Commit 2100c3d2 authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Merge branch 'master' into git-annex

Conflicts:
	lib/gitlab_shell.rb
parents 849d8fdc f61186ba
...@@ -8,13 +8,18 @@ require_relative '../lib/gitlab_net' ...@@ -8,13 +8,18 @@ require_relative '../lib/gitlab_net'
# #
print "Check GitLab API access: " print "Check GitLab API access: "
resp = GitlabNet.new.check begin
if resp.code == "200" resp = GitlabNet.new.check
print 'OK' if resp.code == "200"
else print 'OK'
abort "FAILED. code: #{resp.code}" else
abort "FAILED. code: #{resp.code}"
end
rescue GitlabNet::ApiUnreachableError
abort "FAILED: Failed to connect to internal API"
end end
puts "\nCheck directories and files: " puts "\nCheck directories and files: "
config = GitlabConfig.new config = GitlabConfig.new
......
...@@ -18,15 +18,20 @@ class GitlabAccess ...@@ -18,15 +18,20 @@ class GitlabAccess
end end
def exec def exec
status = api.check_access('git-receive-pack', @repo_name, @actor, @changes) begin
if status.allowed? status = api.check_access('git-receive-pack', @repo_name, @actor, @changes)
true
else return true if status.allowed?
# reset GL_ID env since we stop git push here
ENV['GL_ID'] = nil message = status.message
puts "GitLab: #{status.message}" rescue GitlabNet::ApiUnreachableError
false message = "Failed to authorize your Git request: internal API unreachable"
end end
# reset GL_ID env since we stop git push here
ENV['GL_ID'] = nil
puts "GitLab: #{message}"
false
end end
protected protected
......
...@@ -7,6 +7,8 @@ require_relative 'gitlab_logger' ...@@ -7,6 +7,8 @@ require_relative 'gitlab_logger'
require_relative 'gitlab_access' require_relative 'gitlab_access'
class GitlabNet class GitlabNet
class ApiUnreachableError < StandardError; end
def check_access(cmd, repo, actor, changes) def check_access(cmd, repo, actor, changes)
project_name = repo.gsub("'", "") project_name = repo.gsub("'", "")
project_name = project_name.gsub(/\.git\Z/, "") project_name = project_name.gsub(/\.git\Z/, "")
...@@ -64,63 +66,66 @@ class GitlabNet ...@@ -64,63 +66,66 @@ class GitlabNet
"#{config.gitlab_url}/api/v3/internal" "#{config.gitlab_url}/api/v3/internal"
end end
def http_client_for(url) def http_client_for(uri)
Net::HTTP.new(url.host, url.port).tap do |http| http = Net::HTTP.new(uri.host, uri.port)
if URI::HTTPS === url
http.use_ssl = true if uri.is_a?(URI::HTTPS)
http.cert_store = cert_store http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE if config.http_settings['self_signed_cert'] http.cert_store = cert_store
end http.verify_mode = OpenSSL::SSL::VERIFY_NONE if config.http_settings['self_signed_cert']
end end
http
end end
def http_request_for(url, method = :get) def http_request_for(method, uri, params = {})
request_klass = method == :get ? Net::HTTP::Get : Net::HTTP::Post
request = request_klass.new(uri.request_uri)
user = config.http_settings['user'] user = config.http_settings['user']
password = config.http_settings['password'] password = config.http_settings['password']
request.basic_auth(user, password) if user && password
request.set_form_data(params.merge(secret_token: secret_token))
request
end
def request(method, url, params = {})
$logger.debug "Performing #{method.to_s.upcase} #{url}"
uri = URI.parse(url)
http = http_client_for(uri)
request = http_request_for(method, uri, params)
if method == :get begin
Net::HTTP::Get.new(url.request_uri).tap { |r| r.basic_auth(user, password) if user && password } response = http.start { http.request(request) }
rescue => e
$logger.warn "Failed to connect to internal API <#{method.to_s.upcase} #{url}>: #{e.inspect}"
raise ApiUnreachableError
end
if response.code == "200"
$logger.debug "Received response #{response.code} => <#{response.body}>."
else else
Net::HTTP::Post.new(url.request_uri).tap { |r| r.basic_auth(user, password) if user && password } $logger.error "API call <#{method.to_s.upcase} #{url}> failed: #{response.code} => <#{response.body}>."
end end
response
end end
def get(url) def get(url)
$logger.debug "Performing GET #{url}" request(:get, url)
url = URI.parse(url)
http = http_client_for url
request = http_request_for url
request.set_form_data(secret_token: secret_token)
http.start { |http| http.request(request) }.tap do |resp|
if resp.code == "200"
$logger.debug { "Received response #{resp.code} => <#{resp.body}>." }
else
$logger.error { "API call <GET #{url}> failed: #{resp.code} => <#{resp.body}>." }
end
end
end end
def post(url, params) def post(url, params)
$logger.debug "Performing POST #{url}" request(:post, url, params)
url = URI.parse(url)
http = http_client_for(url)
request = http_request_for(url, :post)
request.set_form_data(params.merge(secret_token: secret_token))
http.start { |http| http.request(request) }.tap do |resp|
if resp.code == "200"
$logger.debug { "Received response #{resp.code} => <#{resp.body}>." }
else
$logger.error { "API call <POST #{url}> failed: #{resp.code} => <#{resp.body}>." }
end
end
end end
def cert_store def cert_store
@cert_store ||= OpenSSL::X509::Store.new.tap do |store| @cert_store ||= begin
store = OpenSSL::X509::Store.new
store.set_default_paths store.set_default_paths
if ca_file = config.http_settings['ca_file'] if ca_file = config.http_settings['ca_file']
...@@ -130,6 +135,8 @@ class GitlabNet ...@@ -130,6 +135,8 @@ class GitlabNet
if ca_path = config.http_settings['ca_path'] if ca_path = config.http_settings['ca_path']
store.add_path(ca_path) store.add_path(ca_path)
end end
store
end end
end end
......
...@@ -18,9 +18,13 @@ class GitlabPostReceive ...@@ -18,9 +18,13 @@ class GitlabPostReceive
update_redis update_redis
if broadcast_message = GitlabNet.new.broadcast_message begin
puts broadcast_message = GitlabNet.new.broadcast_message
print_broadcast_message(broadcast_message["message"]) if broadcast_message
puts
print_broadcast_message(broadcast_message["message"])
end
rescue GitlabNet::ApiUnreachableError
end end
end end
......
...@@ -21,15 +21,14 @@ class GitlabShell ...@@ -21,15 +21,14 @@ class GitlabShell
if git_cmds.include?(@git_cmd) if git_cmds.include?(@git_cmd)
ENV['GL_ID'] = @key_id ENV['GL_ID'] = @key_id
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! access = api.check_access(@git_cmd, @repo_name, @key_id, '_any')
# TODO: Fix validation for git-annex-shell !!!!
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! if access.allowed?
if validate_access
process_cmd process_cmd
else else
message = "gitlab-shell: Access denied for git command <#{@origin_cmd}> by #{log_username}." message = "gitlab-shell: Access denied for git command <#{@origin_cmd}> by #{log_username}."
$logger.warn message $logger.warn message
$stderr.puts "Access denied." puts access.message
end end
else else
raise DisallowedCommandError raise DisallowedCommandError
...@@ -37,10 +36,12 @@ class GitlabShell ...@@ -37,10 +36,12 @@ class GitlabShell
else else
puts "Welcome to GitLab, #{username}!" puts "Welcome to GitLab, #{username}!"
end end
rescue GitlabNet::ApiUnreachableError => ex
puts "Failed to authorize your Git request: internal API unreachable"
rescue DisallowedCommandError => ex rescue DisallowedCommandError => ex
message = "gitlab-shell: Attempt to execute disallowed command <#{@origin_cmd}> by #{log_username}." message = "gitlab-shell: Attempt to execute disallowed command <#{@origin_cmd}> by #{log_username}."
$logger.warn message $logger.warn message
puts 'Not allowed command' puts 'Disallowed command'
end end
protected protected
...@@ -90,10 +91,6 @@ class GitlabShell ...@@ -90,10 +91,6 @@ class GitlabShell
end end
end end
def validate_access
api.check_access(@git_cmd, @repo_name, @key_id, '_any').allowed?
end
# This method is not covered by Rspec because it ends the current Ruby process. # This method is not covered by Rspec because it ends the current Ruby process.
def exec_cmd(*args) def exec_cmd(*args)
Kernel::exec({'PATH' => ENV['PATH'], 'LD_LIBRARY_PATH' => ENV['LD_LIBRARY_PATH'], 'GL_ID' => ENV['GL_ID']}, *args, unsetenv_others: true) Kernel::exec({'PATH' => ENV['PATH'], 'LD_LIBRARY_PATH' => ENV['LD_LIBRARY_PATH'], 'GL_ID' => ENV['GL_ID']}, *args, unsetenv_others: true)
...@@ -104,11 +101,12 @@ class GitlabShell ...@@ -104,11 +101,12 @@ class GitlabShell
end end
def user def user
# Can't use "@user ||=" because that will keep hitting the API when @user is really nil! return @user if defined?(@user)
if instance_variable_defined?('@user')
@user begin
else
@user = api.discover(@key_id) @user = api.discover(@key_id)
rescue GitlabNet::ApiUnreachableError
@user = nil
end end
end end
......
...@@ -5,15 +5,56 @@ describe GitlabAccess do ...@@ -5,15 +5,56 @@ describe GitlabAccess do
let(:repository_path) { "/home/git/repositories" } let(:repository_path) { "/home/git/repositories" }
let(:repo_name) { 'dzaporozhets/gitlab-ci' } let(:repo_name) { 'dzaporozhets/gitlab-ci' }
let(:repo_path) { File.join(repository_path, repo_name) + ".git" } let(:repo_path) { File.join(repository_path, repo_name) + ".git" }
let(:gitlab_access) { GitlabAccess.new(repo_path, 'key-123', 'wow') } let(:api) do
double(GitlabNet).tap do |api|
api.stub(check_access: GitAccessStatus.new(true))
end
end
subject do
GitlabAccess.new(repo_path, 'key-123', 'wow').tap do |access|
access.stub(exec_cmd: :exec_called)
access.stub(api: api)
end
end
before do before do
GitlabConfig.any_instance.stub(repos_path: repository_path) GitlabConfig.any_instance.stub(repos_path: repository_path)
end end
describe :initialize do describe :initialize do
it { gitlab_access.repo_name.should == repo_name } it { subject.repo_name.should == repo_name }
it { gitlab_access.repo_path.should == repo_path } it { subject.repo_path.should == repo_path }
it { gitlab_access.changes.should == ['wow'] } it { subject.changes.should == ['wow'] }
end
describe "#exec" do
context "access is granted" do
it "returns true" do
expect(subject.exec).to be_true
end
end
context "access is denied" do
before do
api.stub(check_access: GitAccessStatus.new(false))
end
it "returns false" do
expect(subject.exec).to be_false
end
end
context "API connection fails" do
before do
api.stub(:check_access).and_raise(GitlabNet::ApiUnreachableError)
end
it "returns false" do
expect(subject.exec).to be_false
end
end
end end
end end
...@@ -26,6 +26,11 @@ describe GitlabNet, vcr: true do ...@@ -26,6 +26,11 @@ describe GitlabNet, vcr: true do
gitlab_net.check gitlab_net.check
end end
end end
it "raises an exception if the connection fails" do
Net::HTTP.any_instance.stub(:request).and_raise(StandardError)
expect { gitlab_net.check }.to raise_error(GitlabNet::ApiUnreachableError)
end
end end
describe :discover do describe :discover do
...@@ -42,6 +47,13 @@ describe GitlabNet, vcr: true do ...@@ -42,6 +47,13 @@ describe GitlabNet, vcr: true do
gitlab_net.discover('key-126') gitlab_net.discover('key-126')
end end
end end
it "raises an exception if the connection fails" do
VCR.use_cassette("discover-ok") do
Net::HTTP.any_instance.stub(:request).and_raise(StandardError)
expect { gitlab_net.discover('key-126') }.to raise_error(GitlabNet::ApiUnreachableError)
end
end
end end
describe :broadcast_message do describe :broadcast_message do
...@@ -110,6 +122,13 @@ describe GitlabNet, vcr: true do ...@@ -110,6 +122,13 @@ describe GitlabNet, vcr: true do
end end
end end
end end
it "raises an exception if the connection fails" do
Net::HTTP.any_instance.stub(:request).and_raise(StandardError)
expect {
gitlab_net.check_access('git-upload-pack', 'gitlab/gitlabhq.git', 'user-1', changes)
}.to raise_error(GitlabNet::ApiUnreachableError)
end
end end
describe :host do describe :host do
...@@ -139,12 +158,13 @@ describe GitlabNet, vcr: true do ...@@ -139,12 +158,13 @@ describe GitlabNet, vcr: true do
let(:user) { 'user' } let(:user) { 'user' }
let(:password) { 'password' } let(:password) { 'password' }
let(:url) { URI 'http://localhost/' } let(:url) { URI 'http://localhost/' }
subject { gitlab_net.send :http_request_for, url } subject { gitlab_net.send :http_request_for, :get, url }
before do before do
gitlab_net.send(:config).http_settings.stub(:[]).with('user') { user } gitlab_net.send(:config).http_settings.stub(:[]).with('user') { user }
gitlab_net.send(:config).http_settings.stub(:[]).with('password') { password } gitlab_net.send(:config).http_settings.stub(:[]).with('password') { password }
get.should_receive(:basic_auth).with(user, password).once get.should_receive(:basic_auth).with(user, password).once
get.should_receive(:set_form_data).with(hash_including(secret_token: 'a123')).once
end end
it { should_not be_nil } it { should_not be_nil }
......
...@@ -135,6 +135,22 @@ describe GitlabShell do ...@@ -135,6 +135,22 @@ describe GitlabShell do
api.should_receive(:discover).with(key_id) api.should_receive(:discover).with(key_id)
end end
end end
context "failed connection" do
before {
ssh_cmd 'git-upload-pack gitlab-ci.git'
api.stub(:check_access).and_raise(GitlabNet::ApiUnreachableError)
}
after { subject.exec }
it "should not process the command" do
subject.should_not_receive(:process_cmd)
end
it "should not execute the command" do
subject.should_not_receive(:exec_cmd)
end
end
end end
describe :validate_access do describe :validate_access do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment