gitlab-org--gitlab-foss/lib/gitlab/backend/grack_auth.rb

require_relative 'shell_env'

module Grack
  class Auth < Rack::Auth::Basic

    attr_accessor :user, :project, :env

    def call(env)
      @env = env
      @request = Rack::Request.new(env)
      @auth = Request.new(env)

      # Need this patch due to the rails mount

      # Need this if under RELATIVE_URL_ROOT
      unless Gitlab.config.gitlab.relative_url_root.empty?
        # If website is mounted using relative_url_root need to remove it first
        @env['PATH_INFO'] = @request.path.sub(Gitlab.config.gitlab.relative_url_root,'')
      else
        @env['PATH_INFO'] = @request.path
      end

      @env['SCRIPT_NAME'] = ""

      if project
        auth!
      else
        render_not_found
      end
    end

    private

    def auth!
      if @auth.provided?
        return bad_request unless @auth.basic?

        # Authentication with username and password
        login, password = @auth.credentials

        # Allow authentication for GitLab CI service
        # if valid token passed
        if gitlab_ci_request?(login, password)
          return @app.call(env)
        end

        @user = authenticate_user(login, password)

        if @user
          Gitlab::ShellEnv.set_env(@user)
          @env['REMOTE_USER'] = @auth.username
        end
      end

      if authorized_request?
        @app.call(env)
      else
        unauthorized
      end
    end

    def gitlab_ci_request?(login, password)
      if login == "gitlab-ci-token" && project.gitlab_ci?
        token = project.gitlab_ci_service.token

        if token.present? && token == password && git_cmd == 'git-upload-pack'
          return true
        end
      end

      false
    end

    def authenticate_user(login, password)
      auth = Gitlab::Auth.new
      auth.find(login, password)
    end

    def authorized_request?
      case git_cmd
      when *Gitlab::GitAccess::DOWNLOAD_COMMANDS
        if user
          Gitlab::GitAccess.new.download_allowed?(user, project)
        elsif project.public?
          # Allow clone/fetch for public projects
          true
        else
          false
        end
      when *Gitlab::GitAccess::PUSH_COMMANDS
        if user
          # Skip user authorization on upload request.
          # It will be serverd by update hook in repository
          true
        else
          false
        end
      else
        false
      end
    end

    def git_cmd
      if @request.get?
        @request.params['service']
      elsif @request.post?
        File.basename(@request.path)
      else
        nil
      end
    end

    def project
      @project ||= project_by_path(@request.path_info)
    end

    def project_by_path(path)
      if m = /^([\w\.\/-]+)\.git/.match(path).to_a
        path_with_namespace = m.last
        path_with_namespace.gsub!(/\.wiki$/, '')

        Project.find_with_namespace(path_with_namespace)
      end
    end

    def render_not_found
      [404, {"Content-Type" => "text/plain"}, ["Not Found"]]
    end
  end
end
require missing lib 2013-02-14 08:25:55 -05:00			`require_relative 'shell_env'`

mount grack to git, u can 'git clone http://localhost/git/xx.git' now 2012-06-28 23:30:31 -04:00			`module Grack`
			`class Auth < Rack::Auth::Basic`
Refactor grack auth module. Add git over http wiki support 2013-06-14 07:42:55 -04:00
push via http now served via /allowed API Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-19 15:02:39 -04:00			`attr_accessor :user, :project, :env`
mount grack to git, u can 'git clone http://localhost/git/xx.git' now 2012-06-28 23:30:31 -04:00
Public HTTP clones and remove auth request for public projects 2013-01-14 09:46:55 -05:00			`def call(env)`
			`@env = env`
			`@request = Rack::Request.new(env)`
			`@auth = Request.new(env)`
Public git read-only access via http 2013-01-10 13:17:57 -05:00
Public HTTP clones and remove auth request for public projects 2013-01-14 09:46:55 -05:00			`# Need this patch due to the rails mount`
Fix issue when developers are able to push to protected branch When that branch contain a '/' in the branch name. Fix for git over HTTP 2013-08-26 05:54:57 -04:00
Fixes grack authentification under relative_url_root Ref: https://github.com/gitlabhq/gitlabhq/commit/e6159b8725f99af78f446f8d33fa0e52b7780430 Ref: https://github.com/gitlabhq/gitlabhq/pull/3204 Ref: https://github.com/gitlabhq/gitlabhq/issues/1228 Add Rails' variable in application.rb to support relative url This variable is used by assets compilation and other modules. Note that user needs to change application.rb too Restrict session cookie to the relative path if set. Ref: https://github.com/gitlabhq/gitlabhq/commit/2c2f1e31856a4decdae469974f5bea8245316f7e Fix Update attachment_uploader.rb bug with relative URL See: https://github.com/gitlabhq/gitlabhq/commit/161afda3fa4fca58f396e9c3acbd72bc14490ace Fix Wall relative bug with attachement files (javascript) 2013-07-30 10:48:00 -04:00			`# Need this if under RELATIVE_URL_ROOT`
			`unless Gitlab.config.gitlab.relative_url_root.empty?`
			`# If website is mounted using relative_url_root need to remove it first`
			`@env['PATH_INFO'] = @request.path.sub(Gitlab.config.gitlab.relative_url_root,'')`
			`else`
			`@env['PATH_INFO'] = @request.path`
			`end`
Fix issue when developers are able to push to protected branch When that branch contain a '/' in the branch name. Fix for git over HTTP 2013-08-26 05:54:57 -04:00
Public HTTP clones and remove auth request for public projects 2013-01-14 09:46:55 -05:00			`@env['SCRIPT_NAME'] = ""`
Fix http push with namespaces. Allow use of username as login 2012-11-26 04:23:08 -05:00
Fix http clone for public project Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-21 08:52:30 -04:00			`if project`
			`auth!`
			`else`
			`render_not_found`
			`end`
Public HTTP clones and remove auth request for public projects 2013-01-14 09:46:55 -05:00			`end`
fix a npe, and need a patch for path_info 2012-06-29 09:40:23 -04:00
Refactor grack auth module. Add git over http wiki support 2013-06-14 07:42:55 -04:00			`private`

			`def auth!`
Public HTTP clones and remove auth request for public projects 2013-01-14 09:46:55 -05:00			`if @auth.provided?`
Refactor grack auth module. Add git over http wiki support 2013-06-14 07:42:55 -04:00			`return bad_request unless @auth.basic?`

Public HTTP clones and remove auth request for public projects 2013-01-14 09:46:55 -05:00			`# Authentication with username and password`
			`login, password = @auth.credentials`
Fix ldap auth for http push 2013-05-24 13:36:28 -04:00
Allow git clone with http for GitLab CI service: If you enable GitLab CI for project you will be able to clone project source code with next command: git clone http://gitlab-ci-token:XXXXXXXXXXXX@host:project.git Requires for GitLab CI 4.0 2013-10-24 10:17:22 -04:00			`# Allow authentication for GitLab CI service`
			`# if valid token passed`
Fix http clone for public project Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-21 08:52:30 -04:00			`if gitlab_ci_request?(login, password)`
			`return @app.call(env)`
Allow git clone with http for GitLab CI service: If you enable GitLab CI for project you will be able to clone project source code with next command: git clone http://gitlab-ci-token:XXXXXXXXXXXX@host:project.git Requires for GitLab CI 4.0 2013-10-24 10:17:22 -04:00			`end`

Refactor grack auth module. Add git over http wiki support 2013-06-14 07:42:55 -04:00			`@user = authenticate_user(login, password)`
Fix ldap auth for http push 2013-05-24 13:36:28 -04:00
Refactor grack auth module. Add git over http wiki support 2013-06-14 07:42:55 -04:00			`if @user`
			`Gitlab::ShellEnv.set_env(@user)`
			`@env['REMOTE_USER'] = @auth.username`
			`end`
Public HTTP clones and remove auth request for public projects 2013-01-14 09:46:55 -05:00			`end`
bypass gitolite update hook, and set an GL_USER variable. 2012-07-02 04:44:45 -04:00
Fix http clone for public project Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-21 08:52:30 -04:00			`if authorized_request?`
Refactor grack auth module. Add git over http wiki support 2013-06-14 07:42:55 -04:00			`@app.call(env)`
			`else`
			`unauthorized`
			`end`
			`end`

Fix http clone for public project Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-21 08:52:30 -04:00			`def gitlab_ci_request?(login, password)`
			`if login == "gitlab-ci-token" && project.gitlab_ci?`
			`token = project.gitlab_ci_service.token`

			`if token.present? && token == password && git_cmd == 'git-upload-pack'`
Fix gitlab-ci integration Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-21 17:04:57 -04:00			`return true`
Fix http clone for public project Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-21 08:52:30 -04:00			`end`
			`end`

			`false`
Security for online editor. Replace dev_access?, master_access? with can? method usage 2012-10-21 05:12:14 -04:00			`end`

Refactor grack auth module. Add git over http wiki support 2013-06-14 07:42:55 -04:00			`def authenticate_user(login, password)`
Add LDAP support to /api/session 2013-07-16 04:28:19 -04:00			`auth = Gitlab::Auth.new`
			`auth.find(login, password)`
Fix ldap auth for http push 2013-05-24 13:36:28 -04:00			`end`

Fix http clone for public project Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-21 08:52:30 -04:00			`def authorized_request?`
			`case git_cmd`
Improve grack auth Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-20 04:53:03 -04:00			`when *Gitlab::GitAccess::DOWNLOAD_COMMANDS`
Fix http clone for public project Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-21 08:52:30 -04:00			`if user`
			`Gitlab::GitAccess.new.download_allowed?(user, project)`
			`elsif project.public?`
			`# Allow clone/fetch for public projects`
			`true`
			`else`
			`false`
			`end`
Improve grack auth Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-20 04:53:03 -04:00			`when *Gitlab::GitAccess::PUSH_COMMANDS`
Fix http clone for public project Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-21 08:52:30 -04:00			`if user`
			`# Skip user authorization on upload request.`
			`# It will be serverd by update hook in repository`
			`true`
			`else`
			`false`
			`end`
Improve grack auth Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-20 04:53:03 -04:00			`else`
			`false`
Security for online editor. Replace dev_access?, master_access? with can? method usage 2012-10-21 05:12:14 -04:00			`end`
			`end`
implements protected branches to smart http protocal 2012-06-29 06:11:37 -04:00
Fix http clone for public project Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-21 08:52:30 -04:00			`def git_cmd`
Allow git clone with http for GitLab CI service: If you enable GitLab CI for project you will be able to clone project source code with next command: git clone http://gitlab-ci-token:XXXXXXXXXXXX@host:project.git Requires for GitLab CI 4.0 2013-10-24 10:17:22 -04:00			`if @request.get?`
			`@request.params['service']`
			`elsif @request.post?`
			`File.basename(@request.path)`
			`else`
			`nil`
			`end`
			`end`

Public HTTP clones and remove auth request for public projects 2013-01-14 09:46:55 -05:00			`def project`
Refactor grack auth module. Add git over http wiki support 2013-06-14 07:42:55 -04:00			`@project \|\|= project_by_path(@request.path_info)`
Public HTTP clones and remove auth request for public projects 2013-01-14 09:46:55 -05:00			`end`
Improve grack auth Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-20 04:53:03 -04:00
			`def project_by_path(path)`
			`if m = /^([\w\.\/-]+)\.git/.match(path).to_a`
			`path_with_namespace = m.last`
			`path_with_namespace.gsub!(/\.wiki$/, '')`

			`Project.find_with_namespace(path_with_namespace)`
			`end`
			`end`

			`def render_not_found`
			`[404, {"Content-Type" => "text/plain"}, ["Not Found"]]`
			`end`
Refactor grack auth module. Add git over http wiki support 2013-06-14 07:42:55 -04:00			`end`
			`end`