Commit ab2db486 authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Merge branch 'security-api-internal-publicity' into 'master'

Gitlab-shell identification

Part of gitlab/gitlabhq#1528

See merge request !1185
parents d4bc1255 2e485af7
...@@ -39,3 +39,4 @@ public/assets/ ...@@ -39,3 +39,4 @@ public/assets/
.envrc .envrc
dump.rdb dump.rdb
tags tags
.gitlab_shell_secret
# Be sure to restart your server when you modify this file.
require 'securerandom'
# Your secret key for verifying the gitlab_shell.
secret_file = Rails.root.join('.gitlab_shell_secret')
gitlab_shell_symlink = File.join(Gitlab.config.gitlab_shell.path, '.gitlab_shell_secret')
unless File.exist? secret_file
# Generate a new token of 16 random hexadecimal characters and store it in secret_file.
token = SecureRandom.hex(16)
File.write(secret_file, token)
end
if File.exist?(Gitlab.config.gitlab_shell.path) && !File.exist?(gitlab_shell_symlink)
FileUtils.symlink(secret_file, gitlab_shell_symlink)
end
\ No newline at end of file
...@@ -67,6 +67,10 @@ module API ...@@ -67,6 +67,10 @@ module API
unauthorized! unless current_user unauthorized! unless current_user
end end
def authenticate_by_gitlab_shell_token!
unauthorized! unless secret_token == params['secret_token']
end
def authenticated_as_admin! def authenticated_as_admin!
forbidden! unless current_user.is_admin? forbidden! unless current_user.is_admin?
end end
...@@ -193,5 +197,9 @@ module API ...@@ -193,5 +197,9 @@ module API
abilities abilities
end end
end end
def secret_token
File.read(Rails.root.join('.gitlab_shell_secret'))
end
end end
end end
module API module API
# Internal access API # Internal access API
class Internal < Grape::API class Internal < Grape::API
before {
authenticate_by_gitlab_shell_token!
}
namespace 'internal' do namespace 'internal' do
# Check if git command is allowed to project # Check if git command is allowed to project
# #
......
...@@ -5,10 +5,11 @@ describe API::API, api: true do ...@@ -5,10 +5,11 @@ describe API::API, api: true do
let(:user) { create(:user) } let(:user) { create(:user) }
let(:key) { create(:key, user: user) } let(:key) { create(:key, user: user) }
let(:project) { create(:project) } let(:project) { create(:project) }
let(:secret_token) { File.read Rails.root.join('.gitlab_shell_secret') }
describe "GET /internal/check", no_db: true do describe "GET /internal/check", no_db: true do
it do it do
get api("/internal/check") get api("/internal/check"), secret_token: secret_token
response.status.should == 200 response.status.should == 200
json_response['api_version'].should == API::API.version json_response['api_version'].should == API::API.version
...@@ -17,7 +18,7 @@ describe API::API, api: true do ...@@ -17,7 +18,7 @@ describe API::API, api: true do
describe "GET /internal/discover" do describe "GET /internal/discover" do
it do it do
get(api("/internal/discover"), key_id: key.id) get(api("/internal/discover"), key_id: key.id, secret_token: secret_token)
response.status.should == 200 response.status.should == 200
...@@ -159,7 +160,8 @@ describe API::API, api: true do ...@@ -159,7 +160,8 @@ describe API::API, api: true do
api("/internal/allowed"), api("/internal/allowed"),
key_id: key.id, key_id: key.id,
project: project.path_with_namespace, project: project.path_with_namespace,
action: 'git-upload-pack' action: 'git-upload-pack',
secret_token: secret_token
) )
end end
...@@ -169,7 +171,8 @@ describe API::API, api: true do ...@@ -169,7 +171,8 @@ describe API::API, api: true do
changes: 'd14d6c0abdd253381df51a723d58691b2ee1ab08 570e7b2abdd848b95f2f578043fc23bd6f6fd24d refs/heads/master', changes: 'd14d6c0abdd253381df51a723d58691b2ee1ab08 570e7b2abdd848b95f2f578043fc23bd6f6fd24d refs/heads/master',
key_id: key.id, key_id: key.id,
project: project.path_with_namespace, project: project.path_with_namespace,
action: 'git-receive-pack' action: 'git-receive-pack',
secret_token: secret_token
) )
end end
...@@ -179,7 +182,8 @@ describe API::API, api: true do ...@@ -179,7 +182,8 @@ describe API::API, api: true do
ref: 'master', ref: 'master',
key_id: key.id, key_id: key.id,
project: project.path_with_namespace, project: project.path_with_namespace,
action: 'git-upload-archive' action: 'git-upload-archive',
secret_token: secret_token
) )
end end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment