gitlab-org--gitlab-foss/app/controllers/projects/git_http_client_controller.rb

# This file should be identical in GitLab Community Edition and Enterprise Edition

class Projects::GitHttpClientController < Projects::ApplicationController
  include ActionController::HttpAuthentication::Basic
  include KerberosSpnegoHelper

  attr_reader :authentication_result, :redirected_path

  delegate :actor, :authentication_abilities, to: :authentication_result, allow_nil: true

  alias_method :user, :actor

  # Git clients will not know what authenticity token to send along
  skip_before_action :verify_authenticity_token
  skip_before_action :repository
  before_action :authenticate_user

  private

  def download_request?
    raise NotImplementedError
  end

  def upload_request?
    raise NotImplementedError
  end

  def authenticate_user
    @authentication_result = Gitlab::Auth::Result.new

    if allow_basic_auth? && basic_auth_provided?
      login, password = user_name_and_password(request)

      if handle_basic_authentication(login, password)
        return # Allow access
      end
    elsif allow_kerberos_spnego_auth? && spnego_provided?
      kerberos_user = find_kerberos_user

      if kerberos_user
        @authentication_result = Gitlab::Auth::Result.new(
          kerberos_user, nil, :kerberos, Gitlab::Auth.full_authentication_abilities)

        send_final_spnego_response
        return # Allow access
      end
    elsif project && download_request? && Guest.can?(:download_code, project)
      @authentication_result = Gitlab::Auth::Result.new(nil, project, :none, [:download_code])

      return # Allow access
    end

    send_challenges
    render plain: "HTTP Basic: Access denied\n", status: 401
  rescue Gitlab::Auth::MissingPersonalTokenError
    render_missing_personal_token
  end

  def basic_auth_provided?
    has_basic_credentials?(request)
  end

  def send_challenges
    challenges = []
    challenges << 'Basic realm="GitLab"' if allow_basic_auth?
    challenges << spnego_challenge if allow_kerberos_spnego_auth?
    headers['Www-Authenticate'] = challenges.join("\n") if challenges.any?
  end

  def project
    parse_repo_path unless defined?(@project)

    @project
  end

  def parse_repo_path
    @project, @wiki, @redirected_path = Gitlab::RepoPath.parse("#{params[:namespace_id]}/#{params[:project_id]}")
  end

  def render_missing_personal_token
    render plain: "HTTP Basic: Access denied\n" \
                  "You must use a personal access token with 'api' scope for Git over HTTP.\n" \
                  "You can generate one at #{profile_personal_access_tokens_url}",
           status: 401
  end

  def repository
    wiki? ? project.wiki.repository : project.repository
  end

  def wiki?
    parse_repo_path unless defined?(@wiki)

    @wiki
  end

  def handle_basic_authentication(login, password)
    @authentication_result = Gitlab::Auth.find_for_git_client(
      login, password, project: project, ip: request.ip)

    @authentication_result.success?
  end

  def ci?
    authentication_result.ci?(project)
  end
end
Add LFS controllers 2016-07-20 12:41:26 -04:00			`# This file should be identical in GitLab Community Edition and Enterprise Edition`

			`class Projects::GitHttpClientController < Projects::ApplicationController`
			`include ActionController::HttpAuthentication::Basic`
			`include KerberosSpnegoHelper`

Add “Project moved” error to Git-over-HTTP 2017-06-15 20:04:17 -04:00			`attr_reader :authentication_result, :redirected_path`
Simplify checking of allowed abilities in git_http_client_controller 2016-09-16 07:34:05 -04:00
			`delegate :actor, :authentication_abilities, to: :authentication_result, allow_nil: true`

			`alias_method :user, :actor`
Add LFS controllers 2016-07-20 12:41:26 -04:00
			`# Git clients will not know what authenticity token to send along`
			`skip_before_action :verify_authenticity_token`
			`skip_before_action :repository`
			`before_action :authenticate_user`

			`private`

Move LfsHelper to a new LfsRequest concern Also create a new WorkhorseRequest concern Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-11-21 10:31:51 -05:00			`def download_request?`
			`raise NotImplementedError`
			`end`

			`def upload_request?`
			`raise NotImplementedError`
			`end`

Add LFS controllers 2016-07-20 12:41:26 -04:00			`def authenticate_user`
Improve authentication_result usage 2016-09-16 10:07:21 -04:00			`@authentication_result = Gitlab::Auth::Result.new`

Add LFS controllers 2016-07-20 12:41:26 -04:00			`if allow_basic_auth? && basic_auth_provided?`
			`login, password = user_name_and_password(request)`
Use a permissions of user to access all dependent projects from CI jobs (this also includes a container images, and in future LFS files) 2016-08-08 06:01:25 -04:00
Refactored authentication code to make it a bit clearer, added test for wrong SSH key. 2016-09-15 12:54:24 -04:00			`if handle_basic_authentication(login, password)`
Add LFS controllers 2016-07-20 12:41:26 -04:00			`return # Allow access`
			`end`
			`elsif allow_kerberos_spnego_auth? && spnego_provided?`
Post-merge improve of CI permissions 2016-09-20 09:41:41 -04:00			`kerberos_user = find_kerberos_user`
Simplify checking of allowed abilities in git_http_client_controller 2016-09-16 07:34:05 -04:00
Post-merge improve of CI permissions 2016-09-20 09:41:41 -04:00			`if kerberos_user`
Simplify checking of allowed abilities in git_http_client_controller 2016-09-16 07:34:05 -04:00			`@authentication_result = Gitlab::Auth::Result.new(`
Post-merge improve of CI permissions 2016-09-20 09:41:41 -04:00			`kerberos_user, nil, :kerberos, Gitlab::Auth.full_authentication_abilities)`
Add LFS controllers 2016-07-20 12:41:26 -04:00
			`send_final_spnego_response`
			`return # Allow access`
			`end`
Merge branch 'fix-unathorized-cloning' into 'security' Ensure external users are not able to clone disabled repositories. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/23788 See merge request !2017 Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-11-02 17:50:44 -04:00			`elsif project && download_request? && Guest.can?(:download_code, project)`
			`@authentication_result = Gitlab::Auth::Result.new(nil, project, :none, [:download_code])`

			`return # Allow access`
Add LFS controllers 2016-07-20 12:41:26 -04:00			`end`

			`send_challenges`
			`render plain: "HTTP Basic: Access denied\n", status: 401`
Better authentication handling, syntax fixes and better actor handling for LFS Tokens 2016-09-06 17:32:39 -04:00			`rescue Gitlab::Auth::MissingPersonalTokenError`
Added LFS support to SSH - Required on the GitLab Rails side is mostly authentication and API related. 2016-08-25 18:26:20 -04:00			`render_missing_personal_token`
Add LFS controllers 2016-07-20 12:41:26 -04:00			`end`

			`def basic_auth_provided?`
			`has_basic_credentials?(request)`
			`end`

			`def send_challenges`
			`challenges = []`
			`challenges << 'Basic realm="GitLab"' if allow_basic_auth?`
			`challenges << spnego_challenge if allow_kerberos_spnego_auth?`
			`headers['Www-Authenticate'] = challenges.join("\n") if challenges.any?`
			`end`

			`def project`
Add “Project moved” error to Git-over-HTTP 2017-06-15 20:04:17 -04:00			`parse_repo_path unless defined?(@project)`
Add LFS controllers 2016-07-20 12:41:26 -04:00
Add “Project moved” error to Git-over-HTTP 2017-06-15 20:04:17 -04:00			`@project`
			`end`
Add LFS controllers 2016-07-20 12:41:26 -04:00
Add “Project moved” error to Git-over-HTTP 2017-06-15 20:04:17 -04:00			`def parse_repo_path`
			`@project, @wiki, @redirected_path = Gitlab::RepoPath.parse("#{params[:namespace_id]}/#{params[:project_id]}")`
Add LFS controllers 2016-07-20 12:41:26 -04:00			`end`

Moved 2FA check to `auth.rb` and cleaned up the flow `authenticate_user` 2016-08-15 16:47:29 -04:00			`def render_missing_personal_token`
Refactor `find_for_git_client` method to not use assignment in conditionals and syntax fixes. 2016-08-17 18:21:18 -04:00			`render plain: "HTTP Basic: Access denied\n" \`
Instruct user to use a personal access token for Git over HTTP If internal auth is disabled and LDAP is not configured on the instance, present the user with a message to create a personal access token if his Git over HTTP auth attempt fails. 2017-06-07 15:49:45 -04:00			`"You must use a personal access token with 'api' scope for Git over HTTP.\n" \`
Moved 2FA check to `auth.rb` and cleaned up the flow `authenticate_user` 2016-08-15 16:47:29 -04:00			`"You can generate one at #{profile_personal_access_tokens_url}",`
			`status: 401`
2FA check is now done in the main GitHTTPClientController 2016-08-11 12:42:34 -04:00			`end`

Add LFS controllers 2016-07-20 12:41:26 -04:00			`def repository`
Fix access to the wiki code via HTTP when repository feature disabled 2017-01-24 15:04:45 -05:00			`wiki? ? project.wiki.repository : project.repository`
			`end`

			`def wiki?`
Add “Project moved” error to Git-over-HTTP 2017-06-15 20:04:17 -04:00			`parse_repo_path unless defined?(@wiki)`
Add LFS controllers 2016-07-20 12:41:26 -04:00
Add “Project moved” error to Git-over-HTTP 2017-06-15 20:04:17 -04:00			`@wiki`
Add LFS controllers 2016-07-20 12:41:26 -04:00			`end`

Simplify checking of allowed abilities in git_http_client_controller 2016-09-16 07:34:05 -04:00			`def handle_basic_authentication(login, password)`
			`@authentication_result = Gitlab::Auth.find_for_git_client(`
			`login, password, project: project, ip: request.ip)`
Verify JWT messages from gitlab-workhorse 2016-08-19 13:10:41 -04:00
Move CI access logic into GitAccess 2017-05-16 15:58:46 -04:00			`@authentication_result.success?`
Simplify checking of allowed abilities in git_http_client_controller 2016-09-16 07:34:05 -04:00			`end`

Improve authentication_result usage 2016-09-16 10:07:21 -04:00			`def ci?`
Move logic to check ci? or lfs_deploy_token? to Gitlab::Auth::Result 2016-09-20 04:24:47 -04:00			`authentication_result.ci?(project)`
Improve authentication_result usage 2016-09-16 10:07:21 -04:00			`end`
Add LFS controllers 2016-07-20 12:41:26 -04:00			`end`