gitlab-org--gitlab-foss/app/controllers/projects/git_http_controller.rb

# This file should be identical in GitLab Community Edition and Enterprise Edition

class Projects::GitHttpController < Projects::GitHttpClientController
  before_action :verify_workhorse_api!

  # GET /foo/bar.git/info/refs?service=git-upload-pack (git pull)
  # GET /foo/bar.git/info/refs?service=git-receive-pack (git push)
  def info_refs
    if upload_pack? && upload_pack_allowed?
      render_ok
    elsif receive_pack? && receive_pack_allowed?
      render_ok
    elsif http_blocked?
      render_http_not_allowed
    else
      render_denied
    end
  end

  # POST /foo/bar.git/git-upload-pack (git pull)
  def git_upload_pack
    if upload_pack? && upload_pack_allowed?
      render_ok
    else
      render_denied
    end
  end

  # POST /foo/bar.git/git-receive-pack" (git push)
  def git_receive_pack
    if receive_pack? && receive_pack_allowed?
      render_ok
    else
      render_denied
    end
  end

  private

  def download_request?
    upload_pack?
  end

  def upload_pack?
    git_command == 'git-upload-pack'
  end

  def receive_pack?
    git_command == 'git-receive-pack'
  end

  def git_command
    if action_name == 'info_refs'
      params[:service]
    else
      action_name.dasherize
    end
  end

  def render_ok
    set_workhorse_internal_api_content_type
    render json: Gitlab::Workhorse.git_http_ok(repository, user)
  end

  def render_http_not_allowed
    render plain: access_check.message, status: :forbidden
  end

  def render_denied
    if user && user.can?(:read_project, project)
      render plain: 'Access denied', status: :forbidden
    else
      # Do not leak information about project existence
      render_not_found
    end
  end

  def upload_pack_allowed?
    return false unless Gitlab.config.gitlab_shell.upload_pack

    if user
      access_check.allowed?
    else
      ci? || project.public?
    end
  end

  def access
    @access ||= Gitlab::GitAccess.new(user, project, 'http', authentication_abilities: authentication_abilities)
  end

  def access_check
    # Use the magic string '_any' to indicate we do not know what the
    # changes are. This is also what gitlab-shell does.
    @access_check ||= access.check(git_command, '_any')
  end

  def http_blocked?
    !access.protocol_allowed?
  end

  def receive_pack_allowed?
    return false unless Gitlab.config.gitlab_shell.receive_pack

    access_check.allowed?
  end
end
Groundwork for Kerberos SPNEGO (EE feature) 2016-07-01 05:46:56 -04:00			`# This file should be identical in GitLab Community Edition and Enterprise Edition`

Add LFS controllers 2016-07-20 12:41:26 -04:00			`class Projects::GitHttpController < Projects::GitHttpClientController`
Verify JWT messages from gitlab-workhorse 2016-08-19 13:10:41 -04:00			`before_action :verify_workhorse_api!`

Some changes after review from Rémy and Valery 2016-04-22 07:24:53 -04:00			`# GET /foo/bar.git/info/refs?service=git-upload-pack (git pull)`
			`# GET /foo/bar.git/info/refs?service=git-receive-pack (git push)`
			`def info_refs`
Get Grack::Auth tests to pass 2016-03-23 13:34:16 -04:00			`if upload_pack? && upload_pack_allowed?`
Add some upload specs 2016-03-24 13:58:29 -04:00			`render_ok`
			`elsif receive_pack? && receive_pack_allowed?`
			`render_ok`
Render :forbidden only if HTTP is disabled. 2016-06-23 23:01:44 -04:00			`elsif http_blocked?`
Stop 'git push' over HTTP early Before this change we always let users push Git data over HTTP before deciding whether to accept to push. This was different from pushing over SSH where we terminate a 'git push' early if we already know the user is not allowed to push. This change let Git over HTTP follow the same behavior as Git over SSH. We also distinguish between HTTP 404 and 403 responses when denying Git requests, depending on whether the user is allowed to know the project exists. 2016-08-03 08:54:12 -04:00			`render_http_not_allowed`
Add some upload specs 2016-03-24 13:58:29 -04:00			`else`
Stop 'git push' over HTTP early Before this change we always let users push Git data over HTTP before deciding whether to accept to push. This was different from pushing over SSH where we terminate a 'git push' early if we already know the user is not allowed to push. This change let Git over HTTP follow the same behavior as Git over SSH. We also distinguish between HTTP 404 and 403 responses when denying Git requests, depending on whether the user is allowed to know the project exists. 2016-08-03 08:54:12 -04:00			`render_denied`
Get Grack::Auth tests to pass 2016-03-23 13:34:16 -04:00			`end`
			`end`
Comment and whitespace 2016-04-15 06:40:43 -04:00
Some changes after review from Rémy and Valery 2016-04-22 07:24:53 -04:00			`# POST /foo/bar.git/git-upload-pack (git pull)`
			`def git_upload_pack`
			`if upload_pack? && upload_pack_allowed?`
			`render_ok`
			`else`
Stop 'git push' over HTTP early Before this change we always let users push Git data over HTTP before deciding whether to accept to push. This was different from pushing over SSH where we terminate a 'git push' early if we already know the user is not allowed to push. This change let Git over HTTP follow the same behavior as Git over SSH. We also distinguish between HTTP 404 and 403 responses when denying Git requests, depending on whether the user is allowed to know the project exists. 2016-08-03 08:54:12 -04:00			`render_denied`
Some changes after review from Rémy and Valery 2016-04-22 07:24:53 -04:00			`end`
			`end`

			`# POST /foo/bar.git/git-receive-pack" (git push)`
			`def git_receive_pack`
			`if receive_pack? && receive_pack_allowed?`
			`render_ok`
			`else`
Stop 'git push' over HTTP early Before this change we always let users push Git data over HTTP before deciding whether to accept to push. This was different from pushing over SSH where we terminate a 'git push' early if we already know the user is not allowed to push. This change let Git over HTTP follow the same behavior as Git over SSH. We also distinguish between HTTP 404 and 403 responses when denying Git requests, depending on whether the user is allowed to know the project exists. 2016-08-03 08:54:12 -04:00			`render_denied`
Some changes after review from Rémy and Valery 2016-04-22 07:24:53 -04:00			`end`
Get Grack::Auth tests to pass 2016-03-23 13:34:16 -04:00			`end`

			`private`

Add LFS controllers 2016-07-20 12:41:26 -04:00			`def download_request?`
			`upload_pack?`
Get Grack::Auth tests to pass 2016-03-23 13:34:16 -04:00			`end`

			`def upload_pack?`
Some changes after review from Rémy and Valery 2016-04-22 07:24:53 -04:00			`git_command == 'git-upload-pack'`
Add some upload specs 2016-03-24 13:58:29 -04:00			`end`

			`def receive_pack?`
Some changes after review from Rémy and Valery 2016-04-22 07:24:53 -04:00			`git_command == 'git-receive-pack'`
Add some upload specs 2016-03-24 13:58:29 -04:00			`end`

Some changes after review from Rémy and Valery 2016-04-22 07:24:53 -04:00			`def git_command`
Get Grack::Auth tests to pass 2016-03-23 13:34:16 -04:00			`if action_name == 'info_refs'`
Add some upload specs 2016-03-24 13:58:29 -04:00			`params[:service]`
Get Grack::Auth tests to pass 2016-03-23 13:34:16 -04:00			`else`
Changes after more review from Rémy 2016-06-03 08:57:34 -04:00			`action_name.dasherize`
Get Grack::Auth tests to pass 2016-03-23 13:34:16 -04:00			`end`
			`end`
Comment and whitespace 2016-04-15 06:40:43 -04:00
Get Grack::Auth tests to pass 2016-03-23 13:34:16 -04:00			`def render_ok`
Verify JWT messages from gitlab-workhorse 2016-08-19 13:10:41 -04:00			`set_workhorse_internal_api_content_type`
Move workhorse protocol code into lib 2016-04-06 11:52:12 -04:00			`render json: Gitlab::Workhorse.git_http_ok(repository, user)`
Get Grack::Auth tests to pass 2016-03-23 13:34:16 -04:00			`end`
Comment and whitespace 2016-04-15 06:40:43 -04:00
Stop 'git push' over HTTP early Before this change we always let users push Git data over HTTP before deciding whether to accept to push. This was different from pushing over SSH where we terminate a 'git push' early if we already know the user is not allowed to push. This change let Git over HTTP follow the same behavior as Git over SSH. We also distinguish between HTTP 404 and 403 responses when denying Git requests, depending on whether the user is allowed to know the project exists. 2016-08-03 08:54:12 -04:00			`def render_http_not_allowed`
			`render plain: access_check.message, status: :forbidden`
			`end`

			`def render_denied`
			`if user && user.can?(:read_project, project)`
			`render plain: 'Access denied', status: :forbidden`
			`else`
			`# Do not leak information about project existence`
			`render_not_found`
			`end`
Return :forbidden if HTTP protocol access is not allowed 2016-06-23 18:37:57 -04:00			`end`

Get Grack::Auth tests to pass 2016-03-23 13:34:16 -04:00			`def upload_pack_allowed?`
Refactor _allowed? methods as Rémy asked 2016-06-03 09:28:35 -04:00			`return false unless Gitlab.config.gitlab_shell.upload_pack`

			`if user`
Stop 'git push' over HTTP early Before this change we always let users push Git data over HTTP before deciding whether to accept to push. This was different from pushing over SSH where we terminate a 'git push' early if we already know the user is not allowed to push. This change let Git over HTTP follow the same behavior as Git over SSH. We also distinguish between HTTP 404 and 403 responses when denying Git requests, depending on whether the user is allowed to know the project exists. 2016-08-03 08:54:12 -04:00			`access_check.allowed?`
Get Grack::Auth tests to pass 2016-03-23 13:34:16 -04:00			`else`
Refactor _allowed? methods as Rémy asked 2016-06-03 09:28:35 -04:00			`ci? \|\| project.public?`
Get Grack::Auth tests to pass 2016-03-23 13:34:16 -04:00			`end`
			`end`
Add some upload specs 2016-03-24 13:58:29 -04:00
Correct access control flow for Git HTTP requests. 2016-06-27 12:14:44 -04:00			`def access`
Rename capabilities to authentication_abilities 2016-09-16 03:59:10 -04:00			`@access \|\|= Gitlab::GitAccess.new(user, project, 'http', authentication_abilities: authentication_abilities)`
Correct access control flow for Git HTTP requests. 2016-06-27 12:14:44 -04:00			`end`

Stop 'git push' over HTTP early Before this change we always let users push Git data over HTTP before deciding whether to accept to push. This was different from pushing over SSH where we terminate a 'git push' early if we already know the user is not allowed to push. This change let Git over HTTP follow the same behavior as Git over SSH. We also distinguish between HTTP 404 and 403 responses when denying Git requests, depending on whether the user is allowed to know the project exists. 2016-08-03 08:54:12 -04:00			`def access_check`
			`# Use the magic string '_any' to indicate we do not know what the`
			`# changes are. This is also what gitlab-shell does.`
			`@access_check \|\|= access.check(git_command, '_any')`
Simplify access checks 2016-06-22 14:08:02 -04:00			`end`

Render :forbidden only if HTTP is disabled. 2016-06-23 23:01:44 -04:00			`def http_blocked?`
Correct access control flow for Git HTTP requests. 2016-06-27 12:14:44 -04:00			`!access.protocol_allowed?`
Render :forbidden only if HTTP is disabled. 2016-06-23 23:01:44 -04:00			`end`

Add some upload specs 2016-03-24 13:58:29 -04:00			`def receive_pack_allowed?`
Refactor _allowed? methods as Rémy asked 2016-06-03 09:28:35 -04:00			`return false unless Gitlab.config.gitlab_shell.receive_pack`

Stop 'git push' over HTTP early Before this change we always let users push Git data over HTTP before deciding whether to accept to push. This was different from pushing over SSH where we terminate a 'git push' early if we already know the user is not allowed to push. This change let Git over HTTP follow the same behavior as Git over SSH. We also distinguish between HTTP 404 and 403 responses when denying Git requests, depending on whether the user is allowed to know the project exists. 2016-08-03 08:54:12 -04:00			`access_check.allowed?`
Add some upload specs 2016-03-24 13:58:29 -04:00			`end`
Get Grack::Auth tests to pass 2016-03-23 13:34:16 -04:00			`end`