2013-02-14 08:25:55 -05:00
|
|
|
require_relative 'shell_env'
|
2013-06-14 07:42:55 -04:00
|
|
|
require_relative 'grack_ldap'
|
|
|
|
require_relative 'grack_helpers'
|
2013-02-14 08:25:55 -05:00
|
|
|
|
2012-06-28 23:30:31 -04:00
|
|
|
module Grack
|
|
|
|
class Auth < Rack::Auth::Basic
|
2013-06-14 07:42:55 -04:00
|
|
|
include LDAP
|
|
|
|
include Helpers
|
|
|
|
|
|
|
|
attr_accessor :user, :project, :ref, :env
|
2012-06-28 23:30:31 -04:00
|
|
|
|
2013-01-14 09:46:55 -05:00
|
|
|
def call(env)
|
|
|
|
@env = env
|
|
|
|
@request = Rack::Request.new(env)
|
|
|
|
@auth = Request.new(env)
|
2013-01-10 13:17:57 -05:00
|
|
|
|
2013-01-14 09:46:55 -05:00
|
|
|
# Need this patch due to the rails mount
|
2013-07-30 10:48:00 -04:00
|
|
|
|
|
|
|
# Need this if under RELATIVE_URL_ROOT
|
|
|
|
unless Gitlab.config.gitlab.relative_url_root.empty?
|
|
|
|
# If website is mounted using relative_url_root need to remove it first
|
|
|
|
@env['PATH_INFO'] = @request.path.sub(Gitlab.config.gitlab.relative_url_root,'')
|
|
|
|
else
|
|
|
|
@env['PATH_INFO'] = @request.path
|
|
|
|
end
|
|
|
|
|
2013-01-14 09:46:55 -05:00
|
|
|
@env['SCRIPT_NAME'] = ""
|
2012-11-26 04:23:08 -05:00
|
|
|
|
2013-06-14 07:42:55 -04:00
|
|
|
auth!
|
2013-01-14 09:46:55 -05:00
|
|
|
end
|
2012-06-29 09:40:23 -04:00
|
|
|
|
2013-06-14 07:42:55 -04:00
|
|
|
private
|
|
|
|
|
|
|
|
def auth!
|
|
|
|
return render_not_found unless project
|
|
|
|
|
2013-01-14 09:46:55 -05:00
|
|
|
if @auth.provided?
|
2013-06-14 07:42:55 -04:00
|
|
|
return bad_request unless @auth.basic?
|
|
|
|
|
2013-01-14 09:46:55 -05:00
|
|
|
# Authentication with username and password
|
|
|
|
login, password = @auth.credentials
|
2013-05-24 13:36:28 -04:00
|
|
|
|
2013-06-14 07:42:55 -04:00
|
|
|
@user = authenticate_user(login, password)
|
2013-05-24 13:36:28 -04:00
|
|
|
|
2013-06-14 07:42:55 -04:00
|
|
|
if @user
|
|
|
|
Gitlab::ShellEnv.set_env(@user)
|
|
|
|
@env['REMOTE_USER'] = @auth.username
|
|
|
|
else
|
|
|
|
return unauthorized
|
|
|
|
end
|
|
|
|
|
|
|
|
else
|
|
|
|
return unauthorized unless project.public
|
2013-01-14 09:46:55 -05:00
|
|
|
end
|
2012-07-02 04:44:45 -04:00
|
|
|
|
2013-06-14 07:42:55 -04:00
|
|
|
if authorized_git_request?
|
|
|
|
@app.call(env)
|
|
|
|
else
|
|
|
|
unauthorized
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def authorized_git_request?
|
2012-06-29 03:43:15 -04:00
|
|
|
# Git upload and receive
|
2012-09-17 06:36:23 -04:00
|
|
|
if @request.get?
|
2013-06-14 07:42:55 -04:00
|
|
|
authorize_request(@request.params['service'])
|
2012-09-17 06:36:23 -04:00
|
|
|
elsif @request.post?
|
2013-06-14 07:42:55 -04:00
|
|
|
authorize_request(File.basename(@request.path))
|
2012-06-29 06:11:37 -04:00
|
|
|
else
|
|
|
|
false
|
2012-06-29 03:43:15 -04:00
|
|
|
end
|
2012-10-21 05:12:14 -04:00
|
|
|
end
|
|
|
|
|
2013-06-14 07:42:55 -04:00
|
|
|
def authenticate_user(login, password)
|
2013-07-16 04:28:19 -04:00
|
|
|
auth = Gitlab::Auth.new
|
|
|
|
auth.find(login, password)
|
2013-05-24 13:36:28 -04:00
|
|
|
end
|
|
|
|
|
2013-06-14 07:42:55 -04:00
|
|
|
def authorize_request(service)
|
|
|
|
case service
|
|
|
|
when 'git-upload-pack'
|
2013-01-14 09:46:55 -05:00
|
|
|
project.public || can?(user, :download_code, project)
|
2013-06-14 07:42:55 -04:00
|
|
|
when'git-receive-pack'
|
|
|
|
action = if project.protected_branch?(ref)
|
2012-10-21 05:12:14 -04:00
|
|
|
:push_code_to_protected_branches
|
|
|
|
else
|
|
|
|
:push_code
|
|
|
|
end
|
|
|
|
|
|
|
|
can?(user, action, project)
|
|
|
|
else
|
|
|
|
false
|
|
|
|
end
|
|
|
|
end
|
2012-06-29 06:11:37 -04:00
|
|
|
|
2013-01-14 09:46:55 -05:00
|
|
|
def project
|
2013-06-14 07:42:55 -04:00
|
|
|
@project ||= project_by_path(@request.path_info)
|
2013-01-14 09:46:55 -05:00
|
|
|
end
|
|
|
|
|
2013-06-14 07:42:55 -04:00
|
|
|
def ref
|
|
|
|
@ref ||= parse_ref
|
2013-01-14 09:46:55 -05:00
|
|
|
end
|
|
|
|
|
2013-06-14 07:42:55 -04:00
|
|
|
def parse_ref
|
|
|
|
input = if @env["HTTP_CONTENT_ENCODING"] =~ /gzip/
|
|
|
|
Zlib::GzipReader.new(@request.body).read
|
|
|
|
else
|
|
|
|
@request.body.read
|
|
|
|
end
|
2012-10-22 11:45:42 -04:00
|
|
|
|
2013-06-14 07:42:55 -04:00
|
|
|
# Need to reset seek point
|
|
|
|
@request.body.rewind
|
|
|
|
/refs\/heads\/([\w\.-]+)/n.match(input.force_encoding('ascii-8bit')).to_a.last
|
2013-05-24 13:36:28 -04:00
|
|
|
end
|
2013-06-14 07:42:55 -04:00
|
|
|
end
|
|
|
|
end
|