gitlab-org--gitlab-foss/lib/gitlab/backend/grack_auth.rb

require_relative 'shell_env'
require_relative 'grack_helpers'

module Grack
  class Auth < Rack::Auth::Basic
    include Helpers

    attr_accessor :user, :project, :env

    def call(env)
      @env = env
      @request = Rack::Request.new(env)
      @auth = Request.new(env)

      # Need this patch due to the rails mount

      # Need this if under RELATIVE_URL_ROOT
      unless Gitlab.config.gitlab.relative_url_root.empty?
        # If website is mounted using relative_url_root need to remove it first
        @env['PATH_INFO'] = @request.path.sub(Gitlab.config.gitlab.relative_url_root,'')
      else
        @env['PATH_INFO'] = @request.path
      end

      @env['SCRIPT_NAME'] = ""

      auth!
    end

    private

    def auth!
      return render_not_found unless project

      if @auth.provided?
        return bad_request unless @auth.basic?

        # Authentication with username and password
        login, password = @auth.credentials

        # Allow authentication for GitLab CI service
        # if valid token passed
        if login == "gitlab-ci-token" && project.gitlab_ci?
          token = project.gitlab_ci_service.token

          if token.present? && token == password && service_name == 'git-upload-pack'
            return @app.call(env)
          end
        end

        @user = authenticate_user(login, password)

        if @user
          Gitlab::ShellEnv.set_env(@user)
          @env['REMOTE_USER'] = @auth.username
        else
          return unauthorized
        end

      else
        return unauthorized unless project.public?
      end

      if authorized_git_request?
        @app.call(env)
      else
        unauthorized
      end
    end

    def authorized_git_request?
      authorize_request(service_name)
    end

    def authenticate_user(login, password)
      auth = Gitlab::Auth.new
      auth.find(login, password)
    end

    def authorize_request(service)
      case service
      when 'git-upload-pack'
        # Serve only upload request.
        # Authorization on push will be serverd by update hook in repository
        Gitlab::GitAccess.new.download_allowed?(user, project)
      else
        true
      end
    end

    def service_name
      if @request.get?
        @request.params['service']
      elsif @request.post?
        File.basename(@request.path)
      else
        nil
      end
    end

    def project
      @project ||= project_by_path(@request.path_info)
    end
  end
end
require missing lib 2013-02-14 13:25:55 +00:00			`require_relative 'shell_env'`
Refactor grack auth module. Add git over http wiki support 2013-06-14 11:42:55 +00:00			`require_relative 'grack_helpers'`
require missing lib 2013-02-14 13:25:55 +00:00
mount grack to git, u can 'git clone http://localhost/git/xx.git' now 2012-06-29 03:30:31 +00:00			`module Grack`
			`class Auth < Rack::Auth::Basic`
Refactor grack auth module. Add git over http wiki support 2013-06-14 11:42:55 +00:00			`include Helpers`

push via http now served via /allowed API Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-19 19:02:39 +00:00			`attr_accessor :user, :project, :env`
mount grack to git, u can 'git clone http://localhost/git/xx.git' now 2012-06-29 03:30:31 +00:00
Public HTTP clones and remove auth request for public projects 2013-01-14 14:46:55 +00:00			`def call(env)`
			`@env = env`
			`@request = Rack::Request.new(env)`
			`@auth = Request.new(env)`
Public git read-only access via http 2013-01-10 18:17:57 +00:00
Public HTTP clones and remove auth request for public projects 2013-01-14 14:46:55 +00:00			`# Need this patch due to the rails mount`
Fix issue when developers are able to push to protected branch When that branch contain a '/' in the branch name. Fix for git over HTTP 2013-08-26 09:54:57 +00:00
Fixes grack authentification under relative_url_root Ref: https://github.com/gitlabhq/gitlabhq/commit/e6159b8725f99af78f446f8d33fa0e52b7780430 Ref: https://github.com/gitlabhq/gitlabhq/pull/3204 Ref: https://github.com/gitlabhq/gitlabhq/issues/1228 Add Rails' variable in application.rb to support relative url This variable is used by assets compilation and other modules. Note that user needs to change application.rb too Restrict session cookie to the relative path if set. Ref: https://github.com/gitlabhq/gitlabhq/commit/2c2f1e31856a4decdae469974f5bea8245316f7e Fix Update attachment_uploader.rb bug with relative URL See: https://github.com/gitlabhq/gitlabhq/commit/161afda3fa4fca58f396e9c3acbd72bc14490ace Fix Wall relative bug with attachement files (javascript) 2013-07-30 14:48:00 +00:00			`# Need this if under RELATIVE_URL_ROOT`
			`unless Gitlab.config.gitlab.relative_url_root.empty?`
			`# If website is mounted using relative_url_root need to remove it first`
			`@env['PATH_INFO'] = @request.path.sub(Gitlab.config.gitlab.relative_url_root,'')`
			`else`
			`@env['PATH_INFO'] = @request.path`
			`end`
Fix issue when developers are able to push to protected branch When that branch contain a '/' in the branch name. Fix for git over HTTP 2013-08-26 09:54:57 +00:00
Public HTTP clones and remove auth request for public projects 2013-01-14 14:46:55 +00:00			`@env['SCRIPT_NAME'] = ""`
Fix http push with namespaces. Allow use of username as login 2012-11-26 09:23:08 +00:00
Refactor grack auth module. Add git over http wiki support 2013-06-14 11:42:55 +00:00			`auth!`
Public HTTP clones and remove auth request for public projects 2013-01-14 14:46:55 +00:00			`end`
fix a npe, and need a patch for path_info 2012-06-29 13:40:23 +00:00
Refactor grack auth module. Add git over http wiki support 2013-06-14 11:42:55 +00:00			`private`

			`def auth!`
			`return render_not_found unless project`

Public HTTP clones and remove auth request for public projects 2013-01-14 14:46:55 +00:00			`if @auth.provided?`
Refactor grack auth module. Add git over http wiki support 2013-06-14 11:42:55 +00:00			`return bad_request unless @auth.basic?`

Public HTTP clones and remove auth request for public projects 2013-01-14 14:46:55 +00:00			`# Authentication with username and password`
			`login, password = @auth.credentials`
Fix ldap auth for http push 2013-05-24 17:36:28 +00:00
Allow git clone with http for GitLab CI service: If you enable GitLab CI for project you will be able to clone project source code with next command: git clone http://gitlab-ci-token:XXXXXXXXXXXX@host:project.git Requires for GitLab CI 4.0 2013-10-24 14:17:22 +00:00			`# Allow authentication for GitLab CI service`
			`# if valid token passed`
			`if login == "gitlab-ci-token" && project.gitlab_ci?`
			`token = project.gitlab_ci_service.token`

			`if token.present? && token == password && service_name == 'git-upload-pack'`
			`return @app.call(env)`
			`end`
			`end`

Refactor grack auth module. Add git over http wiki support 2013-06-14 11:42:55 +00:00			`@user = authenticate_user(login, password)`
Fix ldap auth for http push 2013-05-24 17:36:28 +00:00
Refactor grack auth module. Add git over http wiki support 2013-06-14 11:42:55 +00:00			`if @user`
			`Gitlab::ShellEnv.set_env(@user)`
			`@env['REMOTE_USER'] = @auth.username`
			`else`
			`return unauthorized`
			`end`

			`else`
Adding authenticated public mode (internal). Added visibility_level icons to project view (rather than just text). Added public projects to search results. Added ability to restrict visibility levels standard users can set. 2013-11-06 15:13:21 +00:00			`return unauthorized unless project.public?`
Public HTTP clones and remove auth request for public projects 2013-01-14 14:46:55 +00:00			`end`
bypass gitolite update hook, and set an GL_USER variable. 2012-07-02 08:44:45 +00:00
Refactor grack auth module. Add git over http wiki support 2013-06-14 11:42:55 +00:00			`if authorized_git_request?`
			`@app.call(env)`
			`else`
			`unauthorized`
			`end`
			`end`

			`def authorized_git_request?`
Allow git clone with http for GitLab CI service: If you enable GitLab CI for project you will be able to clone project source code with next command: git clone http://gitlab-ci-token:XXXXXXXXXXXX@host:project.git Requires for GitLab CI 4.0 2013-10-24 14:17:22 +00:00			`authorize_request(service_name)`
Security for online editor. Replace dev_access?, master_access? with can? method usage 2012-10-21 09:12:14 +00:00			`end`

Refactor grack auth module. Add git over http wiki support 2013-06-14 11:42:55 +00:00			`def authenticate_user(login, password)`
Add LDAP support to /api/session 2013-07-16 08:28:19 +00:00			`auth = Gitlab::Auth.new`
			`auth.find(login, password)`
Fix ldap auth for http push 2013-05-24 17:36:28 +00:00			`end`

Refactor grack auth module. Add git over http wiki support 2013-06-14 11:42:55 +00:00			`def authorize_request(service)`
			`case service`
			`when 'git-upload-pack'`
push via http now served via /allowed API Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-19 19:02:39 +00:00			`# Serve only upload request.`
			`# Authorization on push will be serverd by update hook in repository`
			`Gitlab::GitAccess.new.download_allowed?(user, project)`
Security for online editor. Replace dev_access?, master_access? with can? method usage 2012-10-21 09:12:14 +00:00			`else`
push via http now served via /allowed API Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-19 19:02:39 +00:00			`true`
Security for online editor. Replace dev_access?, master_access? with can? method usage 2012-10-21 09:12:14 +00:00			`end`
			`end`
implements protected branches to smart http protocal 2012-06-29 10:11:37 +00:00
Allow git clone with http for GitLab CI service: If you enable GitLab CI for project you will be able to clone project source code with next command: git clone http://gitlab-ci-token:XXXXXXXXXXXX@host:project.git Requires for GitLab CI 4.0 2013-10-24 14:17:22 +00:00			`def service_name`
			`if @request.get?`
			`@request.params['service']`
			`elsif @request.post?`
			`File.basename(@request.path)`
			`else`
			`nil`
			`end`
			`end`

Public HTTP clones and remove auth request for public projects 2013-01-14 14:46:55 +00:00			`def project`
Refactor grack auth module. Add git over http wiki support 2013-06-14 11:42:55 +00:00			`@project \|\|= project_by_path(@request.path_info)`
Public HTTP clones and remove auth request for public projects 2013-01-14 14:46:55 +00:00			`end`
Refactor grack auth module. Add git over http wiki support 2013-06-14 11:42:55 +00:00			`end`
			`end`