gitlab-org--gitlab-foss/lib/api/internal.rb

module API
  # Internal access API
  class Internal < Grape::API
    before { authenticate_by_gitlab_shell_token! }

    helpers ::API::Helpers::InternalHelpers

    namespace 'internal' do
      # Check if git command is allowed to project
      #
      # Params:
      #   key_id - ssh key id for Git over SSH
      #   user_id - user id for Git over HTTP
      #   protocol - Git access protocol being used, e.g. HTTP or SSH
      #   project - project path with namespace
      #   action - git action (git-upload-pack or git-receive-pack)
      #   changes - changes as "oldrev newrev ref", see Gitlab::ChangesList
      post "/allowed" do
        status 200

        # Stores some Git-specific env thread-safely
        Gitlab::Git::Env.set(parse_env)

        actor =
          if params[:key_id]
            Key.find_by(id: params[:key_id])
          elsif params[:user_id]
            User.find_by(id: params[:user_id])
          end

        protocol = params[:protocol]

        actor.update_last_used_at if actor.is_a?(Key)
        user =
          if actor.is_a?(Key)
            actor.user
          else
            actor
          end

        access_checker_klass = wiki? ? Gitlab::GitAccessWiki : Gitlab::GitAccess
        access_checker = access_checker_klass
          .new(actor, project, protocol, authentication_abilities: ssh_authentication_abilities, redirected_path: redirected_path)

        begin
          access_checker.check(params[:action], params[:changes])
        rescue Gitlab::GitAccess::UnauthorizedError, Gitlab::GitAccess::NotFoundError => e
          return { status: false, message: e.message }
        end

        log_user_activity(actor)

        {
          status: true,
          gl_repository: gl_repository,
          gl_username: user&.username,
          repository_path: repository_path,
          gitaly: gitaly_payload(params[:action])
        }
      end

      post "/lfs_authenticate" do
        status 200

        key = Key.find(params[:key_id])
        key.update_last_used_at

        token_handler = Gitlab::LfsToken.new(key)

        {
          username: token_handler.actor_name,
          lfs_token: token_handler.token,
          repository_http_path: project.http_url_to_repo
        }
      end

      get "/merge_request_urls" do
        merge_request_urls
      end

      #
      # Discover user by ssh key or user id
      #
      get "/discover" do
        if params[:key_id]
          key = Key.find(params[:key_id])
          user = key.user
        elsif params[:user_id]
          user = User.find_by(id: params[:user_id])
        end
        present user, with: Entities::UserSafe
      end

      get "/check" do
        {
          api_version: API.version,
          gitlab_version: Gitlab::VERSION,
          gitlab_rev: Gitlab::REVISION,
          redis: redis_ping
        }
      end

      get "/broadcast_messages" do
        if messages = BroadcastMessage.current
          present messages, with: Entities::BroadcastMessage
        else
          []
        end
      end

      get "/broadcast_message" do
        if message = BroadcastMessage.current&.last
          present message, with: Entities::BroadcastMessage
        else
          {}
        end
      end

      post '/two_factor_recovery_codes' do
        status 200

        key = Key.find_by(id: params[:key_id])

        if key
          key.update_last_used_at
        else
          return { 'success' => false, 'message' => 'Could not find the given key' }
        end

        if key.is_a?(DeployKey)
          return { success: false, message: 'Deploy keys cannot be used to retrieve recovery codes' }
        end

        user = key.user

        unless user
          return { success: false, message: 'Could not find a user for the given key' }
        end

        unless user.two_factor_enabled?
          return { success: false, message: 'Two-factor authentication is not enabled for this user' }
        end

        codes = nil

        ::Users::UpdateService.new(current_user, user: user).execute! do |user|
          codes = user.generate_otp_backup_codes!
        end

        { success: true, recovery_codes: codes }
      end

      post '/pre_receive' do
        status 200

        reference_counter_increased = Gitlab::ReferenceCounter.new(params[:gl_repository]).increase

        { reference_counter_increased: reference_counter_increased }
      end

      post "/notify_post_receive" do
        status 200

        # TODO: Re-enable when Gitaly is processing the post-receive notification
        # return unless Gitlab::GitalyClient.enabled?
        #
        # begin
        #   repository = wiki? ? project.wiki.repository : project.repository
        #   Gitlab::GitalyClient::NotificationService.new(repository.raw_repository).post_receive
        # rescue GRPC::Unavailable => e
        #   render_api_error!(e, 500)
        # end
      end

      post '/post_receive' do
        status 200

        PostReceive.perform_async(params[:gl_repository], params[:identifier],
          params[:changes])
        broadcast_message = BroadcastMessage.current&.last&.message
        reference_counter_decreased = Gitlab::ReferenceCounter.new(params[:gl_repository]).decrease

        {
          merge_request_urls: merge_request_urls,
          broadcast_message: broadcast_message,
          reference_counter_decreased: reference_counter_decreased
        }
      end
    end
  end
end
Refactor API classes. So api classes like Gitlab::Issues become API::Issues 2013-05-14 08:33:31 -04:00			`module API`
Fixed: post-receive, project remove, tests 2013-02-05 05:47:50 -05:00			`# Internal access API`
Internal API 2013-02-04 10:53:43 -05:00			`class Internal < Grape::API`
Avoid using {...} for multi-line blocks 2015-02-03 00:22:57 -05:00			`before { authenticate_by_gitlab_shell_token! }`
add gitlab-shell identification 2014-10-15 11:26:15 -04:00
Fix POST /internal/allowed to cope with gitlab-shell v4.0.0 project paths gitlab-shell v3.6.6 would give project paths like so: * namespace/project gitlab-shell v4.0.0 can give project paths like so: * /namespace1/namespace2/project * /namespace/project * /path/to/repository/storage/namespace1/namespace2/project * /path/to/repository/storage/namespace/project 2016-11-15 10:02:44 -05:00			`helpers ::API::Helpers::InternalHelpers`

Fixed: post-receive, project remove, tests 2013-02-05 05:47:50 -05:00			`namespace 'internal' do`
Use GitAccess in internal api Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-19 15:02:12 -04:00			`# Check if git command is allowed to project`
Fixed: post-receive, project remove, tests 2013-02-05 05:47:50 -05:00			`#`
specs for api/internal 2013-02-26 15:53:59 -05:00			`# Params:`
Use GitAccess in internal api Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-19 15:02:12 -04:00			`# key_id - ssh key id for Git over SSH`
			`# user_id - user id for Git over HTTP`
Set Git-specific env in /api/internal/allowed Signed-off-by: Rémy Coutable <remy@rymai.me> 2017-04-05 03:29:30 -04:00			`# protocol - Git access protocol being used, e.g. HTTP or SSH`
specs for api/internal 2013-02-26 15:53:59 -05:00			`# project - project path with namespace`
			`# action - git action (git-upload-pack or git-receive-pack)`
Set Git-specific env in /api/internal/allowed Signed-off-by: Rémy Coutable <remy@rymai.me> 2017-04-05 03:29:30 -04:00			`# changes - changes as "oldrev newrev ref", see Gitlab::ChangesList`
/api/allowed use POST now Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-09-03 02:06:16 -04:00			`post "/allowed" do`
Make sure /api/allowed return 200 status code Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-09-03 06:33:44 -04:00			`status 200`
Don't leak information about private project existence via Git-over-SSH/HTTP. 2015-02-23 17:14:57 -05:00
Set Git-specific env in /api/internal/allowed Signed-off-by: Rémy Coutable <remy@rymai.me> 2017-04-05 03:29:30 -04:00			`# Stores some Git-specific env thread-safely`
			`Gitlab::Git::Env.set(parse_env)`

Add "action" tag to /internal/allowed API This allows us to re-use any other analytics that rely on the "action" tag having a value set. 2016-04-18 11:42:48 -04:00			`actor =`
Refactor GitAccess to use instance variables. 2015-03-24 09:10:55 -04:00			`if params[:key_id]`
			`Key.find_by(id: params[:key_id])`
			`elsif params[:user_id]`
			`User.find_by(id: params[:user_id])`
			`end`
Don't leak information about private project existence via Git-over-SSH/HTTP. 2015-02-23 17:14:57 -05:00
Only allow Git Access on the allowed protocol 2016-06-20 21:40:56 -04:00			`protocol = params[:protocol]`

Record and show last used date of SSH Keys Addresses: Issue #13810 1. Adds a last_used_at attribute to the Key table/model 2. Update a key's last_used_at whenever it gets used 3. Display how long ago an ssh key was last used 2016-12-21 09:59:54 -05:00			`actor.update_last_used_at if actor.is_a?(Key)`
add username to authorized result, so that gitlab-shell can pass it to hooks 2017-08-03 14:38:33 -04:00			`user =`
			`if actor.is_a?(Key)`
			`actor.user`
			`else`
			`actor`
			`end`
Record and show last used date of SSH Keys Addresses: Issue #13810 1. Adds a last_used_at attribute to the Key table/model 2. Update a key's last_used_at whenever it gets used 3. Display how long ago an ssh key was last used 2016-12-21 09:59:54 -05:00
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate. 2017-05-19 15:58:45 -04:00			`access_checker_klass = wiki? ? Gitlab::GitAccessWiki : Gitlab::GitAccess`
			`access_checker = access_checker_klass`
Add “Project moved” error to Git-over-SSH 2017-06-15 20:03:54 -04:00			`.new(actor, project, protocol, authentication_abilities: ssh_authentication_abilities, redirected_path: redirected_path)`
Refactor repository paths handling to allow multiple git mount points 2016-06-22 17:04:51 -04:00
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate. 2017-05-19 15:58:45 -04:00			`begin`
Refactor construction of response 2017-05-23 14:34:58 -04:00			`access_checker.check(params[:action], params[:changes])`
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate. 2017-05-19 15:58:45 -04:00			`rescue Gitlab::GitAccess::UnauthorizedError, Gitlab::GitAccess::NotFoundError => e`
			`return { status: false, message: e.message }`
			`end`
Refactor repository paths handling to allow multiple git mount points 2016-06-22 17:04:51 -04:00
Refactor to let GitAccess errors bubble up No external behavior change. This allows `GitHttpController` to set the HTTP status based on the type of error. Alternatively, we could have added an attribute to GitAccessStatus, but this pattern seemed appropriate. 2017-05-19 15:58:45 -04:00			`log_user_activity(actor)`
Add user activity service and spec. Also added relevant - NOT offline - migration It uses a user activity table instead of a column in users. Tested with mySQL and postgreSQL 2016-10-05 10:41:32 -04:00
Remove unnecessary variable 2017-06-05 13:39:32 -04:00			`{`
Refactor construction of response 2017-05-23 14:34:58 -04:00			`status: true,`
			`gl_repository: gl_repository,`
add username to authorized result, so that gitlab-shell can pass it to hooks 2017-08-03 14:38:33 -04:00			`gl_username: user&.username,`
Send Gitaly Repository with /api/internal/allowed - Make single gitaly payload - Add feature-flag specs to verify payload 2017-06-26 09:55:06 -04:00			`repository_path: repository_path,`
			`gitaly: gitaly_payload(params[:action])`
Refactor construction of response 2017-05-23 14:34:58 -04:00			`}`
Fixed: post-receive, project remove, tests 2013-02-05 05:47:50 -05:00			`end`

Revert "Revert all changes introduced by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6043" This reverts commit 6d43c95b7011ec7ec4600e00bdc8df76bb39813c. 2016-09-19 10:34:32 -04:00			`post "/lfs_authenticate" do`
			`status 200`

			`key = Key.find(params[:key_id])`
Record and show last used date of SSH Keys Addresses: Issue #13810 1. Adds a last_used_at attribute to the Key table/model 2. Update a key's last_used_at whenever it gets used 3. Display how long ago an ssh key was last used 2016-12-21 09:59:54 -05:00			`key.update_last_used_at`

Revert "Revert all changes introduced by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6043" This reverts commit 6d43c95b7011ec7ec4600e00bdc8df76bb39813c. 2016-09-19 10:34:32 -04:00			`token_handler = Gitlab::LfsToken.new(key)`

			`{`
			`username: token_handler.actor_name,`
Handle LFS token creation and retrieval in the same method, and in the same Redis connection. Reset expiry time of token, if token is retrieved again before it expires. 2016-09-28 12:02:31 -04:00			`lfs_token: token_handler.token,`
Revert "Revert all changes introduced by https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6043" This reverts commit 6d43c95b7011ec7ec4600e00bdc8df76bb39813c. 2016-09-19 10:34:32 -04:00			`repository_http_path: project.http_url_to_repo`
			`}`
			`end`

api for generating new merge request DRY code + fix rubocop Add more test cases Append to changelog DRY changes list find_url service for merge_requests use GET for getting merge request links remove files rename to get_url_service reduce loop add test case for cross project refactor tiny thing update changelog 2016-07-28 00:04:57 -04:00			`get "/merge_request_urls" do`
Implement /internal/post_receive unified endpoint for PostReceive tasks 2017-08-29 22:10:41 -04:00			`merge_request_urls`
api for generating new merge request DRY code + fix rubocop Add more test cases Append to changelog DRY changes list find_url service for merge_requests use GET for getting merge request links remove files rename to get_url_service reduce loop add test case for cross project refactor tiny thing update changelog 2016-07-28 00:04:57 -04:00			`end`

Fixed: post-receive, project remove, tests 2013-02-05 05:47:50 -05:00			`#`
Allow discover by userid - issue 28517 2017-06-20 10:53:28 -04:00			`# Discover user by ssh key or user id`
Fixed: post-receive, project remove, tests 2013-02-05 05:47:50 -05:00			`#`
			`get "/discover" do`
Allow discover by userid - issue 28517 2017-06-20 10:53:28 -04:00			`if params[:key_id]`
			`key = Key.find(params[:key_id])`
			`user = key.user`
			`elsif params[:user_id]`
			`user = User.find_by(id: params[:user_id])`
			`end`
			`present user, with: Entities::UserSafe`
Fixed: post-receive, project remove, tests 2013-02-05 05:47:50 -05:00			`end`
api check call 2013-02-05 08:55:49 -05:00
			`get "/check" do`
			`{`
Refactor API classes. So api classes like Gitlab::Issues become API::Issues 2013-05-14 08:33:31 -04:00			`api_version: API.version,`
uppercase Gitlab version and revision constants. check api return gitlab version now 2013-02-16 07:42:22 -05:00			`gitlab_version: Gitlab::VERSION,`
Return a value to check if redis is available on /internal/check 2017-08-31 17:00:40 -04:00			`gitlab_rev: Gitlab::REVISION,`
			`redis: redis_ping`
api check call 2013-02-05 08:55:49 -05:00			`}`
			`end`
Add internal broadcast message API. 2015-02-07 10:41:30 -05:00
#13336 - display multiple messages in both the UI and git output 2017-06-15 09:47:33 -04:00			`get "/broadcast_messages" do`
			`if messages = BroadcastMessage.current`
			`present messages, with: Entities::BroadcastMessage`
			`else`
			`[]`
			`end`
			`end`

Add internal broadcast message API. 2015-02-07 10:41:30 -05:00			`get "/broadcast_message" do`
Handle case when BroadcastMessage.current is nil Somehow Rails.cache.fetch occasionally returns `nil` values, which causes this endpoint to crash. Closes #35094 2017-07-14 00:38:26 -04:00			`if message = BroadcastMessage.current&.last`
Add internal broadcast message API. 2015-02-07 10:41:30 -05:00			`present message, with: Entities::BroadcastMessage`
Improve broadcast message API 2015-02-18 17:58:20 -05:00			`else`
			`{}`
Add internal broadcast message API. 2015-02-07 10:41:30 -05:00			`end`
			`end`
Add two factor recovery endpoint to internal API 2016-07-26 17:48:51 -04:00
			`post '/two_factor_recovery_codes' do`
			`status 200`

Minor edits to two_factor_recovery_codes API error catching 2016-08-24 20:58:05 -04:00			`key = Key.find_by(id: params[:key_id])`

Record and show last used date of SSH Keys Addresses: Issue #13810 1. Adds a last_used_at attribute to the Key table/model 2. Update a key's last_used_at whenever it gets used 3. Display how long ago an ssh key was last used 2016-12-21 09:59:54 -05:00			`if key`
			`key.update_last_used_at`
			`else`
Minor edits to two_factor_recovery_codes API error catching 2016-08-24 20:58:05 -04:00			`return { 'success' => false, 'message' => 'Could not find the given key' }`
			`end`
Add two factor recovery endpoint to internal API 2016-07-26 17:48:51 -04:00
Minor edits to two_factor_recovery_codes API error catching 2016-08-24 20:58:05 -04:00			`if key.is_a?(DeployKey)`
Add two factor recovery endpoint to internal API 2016-07-26 17:48:51 -04:00			`return { success: false, message: 'Deploy keys cannot be used to retrieve recovery codes' }`
			`end`

Minor edits to two_factor_recovery_codes API error catching 2016-08-24 20:58:05 -04:00			`user = key.user`

			`unless user`
Add two factor recovery endpoint to internal API 2016-07-26 17:48:51 -04:00			`return { success: false, message: 'Could not find a user for the given key' }`
			`end`

			`unless user.two_factor_enabled?`
			`return { success: false, message: 'Two-factor authentication is not enabled for this user' }`
			`end`

update code based on feedback 2017-06-23 11:11:31 -04:00			`codes = nil`

refactor users update service 2017-09-27 05:48:33 -04:00			`::Users::UpdateService.new(current_user, user: user).execute! do \|user\|`
update code based on feedback 2017-06-23 11:11:31 -04:00			`codes = user.generate_otp_backup_codes!`
more refactoring based on feedback 2017-06-22 05:27:37 -04:00			`end`
Add two factor recovery endpoint to internal API 2016-07-26 17:48:51 -04:00
update code based on feedback 2017-06-23 11:11:31 -04:00			`{ success: true, recovery_codes: codes }`
Add two factor recovery endpoint to internal API 2016-07-26 17:48:51 -04:00			`end`
Add internal endpoint to notify post-receive to Gitaly 2017-02-05 13:04:23 -05:00
Implement /internal/pre-receive for shell operations 2017-08-31 17:01:07 -04:00			`post '/pre_receive' do`
			`status 200`

			`reference_counter_increased = Gitlab::ReferenceCounter.new(params[:gl_repository]).increase`

			`{ reference_counter_increased: reference_counter_increased }`
			`end`

Add internal endpoint to notify post-receive to Gitaly 2017-02-05 13:04:23 -05:00			`post "/notify_post_receive" do`
			`status 200`

Prevent errors from non-functional notify_post_receive endpoint 2017-05-18 15:33:43 -04:00			`# TODO: Re-enable when Gitaly is processing the post-receive notification`
			`# return unless Gitlab::GitalyClient.enabled?`
			`#`
			`# begin`
			`# repository = wiki? ? project.wiki.repository : project.repository`
Renamed Gitaly services 2017-07-18 03:59:36 -04:00			`# Gitlab::GitalyClient::NotificationService.new(repository.raw_repository).post_receive`
Prevent errors from non-functional notify_post_receive endpoint 2017-05-18 15:33:43 -04:00			`# rescue GRPC::Unavailable => e`
			`# render_api_error!(e, 500)`
			`# end`
Add internal endpoint to notify post-receive to Gitaly 2017-02-05 13:04:23 -05:00			`end`
Implement /internal/post_receive unified endpoint for PostReceive tasks 2017-08-29 22:10:41 -04:00
			`post '/post_receive' do`
			`status 200`

			`PostReceive.perform_async(params[:gl_repository], params[:identifier],`
			`params[:changes])`
			`broadcast_message = BroadcastMessage.current&.last&.message`
			`reference_counter_decreased = Gitlab::ReferenceCounter.new(params[:gl_repository]).decrease`

			`{`
			`merge_request_urls: merge_request_urls,`
			`broadcast_message: broadcast_message,`
			`reference_counter_decreased: reference_counter_decreased`
			`}`
			`end`
Internal API 2013-02-04 10:53:43 -05:00			`end`
			`end`
			`end`