gitlab-org--gitlab-foss/lib/gitlab/git_access.rb

# Check a user's access to perform a git action. All public methods in this
# class return an instance of `GitlabAccessStatus`
module Gitlab
  class GitAccess
    DOWNLOAD_COMMANDS = %w{ git-upload-pack git-upload-archive }
    PUSH_COMMANDS = %w{ git-receive-pack }

    attr_reader :actor, :project, :protocol, :user_access, :authentication_abilities

    def initialize(actor, project, protocol, authentication_abilities:)
      @actor    = actor
      @project  = project
      @protocol = protocol
      @authentication_abilities = authentication_abilities
      @user_access = UserAccess.new(user, project: project)
    end

    def check(cmd, changes)
      return build_status_object(false, "Git access over #{protocol.upcase} is not allowed") unless protocol_allowed?

      unless actor
        return build_status_object(false, "No user or key was provided.")
      end

      if user && !user_access.allowed?
        return build_status_object(false, "Your account has been blocked.")
      end

      unless project && (user_access.can_read_project? || deploy_key_can_read_project?)
        return build_status_object(false, 'The project you were looking for could not be found.')
      end

      case cmd
      when *DOWNLOAD_COMMANDS
        download_access_check
      when *PUSH_COMMANDS
        push_access_check(changes)
      else
        build_status_object(false, "The command you're trying to execute is not allowed.")
      end
    end

    def download_access_check
      if user
        user_download_access_check
      elsif deploy_key
        build_status_object(true)
      else
        raise 'Wrong actor'
      end
    end

    def push_access_check(changes)
      if user
        user_push_access_check(changes)
      elsif deploy_key
        build_status_object(false, "Deploy keys are not allowed to push code.")
      else
        raise 'Wrong actor'
      end
    end

    def user_download_access_check
      unless user_can_download_code? || build_can_download_code?
        return build_status_object(false, "You are not allowed to download code from this project.")
      end

      build_status_object(true)
    end

    def user_can_download_code?
      authentication_abilities.include?(:download_code) && user_access.can_do_action?(:download_code)
    end

    def build_can_download_code?
      authentication_abilities.include?(:build_download_code) && user_access.can_do_action?(:build_download_code)
    end

    def user_push_access_check(changes)
      unless authentication_abilities.include?(:push_code)
        return build_status_object(false, "You are not allowed to upload code for this project.")
      end

      if changes.blank?
        return build_status_object(true)
      end

      unless project.repository.exists?
        return build_status_object(false, "A repository for this project does not exist yet.")
      end

      changes_list = Gitlab::ChangesList.new(changes)

      # Iterate over all changes to find if user allowed all of them to be applied
      changes_list.each do |change|
        status = change_access_check(change)
        unless status.allowed?
          # If user does not have access to make at least one change - cancel all push
          return status
        end
      end

      build_status_object(true)
    end

    def change_access_check(change)
      Checks::ChangeAccess.new(change, user_access: user_access, project: project).exec
    end

    def protocol_allowed?
      Gitlab::ProtocolAccess.allowed?(protocol)
    end

    private

    def matching_merge_request?(newrev, branch_name)
      Checks::MatchingMergeRequest.new(newrev, branch_name, project).match?
    end

    def deploy_key
      actor if actor.is_a?(DeployKey)
    end

    def deploy_key_can_read_project?
      if deploy_key
        return true if project.public?
        deploy_key.projects.include?(project)
      else
        false
      end
    end

    protected

    def user
      return @user if defined?(@user)

      @user =
        case actor
        when User
          actor
        when DeployKey
          nil
        when Key
          actor.user
        end
    end

    def build_status_object(status, message = '')
      Gitlab::GitAccessStatus.new(status, message)
    end
  end
end
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 04:16:56 -04:00			`# Check a user's access to perform a git action. All public methods in this`
			# class return an instance of `GitlabAccessStatus`
Add Gitlab::GitAccess class to resolve auth issues during pull/push Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-19 15:01:00 -04:00			`module Gitlab`
			`class GitAccess`
			`DOWNLOAD_COMMANDS = %w{ git-upload-pack git-upload-archive }`
			`PUSH_COMMANDS = %w{ git-receive-pack }`

Rename capabilities to authentication_abilities 2016-09-16 03:59:10 -04:00			`attr_reader :actor, :project, :protocol, :user_access, :authentication_abilities`
Add Gitlab::GitAccess class to resolve auth issues during pull/push Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-19 15:01:00 -04:00
Rename capabilities to authentication_abilities 2016-09-16 03:59:10 -04:00			`def initialize(actor, project, protocol, authentication_abilities:)`
Refactor GitAccess to use instance variables. 2015-03-24 09:10:55 -04:00			`@actor = actor`
			`@project = project`
Only allow Git Access on the allowed protocol 2016-06-20 21:40:56 -04:00			`@protocol = protocol`
Rename capabilities to authentication_abilities 2016-09-16 03:59:10 -04:00			`@authentication_abilities = authentication_abilities`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 04:16:56 -04:00			`@user_access = UserAccess.new(user, project: project)`
Refactor GitAccess to use instance variables. 2015-03-24 09:10:55 -04:00			`end`

Stop 'git push' over HTTP early Before this change we always let users push Git data over HTTP before deciding whether to accept to push. This was different from pushing over SSH where we terminate a 'git push' early if we already know the user is not allowed to push. This change let Git over HTTP follow the same behavior as Git over SSH. We also distinguish between HTTP 404 and 403 responses when denying Git requests, depending on whether the user is allowed to know the project exists. 2016-08-03 08:54:12 -04:00			`def check(cmd, changes)`
Only allow Git Access on the allowed protocol 2016-06-20 21:40:56 -04:00			`return build_status_object(false, "Git access over #{protocol.upcase} is not allowed") unless protocol_allowed?`

Improve Git access error messages. 2015-05-10 17:07:35 -04:00			`unless actor`
			`return build_status_object(false, "No user or key was provided.")`
			`end`

Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 04:16:56 -04:00			`if user && !user_access.allowed?`
Improve Git access error messages. 2015-05-10 17:07:35 -04:00			`return build_status_object(false, "Your account has been blocked.")`
			`end`

Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 04:16:56 -04:00			`unless project && (user_access.can_read_project? \|\| deploy_key_can_read_project?)`
Improve Git access error messages. 2015-05-10 17:07:35 -04:00			`return build_status_object(false, 'The project you were looking for could not be found.')`
			`end`

Add Gitlab::GitAccess class to resolve auth issues during pull/push Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-19 15:01:00 -04:00			`case cmd`
			`when *DOWNLOAD_COMMANDS`
Refactor GitAccess to use instance variables. 2015-03-24 09:10:55 -04:00			`download_access_check`
Add Gitlab::GitAccess class to resolve auth issues during pull/push Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-19 15:01:00 -04:00			`when *PUSH_COMMANDS`
Refactor GitAccess to use instance variables. 2015-03-24 09:10:55 -04:00			`push_access_check(changes)`
Add Gitlab::GitAccess class to resolve auth issues during pull/push Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-19 15:01:00 -04:00			`else`
Improve Git access error messages. 2015-05-10 17:07:35 -04:00			`build_status_object(false, "The command you're trying to execute is not allowed.")`
Add Gitlab::GitAccess class to resolve auth issues during pull/push Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-19 15:01:00 -04:00			`end`
			`end`

Refactor GitAccess to use instance variables. 2015-03-24 09:10:55 -04:00			`def download_access_check`
			`if user`
			`user_download_access_check`
			`elsif deploy_key`
Improve Git access error messages. 2015-05-10 17:07:35 -04:00			`build_status_object(true)`
Fix deploy keys permission check in internal api Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-12-01 09:25:10 -05:00			`else`
			`raise 'Wrong actor'`
			`end`
			`end`

Refactor GitAccess to use instance variables. 2015-03-24 09:10:55 -04:00			`def push_access_check(changes)`
			`if user`
			`user_push_access_check(changes)`
			`elsif deploy_key`
Improve Git access error messages. 2015-05-10 17:07:35 -04:00			`build_status_object(false, "Deploy keys are not allowed to push code.")`
Refactor GitAccess to use instance variables. 2015-03-24 09:10:55 -04:00			`else`
			`raise 'Wrong actor'`
			`end`
			`end`

			`def user_download_access_check`
Use `build_read_container_image` and use `build_download_code` 2016-09-15 04:34:53 -04:00			`unless user_can_download_code? \|\| build_can_download_code?`
Improve Git access error messages. 2015-05-10 17:07:35 -04:00			`return build_status_object(false, "You are not allowed to download code from this project.")`
Add Gitlab::GitAccess class to resolve auth issues during pull/push Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-19 15:01:00 -04:00			`end`

Improve Git access error messages. 2015-05-10 17:07:35 -04:00			`build_status_object(true)`
Refactor GitAccess to use instance variables. 2015-03-24 09:10:55 -04:00			`end`

Use `build_read_container_image` and use `build_download_code` 2016-09-15 04:34:53 -04:00			`def user_can_download_code?`
Rename capabilities to authentication_abilities 2016-09-16 03:59:10 -04:00			`authentication_abilities.include?(:download_code) && user_access.can_do_action?(:download_code)`
Use a permissions of user to access all dependent projects from CI jobs (this also includes a container images, and in future LFS files) 2016-08-08 06:01:25 -04:00			`end`

Use `build_read_container_image` and use `build_download_code` 2016-09-15 04:34:53 -04:00			`def build_can_download_code?`
Rename capabilities to authentication_abilities 2016-09-16 03:59:10 -04:00			`authentication_abilities.include?(:build_download_code) && user_access.can_do_action?(:build_download_code)`
Use a permissions of user to access all dependent projects from CI jobs (this also includes a container images, and in future LFS files) 2016-08-08 06:01:25 -04:00			`end`

Refactor GitAccess to use instance variables. 2015-03-24 09:10:55 -04:00			`def user_push_access_check(changes)`
Rename capabilities to authentication_abilities 2016-09-16 03:59:10 -04:00			`unless authentication_abilities.include?(:push_code)`
Use a permissions of user to access all dependent projects from CI jobs (this also includes a container images, and in future LFS files) 2016-08-08 06:01:25 -04:00			`return build_status_object(false, "You are not allowed to upload code for this project.")`
			`end`

Decline push if repository does not exist Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-12-05 11:17:51 -05:00			`if changes.blank?`
			`return build_status_object(true)`
			`end`

			`unless project.repository.exists?`
Improve Git access error messages. 2015-05-10 17:07:35 -04:00			`return build_status_object(false, "A repository for this project does not exist yet.")`
Decline push if repository does not exist Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-12-05 11:17:51 -05:00			`end`
Rewrite GitAccess for gitlab-shell v2 Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-09-01 12:57:25 -04:00
api for generating new merge request DRY code + fix rubocop Add more test cases Append to changelog DRY changes list find_url service for merge_requests use GET for getting merge request links remove files rename to get_url_service reduce loop add test case for cross project refactor tiny thing update changelog 2016-07-28 00:04:57 -04:00			`changes_list = Gitlab::ChangesList.new(changes)`
Rewrite GitAccess for gitlab-shell v2 Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-09-01 12:57:25 -04:00
			`# Iterate over all changes to find if user allowed all of them to be applied`
api for generating new merge request DRY code + fix rubocop Add more test cases Append to changelog DRY changes list find_url service for merge_requests use GET for getting merge request links remove files rename to get_url_service reduce loop add test case for cross project refactor tiny thing update changelog 2016-07-28 00:04:57 -04:00			`changes_list.each do \|change\|`
Refactor GitAccess to use instance variables. 2015-03-24 09:10:55 -04:00			`status = change_access_check(change)`
Better message for failed pushes because of git hooks Conflicts: lib/gitlab/git_access.rb spec/lib/gitlab/git_access_spec.rb 2014-11-14 11:23:55 -05:00			`unless status.allowed?`
Rewrite GitAccess for gitlab-shell v2 Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-09-01 12:57:25 -04:00			`# If user does not have access to make at least one change - cancel all push`
Better message for failed pushes because of git hooks Conflicts: lib/gitlab/git_access.rb spec/lib/gitlab/git_access_spec.rb 2014-11-14 11:23:55 -05:00			`return status`
Rewrite GitAccess for gitlab-shell v2 Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-09-01 12:57:25 -04:00			`end`
			`end`

Refactor GitAccess to use instance variables. 2015-03-24 09:10:55 -04:00			`build_status_object(true)`
Rewrite GitAccess for gitlab-shell v2 Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-09-01 12:57:25 -04:00			`end`

Refactor GitAccess to use instance variables. 2015-03-24 09:10:55 -04:00			`def change_access_check(change)`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 04:16:56 -04:00			`Checks::ChangeAccess.new(change, user_access: user_access, project: project).exec`
Add Gitlab::GitAccess class to resolve auth issues during pull/push Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-19 15:01:00 -04:00			`end`

Correct access control flow for Git HTTP requests. 2016-06-27 12:14:44 -04:00			`def protocol_allowed?`
			`Gitlab::ProtocolAccess.allowed?(protocol)`
			`end`

Add Gitlab::GitAccess class to resolve auth issues during pull/push Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-19 15:01:00 -04:00			`private`

Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 04:16:56 -04:00			`def matching_merge_request?(newrev, branch_name)`
			`Checks::MatchingMergeRequest.new(newrev, branch_name, project).match?`
Move protected branch actions into a method. 2014-12-26 03:52:39 -05:00			`end`

Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 04:16:56 -04:00			`def deploy_key`
			`actor if actor.is_a?(DeployKey)`
Fix ref parsing in Gitlab::GitAccess 2014-09-23 07:18:36 -04:00			`end`
Better message for failed pushes because of git hooks Conflicts: lib/gitlab/git_access.rb spec/lib/gitlab/git_access_spec.rb 2014-11-14 11:23:55 -05:00
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 04:16:56 -04:00			`def deploy_key_can_read_project?`
			`if deploy_key`
Allow to pull code with deploy key from public projects 2016-07-18 06:36:44 -04:00			`return true if project.public?`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 04:16:56 -04:00			`deploy_key.projects.include?(project)`
Revert "Merge branch '18193-developers-can-merge' into 'master' " This reverts commit 9ca633eb4c62231e4ddff5466c723cf8e2bdb25d, reversing changes made to fb229bbf7970ba908962b837b270adf56f14098f. 2016-07-13 14:57:30 -04:00			`else`
Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 04:16:56 -04:00			`false`
Revert "Merge branch '18193-developers-can-merge' into 'master' " This reverts commit 9ca633eb4c62231e4ddff5466c723cf8e2bdb25d, reversing changes made to fb229bbf7970ba908962b837b270adf56f14098f. 2016-07-13 14:57:30 -04:00			`end`
Refactor `Gitlab::GitAccess` 1. Don't use case statements for dispatch anymore. This leads to a lot of duplication, and makes the logic harder to follow. 2. Remove duplicated logic. - For example, the `can_push_to_branch?` exists, but we also have a different way of checking the same condition within `change_access_check`. - This kind of duplication is removed, and the `can_push_to_branch?` method is used in both places. 3. Move checks returning true/false to `UserAccess`. - All public methods in `GitAccess` now return an instance of `GitAccessStatus`. Previously, some methods would return true/false as well, which was confusing. - It makes sense for these kinds of checks to be at the level of a user, so the `UserAccess` class was repurposed for this. The prior `UserAccess.allowed?` classmethod is converted into an instance method. - All external uses of these checks have been migrated to use the `UserAccess` class 4. Move the "change_access_check" into a separate class. - Create the `GitAccess::ChangeAccessCheck` class to run these checks, which are quite substantial. - `ChangeAccessCheck` returns an instance of `GitAccessStatus` as well. 5. Break out the boolean logic in `ChangeAccessCheck` into `if/else` chains - this seems more readable. 6. I can understand that this might look like overkill for !4892, but I think this is a good opportunity to clean it up. - http://martinfowler.com/bliki/OpportunisticRefactoring.html 2016-06-24 01:07:04 -04:00			`end`

Revert "Merge branch '18193-developers-can-merge' into 'master' " This reverts commit 9ca633eb4c62231e4ddff5466c723cf8e2bdb25d, reversing changes made to fb229bbf7970ba908962b837b270adf56f14098f. 2016-07-13 14:57:30 -04:00			`protected`

Revert "Revert "Merge branch '18193-developers-can-merge' into 'master' "" This reverts commit 530f5158e297f3cde27f3566cfe13bad74ba3b50. See !4892. Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-07-18 04:16:56 -04:00			`def user`
			`return @user if defined?(@user)`

			`@user =`
			`case actor`
			`when User`
			`actor`
			`when DeployKey`
			`nil`
			`when Key`
			`actor.user`
			`end`
			`end`

Better message for failed pushes because of git hooks Conflicts: lib/gitlab/git_access.rb spec/lib/gitlab/git_access_spec.rb 2014-11-14 11:23:55 -05:00			`def build_status_object(status, message = '')`
Fixing scope issue in GitAccess. 2016-07-25 17:46:40 -04:00			`Gitlab::GitAccessStatus.new(status, message)`
Better message for failed pushes because of git hooks Conflicts: lib/gitlab/git_access.rb spec/lib/gitlab/git_access_spec.rb 2014-11-14 11:23:55 -05:00			`end`
Add Gitlab::GitAccess class to resolve auth issues during pull/push Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-03-19 15:01:00 -04:00			`end`
			`end`