gitlab-org--gitlab-foss/lib/gitlab/git_access.rb

module Gitlab
  class GitAccess
    DOWNLOAD_COMMANDS = %w{ git-upload-pack git-upload-archive }
    PUSH_COMMANDS = %w{ git-receive-pack }

    attr_reader :params, :project, :git_cmd, :user

    def self.can_push_to_branch?(user, project, ref)
      if project.protected_branch?(ref)  &&
          !(project.developers_can_push_to_protected_branch?(ref) && project.team.developer?(user))
        user.can?(:push_code_to_protected_branches, project)
      else
        user.can?(:push_code, project)
      end
    end

    def check(actor, cmd, project, changes = nil)
      case cmd
      when *DOWNLOAD_COMMANDS
        download_access_check(actor, project)
      when *PUSH_COMMANDS
        if actor.is_a? User
          push_access_check(actor, project, changes)
        elsif actor.is_a? DeployKey
          return build_status_object(false, "Deploy key not allowed to push")
        elsif actor.is_a? Key
          push_access_check(actor.user, project, changes)
        else
          raise 'Wrong actor'
        end
      else
        return build_status_object(false, "Wrong command")
      end
    end

    def download_access_check(actor, project)
      if actor.is_a?(User)
        user_download_access_check(actor, project)
      elsif actor.is_a?(DeployKey)
        if actor.projects.include?(project)
          build_status_object(true)
        else
          build_status_object(false, "Deploy key not allowed to access this project")
        end
      elsif actor.is_a? Key
        user_download_access_check(actor.user, project)
      else
        raise 'Wrong actor'
      end
    end

    def user_download_access_check(user, project)
      if user && user_allowed?(user) && user.can?(:download_code, project)
        build_status_object(true)
      else
        build_status_object(false, "You don't have access")
      end
    end

    def push_access_check(user, project, changes)
      unless user && user_allowed?(user)
        return build_status_object(false, "You don't have access")
      end

      if changes.blank?
        return build_status_object(true)
      end

      unless project.repository.exists?
        return build_status_object(false, "Repository does not exist")
      end

      changes = changes.lines if changes.kind_of?(String)

      # Iterate over all changes to find if user allowed all of them to be applied
      changes.map(&:strip).reject(&:blank?).each do |change|
        status = change_access_check(user, project, change)
        unless status.allowed?
          # If user does not have access to make at least one change - cancel all push
          return status
        end
      end

      return build_status_object(true)
    end

    def change_access_check(user, project, change)
      oldrev, newrev, ref = change.split(' ')

      action = if project.protected_branch?(branch_name(ref))
                 protected_branch_action(project, oldrev, newrev, branch_name(ref))
               elsif protected_tag?(project, tag_name(ref))
                 # Prevent any changes to existing git tag unless user has permissions
                 :admin_project
               else
                 :push_code
               end

      if user.can?(action, project)
        build_status_object(true)
      else
        build_status_object(false, "You don't have permission")
      end
    end

    def forced_push?(project, oldrev, newrev)
      Gitlab::ForcePushCheck.force_push?(project, oldrev, newrev)
    end

    private

    def protected_branch_action(project, oldrev, newrev, branch_name)
      # we dont allow force push to protected branch
      if forced_push?(project, oldrev, newrev)
       :force_push_code_to_protected_branches
      elsif newrev == Gitlab::Git::BLANK_SHA
       # and we dont allow remove of protected branch
       :remove_protected_branches
      elsif project.developers_can_push_to_protected_branch?(branch_name)
       :push_code
      else
       :push_code_to_protected_branches
      end
    end

    def protected_tag?(project, tag_name)
      project.repository.tag_names.include?(tag_name)
    end

    def user_allowed?(user)
      Gitlab::UserAccess.allowed?(user)
    end

    def branch_name(ref)
      ref = ref.to_s
      if ref.start_with?('refs/heads')
        ref.sub(%r{\Arefs/heads/}, '')
      else
        nil
      end
    end

    def tag_name(ref)
      ref = ref.to_s
      if ref.start_with?('refs/tags')
        ref.sub(%r{\Arefs/tags/}, '')
      else
        nil
      end
    end

    protected

    def build_status_object(status, message = '')
      GitAccessStatus.new(status, message)
    end
  end
end
Add Gitlab::GitAccess class to resolve auth issues during pull/push Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-19 19:01:00 +00:00			`module Gitlab`
			`class GitAccess`
			`DOWNLOAD_COMMANDS = %w{ git-upload-pack git-upload-archive }`
			`PUSH_COMMANDS = %w{ git-receive-pack }`

			`attr_reader :params, :project, :git_cmd, :user`

developer can push to protected branches 2015-01-20 23:23:37 +00:00			`def self.can_push_to_branch?(user, project, ref)`
			`if project.protected_branch?(ref) &&`
			`!(project.developers_can_push_to_protected_branch?(ref) && project.team.developer?(user))`
			`user.can?(:push_code_to_protected_branches, project)`
			`else`
			`user.can?(:push_code, project)`
			`end`
			`end`

Better message for failed pushes because of git hooks Conflicts: lib/gitlab/git_access.rb spec/lib/gitlab/git_access_spec.rb 2014-11-14 16:23:55 +00:00			`def check(actor, cmd, project, changes = nil)`
Add Gitlab::GitAccess class to resolve auth issues during pull/push Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-19 19:01:00 +00:00			`case cmd`
			`when *DOWNLOAD_COMMANDS`
Fix deploy keys permission check in internal api Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-12-01 14:25:10 +00:00			`download_access_check(actor, project)`
Add Gitlab::GitAccess class to resolve auth issues during pull/push Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-19 19:01:00 +00:00			`when *PUSH_COMMANDS`
			`if actor.is_a? User`
Better message for failed pushes because of git hooks Conflicts: lib/gitlab/git_access.rb spec/lib/gitlab/git_access_spec.rb 2014-11-14 16:23:55 +00:00			`push_access_check(actor, project, changes)`
Add Gitlab::GitAccess class to resolve auth issues during pull/push Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-19 19:01:00 +00:00			`elsif actor.is_a? DeployKey`
Better message for failed pushes because of git hooks Conflicts: lib/gitlab/git_access.rb spec/lib/gitlab/git_access_spec.rb 2014-11-14 16:23:55 +00:00			`return build_status_object(false, "Deploy key not allowed to push")`
Add Gitlab::GitAccess class to resolve auth issues during pull/push Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-19 19:01:00 +00:00			`elsif actor.is_a? Key`
Better message for failed pushes because of git hooks Conflicts: lib/gitlab/git_access.rb spec/lib/gitlab/git_access_spec.rb 2014-11-14 16:23:55 +00:00			`push_access_check(actor.user, project, changes)`
Add Gitlab::GitAccess class to resolve auth issues during pull/push Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-19 19:01:00 +00:00			`else`
			`raise 'Wrong actor'`
			`end`
			`else`
Better message for failed pushes because of git hooks Conflicts: lib/gitlab/git_access.rb spec/lib/gitlab/git_access_spec.rb 2014-11-14 16:23:55 +00:00			`return build_status_object(false, "Wrong command")`
Add Gitlab::GitAccess class to resolve auth issues during pull/push Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-19 19:01:00 +00:00			`end`
			`end`

Fix deploy keys permission check in internal api Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-12-01 14:25:10 +00:00			`def download_access_check(actor, project)`
			`if actor.is_a?(User)`
			`user_download_access_check(actor, project)`
			`elsif actor.is_a?(DeployKey)`
			`if actor.projects.include?(project)`
			`build_status_object(true)`
			`else`
			`build_status_object(false, "Deploy key not allowed to access this project")`
			`end`
			`elsif actor.is_a? Key`
			`user_download_access_check(actor.user, project)`
			`else`
			`raise 'Wrong actor'`
			`end`
			`end`

			`def user_download_access_check(user, project)`
Better message for failed pushes because of git hooks Conflicts: lib/gitlab/git_access.rb spec/lib/gitlab/git_access_spec.rb 2014-11-14 16:23:55 +00:00			`if user && user_allowed?(user) && user.can?(:download_code, project)`
			`build_status_object(true)`
Add Gitlab::GitAccess class to resolve auth issues during pull/push Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-19 19:01:00 +00:00			`else`
Better message for failed pushes because of git hooks Conflicts: lib/gitlab/git_access.rb spec/lib/gitlab/git_access_spec.rb 2014-11-14 16:23:55 +00:00			`build_status_object(false, "You don't have access")`
Add Gitlab::GitAccess class to resolve auth issues during pull/push Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-19 19:01:00 +00:00			`end`
			`end`

Better message for failed pushes because of git hooks Conflicts: lib/gitlab/git_access.rb spec/lib/gitlab/git_access_spec.rb 2014-11-14 16:23:55 +00:00			`def push_access_check(user, project, changes)`
Decline push if repository does not exist Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-12-05 16:17:51 +00:00			`unless user && user_allowed?(user)`
			`return build_status_object(false, "You don't have access")`
			`end`

			`if changes.blank?`
			`return build_status_object(true)`
			`end`

			`unless project.repository.exists?`
			`return build_status_object(false, "Repository does not exist")`
			`end`
Rewrite GitAccess for gitlab-shell v2 Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-09-01 16:57:25 +00:00
			`changes = changes.lines if changes.kind_of?(String)`

			`# Iterate over all changes to find if user allowed all of them to be applied`
Be more careful with parsing changes from gitlab-shell 2015-01-29 01:00:40 +00:00			`changes.map(&:strip).reject(&:blank?).each do \|change\|`
Better message for failed pushes because of git hooks Conflicts: lib/gitlab/git_access.rb spec/lib/gitlab/git_access_spec.rb 2014-11-14 16:23:55 +00:00			`status = change_access_check(user, project, change)`
			`unless status.allowed?`
Rewrite GitAccess for gitlab-shell v2 Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-09-01 16:57:25 +00:00			`# If user does not have access to make at least one change - cancel all push`
Better message for failed pushes because of git hooks Conflicts: lib/gitlab/git_access.rb spec/lib/gitlab/git_access_spec.rb 2014-11-14 16:23:55 +00:00			`return status`
Rewrite GitAccess for gitlab-shell v2 Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-09-01 16:57:25 +00:00			`end`
			`end`

Better message for failed pushes because of git hooks Conflicts: lib/gitlab/git_access.rb spec/lib/gitlab/git_access_spec.rb 2014-11-14 16:23:55 +00:00			`return build_status_object(true)`
Rewrite GitAccess for gitlab-shell v2 Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-09-01 16:57:25 +00:00			`end`

Better message for failed pushes because of git hooks Conflicts: lib/gitlab/git_access.rb spec/lib/gitlab/git_access_spec.rb 2014-11-14 16:23:55 +00:00			`def change_access_check(user, project, change)`
Developers can push to wiki repo. Protected branches does not affect wiki repo any more Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-10-07 13:05:24 +00:00			`oldrev, newrev, ref = change.split(' ')`

			`action = if project.protected_branch?(branch_name(ref))`
Move protected branch actions into a method. 2014-12-26 08:52:39 +00:00			`protected_branch_action(project, oldrev, newrev, branch_name(ref))`
Add option to disable/enable developers push to already protected branches. 2014-12-26 10:39:12 +00:00			`elsif protected_tag?(project, tag_name(ref))`
Developers can push to wiki repo. Protected branches does not affect wiki repo any more Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-10-07 13:05:24 +00:00			`# Prevent any changes to existing git tag unless user has permissions`
			`:admin_project`
			`else`
			`:push_code`
			`end`

Better message for failed pushes because of git hooks Conflicts: lib/gitlab/git_access.rb spec/lib/gitlab/git_access_spec.rb 2014-11-14 16:23:55 +00:00			`if user.can?(action, project)`
			`build_status_object(true)`
			`else`
			`build_status_object(false, "You don't have permission")`
			`end`
Developers can push to wiki repo. Protected branches does not affect wiki repo any more Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-10-07 13:05:24 +00:00			`end`

Fix ref parsing in Gitlab::GitAccess 2014-09-23 11:18:36 +00:00			`def forced_push?(project, oldrev, newrev)`
Reload mr code on force push too Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-12-02 15:42:56 +00:00			`Gitlab::ForcePushCheck.force_push?(project, oldrev, newrev)`
Add Gitlab::GitAccess class to resolve auth issues during pull/push Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-19 19:01:00 +00:00			`end`

			`private`

Move protected branch actions into a method. 2014-12-26 08:52:39 +00:00			`def protected_branch_action(project, oldrev, newrev, branch_name)`
			`# we dont allow force push to protected branch`
			`if forced_push?(project, oldrev, newrev)`
			`:force_push_code_to_protected_branches`
			`elsif newrev == Gitlab::Git::BLANK_SHA`
Rubocop: comment indentation 2015-02-03 05:34:16 +00:00			`# and we dont allow remove of protected branch`
Move protected branch actions into a method. 2014-12-26 08:52:39 +00:00			`:remove_protected_branches`
			`elsif project.developers_can_push_to_protected_branch?(branch_name)`
			`:push_code`
			`else`
			`:push_code_to_protected_branches`
			`end`
			`end`

Add option to disable/enable developers push to already protected branches. 2014-12-26 10:39:12 +00:00			`def protected_tag?(project, tag_name)`
Move protected branch actions into a method. 2014-12-26 08:52:39 +00:00			`project.repository.tag_names.include?(tag_name)`
			`end`

Add Gitlab::GitAccess class to resolve auth issues during pull/push Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-19 19:01:00 +00:00			`def user_allowed?(user)`
Move user access check to Gitlab::UserAccess 2014-05-15 08:17:13 +00:00			`Gitlab::UserAccess.allowed?(user)`
Add Gitlab::GitAccess class to resolve auth issues during pull/push Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-19 19:01:00 +00:00			`end`
Fix ref parsing in Gitlab::GitAccess 2014-09-23 11:18:36 +00:00
			`def branch_name(ref)`
			`ref = ref.to_s`
			`if ref.start_with?('refs/heads')`
			`ref.sub(%r{\Arefs/heads/}, '')`
			`else`
			`nil`
			`end`
			`end`

			`def tag_name(ref)`
			`ref = ref.to_s`
			`if ref.start_with?('refs/tags')`
			`ref.sub(%r{\Arefs/tags/}, '')`
			`else`
			`nil`
			`end`
			`end`
Better message for failed pushes because of git hooks Conflicts: lib/gitlab/git_access.rb spec/lib/gitlab/git_access_spec.rb 2014-11-14 16:23:55 +00:00
			`protected`

			`def build_status_object(status, message = '')`
			`GitAccessStatus.new(status, message)`
			`end`
Add Gitlab::GitAccess class to resolve auth issues during pull/push Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-19 19:01:00 +00:00			`end`
			`end`