Merge pull request #230 from bozaro/git-lfs-authenticate

Add git-lfs-authenticate to command white list

Merge pull request #230 from bozaro/git-lfs-authenticate
Add git-lfs-authenticate to command white list
64996dbb · Dmitriy Zaporozhets · 4d30c0c5 · 0bd76995 · 64996dbb · 64996dbb
Commit 64996dbb authored Jul 06, 2015 by Dmitriy Zaporozhets
Hide whitespace changes
Inline Side-by-side

Showing with 45 additions and 3 deletions

README.md README.md +29 -0

lib/gitlab_shell.rb lib/gitlab_shell.rb +16 -3

No files found.
--- a/README.md
+++ b/README.md
@@ -139,3 +139,32 @@ List all keys:
 Remove all keys from authorized_keys file:

    ./bin/gitlab-keys clear
+
+## Git LFS remark
+
+If you want to play with git-lfs (https://git-lfs.github.com/) on GitLab, you should do the following:
+
+ * Install LFS-server (no production-ready implementation yet, but you can use https://github.com/github/lfs-test-server) on any host;
+ * Add some user on LFS-server (for example: user ```foo``` with password ```bar```);
+ * Add ```git-lfs-authenticate``` script in any PATH-available directory on GIT-server like this:
+```
+#!/bin/sh
+echo "{
+  \"href\": \"http://lfs.test.local:9999/test/test\",
+  \"header\": {
+    \"Authorization\": \"Basic `echo -n foo:bar | base64`\"
+  }
+}"
+ ```
+
+After that you can play with git-lfs (git-lfs feature will be available via ssh protocol).
+
+This design will work without a script git-lfs-authenticate, but with the following limitations:
+
+ * You will need to manually configure lfs-server URL for every user working copy;
+ * SSO don't work and you need to manually add lfs-server credentials for every user working copy (otherwise, git-lfs will ask for the password for each file).
+
+Usefull links:
+
+ * https://github.com/github/git-lfs/tree/master/docs/api - Git LFS API, also contains more information about ```git-lfs-authenticate```;
+ * https://github.com/github/git-lfs/wiki/Implementations - Git LFS-server implementations.
--- a/lib/gitlab_shell.rb
+++ b/lib/gitlab_shell.rb
@@ -7,7 +7,7 @@ class GitlabShell
  class DisallowedCommandError < StandardError; end
  class InvalidRepositoryPathError < StandardError; end

-  GIT_COMMANDS = %w(git-upload-pack git-receive-pack git-upload-archive git-annex-shell).freeze
+  GIT_COMMANDS = %w(git-upload-pack git-receive-pack git-upload-archive git-annex-shell git-lfs-authenticate).freeze

  attr_accessor :key_id, :repo_name, :git_cmd, :repos_path, :repo_name

@@ -56,16 +56,29 @@ class GitlabShell
  def parse_cmd
    args = Shellwords.shellwords(@origin_cmd)
    @git_cmd = args.first
+    @git_access = @git_cmd

    raise DisallowedCommandError unless GIT_COMMANDS.include?(@git_cmd)

-    if @git_cmd == 'git-annex-shell'
+    case @git_cmd
+    when 'git-annex-shell'
      raise DisallowedCommandError unless @config.git_annex_enabled?

      @repo_name = escape_path(args[2].sub(/\A\/~\//, ''))

      # Make sure repository has git-annex enabled
      init_git_annex(@repo_name)
+    when 'git-lfs-authenticate'
+      raise DisallowedCommandError unless args.count >= 2
+      @repo_name = escape_path(args[1])
+      case args[2]
+      when 'download'
+        @git_access = 'git-upload-pack'
+      when 'upload'
+        @git_access = 'git-receive-pack'
+      else
+        raise DisallowedCommandError
+      end
    else
      raise DisallowedCommandError unless args.count == 2
      @repo_name = escape_path(args.last)
@@ -73,7 +86,7 @@ class GitlabShell
  end

  def verify_access
-    status = api.check_access(@git_cmd, @repo_name, @key_id, '_any')
+    status = api.check_access(@git_access, @repo_name, @key_id, '_any')

    raise AccessDeniedError, status.message unless status.allowed?
  end