2020-02-13 10:08:52 -05:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
|
|
module Gitlab
|
|
|
|
class GitAccessSnippet < GitAccess
|
2020-02-27 10:09:24 -05:00
|
|
|
extend ::Gitlab::Utils::Override
|
|
|
|
|
2020-02-13 10:08:52 -05:00
|
|
|
ERROR_MESSAGES = {
|
2020-02-27 10:09:24 -05:00
|
|
|
authentication_mechanism: 'The authentication mechanism is not supported.',
|
|
|
|
read_snippet: 'You are not allowed to read this snippet.',
|
|
|
|
update_snippet: 'You are not allowed to update this snippet.',
|
2020-02-13 10:08:52 -05:00
|
|
|
snippet_not_found: 'The snippet you were looking for could not be found.',
|
|
|
|
repository_not_found: 'The snippet repository you were looking for could not be found.'
|
|
|
|
}.freeze
|
|
|
|
|
|
|
|
attr_reader :snippet
|
|
|
|
|
2020-04-06 20:09:33 -04:00
|
|
|
alias_method :container, :snippet
|
|
|
|
|
2020-02-13 10:08:52 -05:00
|
|
|
def initialize(actor, snippet, protocol, **kwargs)
|
|
|
|
@snippet = snippet
|
|
|
|
|
2020-02-27 10:09:24 -05:00
|
|
|
super(actor, snippet&.project, protocol, **kwargs)
|
|
|
|
|
|
|
|
@auth_result_type = nil
|
|
|
|
@authentication_abilities &= [:download_code, :push_code]
|
2020-02-13 10:08:52 -05:00
|
|
|
end
|
|
|
|
|
2020-02-27 10:09:24 -05:00
|
|
|
def check(cmd, changes)
|
|
|
|
# TODO: Investigate if expanding actor/authentication types are needed.
|
|
|
|
# https://gitlab.com/gitlab-org/gitlab/issues/202190
|
|
|
|
if actor && !actor.is_a?(User) && !actor.instance_of?(Key)
|
2020-02-27 13:09:21 -05:00
|
|
|
raise ForbiddenError, ERROR_MESSAGES[:authentication_mechanism]
|
2020-02-27 10:09:24 -05:00
|
|
|
end
|
|
|
|
|
2020-02-13 10:08:52 -05:00
|
|
|
check_snippet_accessibility!
|
|
|
|
|
2020-02-27 10:09:24 -05:00
|
|
|
super
|
2020-02-13 10:08:52 -05:00
|
|
|
end
|
|
|
|
|
2020-02-27 10:09:24 -05:00
|
|
|
private
|
|
|
|
|
2020-05-28 11:08:02 -04:00
|
|
|
override :check_namespace!
|
|
|
|
def check_namespace!
|
|
|
|
return unless snippet.is_a?(ProjectSnippet)
|
|
|
|
|
|
|
|
super
|
|
|
|
end
|
|
|
|
|
2020-02-27 10:09:24 -05:00
|
|
|
override :check_project!
|
2020-06-09 17:08:21 -04:00
|
|
|
def check_project!(cmd)
|
2020-03-17 08:09:52 -04:00
|
|
|
return unless snippet.is_a?(ProjectSnippet)
|
|
|
|
|
2020-06-09 17:08:21 -04:00
|
|
|
super
|
2020-02-13 10:08:52 -05:00
|
|
|
end
|
|
|
|
|
2020-02-27 10:09:24 -05:00
|
|
|
override :check_push_access!
|
|
|
|
def check_push_access!
|
2020-02-27 13:09:21 -05:00
|
|
|
raise ForbiddenError, ERROR_MESSAGES[:update_snippet] unless user
|
2020-02-27 10:09:24 -05:00
|
|
|
|
|
|
|
check_change_access!
|
|
|
|
end
|
2020-02-13 10:08:52 -05:00
|
|
|
|
|
|
|
def check_snippet_accessibility!
|
|
|
|
if snippet.blank?
|
|
|
|
raise NotFoundError, ERROR_MESSAGES[:snippet_not_found]
|
|
|
|
end
|
2020-02-27 10:09:24 -05:00
|
|
|
end
|
|
|
|
|
2020-05-06 14:09:38 -04:00
|
|
|
override :can_read_project?
|
|
|
|
def can_read_project?
|
|
|
|
return true if user&.migration_bot?
|
|
|
|
|
|
|
|
super
|
|
|
|
end
|
|
|
|
|
2020-02-27 10:09:24 -05:00
|
|
|
override :check_download_access!
|
|
|
|
def check_download_access!
|
|
|
|
passed = guest_can_download_code? || user_can_download_code?
|
|
|
|
|
|
|
|
unless passed
|
2020-02-27 13:09:21 -05:00
|
|
|
raise ForbiddenError, ERROR_MESSAGES[:read_snippet]
|
2020-02-27 10:09:24 -05:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
override :guest_can_download_code?
|
|
|
|
def guest_can_download_code?
|
|
|
|
Guest.can?(:read_snippet, snippet)
|
|
|
|
end
|
|
|
|
|
|
|
|
override :user_can_download_code?
|
|
|
|
def user_can_download_code?
|
|
|
|
authentication_abilities.include?(:download_code) && user_access.can_do_action?(:read_snippet)
|
|
|
|
end
|
|
|
|
|
|
|
|
override :check_change_access!
|
|
|
|
def check_change_access!
|
|
|
|
unless user_access.can_do_action?(:update_snippet)
|
2020-02-27 13:09:21 -05:00
|
|
|
raise ForbiddenError, ERROR_MESSAGES[:update_snippet]
|
2020-02-27 10:09:24 -05:00
|
|
|
end
|
|
|
|
|
2020-04-06 20:09:33 -04:00
|
|
|
check_size_before_push!
|
|
|
|
|
2020-02-27 10:09:24 -05:00
|
|
|
changes_list.each do |change|
|
|
|
|
# If user does not have access to make at least one change, cancel all
|
|
|
|
# push by allowing the exception to bubble up
|
|
|
|
check_single_change_access(change)
|
|
|
|
end
|
2020-04-06 20:09:33 -04:00
|
|
|
|
|
|
|
check_push_size!
|
2020-02-27 10:09:24 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
def check_single_change_access(change)
|
2020-03-17 02:09:21 -04:00
|
|
|
Checks::SnippetCheck.new(change, logger: logger).validate!
|
2020-05-19 08:08:21 -04:00
|
|
|
Checks::PushFileCountCheck.new(change, repository: repository, limit: Snippet.max_file_limit(user), logger: logger).validate!
|
2020-02-27 10:09:24 -05:00
|
|
|
rescue Checks::TimedLogger::TimeoutError
|
|
|
|
raise TimeoutError, logger.full_message
|
|
|
|
end
|
2020-02-13 10:08:52 -05:00
|
|
|
|
2020-02-27 10:09:24 -05:00
|
|
|
override :check_repository_existence!
|
|
|
|
def check_repository_existence!
|
|
|
|
unless repository.exists?
|
2020-02-13 10:08:52 -05:00
|
|
|
raise NotFoundError, ERROR_MESSAGES[:repository_not_found]
|
|
|
|
end
|
|
|
|
end
|
2020-02-27 10:09:24 -05:00
|
|
|
|
|
|
|
override :user_access
|
|
|
|
def user_access
|
|
|
|
@user_access ||= UserAccessSnippet.new(user, snippet: snippet)
|
|
|
|
end
|
|
|
|
|
|
|
|
# TODO: Implement EE/Geo https://gitlab.com/gitlab-org/gitlab/issues/205629
|
|
|
|
override :check_custom_action
|
|
|
|
def check_custom_action(cmd)
|
|
|
|
nil
|
|
|
|
end
|
2020-05-11 08:10:28 -04:00
|
|
|
|
|
|
|
override :check_size_limit?
|
|
|
|
def check_size_limit?
|
|
|
|
return false if user&.migration_bot?
|
|
|
|
|
|
|
|
super
|
|
|
|
end
|
2020-02-13 10:08:52 -05:00
|
|
|
end
|
|
|
|
end
|