2018-09-25 23:45:43 -04:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2016-07-20 12:41:26 -04:00
|
|
|
# This file should be identical in GitLab Community Edition and Enterprise Edition
|
|
|
|
|
|
|
|
class Projects::GitHttpClientController < Projects::ApplicationController
|
|
|
|
include ActionController::HttpAuthentication::Basic
|
|
|
|
include KerberosSpnegoHelper
|
|
|
|
|
2017-06-15 20:04:17 -04:00
|
|
|
attr_reader :authentication_result, :redirected_path
|
2016-09-16 07:34:05 -04:00
|
|
|
|
|
|
|
delegate :actor, :authentication_abilities, to: :authentication_result, allow_nil: true
|
2018-03-27 11:35:27 -04:00
|
|
|
delegate :type, to: :authentication_result, allow_nil: true, prefix: :auth_result
|
2016-09-16 07:34:05 -04:00
|
|
|
|
|
|
|
alias_method :user, :actor
|
2017-10-03 02:28:22 -04:00
|
|
|
alias_method :authenticated_user, :actor
|
2016-07-20 12:41:26 -04:00
|
|
|
|
|
|
|
# Git clients will not know what authenticity token to send along
|
|
|
|
skip_before_action :verify_authenticity_token
|
|
|
|
skip_before_action :repository
|
|
|
|
before_action :authenticate_user
|
|
|
|
|
|
|
|
private
|
|
|
|
|
2016-11-21 10:31:51 -05:00
|
|
|
def download_request?
|
|
|
|
raise NotImplementedError
|
|
|
|
end
|
|
|
|
|
|
|
|
def upload_request?
|
|
|
|
raise NotImplementedError
|
|
|
|
end
|
|
|
|
|
2016-07-20 12:41:26 -04:00
|
|
|
def authenticate_user
|
2016-09-16 10:07:21 -04:00
|
|
|
@authentication_result = Gitlab::Auth::Result.new
|
|
|
|
|
2016-07-20 12:41:26 -04:00
|
|
|
if allow_basic_auth? && basic_auth_provided?
|
|
|
|
login, password = user_name_and_password(request)
|
2016-08-08 06:01:25 -04:00
|
|
|
|
2016-09-15 12:54:24 -04:00
|
|
|
if handle_basic_authentication(login, password)
|
2016-07-20 12:41:26 -04:00
|
|
|
return # Allow access
|
|
|
|
end
|
|
|
|
elsif allow_kerberos_spnego_auth? && spnego_provided?
|
2016-09-20 09:41:41 -04:00
|
|
|
kerberos_user = find_kerberos_user
|
2016-09-16 07:34:05 -04:00
|
|
|
|
2016-09-20 09:41:41 -04:00
|
|
|
if kerberos_user
|
2016-09-16 07:34:05 -04:00
|
|
|
@authentication_result = Gitlab::Auth::Result.new(
|
2016-09-20 09:41:41 -04:00
|
|
|
kerberos_user, nil, :kerberos, Gitlab::Auth.full_authentication_abilities)
|
2016-07-20 12:41:26 -04:00
|
|
|
|
|
|
|
send_final_spnego_response
|
|
|
|
return # Allow access
|
|
|
|
end
|
2016-11-02 17:50:44 -04:00
|
|
|
elsif project && download_request? && Guest.can?(:download_code, project)
|
|
|
|
@authentication_result = Gitlab::Auth::Result.new(nil, project, :none, [:download_code])
|
|
|
|
|
|
|
|
return # Allow access
|
2016-07-20 12:41:26 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
send_challenges
|
2018-07-02 06:43:06 -04:00
|
|
|
render plain: "HTTP Basic: Access denied\n", status: :unauthorized
|
2017-10-12 05:27:16 -04:00
|
|
|
rescue Gitlab::Auth::MissingPersonalAccessTokenError
|
|
|
|
render_missing_personal_access_token
|
2016-07-20 12:41:26 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
def basic_auth_provided?
|
|
|
|
has_basic_credentials?(request)
|
|
|
|
end
|
|
|
|
|
|
|
|
def send_challenges
|
|
|
|
challenges = []
|
|
|
|
challenges << 'Basic realm="GitLab"' if allow_basic_auth?
|
|
|
|
challenges << spnego_challenge if allow_kerberos_spnego_auth?
|
|
|
|
headers['Www-Authenticate'] = challenges.join("\n") if challenges.any?
|
|
|
|
end
|
|
|
|
|
|
|
|
def project
|
2017-06-15 20:04:17 -04:00
|
|
|
parse_repo_path unless defined?(@project)
|
2016-07-20 12:41:26 -04:00
|
|
|
|
2017-06-15 20:04:17 -04:00
|
|
|
@project
|
|
|
|
end
|
2016-07-20 12:41:26 -04:00
|
|
|
|
2017-06-15 20:04:17 -04:00
|
|
|
def parse_repo_path
|
|
|
|
@project, @wiki, @redirected_path = Gitlab::RepoPath.parse("#{params[:namespace_id]}/#{params[:project_id]}")
|
2016-07-20 12:41:26 -04:00
|
|
|
end
|
|
|
|
|
2017-10-12 05:27:16 -04:00
|
|
|
def render_missing_personal_access_token
|
2016-08-17 18:21:18 -04:00
|
|
|
render plain: "HTTP Basic: Access denied\n" \
|
2017-06-07 15:49:45 -04:00
|
|
|
"You must use a personal access token with 'api' scope for Git over HTTP.\n" \
|
2016-08-15 16:47:29 -04:00
|
|
|
"You can generate one at #{profile_personal_access_tokens_url}",
|
2018-07-02 06:43:06 -04:00
|
|
|
status: :unauthorized
|
2016-08-11 12:42:34 -04:00
|
|
|
end
|
|
|
|
|
2016-07-20 12:41:26 -04:00
|
|
|
def repository
|
2017-01-24 15:04:45 -05:00
|
|
|
wiki? ? project.wiki.repository : project.repository
|
|
|
|
end
|
|
|
|
|
|
|
|
def wiki?
|
2017-06-15 20:04:17 -04:00
|
|
|
parse_repo_path unless defined?(@wiki)
|
2016-07-20 12:41:26 -04:00
|
|
|
|
2017-06-15 20:04:17 -04:00
|
|
|
@wiki
|
2016-07-20 12:41:26 -04:00
|
|
|
end
|
|
|
|
|
2016-09-16 07:34:05 -04:00
|
|
|
def handle_basic_authentication(login, password)
|
|
|
|
@authentication_result = Gitlab::Auth.find_for_git_client(
|
|
|
|
login, password, project: project, ip: request.ip)
|
2016-08-19 13:10:41 -04:00
|
|
|
|
2017-05-16 15:58:46 -04:00
|
|
|
@authentication_result.success?
|
2016-09-16 07:34:05 -04:00
|
|
|
end
|
|
|
|
|
2016-09-16 10:07:21 -04:00
|
|
|
def ci?
|
2016-09-20 04:24:47 -04:00
|
|
|
authentication_result.ci?(project)
|
2016-09-16 10:07:21 -04:00
|
|
|
end
|
2016-07-20 12:41:26 -04:00
|
|
|
end
|