add gitlab-shell identification
This commit is contained in:
parent
f7342ce567
commit
b5763e91cd
|
@ -39,3 +39,4 @@ public/assets/
|
|||
.envrc
|
||||
dump.rdb
|
||||
tags
|
||||
.gitlab_shell_secret
|
||||
|
|
|
@ -1 +1 @@
|
|||
2.0.1
|
||||
2.0.2
|
||||
|
|
|
@ -0,0 +1,19 @@
|
|||
# Be sure to restart your server when you modify this file.
|
||||
|
||||
require 'securerandom'
|
||||
|
||||
# Your secret key for verifying the gitlab_shell.
|
||||
|
||||
|
||||
secret_file = Rails.root.join('.gitlab_shell_secret')
|
||||
gitlab_shell_symlink = File.join(Gitlab.config.gitlab_shell.path, '.gitlab_shell_secret')
|
||||
|
||||
unless File.exist? secret_file
|
||||
# Generate a new token of 16 random hexadecimal characters and store it in secret_file.
|
||||
token = SecureRandom.hex(16)
|
||||
File.write(secret_file, token)
|
||||
end
|
||||
|
||||
if File.exist?(Gitlab.config.gitlab_shell.path) && !File.exist?(gitlab_shell_symlink)
|
||||
FileUtils.symlink(secret_file, gitlab_shell_symlink)
|
||||
end
|
|
@ -67,6 +67,10 @@ module API
|
|||
unauthorized! unless current_user
|
||||
end
|
||||
|
||||
def authenticate_by_gitlab_shell_token!
|
||||
unauthorized! unless secret_token == params['secret_token']
|
||||
end
|
||||
|
||||
def authenticated_as_admin!
|
||||
forbidden! unless current_user.is_admin?
|
||||
end
|
||||
|
@ -193,5 +197,9 @@ module API
|
|||
abilities
|
||||
end
|
||||
end
|
||||
|
||||
def secret_token
|
||||
File.read(Rails.root.join('.gitlab_shell_secret'))
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -1,6 +1,10 @@
|
|||
module API
|
||||
# Internal access API
|
||||
class Internal < Grape::API
|
||||
before {
|
||||
authenticate_by_gitlab_shell_token!
|
||||
}
|
||||
|
||||
namespace 'internal' do
|
||||
# Check if git command is allowed to project
|
||||
#
|
||||
|
|
|
@ -5,10 +5,11 @@ describe API::API, api: true do
|
|||
let(:user) { create(:user) }
|
||||
let(:key) { create(:key, user: user) }
|
||||
let(:project) { create(:project) }
|
||||
let(:secret_token) { File.read Rails.root.join('.gitlab_shell_secret') }
|
||||
|
||||
describe "GET /internal/check", no_db: true do
|
||||
it do
|
||||
get api("/internal/check")
|
||||
get api("/internal/check"), secret_token: secret_token
|
||||
|
||||
response.status.should == 200
|
||||
json_response['api_version'].should == API::API.version
|
||||
|
@ -17,7 +18,7 @@ describe API::API, api: true do
|
|||
|
||||
describe "GET /internal/discover" do
|
||||
it do
|
||||
get(api("/internal/discover"), key_id: key.id)
|
||||
get(api("/internal/discover"), key_id: key.id, secret_token: secret_token)
|
||||
|
||||
response.status.should == 200
|
||||
|
||||
|
@ -159,7 +160,8 @@ describe API::API, api: true do
|
|||
api("/internal/allowed"),
|
||||
key_id: key.id,
|
||||
project: project.path_with_namespace,
|
||||
action: 'git-upload-pack'
|
||||
action: 'git-upload-pack',
|
||||
secret_token: secret_token
|
||||
)
|
||||
end
|
||||
|
||||
|
@ -169,7 +171,8 @@ describe API::API, api: true do
|
|||
changes: 'd14d6c0abdd253381df51a723d58691b2ee1ab08 570e7b2abdd848b95f2f578043fc23bd6f6fd24d refs/heads/master',
|
||||
key_id: key.id,
|
||||
project: project.path_with_namespace,
|
||||
action: 'git-receive-pack'
|
||||
action: 'git-receive-pack',
|
||||
secret_token: secret_token
|
||||
)
|
||||
end
|
||||
|
||||
|
@ -179,7 +182,8 @@ describe API::API, api: true do
|
|||
ref: 'master',
|
||||
key_id: key.id,
|
||||
project: project.path_with_namespace,
|
||||
action: 'git-upload-archive'
|
||||
action: 'git-upload-archive',
|
||||
secret_token: secret_token
|
||||
)
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue