add gitlab-shell identification
parent
f7342ce567
commit
b5763e91cd
|
@ -39,3 +39,4 @@ public/assets/
|
||||||
.envrc
|
.envrc
|
||||||
dump.rdb
|
dump.rdb
|
||||||
tags
|
tags
|
||||||
|
.gitlab_shell_secret
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
2.0.1
|
2.0.2
|
||||||
|
|
|
@ -0,0 +1,19 @@
|
||||||
|
# Be sure to restart your server when you modify this file.
|
||||||
|
|
||||||
|
require 'securerandom'
|
||||||
|
|
||||||
|
# Your secret key for verifying the gitlab_shell.
|
||||||
|
|
||||||
|
|
||||||
|
secret_file = Rails.root.join('.gitlab_shell_secret')
|
||||||
|
gitlab_shell_symlink = File.join(Gitlab.config.gitlab_shell.path, '.gitlab_shell_secret')
|
||||||
|
|
||||||
|
unless File.exist? secret_file
|
||||||
|
# Generate a new token of 16 random hexadecimal characters and store it in secret_file.
|
||||||
|
token = SecureRandom.hex(16)
|
||||||
|
File.write(secret_file, token)
|
||||||
|
end
|
||||||
|
|
||||||
|
if File.exist?(Gitlab.config.gitlab_shell.path) && !File.exist?(gitlab_shell_symlink)
|
||||||
|
FileUtils.symlink(secret_file, gitlab_shell_symlink)
|
||||||
|
end
|
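Review bot: `File.write(secret_file, token)` creates `.gitlab_shell_secret` with whatever mode the process umask allows, so under a common 022 umask the shared secret is readable by every local account. Pass the mode explicitly, e.g. `File.write(secret_file, token, perm: 0600)`, assuming gitlab-shell reads the symlinked file as the same user. The comment above `SecureRandom.hex(16)` should say 32 hexadecimal characters (16 random bytes). `FileUtils.symlink` is called without a `require 'fileutils'` in this file, so it relies on something else having loaded it.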
|
@ -67,6 +67,10 @@ module API
|
||||||
unauthorized! unless current_user
|
unauthorized! unless current_user
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def authenticate_by_gitlab_shell_token!
|
||||||
|
unauthorized! unless secret_token == params['secret_token']
|
||||||
|
end
|
||||||
|
|
||||||
def authenticated_as_admin!
|
def authenticated_as_admin!
|
||||||
forbidden! unless current_user.is_admin?
|
forbidden! unless current_user.is_admin?
|
||||||
end
|
end
|
||||||
|
@ -193,5 +197,9 @@ module API
|
||||||
abilities
|
abilities
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def secret_token
|
||||||
|
File.read(Rails.root.join('.gitlab_shell_secret'))
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
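Review bot: `secret_token == params['secret_token']` in `authenticate_by_gitlab_shell_token!` checks a credential with an ordinary string `==`, which stops at the first differing byte. A constant-time comparison is the usual choice here, for example `unauthorized! unless Rack::Utils.secure_compare(secret_token, params['secret_token'].to_s)` if the bundled Rack version provides it. In the second hunk `secret_token` returns the raw `File.read` result, so a trailing newline in a hand-provisioned or edited file would make every request fail; `File.read(Rails.root.join('.gitlab_shell_secret')).chomp` avoids that. The helper also raises instead of answering 401 when the file is missing, which deserves a short comment. Both methods sit in a module whose body extends beyond the hunks.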
||||||
|
|
|
@ -1,6 +1,10 @@
|
||||||
module API
|
module API
|
||||||
# Internal access API
|
# Internal access API
|
||||||
class Internal < Grape::API
|
class Internal < Grape::API
|
||||||
|
before {
|
||||||
|
authenticate_by_gitlab_shell_token!
|
||||||
|
}
|
||||||
|
|
||||||
namespace 'internal' do
|
namespace 'internal' do
|
||||||
# Check if git command is allowed to project
|
# Check if git command is allowed to project
|
||||||
#
|
#
|
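Review bot: The `before` block makes every route in `API::Internal` depend on `params['secret_token']`, so the shared secret travels as an ordinary request parameter. For the GET endpoints it sits in the query string, where web-server access logs and any request logging can record it. Consider reading it from a request header instead, or at least make sure `secret_token` is in the application's filtered parameters (not visible in this diff, so it may already be covered). A one-line comment such as `# All internal endpoints require the gitlab-shell shared secret.` above the block would help, and `before { authenticate_by_gitlab_shell_token! }` on one line reads better than braces spread over three lines. The class body continues past the end of the hunk.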
||||||
|
|
|
@ -5,10 +5,11 @@ describe API::API, api: true do
|
||||||
let(:user) { create(:user) }
|
let(:user) { create(:user) }
|
||||||
let(:key) { create(:key, user: user) }
|
let(:key) { create(:key, user: user) }
|
||||||
let(:project) { create(:project) }
|
let(:project) { create(:project) }
|
||||||
|
let(:secret_token) { File.read Rails.root.join('.gitlab_shell_secret') }
|
||||||
|
|
||||||
describe "GET /internal/check", no_db: true do
|
describe "GET /internal/check", no_db: true do
|
||||||
it do
|
it do
|
||||||
get api("/internal/check")
|
get api("/internal/check"), secret_token: secret_token
|
||||||
|
|
||||||
response.status.should == 200
|
response.status.should == 200
|
||||||
json_response['api_version'].should == API::API.version
|
json_response['api_version'].should == API::API.version
|
||||||
|
@ -17,7 +18,7 @@ describe API::API, api: true do
|
||||||
|
|
||||||
describe "GET /internal/discover" do
|
describe "GET /internal/discover" do
|
||||||
it do
|
it do
|
||||||
get(api("/internal/discover"), key_id: key.id)
|
get(api("/internal/discover"), key_id: key.id, secret_token: secret_token)
|
||||||
|
|
||||||
response.status.should == 200
|
response.status.should == 200
|
||||||
|
|
||||||
|
@ -159,7 +160,8 @@ describe API::API, api: true do
|
||||||
api("/internal/allowed"),
|
api("/internal/allowed"),
|
||||||
key_id: key.id,
|
key_id: key.id,
|
||||||
project: project.path_with_namespace,
|
project: project.path_with_namespace,
|
||||||
action: 'git-upload-pack'
|
action: 'git-upload-pack',
|
||||||
|
secret_token: secret_token
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -169,7 +171,8 @@ describe API::API, api: true do
|
||||||
changes: 'd14d6c0abdd253381df51a723d58691b2ee1ab08 570e7b2abdd848b95f2f578043fc23bd6f6fd24d refs/heads/master',
|
changes: 'd14d6c0abdd253381df51a723d58691b2ee1ab08 570e7b2abdd848b95f2f578043fc23bd6f6fd24d refs/heads/master',
|
||||||
key_id: key.id,
|
key_id: key.id,
|
||||||
project: project.path_with_namespace,
|
project: project.path_with_namespace,
|
||||||
action: 'git-receive-pack'
|
action: 'git-receive-pack',
|
||||||
|
secret_token: secret_token
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -179,7 +182,8 @@ describe API::API, api: true do
|
||||||
ref: 'master',
|
ref: 'master',
|
||||||
key_id: key.id,
|
key_id: key.id,
|
||||||
project: project.path_with_namespace,
|
project: project.path_with_namespace,
|
||||||
action: 'git-upload-archive'
|
action: 'git-upload-archive',
|
||||||
|
secret_token: secret_token
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
end
|
end
|
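Review bot: None of the updated examples exercises the rejection path: every request now carries a valid `secret_token`, so a regression that stops enforcing the check would still pass this spec. Add examples that call an internal endpoint without the token and with a wrong one, e.g. `get api("/internal/check")` followed by `response.status.should == 401` (assuming `unauthorized!` renders 401). The `let(:secret_token)` reads the real `.gitlab_shell_secret` under `Rails.root`, which ties the spec to the initializer having run in the test environment; a comment saying so would help.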
||||||
|
|