gitlab-org--gitlab-foss/lib/gitlab/git_access_snippet.rb

# frozen_string_literal: true

module Gitlab
  class GitAccessSnippet < GitAccess
    extend ::Gitlab::Utils::Override

    ERROR_MESSAGES = {
      authentication_mechanism: 'The authentication mechanism is not supported.',
      read_snippet: 'You are not allowed to read this snippet.',
      update_snippet: 'You are not allowed to update this snippet.',
      snippet_not_found: 'The snippet you were looking for could not be found.',
      no_repo: 'The snippet repository you were looking for could not be found.'
    }.freeze

    alias_method :snippet, :container

    def initialize(actor, snippet, protocol, **kwargs)
      super(actor, snippet, protocol, **kwargs)

      @auth_result_type = nil
      @authentication_abilities &= [:download_code, :push_code]
    end

    override :project
    def project
      container.project if container.is_a?(ProjectSnippet)
    end

    override :check
    def check(cmd, changes)
      check_snippet_accessibility!

      super.tap do |_|
        # Ensure HEAD points to the default branch in case it is not master
        snippet.change_head_to_default_branch
      end
    end

    override :download_ability
    def download_ability
      :read_snippet
    end

    override :push_ability
    def push_ability
      :update_snippet
    end

    private

    # TODO: Implement EE/Geo https://gitlab.com/gitlab-org/gitlab/issues/205629
    override :check_custom_action
    def check_custom_action
      # snippets never return custom actions, such as geo replication.
    end

    override :check_valid_actor!
    def check_valid_actor!
      # TODO: Investigate if expanding actor/authentication types are needed.
      # https://gitlab.com/gitlab-org/gitlab/issues/202190
      if actor && !allowed_actor?
        raise ForbiddenError, error_message(:authentication_mechanism)
      end

      super
    end

    def allowed_actor?
      actor.is_a?(User) || actor.instance_of?(Key)
    end

    override :check_push_access!
    def check_push_access!
      raise ForbiddenError, error_message(:update_snippet) unless user

      if snippet&.repository_read_only?
        raise ForbiddenError, error_message(:read_only)
      end

      check_change_access!
    end

    def check_snippet_accessibility!
      if snippet.blank?
        raise NotFoundError, error_message(:snippet_not_found)
      end
    end

    override :can_read_project?
    def can_read_project?
      return true if user&.migration_bot?

      super
    end

    override :check_download_access!
    def check_download_access!
      passed = guest_can_download_code? || user_can_download_code?

      unless passed
        raise ForbiddenError, error_message(:read_snippet)
      end
    end

    override :check_change_access!
    def check_change_access!
      unless user_can_push?
        raise ForbiddenError, error_message(:update_snippet)
      end

      check_size_before_push!

      changes_list.each do |change|
        # If user does not have access to make at least one change, cancel all
        # push by allowing the exception to bubble up
        check_single_change_access(change)
      end

      check_push_size!
    end

    override :check_single_change_access
    def check_single_change_access(change, _skip_lfs_integrity_check: false)
      Checks::SnippetCheck.new(change, default_branch: snippet.default_branch, root_ref: snippet.repository.root_ref, logger: logger).validate!
      Checks::PushFileCountCheck.new(change, repository: repository, limit: Snippet.max_file_limit, logger: logger).validate!
    rescue Checks::TimedLogger::TimeoutError
      raise TimeoutError, logger.full_message
    end

    override :user_access
    def user_access
      @user_access ||= UserAccessSnippet.new(user, snippet: snippet)
    end

    override :check_size_limit?
    def check_size_limit?
      return false if user&.migration_bot?

      super
    end
  end
end

Gitlab::GitAccessSnippet.prepend_if_ee('EE::Gitlab::GitAccessSnippet')
Add latest changes from gitlab-org/gitlab@master 2020-02-13 10:08:52 -05:00			`# frozen_string_literal: true`

			`module Gitlab`
			`class GitAccessSnippet < GitAccess`
Add latest changes from gitlab-org/gitlab@master 2020-02-27 10:09:24 -05:00			`extend ::Gitlab::Utils::Override`

Add latest changes from gitlab-org/gitlab@master 2020-02-13 10:08:52 -05:00			`ERROR_MESSAGES = {`
Add latest changes from gitlab-org/gitlab@master 2020-02-27 10:09:24 -05:00			`authentication_mechanism: 'The authentication mechanism is not supported.',`
			`read_snippet: 'You are not allowed to read this snippet.',`
			`update_snippet: 'You are not allowed to update this snippet.',`
Add latest changes from gitlab-org/gitlab@master 2020-02-13 10:08:52 -05:00			`snippet_not_found: 'The snippet you were looking for could not be found.',`
Add latest changes from gitlab-org/gitlab@master 2020-07-21 14:09:45 -04:00			`no_repo: 'The snippet repository you were looking for could not be found.'`
Add latest changes from gitlab-org/gitlab@master 2020-02-13 10:08:52 -05:00			`}.freeze`

Add latest changes from gitlab-org/gitlab@master 2020-07-21 14:09:45 -04:00			`alias_method :snippet, :container`
Add latest changes from gitlab-org/gitlab@master 2020-04-06 20:09:33 -04:00
Add latest changes from gitlab-org/gitlab@master 2020-02-13 10:08:52 -05:00			`def initialize(actor, snippet, protocol, **kwargs)`
Add latest changes from gitlab-org/gitlab@master 2020-07-21 14:09:45 -04:00			`super(actor, snippet, protocol, **kwargs)`
Add latest changes from gitlab-org/gitlab@master 2020-02-27 10:09:24 -05:00
			`@auth_result_type = nil`
			`@authentication_abilities &= [:download_code, :push_code]`
Add latest changes from gitlab-org/gitlab@master 2020-02-13 10:08:52 -05:00			`end`

Add latest changes from gitlab-org/gitlab@master 2020-10-05 11:08:56 -04:00			`override :project`
			`def project`
			`container.project if container.is_a?(ProjectSnippet)`
			`end`

Add latest changes from gitlab-org/gitlab@master 2020-07-21 14:09:45 -04:00			`override :check`
Add latest changes from gitlab-org/gitlab@master 2020-02-27 10:09:24 -05:00			`def check(cmd, changes)`
Add latest changes from gitlab-org/gitlab@master 2020-02-13 10:08:52 -05:00			`check_snippet_accessibility!`

Add latest changes from gitlab-org/gitlab@master 2020-12-23 04:10:13 -05:00			`super.tap do \|_\|`
			`# Ensure HEAD points to the default branch in case it is not master`
			`snippet.change_head_to_default_branch`
			`end`
Add latest changes from gitlab-org/gitlab@master 2020-02-13 10:08:52 -05:00			`end`

Add latest changes from gitlab-org/gitlab@master 2020-07-21 14:09:45 -04:00			`override :download_ability`
			`def download_ability`
			`:read_snippet`
			`end`

			`override :push_ability`
			`def push_ability`
			`:update_snippet`
			`end`

Add latest changes from gitlab-org/gitlab@master 2020-02-27 10:09:24 -05:00			`private`

Add latest changes from gitlab-org/gitlab@master 2020-07-21 14:09:45 -04:00			`# TODO: Implement EE/Geo https://gitlab.com/gitlab-org/gitlab/issues/205629`
			`override :check_custom_action`
			`def check_custom_action`
			`# snippets never return custom actions, such as geo replication.`
			`end`
Add latest changes from gitlab-org/gitlab@master 2020-05-28 11:08:02 -04:00
Add latest changes from gitlab-org/gitlab@master 2020-07-21 14:09:45 -04:00			`override :check_valid_actor!`
			`def check_valid_actor!`
			`# TODO: Investigate if expanding actor/authentication types are needed.`
			`# https://gitlab.com/gitlab-org/gitlab/issues/202190`
Add latest changes from gitlab-org/gitlab@master 2020-09-30 23:09:55 -04:00			`if actor && !allowed_actor?`
Add latest changes from gitlab-org/gitlab@master 2021-01-11 13:10:43 -05:00			`raise ForbiddenError, error_message(:authentication_mechanism)`
Add latest changes from gitlab-org/gitlab@master 2020-07-21 14:09:45 -04:00			`end`
Add latest changes from gitlab-org/gitlab@master 2020-03-17 08:09:52 -04:00
Add latest changes from gitlab-org/gitlab@master 2020-06-09 17:08:21 -04:00			`super`
Add latest changes from gitlab-org/gitlab@master 2020-02-13 10:08:52 -05:00			`end`

Add latest changes from gitlab-org/gitlab@master 2020-09-30 23:09:55 -04:00			`def allowed_actor?`
			`actor.is_a?(User) \|\| actor.instance_of?(Key)`
			`end`

Add latest changes from gitlab-org/gitlab@master 2020-02-27 10:09:24 -05:00			`override :check_push_access!`
			`def check_push_access!`
Add latest changes from gitlab-org/gitlab@master 2021-01-11 13:10:43 -05:00			`raise ForbiddenError, error_message(:update_snippet) unless user`

			`if snippet&.repository_read_only?`
			`raise ForbiddenError, error_message(:read_only)`
			`end`
Add latest changes from gitlab-org/gitlab@master 2020-02-27 10:09:24 -05:00
			`check_change_access!`
			`end`
Add latest changes from gitlab-org/gitlab@master 2020-02-13 10:08:52 -05:00
			`def check_snippet_accessibility!`
			`if snippet.blank?`
Add latest changes from gitlab-org/gitlab@master 2021-01-11 13:10:43 -05:00			`raise NotFoundError, error_message(:snippet_not_found)`
Add latest changes from gitlab-org/gitlab@master 2020-02-13 10:08:52 -05:00			`end`
Add latest changes from gitlab-org/gitlab@master 2020-02-27 10:09:24 -05:00			`end`

Add latest changes from gitlab-org/gitlab@master 2020-05-06 14:09:38 -04:00			`override :can_read_project?`
			`def can_read_project?`
			`return true if user&.migration_bot?`

			`super`
			`end`

Add latest changes from gitlab-org/gitlab@master 2020-02-27 10:09:24 -05:00			`override :check_download_access!`
			`def check_download_access!`
			`passed = guest_can_download_code? \|\| user_can_download_code?`

			`unless passed`
Add latest changes from gitlab-org/gitlab@master 2021-01-11 13:10:43 -05:00			`raise ForbiddenError, error_message(:read_snippet)`
Add latest changes from gitlab-org/gitlab@master 2020-02-27 10:09:24 -05:00			`end`
			`end`

			`override :check_change_access!`
			`def check_change_access!`
Add latest changes from gitlab-org/gitlab@master 2020-07-21 14:09:45 -04:00			`unless user_can_push?`
Add latest changes from gitlab-org/gitlab@master 2021-01-11 13:10:43 -05:00			`raise ForbiddenError, error_message(:update_snippet)`
Add latest changes from gitlab-org/gitlab@master 2020-02-27 10:09:24 -05:00			`end`

Add latest changes from gitlab-org/gitlab@master 2020-04-06 20:09:33 -04:00			`check_size_before_push!`

Add latest changes from gitlab-org/gitlab@master 2020-02-27 10:09:24 -05:00			`changes_list.each do \|change\|`
			`# If user does not have access to make at least one change, cancel all`
			`# push by allowing the exception to bubble up`
			`check_single_change_access(change)`
			`end`
Add latest changes from gitlab-org/gitlab@master 2020-04-06 20:09:33 -04:00
			`check_push_size!`
Add latest changes from gitlab-org/gitlab@master 2020-02-27 10:09:24 -05:00			`end`

Add latest changes from gitlab-org/gitlab@master 2020-07-21 14:09:45 -04:00			`override :check_single_change_access`
			`def check_single_change_access(change, _skip_lfs_integrity_check: false)`
Add latest changes from gitlab-org/gitlab@master 2020-12-03 10:09:46 -05:00			`Checks::SnippetCheck.new(change, default_branch: snippet.default_branch, root_ref: snippet.repository.root_ref, logger: logger).validate!`
Add latest changes from gitlab-org/gitlab@master 2020-10-06 14:08:49 -04:00			`Checks::PushFileCountCheck.new(change, repository: repository, limit: Snippet.max_file_limit, logger: logger).validate!`
Add latest changes from gitlab-org/gitlab@master 2020-02-27 10:09:24 -05:00			`rescue Checks::TimedLogger::TimeoutError`
			`raise TimeoutError, logger.full_message`
			`end`
Add latest changes from gitlab-org/gitlab@master 2020-02-13 10:08:52 -05:00
Add latest changes from gitlab-org/gitlab@master 2020-02-27 10:09:24 -05:00			`override :user_access`
			`def user_access`
			`@user_access \|\|= UserAccessSnippet.new(user, snippet: snippet)`
			`end`

Add latest changes from gitlab-org/gitlab@master 2020-05-11 08:10:28 -04:00			`override :check_size_limit?`
			`def check_size_limit?`
			`return false if user&.migration_bot?`

			`super`
			`end`
Add latest changes from gitlab-org/gitlab@master 2020-02-13 10:08:52 -05:00			`end`
			`end`
Add latest changes from gitlab-org/gitlab@master 2020-09-30 23:09:55 -04:00
			`Gitlab::GitAccessSnippet.prepend_if_ee('EE::Gitlab::GitAccessSnippet')`