Commit 228d819b
Authored Sep 06, 2018 by Sean McGivern
Merge branch 'ash.mckenzie/geo-git-push-ssh-proxy' into 'master'
Custom Action support

See merge request gitlab-org/gitlab-ce!21034
Parents: 98ae35a8 21cccabe
Showing 6 changed files with 147 additions and 36 deletions (+147 -36)
changelogs/unreleased/ash-mckenzie-geo-git-push-ssh-proxy.yml +5 -0
lib/api/internal.rb +38 -21
lib/gitlab/git_access.rb +9 -1
lib/gitlab/git_access_result/custom_action.rb +25 -0
lib/gitlab/git_access_result/success.rb +8 -0
spec/requests/api/internal_spec.rb +62 -14
changelogs/unreleased/ash-mckenzie-geo-git-push-ssh-proxy.yml
0 → 100644
---
title
:
'
Support
a
custom
action,
such
as
proxying
to
another
server,
after
/api/v4/internal/allowed
check
succeeds'
merge_request
:
21034
author
:
type
:
changed
lib/api/internal.rb
...
...
@@ -6,8 +6,17 @@ module API
helpers
::
API
::
Helpers
::
InternalHelpers
helpers
::
Gitlab
::
Identifier
UNKNOWN_CHECK_RESULT_ERROR
=
'Unknown check result'
.
freeze
helpers
do
def
response_with_status
(
code:
200
,
success:
true
,
message:
nil
,
**
extra_options
)
status
code
{
status:
success
,
message:
message
}.
merge
(
extra_options
).
compact
end
end
namespace
'internal'
do
# Check if git command is allowed
to
project
# Check if git command is allowed
for
project
#
# Params:
# key_id - ssh key id for Git over SSH
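Review bot: in `response_with_status`, `{ status: success, message: message }.merge(extra_options).compact` lets a caller-supplied `status:` key land in `extra_options` and overwrite the `success:` verdict, and `compact` drops every nil-valued key from the response. Consider merging the other way round (`extra_options.merge(status: success, message: message)`) so the verdict cannot be shadowed, and note in a comment that nil-valued payload keys are omitted rather than sent as null.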
...
...
@@ -18,8 +27,6 @@ module API
# action - git action (git-upload-pack or git-receive-pack)
# changes - changes as "oldrev newrev ref", see Gitlab::ChangesList
post
"/allowed"
do
status
200
# Stores some Git-specific env thread-safely
env
=
parse_env
Gitlab
::
Git
::
HookEnv
.
set
(
gl_repository
,
env
)
if
project
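Review bot: with the unconditional `status 200` gone from the top of `post "/allowed"` (the hunk shrinks from 8 lines to 6), the response code is only set by whichever path calls `response_with_status`. Please confirm that every exit from this block, including any early `break` in the lines not shown here, goes through that helper; otherwise the endpoint falls back to the framework's default status instead of an explicit one.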
...
...
@@ -49,27 +56,37 @@ module API
namespace_path:
namespace_path
,
project_path:
project_path
,
redirected_path:
redirected_path
)
begin
access_checker
.
check
(
params
[
:action
],
params
[
:changes
])
@project
||=
access_checker
.
project
rescue
Gitlab
::
GitAccess
::
UnauthorizedError
,
Gitlab
::
GitAccess
::
NotFoundError
=>
e
break
{
status:
false
,
message:
e
.
message
}
end
check_result
=
begin
result
=
access_checker
.
check
(
params
[
:action
],
params
[
:changes
])
@project
||=
access_checker
.
project
result
rescue
Gitlab
::
GitAccess
::
UnauthorizedError
=>
e
break
response_with_status
(
code:
401
,
success:
false
,
message:
e
.
message
)
rescue
Gitlab
::
GitAccess
::
NotFoundError
=>
e
break
response_with_status
(
code:
404
,
success:
false
,
message:
e
.
message
)
end
log_user_activity
(
actor
)
{
status:
true
,
gl_repository:
gl_repository
,
gl_id:
Gitlab
::
GlId
.
gl_id
(
user
),
gl_username:
user
&
.
username
,
# This repository_path is a bogus value but gitlab-shell still requires
# its presence. https://gitlab.com/gitlab-org/gitlab-shell/issues/135
repository_path:
'/'
,
gitaly:
gitaly_payload
(
params
[
:action
])
}
case
check_result
when
::
Gitlab
::
GitAccessResult
::
Success
payload
=
{
gl_repository:
gl_repository
,
gl_id:
Gitlab
::
GlId
.
gl_id
(
user
),
gl_username:
user
&
.
username
,
# This repository_path is a bogus value but gitlab-shell still requires
# its presence. https://gitlab.com/gitlab-org/gitlab-shell/issues/135
repository_path:
'/'
,
gitaly:
gitaly_payload
(
params
[
:action
])
}
response_with_status
(
**
payload
)
when
::
Gitlab
::
GitAccessResult
::
CustomAction
response_with_status
(
code:
300
,
message:
check_result
.
message
,
payload:
check_result
.
payload
)
else
response_with_status
(
code:
500
,
success:
false
,
message:
UNKNOWN_CHECK_RESULT_ERROR
)
end
end
post
"/lfs_authenticate"
do
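Review bot: `log_user_activity(actor)` sits ahead of `case check_result`, so it runs for the `CustomAction` branch and the 500 `UNKNOWN_CHECK_RESULT_ERROR` branch as well as for `Success`; if activity should only be recorded for granted access, move it into the `Success` branch. Separately, the `CustomAction` branch forwards `check_result.payload` to the caller unchanged with `code: 300` and the default `success: true`, so whatever builds that payload decides where the client goes next; a short comment stating that the payload is server-generated and must not carry request-supplied values would help the next reader. The fail-closed `else` returning 500 is a good default.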
...
...
lib/gitlab/git_access.rb
...
...
@@ -50,6 +50,10 @@ module Gitlab
check_authentication_abilities!
(
cmd
)
check_command_disabled!
(
cmd
)
check_command_existence!
(
cmd
)
custom_action
=
check_custom_action
(
cmd
)
return
custom_action
if
custom_action
check_db_accessibility!
(
cmd
)
ensure_project_on_push!
(
cmd
,
changes
)
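Review bot: `return custom_action if custom_action` exits `check` before `check_db_accessibility!`, `ensure_project_on_push!` and everything after them, so any override of `check_custom_action` that returns a value skips the rest of this method, such as the `check_push_access!` visible in the next hunk. Please document at the call site which checks have already run at that point (`check_authentication_abilities!`, `check_command_disabled!`, `check_command_existence!`) and that the target of the custom action has to enforce the remaining ones itself.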
...
...
@@ -65,7 +69,7 @@ module Gitlab
check_push_access!
end
true
::
Gitlab
::
GitAccessResult
::
Success
.
new
end
def
guest_can_download_code?
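Review bot: the last expression of `check` changes from `true` to `::Gitlab::GitAccessResult::Success.new`, and both are truthy, so a caller that still treats the return value as a boolean keeps working but would also read a returned `CustomAction` as plain success. Callers should dispatch on the result class as `lib/api/internal.rb` does in this commit; it is worth checking the other users of `check` and describing the new return types in the method's doc comment.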
...
...
@@ -92,6 +96,10 @@ module Gitlab
private
def
check_custom_action
(
cmd
)
nil
end
def
check_valid_actor!
return
unless
actor
.
is_a?
(
Key
)
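Review bot: the new private `check_custom_action(cmd)` returns `nil`, never uses `cmd`, and carries no comment saying it is an extension point. Add a short comment stating who is expected to override it and that it must return either `nil` or a `Gitlab::GitAccessResult::CustomAction`, since `check` returns whatever truthy value it gets from this method.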
...
...
lib/gitlab/git_access_result/custom_action.rb
0 → 100644
# frozen_string_literal: true
module
Gitlab
module
GitAccessResult
class
CustomAction
attr_reader
:payload
,
:message
# Example of payload:
#
# {
# 'action' => 'geo_proxy_to_primary',
# 'data' => {
# 'api_endpoints' => %w{geo/proxy_git_push_ssh/info_refs geo/proxy_git_push_ssh/push},
# 'gl_username' => user.username,
# 'primary_repo' => geo_primary_http_url_to_repo(project_or_wiki)
# }
# }
#
def
initialize
(
payload
,
message
)
@payload
=
payload
@message
=
message
end
end
end
end
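Review bot: `initialize(payload, message)` stores both arguments as given and exposes them through `attr_reader`, while the API serialises `payload` straight into the 300 response. Consider checking that `payload` has the `'action'` and `'data'` keys shown in the example comment and freezing it, so a malformed or later-mutated hash is caught here rather than by the client.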
lib/gitlab/git_access_result/success.rb
0 → 100644
# frozen_string_literal: true
module
Gitlab
module
GitAccessResult
class
Success
end
end
end
spec/requests/api/internal_spec.rb
...
...
@@ -381,7 +381,7 @@ describe API::Internal do
it
do
pull
(
key
,
project
)
expect
(
response
).
to
have_gitlab_http_status
(
200
)
expect
(
response
).
to
have_gitlab_http_status
(
401
)
expect
(
json_response
[
"status"
]).
to
be_falsey
expect
(
user
.
reload
.
last_activity_on
).
to
be_nil
end
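Review bot: the expectation for a denied pull moves from `have_gitlab_http_status(200)` to `have_gitlab_http_status(401)` while `json_response["status"]` stays falsey, which changes the contract for every consumer of `/allowed`. The example should also assert `json_response["message"]` so the text a client shows to the user is pinned down along with the new code, and the merge request should state which client version handles non-200 replies.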
...
...
@@ -391,13 +391,61 @@ describe API::Internal do
it
do
push
(
key
,
project
)
expect
(
response
).
to
have_gitlab_http_status
(
200
)
expect
(
response
).
to
have_gitlab_http_status
(
401
)
expect
(
json_response
[
"status"
]).
to
be_falsey
expect
(
user
.
reload
.
last_activity_on
).
to
be_nil
end
end
end
context
"custom action"
do
let
(
:access_checker
)
{
double
(
Gitlab
::
GitAccess
)
}
let
(
:message
)
{
'CustomActionError message'
}
let
(
:payload
)
do
{
'action'
=>
'geo_proxy_to_primary'
,
'data'
=>
{
'api_endpoints'
=>
%w{geo/proxy_git_push_ssh/info_refs geo/proxy_git_push_ssh/push}
,
'gl_username'
=>
'testuser'
,
'primary_repo'
=>
'http://localhost:3000/testuser/repo.git'
}
}
end
let
(
:custom_action_result
)
{
Gitlab
::
GitAccessResult
::
CustomAction
.
new
(
payload
,
message
)
}
before
do
project
.
add_guest
(
user
)
expect
(
Gitlab
::
GitAccess
).
to
receive
(
:new
).
with
(
key
,
project
,
'ssh'
,
{
authentication_abilities:
[
:read_project
,
:download_code
,
:push_code
],
namespace_path:
project
.
namespace
.
name
,
project_path:
project
.
path
,
redirected_path:
nil
}
).
and_return
(
access_checker
)
expect
(
access_checker
).
to
receive
(
:check
).
with
(
'git-receive-pack'
,
'd14d6c0abdd253381df51a723d58691b2ee1ab08 570e7b2abdd848b95f2f578043fc23bd6f6fd24d refs/heads/master'
).
and_return
(
custom_action_result
)
end
context
"git push"
do
it
do
push
(
key
,
project
)
expect
(
response
).
to
have_gitlab_http_status
(
300
)
expect
(
json_response
[
'status'
]).
to
be_truthy
expect
(
json_response
[
'message'
]).
to
eql
(
message
)
expect
(
json_response
[
'payload'
]).
to
eql
(
payload
)
expect
(
user
.
reload
.
last_activity_on
).
to
be_nil
end
end
end
context
"blocked user"
do
let
(
:personal_project
)
{
create
(
:project
,
namespace:
user
.
namespace
)
}
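Review bot: the new "custom action" context only has a "git push" example and stubs the checker with a plain `double(Gitlab::GitAccess)`, so nothing in this hunk exercises the 500 `UNKNOWN_CHECK_RESULT_ERROR` branch or verifies that the stubbed `check` matches the real method. Add an example where `check` returns an unexpected object and the response is 500 with a falsey status, and prefer `instance_double(Gitlab::GitAccess)` for the stub.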
...
...
@@ -409,7 +457,7 @@ describe API::Internal do
it
do
pull
(
key
,
personal_project
)
expect
(
response
).
to
have_gitlab_http_status
(
200
)
expect
(
response
).
to
have_gitlab_http_status
(
401
)
expect
(
json_response
[
"status"
]).
to
be_falsey
expect
(
user
.
reload
.
last_activity_on
).
to
be_nil
end
...
...
@@ -419,7 +467,7 @@ describe API::Internal do
it
do
push
(
key
,
personal_project
)
expect
(
response
).
to
have_gitlab_http_status
(
200
)
expect
(
response
).
to
have_gitlab_http_status
(
401
)
expect
(
json_response
[
"status"
]).
to
be_falsey
expect
(
user
.
reload
.
last_activity_on
).
to
be_nil
end
...
...
@@ -445,7 +493,7 @@ describe API::Internal do
it
do
push
(
key
,
project
)
expect
(
response
).
to
have_gitlab_http_status
(
200
)
expect
(
response
).
to
have_gitlab_http_status
(
401
)
expect
(
json_response
[
"status"
]).
to
be_falsey
end
end
...
...
@@ -477,7 +525,7 @@ describe API::Internal do
it
do
archive
(
key
,
project
)
expect
(
response
).
to
have_gitlab_http_status
(
200
)
expect
(
response
).
to
have_gitlab_http_status
(
404
)
expect
(
json_response
[
"status"
]).
to
be_falsey
end
end
...
...
@@ -489,7 +537,7 @@ describe API::Internal do
pull
(
key
,
project
)
expect
(
response
).
to
have_gitlab_http_status
(
200
)
expect
(
response
).
to
have_gitlab_http_status
(
404
)
expect
(
json_response
[
"status"
]).
to
be_falsey
end
end
...
...
@@ -498,7 +546,7 @@ describe API::Internal do
it
do
pull
(
OpenStruct
.
new
(
id:
0
),
project
)
expect
(
response
).
to
have_gitlab_http_status
(
200
)
expect
(
response
).
to
have_gitlab_http_status
(
404
)
expect
(
json_response
[
"status"
]).
to
be_falsey
end
end
...
...
@@ -511,7 +559,7 @@ describe API::Internal do
it
'rejects the SSH push'
do
push
(
key
,
project
)
expect
(
response
.
status
).
to
eq
(
200
)
expect
(
response
.
status
).
to
eq
(
401
)
expect
(
json_response
[
'status'
]).
to
be_falsey
expect
(
json_response
[
'message'
]).
to
eq
'Git access over SSH is not allowed'
end
...
...
@@ -519,7 +567,7 @@ describe API::Internal do
it
'rejects the SSH pull'
do
pull
(
key
,
project
)
expect
(
response
.
status
).
to
eq
(
200
)
expect
(
response
.
status
).
to
eq
(
401
)
expect
(
json_response
[
'status'
]).
to
be_falsey
expect
(
json_response
[
'message'
]).
to
eq
'Git access over SSH is not allowed'
end
...
...
@@ -533,7 +581,7 @@ describe API::Internal do
it
'rejects the HTTP push'
do
push
(
key
,
project
,
'http'
)
expect
(
response
.
status
).
to
eq
(
200
)
expect
(
response
.
status
).
to
eq
(
401
)
expect
(
json_response
[
'status'
]).
to
be_falsey
expect
(
json_response
[
'message'
]).
to
eq
'Git access over HTTP is not allowed'
end
...
...
@@ -541,7 +589,7 @@ describe API::Internal do
it
'rejects the HTTP pull'
do
pull
(
key
,
project
,
'http'
)
expect
(
response
.
status
).
to
eq
(
200
)
expect
(
response
.
status
).
to
eq
(
401
)
expect
(
json_response
[
'status'
]).
to
be_falsey
expect
(
json_response
[
'message'
]).
to
eq
'Git access over HTTP is not allowed'
end
...
...
@@ -571,14 +619,14 @@ describe API::Internal do
it
'rejects the push'
do
push
(
key
,
project
)
expect
(
response
).
to
have_gitlab_http_status
(
200
)
expect
(
response
).
to
have_gitlab_http_status
(
404
)
expect
(
json_response
[
'status'
]).
to
be_falsy
end
it
'rejects the SSH pull'
do
pull
(
key
,
project
)
expect
(
response
).
to
have_gitlab_http_status
(
200
)
expect
(
response
).
to
have_gitlab_http_status
(
404
)
expect
(
json_response
[
'status'
]).
to
be_falsy
end
end
...
...