Commit 79c58482 authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Merge pull request #56 from smashwilson/36-logger

Logger
parents 45881f17 45b3a3a7
config.yml config.yml
tmp/* tmp/*
*.log
...@@ -26,3 +26,14 @@ redis: ...@@ -26,3 +26,14 @@ redis:
# socket: /tmp/redis.socket # Only define this if you want to use sockets # socket: /tmp/redis.socket # Only define this if you want to use sockets
namespace: resque:gitlab namespace: resque:gitlab
# Log file.
# Default is gitlab-shell.log in the root directory.
# log_file: "/home/git/gitlab-shell/gitlab-shell.log"
# Log level. INFO by default
log_level: INFO
# Audit usernames.
# Set to true to see real usernames in the logs instead of key ids, which is easier to follow, but
# incurs an extra API call on every gitlab-shell command.
audit_usernames: false
...@@ -31,6 +31,18 @@ class GitlabConfig ...@@ -31,6 +31,18 @@ class GitlabConfig
redis['namespace'] || 'resque:gitlab' redis['namespace'] || 'resque:gitlab'
end end
def log_file
@config['log_file'] ||= File.join(ROOT_PATH, 'gitlab-shell.log')
end
def log_level
@config['log_level'] ||= 'INFO'
end
def audit_usernames
@config['audit_usernames'] ||= false
end
# Build redis command to write update event in gitlab queue # Build redis command to write update event in gitlab queue
def redis_command def redis_command
if redis.empty? if redis.empty?
......
require 'open3' require 'open3'
require_relative 'gitlab_config' require_relative 'gitlab_config'
require_relative 'gitlab_logger'
class GitlabKeys class GitlabKeys
attr_accessor :auth_file, :key attr_accessor :auth_file, :key
...@@ -17,6 +18,7 @@ class GitlabKeys ...@@ -17,6 +18,7 @@ class GitlabKeys
when 'add-key'; add_key when 'add-key'; add_key
when 'rm-key'; rm_key when 'rm-key'; rm_key
else else
$logger.warn "Attempt to execute invalid gitlab-keys command #{@command.inspect}."
puts 'not allowed' puts 'not allowed'
false false
end end
...@@ -25,12 +27,14 @@ class GitlabKeys ...@@ -25,12 +27,14 @@ class GitlabKeys
protected protected
def add_key def add_key
$logger.info "Adding key #{@key_id} => #{@key.inspect}"
cmd = "command=\"#{ROOT_PATH}/bin/gitlab-shell #{@key_id}\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty #{@key}" cmd = "command=\"#{ROOT_PATH}/bin/gitlab-shell #{@key_id}\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty #{@key}"
cmd = "echo \'#{cmd}\' >> #{auth_file}" cmd = "echo \'#{cmd}\' >> #{auth_file}"
system(cmd) system(cmd)
end end
def rm_key def rm_key
$logger.info "Removing key #{@key_id}"
cmd = "sed -i '/shell #{@key_id}\"/d' #{auth_file}" cmd = "sed -i '/shell #{@key_id}\"/d' #{auth_file}"
system(cmd) system(cmd)
end end
......
require 'logger'
require_relative 'gitlab_config'
def convert_log_level log_level
Logger.const_get(log_level.upcase)
rescue NameError
$stderr.puts "WARNING: Unrecognized log level #{log_level.inspect}."
$stderr.puts "WARNING: Falling back to INFO."
Logger::INFO
end
config = GitlabConfig.new
$logger = Logger.new(config.log_file)
$logger.level = convert_log_level(config.log_level)
...@@ -3,6 +3,7 @@ require 'openssl' ...@@ -3,6 +3,7 @@ require 'openssl'
require 'json' require 'json'
require_relative 'gitlab_config' require_relative 'gitlab_config'
require_relative 'gitlab_logger'
class GitlabNet class GitlabNet
def allowed?(cmd, repo, key, ref) def allowed?(cmd, repo, key, ref)
...@@ -13,7 +14,6 @@ class GitlabNet ...@@ -13,7 +14,6 @@ class GitlabNet
key_id = key.gsub("key-", "") key_id = key.gsub("key-", "")
url = "#{host}/allowed?key_id=#{key_id}&action=#{cmd}&ref=#{ref}&project=#{project_name}" url = "#{host}/allowed?key_id=#{key_id}&action=#{cmd}&ref=#{ref}&project=#{project_name}"
resp = get(url) resp = get(url)
!!(resp.code == '200' && resp.body == 'true') !!(resp.code == '200' && resp.body == 'true')
...@@ -40,6 +40,8 @@ class GitlabNet ...@@ -40,6 +40,8 @@ class GitlabNet
end end
def get(url) def get(url)
$logger.debug "Performing GET #{url}"
url = URI.parse(url) url = URI.parse(url)
http = Net::HTTP.new(url.host, url.port) http = Net::HTTP.new(url.host, url.port)
...@@ -57,7 +59,13 @@ class GitlabNet ...@@ -57,7 +59,13 @@ class GitlabNet
request.basic_auth config.http_settings['user'], config.http_settings['password'] request.basic_auth config.http_settings['user'], config.http_settings['password']
end end
http.start {|http| http.request(request) } http.start {|http| http.request(request) }.tap do |resp|
if resp.code == "200"
$logger.debug { "Received response #{resp.code} => <#{resp.body}>." }
else
$logger.error { "API call <GET #{url}> failed: #{resp.code} => <#{resp.body}>." }
end
end
end end
def cert_store def cert_store
......
...@@ -2,6 +2,7 @@ require 'open3' ...@@ -2,6 +2,7 @@ require 'open3'
require 'fileutils' require 'fileutils'
require_relative 'gitlab_config' require_relative 'gitlab_config'
require_relative 'gitlab_logger'
class GitlabProjects class GitlabProjects
# Project name is a directory name for repository with .git at the end # Project name is a directory name for repository with .git at the end
...@@ -31,6 +32,7 @@ class GitlabProjects ...@@ -31,6 +32,7 @@ class GitlabProjects
when 'import-project'; import_project when 'import-project'; import_project
when 'fork-project'; fork_project when 'fork-project'; fork_project
else else
$logger.warn "Attempt to execute invalid gitlab-projects command #{@command.inspect}."
puts 'not allowed' puts 'not allowed'
false false
end end
...@@ -39,6 +41,7 @@ class GitlabProjects ...@@ -39,6 +41,7 @@ class GitlabProjects
protected protected
def add_project def add_project
$logger.info "Adding project #{@project_name} at <#{full_path}>."
FileUtils.mkdir_p(full_path, mode: 0770) FileUtils.mkdir_p(full_path, mode: 0770)
cmd = "cd #{full_path} && git init --bare && #{create_hooks_cmd}" cmd = "cd #{full_path} && git init --bare && #{create_hooks_cmd}"
system(cmd) system(cmd)
...@@ -49,6 +52,7 @@ class GitlabProjects ...@@ -49,6 +52,7 @@ class GitlabProjects
end end
def rm_project def rm_project
$logger.info "Removing project #{@project_name} from <#{full_path}>."
FileUtils.rm_rf(full_path) FileUtils.rm_rf(full_path)
end end
...@@ -56,6 +60,7 @@ class GitlabProjects ...@@ -56,6 +60,7 @@ class GitlabProjects
# URL must be publicly clonable # URL must be publicly clonable
def import_project def import_project
@source = ARGV.shift @source = ARGV.shift
$logger.info "Importing project #{@project_name} from <#{@source}> to <#{full_path}>."
cmd = "cd #{repos_path} && git clone --bare #{@source} #{project_name} && #{create_hooks_cmd}" cmd = "cd #{repos_path} && git clone --bare #{@source} #{project_name} && #{create_hooks_cmd}"
system(cmd) system(cmd)
end end
...@@ -71,15 +76,26 @@ class GitlabProjects ...@@ -71,15 +76,26 @@ class GitlabProjects
def mv_project def mv_project
new_path = ARGV.shift new_path = ARGV.shift
return false unless new_path unless new_path
$logger.error "mv-project failed: no destination path provided."
return false
end
new_full_path = File.join(repos_path, new_path) new_full_path = File.join(repos_path, new_path)
# check if source repo exists # verify that the source repo exists
# and target repo does not exist unless File.exists?(full_path)
return false unless File.exists?(full_path) $logger.error "mv-project failed: source path <#{full_path}> does not exist."
return false if File.exists?(new_full_path) return false
end
# ...and that the target repo does not exist
if File.exists?(new_full_path)
$logger.error "mv-project failed: destination path <#{new_full_path}> already exists."
return false
end
$logger.info "Moving project #{@project_name} from <#{full_path}> to <#{new_full_path}>."
FileUtils.mv(full_path, new_full_path) FileUtils.mv(full_path, new_full_path)
end end
...@@ -87,16 +103,26 @@ class GitlabProjects ...@@ -87,16 +103,26 @@ class GitlabProjects
new_namespace = ARGV.shift new_namespace = ARGV.shift
# destination namespace must be provided # destination namespace must be provided
return false unless new_namespace unless new_namespace
$logger.error "fork-project failed: no destination namespace provided."
return false
end
#destination namespace must exist # destination namespace must exist
namespaced_path = File.join(repos_path, new_namespace) namespaced_path = File.join(repos_path, new_namespace)
return false unless File.exists?(namespaced_path) unless File.exists?(namespaced_path)
$logger.error "fork-project failed: destination namespace <#{namespaced_path}> does not exist."
return false
end
#a project of the same name cannot already be within the destination namespace # a project of the same name cannot already be within the destination namespace
full_destination_path = File.join(namespaced_path, project_name.split('/')[-1]) full_destination_path = File.join(namespaced_path, project_name.split('/')[-1])
return false if File.exists?(full_destination_path) if File.exists?(full_destination_path)
$logger.error "fork-project failed: destination repository <#{full_destination_path}> already exists."
return false
end
$logger.info "Forking project from <#{full_path}> to <#{full_destination_path}>."
cmd = "cd #{namespaced_path} && git clone --bare #{full_path} && #{create_hooks_to(full_destination_path)}" cmd = "cd #{namespaced_path} && git clone --bare #{full_path} && #{create_hooks_to(full_destination_path)}"
system(cmd) system(cmd)
end end
...@@ -108,7 +134,6 @@ class GitlabProjects ...@@ -108,7 +134,6 @@ class GitlabProjects
up_hook_path = File.join(ROOT_PATH, 'hooks', 'update') up_hook_path = File.join(ROOT_PATH, 'hooks', 'update')
"ln -s #{pr_hook_path} #{dest_path}/hooks/post-receive && ln -s #{up_hook_path} #{dest_path}/hooks/update" "ln -s #{pr_hook_path} #{dest_path}/hooks/post-receive && ln -s #{up_hook_path} #{dest_path}/hooks/update"
end end
end end
...@@ -8,7 +8,9 @@ class GitlabShell ...@@ -8,7 +8,9 @@ class GitlabShell
def initialize def initialize
@key_id = /key-[0-9]+/.match(ARGV.join).to_s @key_id = /key-[0-9]+/.match(ARGV.join).to_s
@origin_cmd = ENV['SSH_ORIGINAL_COMMAND'] @origin_cmd = ENV['SSH_ORIGINAL_COMMAND']
@repos_path = GitlabConfig.new.repos_path @config = GitlabConfig.new
@repos_path = @config.repos_path
@user_tried = false
end end
def exec def exec
...@@ -20,13 +22,18 @@ class GitlabShell ...@@ -20,13 +22,18 @@ class GitlabShell
if validate_access if validate_access
process_cmd process_cmd
else
message = "gitlab-shell: Access denied for git command <#{@origin_cmd}> by #{log_username}."
$logger.warn message
$stderr.puts "Access denied."
end end
else else
message = "gitlab-shell: Attempt to execute disallowed command <#{@origin_cmd}> by #{log_username}."
$logger.warn message
puts 'Not allowed command' puts 'Not allowed command'
end end
else else
user = api.discover(@key_id) puts "Welcome to GitLab, #{username}!"
puts "Welcome to GitLab, #{user && user['name'] || 'Anonymous'}!"
end end
end end
...@@ -44,7 +51,9 @@ class GitlabShell ...@@ -44,7 +51,9 @@ class GitlabShell
def process_cmd def process_cmd
repo_full_path = File.join(repos_path, repo_name) repo_full_path = File.join(repos_path, repo_name)
exec_cmd "#{@git_cmd} #{repo_full_path}" cmd = "#{@git_cmd} #{repo_full_path}"
$logger.info "gitlab-shell: executing git command <#{cmd}> for #{log_username}."
exec_cmd(cmd)
end end
def validate_access def validate_access
...@@ -58,4 +67,23 @@ class GitlabShell ...@@ -58,4 +67,23 @@ class GitlabShell
def api def api
GitlabNet.new GitlabNet.new
end end
def user
# Can't use "@user ||=" because that will keep hitting the API when @user is really nil!
if @user_tried
@user
else
@user_tried = true
@user = api.discover(@key_id)
end
end
def username
user && user['name'] || 'Anonymous'
end
# User identifier to be used in log messages.
def log_username
@config.audit_usernames ? username : "user with key #{@key_id}"
end
end end
...@@ -2,6 +2,10 @@ require_relative 'spec_helper' ...@@ -2,6 +2,10 @@ require_relative 'spec_helper'
require_relative '../lib/gitlab_keys' require_relative '../lib/gitlab_keys'
describe GitlabKeys do describe GitlabKeys do
before do
$logger = double('logger').as_null_object
end
describe :initialize do describe :initialize do
let(:gitlab_keys) { build_gitlab_keys('add-key', 'key-741', 'ssh-rsa AAAAB3NzaDAxx2E') } let(:gitlab_keys) { build_gitlab_keys('add-key', 'key-741', 'ssh-rsa AAAAB3NzaDAxx2E') }
...@@ -18,6 +22,11 @@ describe GitlabKeys do ...@@ -18,6 +22,11 @@ describe GitlabKeys do
gitlab_keys.should_receive(:system).with(valid_cmd) gitlab_keys.should_receive(:system).with(valid_cmd)
gitlab_keys.send :add_key gitlab_keys.send :add_key
end end
it "should log an add-key event" do
$logger.should_receive(:info).with('Adding key key-741 => "ssh-rsa AAAAB3NzaDAxx2E"')
gitlab_keys.send :add_key
end
end end
describe :rm_key do describe :rm_key do
...@@ -28,6 +37,11 @@ describe GitlabKeys do ...@@ -28,6 +37,11 @@ describe GitlabKeys do
gitlab_keys.should_receive(:system).with(valid_cmd) gitlab_keys.should_receive(:system).with(valid_cmd)
gitlab_keys.send :rm_key gitlab_keys.send :rm_key
end end
it "should log an rm-key event" do
$logger.should_receive(:info).with('Removing key key-741')
gitlab_keys.send :rm_key
end
end end
describe :exec do describe :exec do
...@@ -48,6 +62,13 @@ describe GitlabKeys do ...@@ -48,6 +62,13 @@ describe GitlabKeys do
gitlab_keys.should_receive(:puts).with('not allowed') gitlab_keys.should_receive(:puts).with('not allowed')
gitlab_keys.exec gitlab_keys.exec
end end
it 'should log a warning on unknown commands' do
gitlab_keys = build_gitlab_keys('nooope')
gitlab_keys.stub(puts: nil)
$logger.should_receive(:warn).with('Attempt to execute invalid gitlab-keys command "nooope".')
gitlab_keys.exec
end
end end
def build_gitlab_keys(*args) def build_gitlab_keys(*args)
......
...@@ -4,6 +4,7 @@ require_relative '../lib/gitlab_projects' ...@@ -4,6 +4,7 @@ require_relative '../lib/gitlab_projects'
describe GitlabProjects do describe GitlabProjects do
before do before do
FileUtils.mkdir_p(tmp_repos_path) FileUtils.mkdir_p(tmp_repos_path)
$logger = double('logger').as_null_object
end end
after do after do
...@@ -37,10 +38,16 @@ describe GitlabProjects do ...@@ -37,10 +38,16 @@ describe GitlabProjects do
gl_projects.should_receive(:system).with(valid_cmd) gl_projects.should_receive(:system).with(valid_cmd)
gl_projects.exec gl_projects.exec
end end
it "should log an add-project event" do
$logger.should_receive(:info).with("Adding project #{repo_name} at <#{tmp_repo_path}>.")
gl_projects.exec
end
end end
describe :mv_project do describe :mv_project do
let(:gl_projects) { build_gitlab_projects('mv-project', repo_name, 'repo.git') } let(:gl_projects) { build_gitlab_projects('mv-project', repo_name, 'repo.git') }
let(:new_repo_path) { File.join(tmp_repos_path, 'repo.git') }
before do before do
FileUtils.mkdir_p(tmp_repo_path) FileUtils.mkdir_p(tmp_repo_path)
...@@ -50,7 +57,33 @@ describe GitlabProjects do ...@@ -50,7 +57,33 @@ describe GitlabProjects do
File.exists?(tmp_repo_path).should be_true File.exists?(tmp_repo_path).should be_true
gl_projects.exec gl_projects.exec
File.exists?(tmp_repo_path).should be_false File.exists?(tmp_repo_path).should be_false
File.exists?(File.join(tmp_repos_path, 'repo.git')).should be_true File.exists?(new_repo_path).should be_true
end
it "should fail if no destination path is provided" do
incomplete = build_gitlab_projects('mv-project', repo_name)
$logger.should_receive(:error).with("mv-project failed: no destination path provided.")
incomplete.exec.should be_false
end
it "should fail if the source path doesn't exist" do
bad_source = build_gitlab_projects('mv-project', 'bad-src.git', 'dest.git')
$logger.should_receive(:error).with("mv-project failed: source path <#{tmp_repos_path}/bad-src.git> does not exist.")
bad_source.exec.should be_false
end
it "should fail if the destination path already exists" do
FileUtils.mkdir_p(File.join(tmp_repos_path, 'already-exists.git'))
bad_dest = build_gitlab_projects('mv-project', repo_name, 'already-exists.git')
message = "mv-project failed: destination path <#{tmp_repos_path}/already-exists.git> already exists."
$logger.should_receive(:error).with(message)
bad_dest.exec.should be_false
end
it "should log an mv-project event" do
message = "Moving project #{repo_name} from <#{tmp_repo_path}> to <#{new_repo_path}>."
$logger.should_receive(:info).with(message)
gl_projects.exec
end end
end end
...@@ -66,6 +99,11 @@ describe GitlabProjects do ...@@ -66,6 +99,11 @@ describe GitlabProjects do
gl_projects.exec gl_projects.exec
File.exists?(tmp_repo_path).should be_false File.exists?(tmp_repo_path).should be_false
end end
it "should log an rm-project event" do
$logger.should_receive(:info).with("Removing project #{repo_name} from <#{tmp_repo_path}>.")
gl_projects.exec
end
end end
describe :import_project do describe :import_project do
...@@ -75,6 +113,12 @@ describe GitlabProjects do ...@@ -75,6 +113,12 @@ describe GitlabProjects do
gl_projects.exec gl_projects.exec
File.exists?(File.join(tmp_repo_path, 'HEAD')).should be_true File.exists?(File.join(tmp_repo_path, 'HEAD')).should be_true
end end
it "should log an import-project event" do
message = "Importing project #{repo_name} from <https://github.com/randx/six.git> to <#{tmp_repo_path}>."
$logger.should_receive(:info).with(message)
gl_projects.exec
end
end end
describe :fork_project do describe :fork_project do
...@@ -87,7 +131,15 @@ describe GitlabProjects do ...@@ -87,7 +131,15 @@ describe GitlabProjects do
gl_projects_import.exec gl_projects_import.exec
end end
it "should not fork without a destination namespace" do
missing_arg = build_gitlab_projects('fork-project', source_repo_name)
$logger.should_receive(:error).with("fork-project failed: no destination namespace provided.")
missing_arg.exec.should be_false
end
it "should not fork into a namespace that doesn't exist" do it "should not fork into a namespace that doesn't exist" do
message = "fork-project failed: destination namespace <#{tmp_repos_path}/forked-to-namespace> does not exist."
$logger.should_receive(:error).with(message)
gl_projects_fork.exec.should be_false gl_projects_fork.exec.should be_false
end end
...@@ -101,9 +153,24 @@ describe GitlabProjects do ...@@ -101,9 +153,24 @@ describe GitlabProjects do
end end
it "should not fork if a project of the same name already exists" do it "should not fork if a project of the same name already exists" do
#trying to fork again should fail as the repo already exists # create a fake project at the intended destination
FileUtils.mkdir_p(File.join(tmp_repos_path, 'forked-to-namespace', repo_name))
# trying to fork again should fail as the repo already exists
message = "fork-project failed: destination repository <#{tmp_repos_path}/forked-to-namespace/#{repo_name}> "
message << "already exists."
$logger.should_receive(:error).with(message)
gl_projects_fork.exec.should be_false gl_projects_fork.exec.should be_false
end end
it "should log a fork-project event" do
message = "Forking project from <#{File.join(tmp_repos_path, source_repo_name)}> to <#{dest_repo}>."
$logger.should_receive(:info).with(message)
# create destination namespace
FileUtils.mkdir_p(File.join(tmp_repos_path, 'forked-to-namespace'))
gl_projects_fork.exec.should be_true
end
end end
describe :exec do describe :exec do
...@@ -112,6 +179,12 @@ describe GitlabProjects do ...@@ -112,6 +179,12 @@ describe GitlabProjects do
gitlab_projects.should_receive(:puts).with('not allowed') gitlab_projects.should_receive(:puts).with('not allowed')
gitlab_projects.exec gitlab_projects.exec
end end
it 'should log a warning for unknown commands' do
gitlab_projects = build_gitlab_projects('hurf-durf', repo_name)
$logger.should_receive(:warn).with('Attempt to execute invalid gitlab-projects command "hurf-durf".')
gitlab_projects.exec
end
end end
def build_gitlab_projects(*args) def build_gitlab_projects(*args)
......
...@@ -11,13 +11,15 @@ describe GitlabShell do ...@@ -11,13 +11,15 @@ describe GitlabShell do
end end
let(:api) do let(:api) do
double(GitlabNet).tap do |api| double(GitlabNet).tap do |api|
api.stub(discover: 'John Doe') api.stub(discover: { 'name' => 'John Doe' })
api.stub(allowed?: true) api.stub(allowed?: true)
end end
end end
let(:key_id) { "key-#{rand(100) + 100}" } let(:key_id) { "key-#{rand(100) + 100}" }
let(:repository_path) { "/home/git#{rand(100)}/repos" } let(:repository_path) { "/home/git#{rand(100)}/repos" }
before { GitlabConfig.any_instance.stub(:repos_path).and_return(repository_path) } before do
GitlabConfig.any_instance.stub(repos_path: repository_path, audit_usernames: false)
end
describe :initialize do describe :initialize do
before { ssh_cmd 'git-receive-pack' } before { ssh_cmd 'git-receive-pack' }
...@@ -64,6 +66,18 @@ describe GitlabShell do ...@@ -64,6 +66,18 @@ describe GitlabShell do
it "should set the GL_ID environment variable" do it "should set the GL_ID environment variable" do
ENV.should_receive("[]=").with("GL_ID", key_id) ENV.should_receive("[]=").with("GL_ID", key_id)
end end
it "should log the command execution" do
message = "gitlab-shell: executing git command "
message << "<git-upload-pack #{File.join(repository_path, 'gitlab-ci.git')}> "
message << "for user with key #{key_id}."
$logger.should_receive(:info).with(message)
end
it "should use usernames if configured to do so" do
GitlabConfig.any_instance.stub(audit_usernames: true)
$logger.should_receive(:info) { |msg| msg.should =~ /for John Doe/ }
end
end end
context 'git-receive-pack' do context 'git-receive-pack' do
...@@ -77,6 +91,13 @@ describe GitlabShell do ...@@ -77,6 +91,13 @@ describe GitlabShell do
it "should execute the command" do it "should execute the command" do
subject.should_receive(:exec_cmd).with("git-receive-pack #{File.join(repository_path, 'gitlab-ci.git')}") subject.should_receive(:exec_cmd).with("git-receive-pack #{File.join(repository_path, 'gitlab-ci.git')}")
end end
it "should log the command execution" do
message = "gitlab-shell: executing git command "
message << "<git-receive-pack #{File.join(repository_path, 'gitlab-ci.git')}> "
message << "for user with key #{key_id}."
$logger.should_receive(:info).with(message)
end
end end
context 'arbitrary command' do context 'arbitrary command' do
...@@ -90,6 +111,11 @@ describe GitlabShell do ...@@ -90,6 +111,11 @@ describe GitlabShell do
it "should not execute the command" do it "should not execute the command" do
subject.should_not_receive(:exec_cmd) subject.should_not_receive(:exec_cmd)
end end
it "should log the attempt" do
message = "gitlab-shell: Attempt to execute disallowed command <arbitrary command> by user with key #{key_id}."
$logger.should_receive(:warn).with(message)
end
end end
context 'no command' do context 'no command' do
...@@ -110,6 +136,13 @@ describe GitlabShell do ...@@ -110,6 +136,13 @@ describe GitlabShell do
api.should_receive(:allowed?). api.should_receive(:allowed?).
with('git-upload-pack', 'gitlab-ci.git', key_id, '_any') with('git-upload-pack', 'gitlab-ci.git', key_id, '_any')
end end
it "should disallow access and log the attempt if allowed? returns false" do
api.stub(allowed?: false)
message = "gitlab-shell: Access denied for git command <git-upload-pack gitlab-ci.git> "
message << "by user with key #{key_id}."
$logger.should_receive(:warn).with(message)
end
end end
def ssh_cmd(cmd) def ssh_cmd(cmd)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment