2013-02-14 13:25:55 +00:00
|
|
|
require_relative 'shell_env'
|
2013-06-14 11:42:55 +00:00
|
|
|
require_relative 'grack_helpers'
|
2013-02-14 13:25:55 +00:00
|
|
|
|
2012-06-29 03:30:31 +00:00
|
|
|
module Grack
|
|
|
|
class Auth < Rack::Auth::Basic
|
2013-06-14 11:42:55 +00:00
|
|
|
include Helpers
|
|
|
|
|
|
|
|
attr_accessor :user, :project, :ref, :env
|
2012-06-29 03:30:31 +00:00
|
|
|
|
2013-01-14 14:46:55 +00:00
|
|
|
def call(env)
|
|
|
|
@env = env
|
|
|
|
@request = Rack::Request.new(env)
|
|
|
|
@auth = Request.new(env)
|
2013-01-10 18:17:57 +00:00
|
|
|
|
2013-01-14 14:46:55 +00:00
|
|
|
# Need this patch due to the rails mount
|
2013-08-26 09:54:57 +00:00
|
|
|
|
2013-07-30 14:48:00 +00:00
|
|
|
# Need this if under RELATIVE_URL_ROOT
|
|
|
|
unless Gitlab.config.gitlab.relative_url_root.empty?
|
|
|
|
# If website is mounted using relative_url_root need to remove it first
|
|
|
|
@env['PATH_INFO'] = @request.path.sub(Gitlab.config.gitlab.relative_url_root,'')
|
|
|
|
else
|
|
|
|
@env['PATH_INFO'] = @request.path
|
|
|
|
end
|
2013-08-26 09:54:57 +00:00
|
|
|
|
2013-01-14 14:46:55 +00:00
|
|
|
@env['SCRIPT_NAME'] = ""
|
2012-11-26 09:23:08 +00:00
|
|
|
|
2013-06-14 11:42:55 +00:00
|
|
|
auth!
|
2013-01-14 14:46:55 +00:00
|
|
|
end
|
2012-06-29 13:40:23 +00:00
|
|
|
|
2013-06-14 11:42:55 +00:00
|
|
|
private
|
|
|
|
|
|
|
|
def auth!
|
|
|
|
return render_not_found unless project
|
|
|
|
|
2013-01-14 14:46:55 +00:00
|
|
|
if @auth.provided?
|
2013-06-14 11:42:55 +00:00
|
|
|
return bad_request unless @auth.basic?
|
|
|
|
|
2013-01-14 14:46:55 +00:00
|
|
|
# Authentication with username and password
|
|
|
|
login, password = @auth.credentials
|
2013-05-24 17:36:28 +00:00
|
|
|
|
2013-10-24 14:17:22 +00:00
|
|
|
# Allow authentication for GitLab CI service
|
|
|
|
# if valid token passed
|
|
|
|
if login == "gitlab-ci-token" && project.gitlab_ci?
|
|
|
|
token = project.gitlab_ci_service.token
|
|
|
|
|
|
|
|
if token.present? && token == password && service_name == 'git-upload-pack'
|
|
|
|
return @app.call(env)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2013-06-14 11:42:55 +00:00
|
|
|
@user = authenticate_user(login, password)
|
2013-05-24 17:36:28 +00:00
|
|
|
|
2013-06-14 11:42:55 +00:00
|
|
|
if @user
|
|
|
|
Gitlab::ShellEnv.set_env(@user)
|
|
|
|
@env['REMOTE_USER'] = @auth.username
|
|
|
|
else
|
|
|
|
return unauthorized
|
|
|
|
end
|
|
|
|
|
|
|
|
else
|
2013-11-06 15:13:21 +00:00
|
|
|
return unauthorized unless project.public?
|
2013-01-14 14:46:55 +00:00
|
|
|
end
|
2012-07-02 08:44:45 +00:00
|
|
|
|
2013-06-14 11:42:55 +00:00
|
|
|
if authorized_git_request?
|
|
|
|
@app.call(env)
|
|
|
|
else
|
|
|
|
unauthorized
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def authorized_git_request?
|
2013-10-24 14:17:22 +00:00
|
|
|
authorize_request(service_name)
|
2012-10-21 09:12:14 +00:00
|
|
|
end
|
|
|
|
|
2013-06-14 11:42:55 +00:00
|
|
|
def authenticate_user(login, password)
|
2013-07-16 08:28:19 +00:00
|
|
|
auth = Gitlab::Auth.new
|
|
|
|
auth.find(login, password)
|
2013-05-24 17:36:28 +00:00
|
|
|
end
|
|
|
|
|
2013-06-14 11:42:55 +00:00
|
|
|
def authorize_request(service)
|
|
|
|
case service
|
|
|
|
when 'git-upload-pack'
|
2013-11-06 15:13:21 +00:00
|
|
|
can?(user, :download_code, project)
|
2013-06-14 11:42:55 +00:00
|
|
|
when'git-receive-pack'
|
2013-11-20 09:06:19 +00:00
|
|
|
refs.each do |ref|
|
|
|
|
action = if project.protected_branch?(ref)
|
|
|
|
:push_code_to_protected_branches
|
|
|
|
else
|
|
|
|
:push_code
|
|
|
|
end
|
|
|
|
|
|
|
|
return false unless can?(user, action, project)
|
|
|
|
end
|
2012-10-21 09:12:14 +00:00
|
|
|
|
2013-11-20 09:06:19 +00:00
|
|
|
true
|
2012-10-21 09:12:14 +00:00
|
|
|
else
|
|
|
|
false
|
|
|
|
end
|
|
|
|
end
|
2012-06-29 10:11:37 +00:00
|
|
|
|
2013-10-24 14:17:22 +00:00
|
|
|
def service_name
|
|
|
|
if @request.get?
|
|
|
|
@request.params['service']
|
|
|
|
elsif @request.post?
|
|
|
|
File.basename(@request.path)
|
|
|
|
else
|
|
|
|
nil
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2013-01-14 14:46:55 +00:00
|
|
|
def project
|
2013-06-14 11:42:55 +00:00
|
|
|
@project ||= project_by_path(@request.path_info)
|
2013-01-14 14:46:55 +00:00
|
|
|
end
|
|
|
|
|
2013-11-20 09:06:19 +00:00
|
|
|
def refs
|
|
|
|
@refs ||= parse_refs
|
2013-01-14 14:46:55 +00:00
|
|
|
end
|
|
|
|
|
2013-11-20 09:06:19 +00:00
|
|
|
def parse_refs
|
2013-06-14 11:42:55 +00:00
|
|
|
input = if @env["HTTP_CONTENT_ENCODING"] =~ /gzip/
|
|
|
|
Zlib::GzipReader.new(@request.body).read
|
|
|
|
else
|
|
|
|
@request.body.read
|
|
|
|
end
|
2012-10-22 15:45:42 +00:00
|
|
|
|
2013-06-14 11:42:55 +00:00
|
|
|
# Need to reset seek point
|
|
|
|
@request.body.rewind
|
2013-11-22 10:41:55 +00:00
|
|
|
|
|
|
|
# Parse refs
|
|
|
|
refs = input.force_encoding('ascii-8bit').scan(/refs\/heads\/([\/\w\.-]+)/n).flatten.compact
|
|
|
|
|
|
|
|
# Cleanup grabare from refs
|
|
|
|
# if push to multiple branches
|
|
|
|
refs.map do |ref|
|
2013-11-22 10:55:20 +00:00
|
|
|
ref.gsub(/00.*/, "")
|
2013-11-22 10:41:55 +00:00
|
|
|
end
|
2013-05-24 17:36:28 +00:00
|
|
|
end
|
2013-06-14 11:42:55 +00:00
|
|
|
end
|
|
|
|
end
|