Experimental support for gitlab-git-http-server

https://gitlab.com/gitlab-org/gitlab-git-http-server This change introduces the GITLAB_GRACK_AUTH_ONLY environment variable. When set, Grack requests to GitLab will only respond with the user's GL_ID (if the request is OK) or an error. This allows gitlab-git-http-server to use the main GitLab application as an authentication and authorization backend. If we like how this works we should drop the GITLAB_GRACK_AUTH_ONLY variable at some point in the future.

Experimental support for gitlab-git-http-server
https://gitlab.com/gitlab-org/gitlab-git-http-server This change introduces the GITLAB_GRACK_AUTH_ONLY environment variable. When set, Grack requests to GitLab will only respond with the user's GL_ID (if the request is OK) or an error. This allows gitlab-git-http-server to use the main GitLab application as an authentication and authorization backend. If we like how this works we should drop the GITLAB_GRACK_AUTH_ONLY variable at some point in the future.
d3305df7 · Jacob Vosmaer · cd6046e1 · d3305df7 · d3305df7 · d3305df7
Commit d3305df7 authored Jul 28, 2015 by Jacob Vosmaer
4 changed files
--- a/lib/gitlab/backend/grack_auth.rb
+++ b/lib/gitlab/backend/grack_auth.rb
@@ -26,7 +26,12 @@ module Grack
      auth!

      if project && authorized_request?
-        @app.call(env)
+        if ENV['GITLAB_GRACK_AUTH_ONLY'] == '1'
+          # Tell gitlab-git-http-server the request is OK, and what the GL_ID is
+          [200, { "Content-Type" => "text/plain" }, [Gitlab::ShellEnv.gl_id(@user)]]
+        else
+          @app.call(env)
+        end
      elsif @user.nil? && !@gitlab_ci
        unauthorized
      else

--- a/lib/gitlab/backend/shell_env.rb
+++ b/lib/gitlab/backend/shell_env.rb
@@ -7,7 +7,7 @@ module Gitlab
    def set_env(user)
      # Set GL_ID env variable
      if user
-        ENV['GL_ID'] = "user-#{user.id}"
+        ENV['GL_ID'] = gl_id(user)
      end
    end

@@ -15,5 +15,9 @@ module Gitlab
      # Reset GL_ID env variable
      ENV['GL_ID'] = nil
    end
+
+    def gl_id(user)
+      "user-#{user.id}"
+    end
  end
 end
--- a/lib/support/nginx/gitlab
+++ b/lib/support/nginx/gitlab
@@ -38,6 +38,11 @@ upstream gitlab {
  server unix:/home/git/gitlab/tmp/sockets/gitlab.socket fail_timeout=0;
 }

+## Experimental: gitlab-git-http-server
+# upstream gitlab-git-http-server {
+#   server localhost:8181;
+# }
+
 ## Normal HTTP host
 server {
  ## Either remove "default_server" from the listen line below, 
@@ -109,6 +114,26 @@ server {
    proxy_pass http://gitlab;
  }

+  ## Experimental: send Git HTTP traffic to gitlab-git-http-server instead of Unicorn
+  # location ~ [-\/\w\.]+\.git\/ {
+  #   ## If you use HTTPS make sure you disable gzip compression
+  #   ## to be safe against BREACH attack.
+  #   # gzip off;
+
+  #   ## https://github.com/gitlabhq/gitlabhq/issues/694
+  #   ## Some requests take more than 30 seconds.
+  #   proxy_read_timeout      300;
+  #   proxy_connect_timeout   300;
+  #   proxy_redirect          off;
+
+  #   proxy_set_header    Host                $http_host;
+  #   proxy_set_header    X-Real-IP           $remote_addr;
+  #   proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+  #   proxy_set_header    X-Forwarded-Proto   $scheme;
+
+  #   proxy_pass http://gitlab-git-http-server;
+  # }
+
  ## Enable gzip compression as per rails guide:
  ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
  ## WARNING: If you are using relative urls remove the block below

--- a/lib/support/nginx/gitlab-ssl
+++ b/lib/support/nginx/gitlab-ssl
@@ -42,6 +42,11 @@ upstream gitlab {
  server unix:/home/git/gitlab/tmp/sockets/gitlab.socket fail_timeout=0;
 }

+## Experimental: gitlab-git-http-server
+# upstream gitlab-git-http-server {
+#   server localhost:8181;
+# }
+
 ## Redirects all HTTP traffic to the HTTPS host
 server {
  ## Either remove "default_server" from the listen line below, 
@@ -156,6 +161,26 @@ server {
    proxy_pass http://gitlab;
  }

+  ## Experimental: send Git HTTP traffic to gitlab-git-http-server instead of Unicorn
+  # location ~ [-\/\w\.]+\.git\/ {
+  #   ## If you use HTTPS make sure you disable gzip compression
+  #   ## to be safe against BREACH attack.
+  #   gzip off;
+
+  #   ## https://github.com/gitlabhq/gitlabhq/issues/694
+  #   ## Some requests take more than 30 seconds.
+  #   proxy_read_timeout      300;
+  #   proxy_connect_timeout   300;
+  #   proxy_redirect          off;
+
+  #   proxy_set_header    Host                $http_host;
+  #   proxy_set_header    X-Real-IP           $remote_addr;
+  #   proxy_set_header    X-Forwarded-Ssl     on;
+  #   proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+  #   proxy_set_header    X-Forwarded-Proto   $scheme;
+  #   proxy_pass http://gitlab-git-http-server;
+  # }
+
  ## Enable gzip compression as per rails guide:
  ## http://guides.rubyonrails.org/asset_pipeline.html#gzip-compression
  ## WARNING: If you are using relative urls remove the block below