Refactor grack auth module. Add git over http wiki support

b4e8fea2 · Dmitriy Zaporozhets · a8bcb9a5 · b4e8fea2 · b4e8fea2 · b4e8fea2
Commit b4e8fea2 authored Jun 14, 2013 by Dmitriy Zaporozhets
3 changed files
--- a/lib/gitlab/backend/grack_auth.rb
+++ b/lib/gitlab/backend/grack_auth.rb
 require_relative 'shell_env'
-require 'omniauth-ldap'
+require_relative 'grack_ldap'
+require_relative 'grack_helpers'
 module Grack
  class Auth < Rack::Auth::Basic
-    attr_accessor :user, :project
+    include LDAP
+    include Helpers
+    attr_accessor :user, :project, :ref, :env
    def call(env)
      @env = env
@@ -14,42 +18,52 @@ module Grack
      @env['PATH_INFO'] = @request.path
      @env['SCRIPT_NAME'] = ""
-      return render_not_found unless project
+      auth!
-      return unauthorized unless project.public || @auth.provided?
-      return bad_request if @auth.provided? && !@auth.basic?
-      if valid?
-        if @auth.provided?
-          @env['REMOTE_USER'] = @auth.username
-        end
-        return @app.call(env)
-      else
-        unauthorized
-      end
    end
-    def valid?
+    private
+    def auth!
+      return render_not_found unless project
      if @auth.provided?
+        return bad_request unless @auth.basic?
        # Authentication with username and password
        login, password = @auth.credentials
-        @user = authenticate(login, password)
+        @user = authenticate_user(login, password)
-        return false unless @user
-        Gitlab::ShellEnv.set_env(@user)
+        if @user
+          Gitlab::ShellEnv.set_env(@user)
+          @env['REMOTE_USER'] = @auth.username
+        else
+          return unauthorized
+        end
+      else
+        return unauthorized unless project.public
      end
+      if authorized_git_request?
+        @app.call(env)
+      else
+        unauthorized
+      end
+    end
+    def authorized_git_request?
      # Git upload and receive
      if @request.get?
-        validate_get_request
+        authorize_request(@request.params['service'])
      elsif @request.post?
-        validate_post_request
+        authorize_request(File.basename(@request.path))
      else
        false
      end
    end
-    def authenticate(login, password)
+    def authenticate_user(login, password)
      user = User.find_by_email(login) || User.find_by_username(login)
      # If the provided login was not a known email or username
@@ -65,34 +79,12 @@ module Grack
      end
    end
-    def ldap_auth(login, password)
+    def authorize_request(service)
-      # Check user against LDAP backend if user is not authenticated
+      case service
-      # Only check with valid login and password to prevent anonymous bind results
+      when 'git-upload-pack'
-      return nil unless ldap_conf.enabled && !login.blank? && !password.blank?
-      ldap = OmniAuth::LDAP::Adaptor.new(ldap_conf)
-      ldap_user = ldap.bind_as(
-        filter: Net::LDAP::Filter.eq(ldap.uid, login),
-        size: 1,
-        password: password
-      )
-      User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap') if ldap_user
-    end
-    def validate_get_request
-      validate_request(@request.params['service'])
-    end
-    def validate_post_request
-      validate_request(File.basename(@request.path))
-    end
-    def validate_request(service)
-      if service == 'git-upload-pack'
        project.public || can?(user, :download_code, project)
-      elsif service == 'git-receive-pack'
+      when'git-receive-pack'
-        action = if project.protected_branch?(current_ref)
+        action = if project.protected_branch?(ref)
                   :push_code_to_protected_branches
                 else
                   :push_code
@@ -104,49 +96,24 @@ module Grack
      end
    end
-    def can?(object, action, subject)
-      abilities.allowed?(object, action, subject)
-    end
-    def current_ref
-      if @env["HTTP_CONTENT_ENCODING"] =~ /gzip/
-        input = Zlib::GzipReader.new(@request.body).read
-      else
-        input = @request.body.read
-      end
-      # Need to reset seek point
-      @request.body.rewind
-      /refs\/heads\/([\w\.-]+)/n.match(input.force_encoding('ascii-8bit')).to_a.last
-    end
    def project
-      unless instance_variable_defined? :@project
+      @project ||= project_by_path(@request.path_info)
-        # Find project by PATH_INFO from env
-        if m = /^\/([\w\.\/-]+)\.git/.match(@request.path_info).to_a
-          @project = Project.find_with_namespace(m.last)
-        end
-      end
-      return @project
    end
-    PLAIN_TYPE = {"Content-Type" => "text/plain"}
+    def ref
+      @ref ||= parse_ref
-    def render_not_found
-      [404, PLAIN_TYPE, ["Not Found"]]
    end
-    protected
+    def parse_ref
+      input = if @env["HTTP_CONTENT_ENCODING"] =~ /gzip/
+                Zlib::GzipReader.new(@request.body).read
+              else
+                @request.body.read
+              end
-    def abilities
+      # Need to reset seek point
-      @abilities ||= begin
+      @request.body.rewind
-                       abilities = Six.new
+      /refs\/heads\/([\w\.-]+)/n.match(input.force_encoding('ascii-8bit')).to_a.last
-                       abilities << Ability
-                       abilities
-                     end
-    end
-    def ldap_conf
-      @ldap_conf ||= Gitlab.config.ldap
    end
-  end# Auth
+  end
-end# Grack
+end
--- a/lib/gitlab/backend/grack_helpers.rb
+++ b/lib/gitlab/backend/grack_helpers.rb
+module Grack
+  module Helpers
+    def project_by_path(path)
+      if m = /^\/([\w\.\/-]+)\.git/.match(path).to_a
+        path_with_namespace = m.last
+        path_with_namespace.gsub!(/.wiki$/, '')
+        Project.find_with_namespace(path_with_namespace)
+      end
+    end
+    def render_not_found
+      [404, {"Content-Type" => "text/plain"}, ["Not Found"]]
+    end
+    def can?(object, action, subject)
+      abilities.allowed?(object, action, subject)
+    end
+    def abilities
+      @abilities ||= begin
+                       abilities = Six.new
+                       abilities << Ability
+                       abilities
+                     end
+    end
+  end
+end
--- a/lib/gitlab/backend/grack_ldap.rb
+++ b/lib/gitlab/backend/grack_ldap.rb
+require 'omniauth-ldap'
+module Grack
+  module LDAP
+    def ldap_auth(login, password)
+      # Check user against LDAP backend if user is not authenticated
+      # Only check with valid login and password to prevent anonymous bind results
+      return nil unless ldap_conf.enabled && !login.blank? && !password.blank?
+      ldap = OmniAuth::LDAP::Adaptor.new(ldap_conf)
+      ldap_user = ldap.bind_as(
+        filter: Net::LDAP::Filter.eq(ldap.uid, login),
+        size: 1,
+        password: password
+      )
+      User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap') if ldap_user
+    end
+    def ldap_conf
+      @ldap_conf ||= Gitlab.config.ldap
+    end
+  end
+end