module Gitlab module Git class GitlabProjects include Gitlab::Git::Popen # Absolute path to directory where repositories are stored. # Example: /home/git/repositories attr_reader :shard_path # Relative path is a directory name for repository with .git at the end. # Example: gitlab-org/gitlab-test.git attr_reader :repository_relative_path # Absolute path to the repository. # Example: /home/git/repositorities/gitlab-org/gitlab-test.git attr_reader :repository_absolute_path # This is the path at which the gitlab-shell hooks directory can be found. # It's essential for integration between git and GitLab proper. All new # repositories should have their hooks directory symlinked here. attr_reader :global_hooks_path attr_reader :logger def initialize(shard_path, repository_relative_path, global_hooks_path:, logger:) @shard_path = shard_path @repository_relative_path = repository_relative_path @logger = logger @global_hooks_path = global_hooks_path @repository_absolute_path = File.join(shard_path, repository_relative_path) @output = StringIO.new end def output io = @output.dup io.rewind io.read end def rm_project logger.info "Removing repository <#{repository_absolute_path}>." FileUtils.rm_rf(repository_absolute_path) end # Move repository from one directory to another # # Example: gitlab/gitlab-ci.git -> randx/six.git # # Won't work if target namespace directory does not exist # def mv_project(new_path) new_absolute_path = File.join(shard_path, new_path) # verify that the source repo exists unless File.exist?(repository_absolute_path) logger.error "mv-project failed: source path <#{repository_absolute_path}> does not exist." return false end # ...and that the target repo does not exist if File.exist?(new_absolute_path) logger.error "mv-project failed: destination path <#{new_absolute_path}> already exists." return false end logger.info "Moving repository from <#{repository_absolute_path}> to <#{new_absolute_path}>." FileUtils.mv(repository_absolute_path, new_absolute_path) end # Import project via git clone --bare # URL must be publicly cloneable def import_project(source, timeout) # Skip import if repo already exists return false if File.exist?(repository_absolute_path) masked_source = mask_password_in_url(source) logger.info "Importing project from <#{masked_source}> to <#{repository_absolute_path}>." cmd = %W(git clone --bare -- #{source} #{repository_absolute_path}) success = run_with_timeout(cmd, timeout, nil) unless success logger.error("Importing project from <#{masked_source}> to <#{repository_absolute_path}> failed.") FileUtils.rm_rf(repository_absolute_path) return false end Gitlab::Git::Repository.create_hooks(repository_absolute_path, global_hooks_path) # The project was imported successfully. # Remove the origin URL since it may contain password. remove_origin_in_repo true end def fork_repository(new_shard_path, new_repository_relative_path) from_path = repository_absolute_path to_path = File.join(new_shard_path, new_repository_relative_path) # The repository cannot already exist if File.exist?(to_path) logger.error "fork-repository failed: destination repository <#{to_path}> already exists." return false end # Ensure the namepsace / hashed storage directory exists FileUtils.mkdir_p(File.dirname(to_path), mode: 0770) logger.info "Forking repository from <#{from_path}> to <#{to_path}>." cmd = %W(git clone --bare --no-local -- #{from_path} #{to_path}) run(cmd, nil) && Gitlab::Git::Repository.create_hooks(to_path, global_hooks_path) end def fetch_remote(name, timeout, force:, tags:, ssh_key: nil, known_hosts: nil) tags_option = tags ? '--tags' : '--no-tags' logger.info "Fetching remote #{name} for repository #{repository_absolute_path}." cmd = %W(git fetch #{name} --prune --quiet) cmd << '--force' if force cmd << tags_option setup_ssh_auth(ssh_key, known_hosts) do |env| success = run_with_timeout(cmd, timeout, repository_absolute_path, env) unless success logger.error "Fetching remote #{name} for repository #{repository_absolute_path} failed." end success end end def push_branches(remote_name, timeout, force, branch_names) logger.info "Pushing branches from #{repository_absolute_path} to remote #{remote_name}: #{branch_names}" cmd = %w(git push) cmd << '--force' if force cmd += %W(-- #{remote_name}).concat(branch_names) success = run_with_timeout(cmd, timeout, repository_absolute_path) unless success logger.error("Pushing branches to remote #{remote_name} failed.") end success end def delete_remote_branches(remote_name, branch_names) branches = branch_names.map { |branch_name| ":#{branch_name}" } logger.info "Pushing deleted branches from #{repository_absolute_path} to remote #{remote_name}: #{branch_names}" cmd = %W(git push -- #{remote_name}).concat(branches) success = run(cmd, repository_absolute_path) unless success logger.error("Pushing deleted branches to remote #{remote_name} failed.") end success end protected def run(*args) output, exitstatus = popen(*args) @output << output exitstatus&.zero? end def run_with_timeout(*args) output, exitstatus = popen_with_timeout(*args) @output << output exitstatus&.zero? rescue Timeout::Error @output.puts('Timed out') false end def mask_password_in_url(url) result = URI(url) result.password = "*****" unless result.password.nil? result.user = "*****" unless result.user.nil? # it's needed for oauth access_token result rescue url end def remove_origin_in_repo cmd = %w(git remote rm origin) run(cmd, repository_absolute_path) end # Builds a small shell script that can be used to execute SSH with a set of # custom options. # # Options are expanded as `'-oKey="Value"'`, so SSH will correctly interpret # paths with spaces in them. We trust the user not to embed single or double # quotes in the key or value. def custom_ssh_script(options = {}) args = options.map { |k, v| %Q{'-o#{k}="#{v}"'} }.join(' ') [ "#!/bin/sh", "exec ssh #{args} \"$@\"" ].join("\n") end # Known hosts data and private keys can be passed to gitlab-shell in the # environment. If present, this method puts them into temporary files, writes # a script that can substitute as `ssh`, setting the options to respect those # files, and yields: { "GIT_SSH" => "/tmp/myScript" } def setup_ssh_auth(key, known_hosts) options = {} if key key_file = Tempfile.new('gitlab-shell-key-file') key_file.chmod(0o400) key_file.write(key) key_file.close options['IdentityFile'] = key_file.path options['IdentitiesOnly'] = 'yes' end if known_hosts known_hosts_file = Tempfile.new('gitlab-shell-known-hosts') known_hosts_file.chmod(0o400) known_hosts_file.write(known_hosts) known_hosts_file.close options['StrictHostKeyChecking'] = 'yes' options['UserKnownHostsFile'] = known_hosts_file.path end return yield({}) if options.empty? script = Tempfile.new('gitlab-shell-ssh-wrapper') script.chmod(0o755) script.write(custom_ssh_script(options)) script.close yield('GIT_SSH' => script.path) ensure key_file&.close! known_hosts_file&.close! script&.close! end end end end