From d3305df7aac4e632707492118a0ce91e67ed74ce Mon Sep 17 00:00:00 2001 From: Jacob Vosmaer Date: Tue, 28 Jul 2015 14:33:19 +0200 Subject: Experimental support for gitlab-git-http-server https://gitlab.com/gitlab-org/gitlab-git-http-server This change introduces the GITLAB_GRACK_AUTH_ONLY environment variable. When set, Grack requests to GitLab will only respond with the user's GL_ID (if the request is OK) or an error. This allows gitlab-git-http-server to use the main GitLab application as an authentication and authorization backend. If we like how this works we should drop the GITLAB_GRACK_AUTH_ONLY variable at some point in the future. --- lib/gitlab/backend/grack_auth.rb | 7 ++++++- lib/gitlab/backend/shell_env.rb | 6 +++++- lib/support/nginx/gitlab | 25 +++++++++++++++++++++++++ lib/support/nginx/gitlab-ssl | 25 +++++++++++++++++++++++++ 4 files changed, 61 insertions(+), 2 deletions(-) (limited to 'lib') diff --git a/lib/gitlab/backend/grack_auth.rb b/lib/gitlab/backend/grack_auth.rb index 03cef30c97d..f7fc97651f2 100644 --- a/lib/gitlab/backend/grack_auth.rb +++ b/lib/gitlab/backend/grack_auth.rb @@ -26,7 +26,12 @@ module Grack auth! if project && authorized_request? - @app.call(env) + if ENV['GITLAB_GRACK_AUTH_ONLY'] == '1' + # Tell gitlab-git-http-server the request is OK, and what the GL_ID is + [200, { "Content-Type" => "text/plain" }, [Gitlab::ShellEnv.gl_id(@user)]] + else + @app.call(env) + end elsif @user.nil? && !@gitlab_ci unauthorized else diff --git a/lib/gitlab/backend/shell_env.rb b/lib/gitlab/backend/shell_env.rb index 17ec029eed4..009a3ec1a4b 100644 --- a/lib/gitlab/backend/shell_env.rb +++ b/lib/gitlab/backend/shell_env.rb @@ -7,7 +7,7 @@ module Gitlab def set_env(user) # Set GL_ID env variable if user - ENV['GL_ID'] = "user-#{user.id}" + ENV['GL_ID'] = gl_id(user) end end @@ -15,5 +15,9 @@ module Gitlab # Reset GL_ID env variable ENV['GL_ID'] = nil end + + def gl_id(user) + "user-#{user.id}" + end end end diff --git a/lib/support/nginx/gitlab b/lib/support/nginx/gitlab index edb987875df..efa0898900f 100644 --- a/lib/support/nginx/gitlab +++ b/lib/support/nginx/gitlab @@ -38,6 +38,11 @@ upstream gitlab { server unix:/home/git/gitlab/tmp/sockets/gitlab.socket fail_timeout=0; } +## Experimental: gitlab-git-http-server +# upstream gitlab-git-http-server { +# server localhost:8181; +# } + ## Normal HTTP host server { ## Either remove "default_server" from the listen line below, @@ -109,6 +114,26 @@ server { proxy_pass http://gitlab; } + ## Experimental: send Git HTTP traffic to gitlab-git-http-server instead of Unicorn + # location ~ [-\/\w\.]+\.git\/ { + # ## If you use HTTPS make sure you disable gzip compression + # ## to be safe against BREACH attack. + # # gzip off; + + # ## https://github.com/gitlabhq/gitlabhq/issues/694 + # ## Some requests take more than 30 seconds. + # proxy_read_timeout 300; + # proxy_connect_timeout 300; + # proxy_redirect off; + + # proxy_set_header Host $http_host; + # proxy_set_header X-Real-IP $remote_addr; + # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # proxy_set_header X-Forwarded-Proto $scheme; + + # proxy_pass http://gitlab-git-http-server; + # } + ## Enable gzip compression as per rails guide: ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression ## WARNING: If you are using relative urls remove the block below diff --git a/lib/support/nginx/gitlab-ssl b/lib/support/nginx/gitlab-ssl index 766559b49f6..314525518f1 100644 --- a/lib/support/nginx/gitlab-ssl +++ b/lib/support/nginx/gitlab-ssl @@ -42,6 +42,11 @@ upstream gitlab { server unix:/home/git/gitlab/tmp/sockets/gitlab.socket fail_timeout=0; } +## Experimental: gitlab-git-http-server +# upstream gitlab-git-http-server { +# server localhost:8181; +# } + ## Redirects all HTTP traffic to the HTTPS host server { ## Either remove "default_server" from the listen line below, @@ -156,6 +161,26 @@ server { proxy_pass http://gitlab; } + ## Experimental: send Git HTTP traffic to gitlab-git-http-server instead of Unicorn + # location ~ [-\/\w\.]+\.git\/ { + # ## If you use HTTPS make sure you disable gzip compression + # ## to be safe against BREACH attack. + # gzip off; + + # ## https://github.com/gitlabhq/gitlabhq/issues/694 + # ## Some requests take more than 30 seconds. + # proxy_read_timeout 300; + # proxy_connect_timeout 300; + # proxy_redirect off; + + # proxy_set_header Host $http_host; + # proxy_set_header X-Real-IP $remote_addr; + # proxy_set_header X-Forwarded-Ssl on; + # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # proxy_set_header X-Forwarded-Proto $scheme; + # proxy_pass http://gitlab-git-http-server; + # } + ## Enable gzip compression as per rails guide: ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression ## WARNING: If you are using relative urls remove the block below -- cgit v1.2.1 From ae9e5eea3c6955d278182005808fbdfccd4d447b Mon Sep 17 00:00:00 2001 From: GitLab Date: Tue, 28 Jul 2015 15:17:06 +0200 Subject: Handle missing @user during Git HTTP requests --- lib/gitlab/backend/grack_auth.rb | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/gitlab/backend/grack_auth.rb b/lib/gitlab/backend/grack_auth.rb index f7fc97651f2..5966d394b62 100644 --- a/lib/gitlab/backend/grack_auth.rb +++ b/lib/gitlab/backend/grack_auth.rb @@ -28,7 +28,7 @@ module Grack if project && authorized_request? if ENV['GITLAB_GRACK_AUTH_ONLY'] == '1' # Tell gitlab-git-http-server the request is OK, and what the GL_ID is - [200, { "Content-Type" => "text/plain" }, [Gitlab::ShellEnv.gl_id(@user)]] + render_grack_auth_ok else @app.call(env) end @@ -179,6 +179,15 @@ module Grack end end + def render_grack_auth_ok + if @user.present? + body = Gitlab::ShellEnv.gl_id(@user) + else + body = '' + end + [200, { "Content-Type" => "text/plain" }, [body]] + end + def render_not_found [404, { "Content-Type" => "text/plain" }, ["Not Found"]] end -- cgit v1.2.1 From 6912f21e5c9dd812286fce156534ebc094466e17 Mon Sep 17 00:00:00 2001 From: GitLab Date: Tue, 28 Jul 2015 15:55:53 +0200 Subject: Send GL_ID to gitlab-git-http-server as JSON --- lib/gitlab/backend/grack_auth.rb | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'lib') diff --git a/lib/gitlab/backend/grack_auth.rb b/lib/gitlab/backend/grack_auth.rb index 5966d394b62..e8cb0c77fb4 100644 --- a/lib/gitlab/backend/grack_auth.rb +++ b/lib/gitlab/backend/grack_auth.rb @@ -181,11 +181,12 @@ module Grack def render_grack_auth_ok if @user.present? - body = Gitlab::ShellEnv.gl_id(@user) + gl_id = Gitlab::ShellEnv.gl_id(@user) else - body = '' + gl_id = '' end - [200, { "Content-Type" => "text/plain" }, [body]] + + [200, { "Content-Type" => "application/json" }, [JSON.dump({'GL_ID' => gl_id})]] end def render_not_found -- cgit v1.2.1 From 16dcf356b5afe351a78ac976db30e4999600b13b Mon Sep 17 00:00:00 2001 From: GitLab Date: Tue, 28 Jul 2015 18:04:57 +0200 Subject: Fix style points To make Rubocop and Douwe happy --- lib/gitlab/backend/grack_auth.rb | 8 +------- lib/gitlab/backend/shell_env.rb | 7 ++++++- 2 files changed, 7 insertions(+), 8 deletions(-) (limited to 'lib') diff --git a/lib/gitlab/backend/grack_auth.rb b/lib/gitlab/backend/grack_auth.rb index e8cb0c77fb4..12292f614e9 100644 --- a/lib/gitlab/backend/grack_auth.rb +++ b/lib/gitlab/backend/grack_auth.rb @@ -180,13 +180,7 @@ module Grack end def render_grack_auth_ok - if @user.present? - gl_id = Gitlab::ShellEnv.gl_id(@user) - else - gl_id = '' - end - - [200, { "Content-Type" => "application/json" }, [JSON.dump({'GL_ID' => gl_id})]] + [200, { "Content-Type" => "application/json" }, [JSON.dump({ 'GL_ID' => Gitlab::ShellEnv.gl_id(@user) })]] end def render_not_found diff --git a/lib/gitlab/backend/shell_env.rb b/lib/gitlab/backend/shell_env.rb index 009a3ec1a4b..9f5adee594a 100644 --- a/lib/gitlab/backend/shell_env.rb +++ b/lib/gitlab/backend/shell_env.rb @@ -17,7 +17,12 @@ module Gitlab end def gl_id(user) - "user-#{user.id}" + if user.present? + "user-#{user.id}" + else + # This empty string is used in the render_grack_auth_ok method + "" + end end end end -- cgit v1.2.1