From 19c28822ef60da0f4eda380e6cab3be4a4cb18e5 Mon Sep 17 00:00:00 2001
From: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
Date: Wed, 19 Mar 2014 21:01:00 +0200
Subject: [PATCH] Add Gitlab::GitAccess class to resolve auth issues during
 pull/push

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
---
 lib/gitlab/git_access.rb | 74 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 74 insertions(+)
 create mode 100644 lib/gitlab/git_access.rb

diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
new file mode 100644
index 00000000000..5fb5505743f
--- /dev/null
+++ b/lib/gitlab/git_access.rb
@@ -0,0 +1,74 @@
+module Gitlab
+  class GitAccess
+    DOWNLOAD_COMMANDS = %w{ git-upload-pack git-upload-archive }
+    PUSH_COMMANDS = %w{ git-receive-pack }
+
+    attr_reader :params, :project, :git_cmd, :user
+
+    def allowed?(actor, cmd, project, ref = nil, oldrev = nil, newrev = nil)
+      case cmd
+      when *DOWNLOAD_COMMANDS
+        if actor.is_a? User
+          download_allowed?(actor, project)
+        elsif actor.is_a? DeployKey
+          actor.projects.include?(project)
+        elsif actor.is_a? Key
+          download_allowed?(actor.user, project)
+        else
+          raise 'Wrong actor'
+        end
+      when *PUSH_COMMANDS
+        if actor.is_a? User
+          push_allowed?(actor, project, ref, oldrev, newrev)
+        elsif actor.is_a? DeployKey
+          # Deploy key not allowed to push
+          return false
+        elsif actor.is_a? Key
+          push_allowed?(actor.user, project, ref, oldrev, newrev)
+        else
+          raise 'Wrong actor'
+        end
+      else
+        false
+      end
+    end
+
+    def download_allowed?(user, project)
+      if user_allowed?(user)
+        user.can?(:download_code, project)
+      else
+        false
+      end
+    end
+
+    def push_allowed?(user, project, ref, oldrev, newrev)
+      if user_allowed?(user)
+        action = if project.protected_branch?(ref)
+                   :push_code_to_protected_branches
+                 else
+                   :push_code
+                 end
+        user.can?(action, project)
+      else
+        false
+      end
+    end
+
+    private
+
+    def user_allowed?(user)
+      return false if user.blocked?
+
+      if Gitlab.config.ldap.enabled
+        if user.ldap_user?
+          # Check if LDAP user exists and match LDAP user_filter
+          unless Gitlab::LDAP::Access.new.allowed?(user)
+            return false
+          end
+        end
+      end
+
+      true
+    end
+  end
+end