key.user - if user - token = Gitlab::LfsToken.new(user).generate - response = { username: user.username, lfs_token: token } - else - token = Gitlab::LfsToken.new(key).generate - response = { username: "lfs-deploy-key-#{key.id}", lfs_token: token } - end + token_handler = + if user + Gitlab::LfsToken.new(user) + else + Gitlab::LfsToken.new(key) + end - response[:repository_http_path] = project.http_url_to_repo - response + { + username: token_handler.actor_name, + lfs_token: token_handler.generate, + repository_http_path: project.http_url_to_repo + } end get "/merge_request_urls" do -- cgit v1.2.1 From c144db2935f0f71c7f282a3015d126526bc16b57 Mon Sep 17 00:00:00 2001 From: Patricio Cano Date: Tue, 6 Sep 2016 16:32:39 -0500 Subject: Better authentication handling, syntax fixes and better actor handling for LFS Tokens --- lib/api/internal.rb | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) (limited to 'lib/api/internal.rb') 
diff --git a/lib/api/internal.rb b/lib/api/internal.rb index 1f189d81d16..f8211bdd8af 100644 --- a/lib/api/internal.rb +++ b/lib/api/internal.rb @@ -78,14 +78,7 @@ module API status 200 key = Key.find(params[:key_id]) - user = key.user - - token_handler = - if user - Gitlab::LfsToken.new(user) - else - Gitlab::LfsToken.new(key) - end + token_handler = Gitlab::LfsToken.new(key) { username: token_handler.actor_name, -- cgit v1.2.1 From e941365f3be88cebd57e9b08ba8702c1b688cb94 Mon Sep 17 00:00:00 2001 From: Kamil Trzcinski Date: Fri, 16 Sep 2016 09:59:10 +0200 Subject: Rename capabilities to authentication_abilities --- lib/api/internal.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'lib/api/internal.rb') diff --git a/lib/api/internal.rb b/lib/api/internal.rb index 865379c51c4..090d04544da 100644 --- a/lib/api/internal.rb +++ b/lib/api/internal.rb @@ -36,7 +36,7 @@ module API end end - def ssh_capabilities + def ssh_authentication_abilities [ :read_project, :download_code, @@ -59,9 +59,9 @@ module API access = if wiki? - Gitlab::GitAccessWiki.new(actor, project, protocol, capabilities: ssh_capabilities) + Gitlab::GitAccessWiki.new(actor, project, protocol, authentication_abilities: ssh_authentication_abilities) else - Gitlab::GitAccess.new(actor, project, protocol, capabilities: ssh_capabilities) + Gitlab::GitAccess.new(actor, project, protocol, authentication_abilities: ssh_authentication_abilities) end access_status = access.check(params[:action], params[:changes]) -- cgit v1.2.1 From 6d43c95b7011ec7ec4600e00bdc8df76bb39813c Mon Sep 17 00:00:00 2001 From: Kamil Trzcinski Date: Mon, 19 Sep 2016 13:38:58 +0200 Subject: Revert all changes introduced by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6043 --- lib/api/internal.rb | 13 ------------- 1 file changed, 13 deletions(-) (limited to 'lib/api/internal.rb') diff --git a/lib/api/internal.rb b/lib/api/internal.rb index 090d04544da..1114fd21784 100644 --- a/lib/api/internal.rb 
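Review bot: With the `if user` branch removed in the `@@ -78,14 +78,7 @@` hunk, the call site no longer shows which identity the LFS token is bound to, because `Gitlab::LfsToken.new(key)` now receives the key in every case. The commit subject suggests the class resolves the actor itself, but that code is outside this diff; if it does, a short comment such as `# LfsToken resolves the actor (owning user or deploy key) from the key` would make the binding explicit. A spec covering both a personal key and a deploy key would confirm that a user's key still yields a token tied to the user.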
+++ b/lib/api/internal.rb @@ -82,19 +82,6 @@ module API response end - post "/lfs_authenticate" do - status 200 - - key = Key.find(params[:key_id]) - token_handler = Gitlab::LfsToken.new(key) - - { - username: token_handler.actor_name, - lfs_token: token_handler.generate, - repository_http_path: project.http_url_to_repo - } - end - get "/merge_request_urls" do ::MergeRequests::GetUrlsService.new(project).execute(params[:changes]) end -- cgit v1.2.1 From 3c1bb3432b0b8448262ec9a9a3468641c82db5c1 Mon Sep 17 00:00:00 2001 From: Kamil Trzcinski Date: Mon, 19 Sep 2016 16:34:32 +0200 Subject: Revert "Revert all changes introduced by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6043" This reverts commit 6d43c95b7011ec7ec4600e00bdc8df76bb39813c. --- lib/api/internal.rb | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'lib/api/internal.rb') diff --git a/lib/api/internal.rb b/lib/api/internal.rb index 1114fd21784..090d04544da 100644 --- a/lib/api/internal.rb +++ b/lib/api/internal.rb @@ -82,6 +82,19 @@ module API response end + post "/lfs_authenticate" do + status 200 + + key = Key.find(params[:key_id]) + token_handler = Gitlab::LfsToken.new(key) + + { + username: token_handler.actor_name, + lfs_token: token_handler.generate, + repository_http_path: project.http_url_to_repo + } + end + get "/merge_request_urls" do ::MergeRequests::GetUrlsService.new(project).execute(params[:changes]) end -- cgit v1.2.1 From 2772109ac15bed2bd199294f8d770f49a749b4bd Mon Sep 17 00:00:00 2001 From: Patricio Cano Date: Wed, 28 Sep 2016 11:02:31 -0500 Subject: Handle LFS token creation and retrieval in the same method, and in the same Redis connection. Reset expiry time of token, if token is retrieved again before it expires. --- lib/api/internal.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/api/internal.rb') diff --git a/lib/api/internal.rb b/lib/api/internal.rb index 090d04544da..9a5d1ece070 100644 --- a/lib/api/internal.rb 
+++ b/lib/api/internal.rb @@ -90,7 +90,7 @@ module API { username: token_handler.actor_name, - lfs_token: token_handler.generate, + lfs_token: token_handler.token, repository_http_path: project.http_url_to_repo } end -- cgit v1.2.1 From 3095ac0ca45b044f2055cbd44654c83891245928 Mon Sep 17 00:00:00 2001 From: Dmitriy Zaporozhets Date: Thu, 27 Oct 2016 12:51:57 +0300 Subject: Make internal api work with full repo path instead of name Signed-off-by: Dmitriy Zaporozhets --- lib/api/internal.rb | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) (limited to 'lib/api/internal.rb') diff --git a/lib/api/internal.rb b/lib/api/internal.rb index 9a5d1ece070..8b5d2259b45 100644 --- a/lib/api/internal.rb +++ b/lib/api/internal.rb @@ -17,15 +17,25 @@ module API # helpers do + def project_path + @project_path ||= begin + project_path = params[:project].sub(/\.git\z/, '') + + Gitlab.config.repositories.storages.each do |_, storage_path| + project_path.sub!(storage_path, '') + end + + project_path + end + end + def wiki? - @wiki ||= params[:project].end_with?('.wiki') && - !Project.find_with_namespace(params[:project]) + @wiki ||= project_path.end_with?('.wiki') && + !Project.find_with_namespace(project_path) end def project @project ||= begin - project_path = params[:project] - # Check for *.wiki repositories. # Strip out the .wiki from the pathname before finding the # project. This applies the correct project permissions to -- cgit v1.2.1 From 440604ad1ba67dcbdd23633765b9140fae4bd4b9 Mon Sep 17 00:00:00 2001 From: Dmitriy Zaporozhets Date: Fri, 28 Oct 2016 15:55:55 +0300 Subject: Refactor storage path extraction from full repo path Signed-off-by: Dmitriy Zaporozhets --- lib/api/internal.rb | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) (limited to 'lib/api/internal.rb') diff --git a/lib/api/internal.rb b/lib/api/internal.rb index 8b5d2259b45..ccf181402f9 100644 --- a/lib/api/internal.rb +++ b/lib/api/internal.rb 
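Review bot: Switching `lfs_token:` from `token_handler.generate` to `token_handler.token` in the `@@ -90,7 +90,7 @@` hunk means, going by the commit description, that an existing token is handed out again and its expiry reset on each call, so a token that keeps being requested never ages out. That is a change from the earlier one-use wording in this series and should be a conscious decision; an absolute maximum lifetime inside `Gitlab::LfsToken` would bound it. At minimum the call site deserves a comment like `# token is reused and its TTL refreshed on every call; see Gitlab::LfsToken`. The class itself is outside this diff, so the exact expiry behaviour is inferred from the description only.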
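Review bot: In the new `project_path` helper (`@@ -17,15 +17,25 @@`), `project_path.sub!(storage_path, '')` removes the first occurrence of the storage path anywhere in the string, not only a leading prefix, so a path that merely contains a storage path is rewritten too. Because this value decides which project the access check runs against, the strip should be anchored, e.g. `project_path = project_path[storage_path.length..-1] if project_path.start_with?(storage_path)`. `params[:project]` is also dereferenced without a nil check, which would raise if the parameter is missing. The `project` helper's body continues past the end of the hunk.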
@@ -20,12 +20,7 @@ module API def project_path @project_path ||= begin project_path = params[:project].sub(/\.git\z/, '') - - Gitlab.config.repositories.storages.each do |_, storage_path| - project_path.sub!(storage_path, '') - end - - project_path + Repository.remove_storage_from_path(project_path) end end -- cgit v1.2.1 From 1c994dbc05c147714479288126742f3fee158fd8 Mon Sep 17 00:00:00 2001 From: Nick Thomas Date: Tue, 15 Nov 2016 15:02:44 +0000 Subject: Fix POST /internal/allowed to cope with gitlab-shell v4.0.0 project paths gitlab-shell v3.6.6 would give project paths like so: * namespace/project gitlab-shell v4.0.0 can give project paths like so: * /namespace1/namespace2/project * /namespace/project * /path/to/repository/storage/namespace1/namespace2/project * /path/to/repository/storage/namespace/project --- lib/api/internal.rb | 38 ++------------------------------------ 1 file changed, 2 insertions(+), 36 deletions(-) (limited to 'lib/api/internal.rb') diff --git a/lib/api/internal.rb b/lib/api/internal.rb index ccf181402f9..7087ce11401 100644 --- a/lib/api/internal.rb +++ b/lib/api/internal.rb @@ -3,6 +3,8 @@ module API class Internal < Grape::API before { authenticate_by_gitlab_shell_token! } + helpers ::API::Helpers::InternalHelpers + namespace 'internal' do # Check if git command is allowed to project # 
@@ -14,42 +16,6 @@ module API # ref - branch name # forced_push - forced_push # protocol - Git access protocol being used, e.g. HTTP or SSH - # - - helpers do - def project_path - @project_path ||= begin - project_path = params[:project].sub(/\.git\z/, '') - Repository.remove_storage_from_path(project_path) - end - end - - def wiki? - @wiki ||= project_path.end_with?('.wiki') && - !Project.find_with_namespace(project_path) - end - - def project - @project ||= begin - # Check for *.wiki repositories. - # Strip out the .wiki from the pathname before finding the - # project. This applies the correct project permissions to - # the wiki repository as well. - project_path.chomp!('.wiki') if wiki? - - Project.find_with_namespace(project_path) - end - end - - def ssh_authentication_abilities - [ - :read_project, - :download_code, - :push_code - ] - end - end - post "/allowed" do status 200 -- cgit v1.2.1