2016-02-01 05:33:22 -05:00
|
|
|
require 'base64'
|
|
|
|
require 'json'
|
2016-08-19 13:10:41 -04:00
|
|
|
require 'securerandom'
|
2017-03-24 13:22:42 -04:00
|
|
|
require 'uri'
|
2016-02-01 05:33:22 -05:00
|
|
|
|
|
|
|
module Gitlab
|
|
|
|
class Workhorse
|
2017-02-21 18:32:18 -05:00
|
|
|
SEND_DATA_HEADER = 'Gitlab-Workhorse-Send-Data'.freeze
|
|
|
|
VERSION_FILE = 'GITLAB_WORKHORSE_VERSION'.freeze
|
|
|
|
INTERNAL_API_CONTENT_TYPE = 'application/vnd.gitlab-workhorse+json'.freeze
|
|
|
|
INTERNAL_API_REQUEST_HEADER = 'Gitlab-Workhorse-Api-Request'.freeze
|
2017-02-28 06:07:04 -05:00
|
|
|
NOTIFICATION_CHANNEL = 'workhorse:notifications'.freeze
|
2016-08-19 13:10:41 -04:00
|
|
|
|
|
|
|
# Supposedly the effective key size for HMAC-SHA256 is 256 bits, i.e. 32
|
|
|
|
# bytes https://tools.ietf.org/html/rfc4868#section-2.6
|
|
|
|
SECRET_LENGTH = 32
|
2016-02-02 08:09:55 -05:00
|
|
|
|
2016-02-11 12:10:14 -05:00
|
|
|
class << self
|
2017-05-03 17:07:54 -04:00
|
|
|
def git_http_ok(repository, is_wiki, user, action)
|
|
|
|
project = repository.project
|
2017-03-30 12:48:22 -04:00
|
|
|
repo_path = repository.path_to_repo
|
2016-12-26 12:15:40 -05:00
|
|
|
params = {
|
2016-08-19 13:10:41 -04:00
|
|
|
GL_ID: Gitlab::GlId.gl_id(user),
|
2017-05-03 17:07:54 -04:00
|
|
|
GL_REPOSITORY: Gitlab::GlRepository.gl_repository(project, is_wiki),
|
2017-05-03 07:22:03 -04:00
|
|
|
RepoPath: repo_path
|
2016-04-06 11:52:12 -04:00
|
|
|
}
|
2016-12-26 12:15:40 -05:00
|
|
|
|
2017-03-24 13:22:42 -04:00
|
|
|
if Gitlab.config.gitaly.enabled
|
2017-06-20 10:09:58 -04:00
|
|
|
server = {
|
|
|
|
address: Gitlab::GitalyClient.address(project.repository_storage),
|
2017-06-20 11:31:49 -04:00
|
|
|
token: Gitlab::GitalyClient.token(project.repository_storage)
|
2017-06-20 10:09:58 -04:00
|
|
|
}
|
2017-04-06 10:54:15 -04:00
|
|
|
params[:Repository] = repository.gitaly_repository.to_h
|
2017-03-30 11:24:36 -04:00
|
|
|
|
|
|
|
feature_enabled = case action.to_s
|
|
|
|
when 'git_receive_pack'
|
2017-05-30 22:16:43 -04:00
|
|
|
Gitlab::GitalyClient.feature_enabled?(:post_receive_pack)
|
2017-03-30 11:24:36 -04:00
|
|
|
when 'git_upload_pack'
|
|
|
|
Gitlab::GitalyClient.feature_enabled?(:post_upload_pack)
|
|
|
|
when 'info_refs'
|
|
|
|
true
|
|
|
|
else
|
|
|
|
raise "Unsupported action: #{action}"
|
|
|
|
end
|
2017-06-20 10:09:58 -04:00
|
|
|
if feature_enabled
|
|
|
|
params[:GitalyAddress] = server[:address] # This field will be deprecated
|
|
|
|
params[:GitalyServer] = server
|
|
|
|
end
|
2017-03-24 13:22:42 -04:00
|
|
|
end
|
2016-12-26 12:15:40 -05:00
|
|
|
|
|
|
|
params
|
2016-04-06 11:52:12 -04:00
|
|
|
end
|
|
|
|
|
2016-08-19 13:10:41 -04:00
|
|
|
def lfs_upload_ok(oid, size)
|
|
|
|
{
|
|
|
|
StoreLFSPath: "#{Gitlab.config.lfs.storage_path}/tmp/upload",
|
|
|
|
LfsOid: oid,
|
2017-05-03 07:22:03 -04:00
|
|
|
LfsSize: size
|
2016-08-19 13:10:41 -04:00
|
|
|
}
|
|
|
|
end
|
|
|
|
|
|
|
|
def artifact_upload_ok
|
|
|
|
{ TempPath: ArtifactUploader.artifacts_upload_path }
|
|
|
|
end
|
|
|
|
|
2016-02-01 05:33:22 -05:00
|
|
|
def send_git_blob(repository, blob)
|
2016-02-02 08:09:55 -05:00
|
|
|
params = {
|
2016-02-01 05:33:22 -05:00
|
|
|
'RepoPath' => repository.path_to_repo,
|
2017-05-03 07:22:03 -04:00
|
|
|
'BlobId' => blob.id
|
2016-02-01 05:33:22 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
[
|
2016-02-02 08:09:55 -05:00
|
|
|
SEND_DATA_HEADER,
|
2016-06-08 08:30:15 -04:00
|
|
|
"git-blob:#{encode(params)}"
|
2016-02-01 05:33:22 -05:00
|
|
|
]
|
|
|
|
end
|
2016-02-02 08:09:55 -05:00
|
|
|
|
2016-06-06 07:16:30 -04:00
|
|
|
def send_git_archive(repository, ref:, format:)
|
2016-02-02 08:09:55 -05:00
|
|
|
format ||= 'tar.gz'
|
|
|
|
format.downcase!
|
2016-06-06 07:16:30 -04:00
|
|
|
params = repository.archive_metadata(ref, Gitlab.config.gitlab.repository_downloads_path, format)
|
2016-02-02 08:09:55 -05:00
|
|
|
raise "Repository or ref not found" if params.empty?
|
|
|
|
|
|
|
|
[
|
|
|
|
SEND_DATA_HEADER,
|
2016-06-08 08:30:15 -04:00
|
|
|
"git-archive:#{encode(params)}"
|
2016-02-02 08:09:55 -05:00
|
|
|
]
|
|
|
|
end
|
2016-05-12 14:50:49 -04:00
|
|
|
|
2016-06-08 08:30:15 -04:00
|
|
|
def send_git_diff(repository, diff_refs)
|
2016-05-12 14:50:49 -04:00
|
|
|
params = {
|
2016-06-08 08:30:15 -04:00
|
|
|
'RepoPath' => repository.path_to_repo,
|
2016-09-20 12:21:52 -04:00
|
|
|
'ShaFrom' => diff_refs.base_sha,
|
2016-06-20 12:51:48 -04:00
|
|
|
'ShaTo' => diff_refs.head_sha
|
2016-05-12 14:50:49 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
[
|
|
|
|
SEND_DATA_HEADER,
|
|
|
|
"git-diff:#{encode(params)}"
|
2016-02-02 08:09:55 -05:00
|
|
|
]
|
|
|
|
end
|
2016-06-06 07:16:30 -04:00
|
|
|
|
2016-07-03 17:01:13 -04:00
|
|
|
def send_git_patch(repository, diff_refs)
|
2016-06-10 08:57:50 -04:00
|
|
|
params = {
|
2016-06-28 08:59:25 -04:00
|
|
|
'RepoPath' => repository.path_to_repo,
|
2016-09-20 12:21:52 -04:00
|
|
|
'ShaFrom' => diff_refs.base_sha,
|
2016-07-03 17:01:13 -04:00
|
|
|
'ShaTo' => diff_refs.head_sha
|
2016-06-10 08:57:50 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
[
|
2016-06-28 08:59:25 -04:00
|
|
|
SEND_DATA_HEADER,
|
2016-06-10 08:57:50 -04:00
|
|
|
"git-format-patch:#{encode(params)}"
|
|
|
|
]
|
|
|
|
end
|
|
|
|
|
2016-07-05 10:58:38 -04:00
|
|
|
def send_artifacts_entry(build, entry)
|
|
|
|
params = {
|
|
|
|
'Archive' => build.artifacts_file.path,
|
|
|
|
'Entry' => Base64.encode64(entry.path)
|
|
|
|
}
|
|
|
|
|
|
|
|
[
|
|
|
|
SEND_DATA_HEADER,
|
|
|
|
"artifacts-entry:#{encode(params)}"
|
|
|
|
]
|
|
|
|
end
|
|
|
|
|
2016-11-22 14:55:56 -05:00
|
|
|
def terminal_websocket(terminal)
|
|
|
|
details = {
|
|
|
|
'Terminal' => {
|
|
|
|
'Subprotocols' => terminal[:subprotocols],
|
|
|
|
'Url' => terminal[:url],
|
2017-01-26 13:16:50 -05:00
|
|
|
'Header' => terminal[:headers],
|
2017-05-03 07:22:03 -04:00
|
|
|
'MaxSessionTime' => terminal[:max_session_time]
|
2016-11-22 14:55:56 -05:00
|
|
|
}
|
|
|
|
}
|
2017-06-02 13:11:26 -04:00
|
|
|
details['Terminal']['CAPem'] = terminal[:ca_pem] if terminal.key?(:ca_pem)
|
2016-11-22 14:55:56 -05:00
|
|
|
|
|
|
|
details
|
|
|
|
end
|
|
|
|
|
2016-07-18 07:58:08 -04:00
|
|
|
def version
|
2016-07-21 16:04:28 -04:00
|
|
|
path = Rails.root.join(VERSION_FILE)
|
|
|
|
path.readable? ? path.read.chomp : 'unknown'
|
2016-07-18 07:58:08 -04:00
|
|
|
end
|
|
|
|
|
2016-08-19 13:10:41 -04:00
|
|
|
def secret
|
|
|
|
@secret ||= begin
|
2016-09-13 13:45:02 -04:00
|
|
|
bytes = Base64.strict_decode64(File.read(secret_path).chomp)
|
2016-08-19 13:10:41 -04:00
|
|
|
raise "#{secret_path} does not contain #{SECRET_LENGTH} bytes" if bytes.length != SECRET_LENGTH
|
|
|
|
bytes
|
|
|
|
end
|
|
|
|
end
|
2016-09-20 12:21:52 -04:00
|
|
|
|
2016-08-19 13:10:41 -04:00
|
|
|
def write_secret
|
|
|
|
bytes = SecureRandom.random_bytes(SECRET_LENGTH)
|
2016-09-20 12:21:52 -04:00
|
|
|
File.open(secret_path, 'w:BINARY', 0600) do |f|
|
2016-09-26 08:21:39 -04:00
|
|
|
f.chmod(0600) # If the file already existed, the '0600' passed to 'open' above was a no-op.
|
2016-08-19 13:10:41 -04:00
|
|
|
f.write(Base64.strict_encode64(bytes))
|
|
|
|
end
|
|
|
|
end
|
2016-09-20 12:21:52 -04:00
|
|
|
|
2016-08-19 13:10:41 -04:00
|
|
|
def verify_api_request!(request_headers)
|
2016-08-18 10:31:44 -04:00
|
|
|
decode_jwt(request_headers[INTERNAL_API_REQUEST_HEADER])
|
|
|
|
end
|
|
|
|
|
|
|
|
def decode_jwt(encoded_message)
|
2016-08-19 13:10:41 -04:00
|
|
|
JWT.decode(
|
2016-08-18 10:31:44 -04:00
|
|
|
encoded_message,
|
2016-08-19 13:10:41 -04:00
|
|
|
secret,
|
|
|
|
true,
|
2017-05-03 07:27:17 -04:00
|
|
|
{ iss: 'gitlab-workhorse', verify_iss: true, algorithm: 'HS256' }
|
2016-08-19 13:10:41 -04:00
|
|
|
)
|
|
|
|
end
|
|
|
|
|
|
|
|
def secret_path
|
2017-03-30 20:37:45 -04:00
|
|
|
Gitlab.config.workhorse.secret_file
|
2016-08-19 13:10:41 -04:00
|
|
|
end
|
2016-09-20 12:21:52 -04:00
|
|
|
|
2017-03-06 05:44:45 -05:00
|
|
|
def set_key_and_notify(key, value, expire: nil, overwrite: true)
|
2017-02-28 06:07:04 -05:00
|
|
|
Gitlab::Redis.with do |redis|
|
|
|
|
result = redis.set(key, value, ex: expire, nx: !overwrite)
|
|
|
|
if result
|
2017-03-06 05:44:45 -05:00
|
|
|
redis.publish(NOTIFICATION_CHANNEL, "#{key}=#{value}")
|
2017-02-28 06:07:04 -05:00
|
|
|
value
|
|
|
|
else
|
|
|
|
redis.get(key)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2016-02-02 08:09:55 -05:00
|
|
|
protected
|
2016-06-06 07:16:30 -04:00
|
|
|
|
2016-02-02 08:09:55 -05:00
|
|
|
def encode(hash)
|
|
|
|
Base64.urlsafe_encode64(JSON.dump(hash))
|
|
|
|
end
|
2016-02-01 05:33:22 -05:00
|
|
|
end
|
|
|
|
end
|
2016-02-01 06:27:35 -05:00
|
|
|
end
|