Commit 5cf5680f authored by Jacob Vosmaer (GitLab)'s avatar Jacob Vosmaer (GitLab) Committed by Douwe Maan

Deny repository disk access in development and test

parent 434efdac
...@@ -43,13 +43,18 @@ class GemnasiumService < Service ...@@ -43,13 +43,18 @@ class GemnasiumService < Service
def execute(data) def execute(data)
return unless supported_events.include?(data[:object_kind]) return unless supported_events.include?(data[:object_kind])
# Gitaly: this class will be removed https://gitlab.com/gitlab-org/gitlab-ee/issues/6010
repo_path = Gitlab::GitalyClient::StorageSettings.allow_disk_access do
project.repository.path_to_repo
end
Gemnasium::GitlabService.execute( Gemnasium::GitlabService.execute(
ref: data[:ref], ref: data[:ref],
before: data[:before], before: data[:before],
after: data[:after], after: data[:after],
token: token, token: token,
api_key: api_key, api_key: api_key,
repo: project.repository.path_to_repo # Gitaly: fixed by https://gitlab.com/gitlab-org/security-products/gemnasium-migration/issues/9 repo: repo_path
) )
end end
end end
...@@ -12,8 +12,10 @@ class MigrateProcessCommitWorkerJobs < ActiveRecord::Migration ...@@ -12,8 +12,10 @@ class MigrateProcessCommitWorkerJobs < ActiveRecord::Migration
end end
def repository_storage_path def repository_storage_path
Gitlab::GitalyClient::StorageSettings.allow_disk_access do
Gitlab.config.repositories.storages[repository_storage].legacy_disk_path Gitlab.config.repositories.storages[repository_storage].legacy_disk_path
end end
end
def repository_path def repository_path
# TODO: review if the change from Legacy storage needs to reflect here as well. # TODO: review if the change from Legacy storage needs to reflect here as well.
......
...@@ -64,8 +64,10 @@ class RemoveDotGitFromUsernames < ActiveRecord::Migration ...@@ -64,8 +64,10 @@ class RemoveDotGitFromUsernames < ActiveRecord::Migration
# we rename suffix instead of removing it # we rename suffix instead of removing it
path = path.sub(/\.git\z/, '_git') path = path.sub(/\.git\z/, '_git')
Gitlab::GitalyClient::StorageSettings.allow_disk_access do
check_routes(path.dup, 0, path) check_routes(path.dup, 0, path)
end end
end
def check_routes(base, counter, path) def check_routes(base, counter, path)
route_exists = route_exists?(path) route_exists = route_exists?(path)
......
...@@ -33,11 +33,6 @@ module Gitlab ...@@ -33,11 +33,6 @@ module Gitlab
MAXIMUM_GITALY_CALLS = 35 MAXIMUM_GITALY_CALLS = 35
CLIENT_NAME = (Sidekiq.server? ? 'gitlab-sidekiq' : 'gitlab-web').freeze CLIENT_NAME = (Sidekiq.server? ? 'gitlab-sidekiq' : 'gitlab-web').freeze
# We have a mechanism to let GitLab automatically opt in to all Gitaly
# features. We want to be able to exclude some features from automatic
# opt-in. That is what EXPLICIT_OPT_IN_REQUIRED is for.
EXPLICIT_OPT_IN_REQUIRED = [Gitlab::GitalyClient::StorageSettings::DISK_ACCESS_DENIED_FLAG].freeze
MUTEX = Mutex.new MUTEX = Mutex.new
class << self class << self
...@@ -249,7 +244,7 @@ module Gitlab ...@@ -249,7 +244,7 @@ module Gitlab
when MigrationStatus::OPT_OUT when MigrationStatus::OPT_OUT
true true
when MigrationStatus::OPT_IN when MigrationStatus::OPT_IN
opt_into_all_features? && !EXPLICIT_OPT_IN_REQUIRED.include?(feature_name) opt_into_all_features? && !explicit_opt_in_required.include?(feature_name)
else else
false false
end end
...@@ -259,6 +254,13 @@ module Gitlab ...@@ -259,6 +254,13 @@ module Gitlab
false false
end end
# We have a mechanism to let GitLab automatically opt in to all Gitaly
# features. We want to be able to exclude some features from automatic
# opt-in. This function has an override in EE.
def self.explicit_opt_in_required
[]
end
# opt_into_all_features? returns true when the current environment # opt_into_all_features? returns true when the current environment
# is one in which we opt into features automatically # is one in which we opt into features automatically
def self.opt_into_all_features? def self.opt_into_all_features?
......
...@@ -5,6 +5,7 @@ module SystemCheck ...@@ -5,6 +5,7 @@ module SystemCheck
attr_accessor :orphans attr_accessor :orphans
def multi_check def multi_check
Gitlab::GitalyClient::StorageSettings.allow_disk_access do
Gitlab.config.repositories.storages.each do |storage_name, repository_storage| Gitlab.config.repositories.storages.each do |storage_name, repository_storage|
storage_path = repository_storage.legacy_disk_path storage_path = repository_storage.legacy_disk_path
...@@ -17,6 +18,7 @@ module SystemCheck ...@@ -17,6 +18,7 @@ module SystemCheck
print_orphans(orphans, storage_name) print_orphans(orphans, storage_name)
end end
end end
end
private private
......
...@@ -296,16 +296,22 @@ describe ProjectsController do ...@@ -296,16 +296,22 @@ describe ProjectsController do
shared_examples_for 'updating a project' do shared_examples_for 'updating a project' do
context 'when only renaming a project path' do context 'when only renaming a project path' do
it "sets the repository to the right path after a rename" do it "sets the repository to the right path after a rename" do
original_repository_path = project.repository.path original_repository_path = Gitlab::GitalyClient::StorageSettings.allow_disk_access do
project.repository.path
end
expect { update_project path: 'renamed_path' } expect { update_project path: 'renamed_path' }
.to change { project.reload.path } .to change { project.reload.path }
expect(project.path).to include 'renamed_path' expect(project.path).to include 'renamed_path'
assign_repository_path = Gitlab::GitalyClient::StorageSettings.allow_disk_access do
assigns(:repository).path
end
if project.hashed_storage?(:repository) if project.hashed_storage?(:repository)
expect(assigns(:repository).path).to eq(original_repository_path) expect(assign_repository_path).to eq(original_repository_path)
else else
expect(assigns(:repository).path).to include(project.path) expect(assign_repository_path).to include(project.path)
end end
expect(response).to have_gitlab_http_status(302) expect(response).to have_gitlab_http_status(302)
......
...@@ -280,7 +280,11 @@ describe ProjectsHelper do ...@@ -280,7 +280,11 @@ describe ProjectsHelper do
describe '#sanitizerepo_repo_path' do describe '#sanitizerepo_repo_path' do
let(:project) { create(:project, :repository) } let(:project) { create(:project, :repository) }
let(:storage_path) { Gitlab.config.repositories.storages.default.legacy_disk_path } let(:storage_path) do
Gitlab::GitalyClient::StorageSettings.allow_disk_access do
Gitlab.config.repositories.storages.default.legacy_disk_path
end
end
before do before do
allow(Settings.shared).to receive(:[]).with('path').and_return('/base/repo/export/path') allow(Settings.shared).to receive(:[]).with('path').and_return('/base/repo/export/path')
......
...@@ -52,7 +52,9 @@ describe Gitlab::GitAccessWiki do ...@@ -52,7 +52,9 @@ describe Gitlab::GitAccessWiki do
context 'when the wiki repository does not exist' do context 'when the wiki repository does not exist' do
it 'returns not found' do it 'returns not found' do
wiki_repo = project.wiki.repository wiki_repo = project.wiki.repository
Gitlab::GitalyClient::StorageSettings.allow_disk_access do
FileUtils.rm_rf(wiki_repo.path) FileUtils.rm_rf(wiki_repo.path)
end
# Sanity check for rm_rf # Sanity check for rm_rf
expect(wiki_repo.exists?).to eq(false) expect(wiki_repo.exists?).to eq(false)
......
...@@ -6,7 +6,11 @@ require Rails.root.join('db', 'migrate', '20161124141322_migrate_process_commit_ ...@@ -6,7 +6,11 @@ require Rails.root.join('db', 'migrate', '20161124141322_migrate_process_commit_
describe MigrateProcessCommitWorkerJobs do describe MigrateProcessCommitWorkerJobs do
let(:project) { create(:project, :legacy_storage, :repository) } # rubocop:disable RSpec/FactoriesInMigrationSpecs let(:project) { create(:project, :legacy_storage, :repository) } # rubocop:disable RSpec/FactoriesInMigrationSpecs
let(:user) { create(:user) } # rubocop:disable RSpec/FactoriesInMigrationSpecs let(:user) { create(:user) } # rubocop:disable RSpec/FactoriesInMigrationSpecs
let(:commit) { project.commit.raw.rugged_commit } let(:commit) do
Gitlab::GitalyClient::StorageSettings.allow_disk_access do
project.commit.raw.rugged_commit
end
end
describe 'Project' do describe 'Project' do
describe 'find_including_path' do describe 'find_including_path' do
......
...@@ -49,10 +49,14 @@ describe TurnNestedGroupsIntoRegularGroupsForMysql do ...@@ -49,10 +49,14 @@ describe TurnNestedGroupsIntoRegularGroupsForMysql do
end end
it 'renames the repository of any projects' do it 'renames the repository of any projects' do
expect(updated_project.repository.path) repo_path = Gitlab::GitalyClient::StorageSettings.allow_disk_access do
updated_project.repository.path
end
expect(repo_path)
.to end_with("#{parent_group.name}-#{child_group.name}/#{updated_project.path}.git") .to end_with("#{parent_group.name}-#{child_group.name}/#{updated_project.path}.git")
expect(File.directory?(updated_project.repository.path)).to eq(true) expect(File.directory?(repo_path)).to eq(true)
end end
it 'creates a redirect route for renamed projects' do it 'creates a redirect route for renamed projects' do
......
...@@ -2943,7 +2943,7 @@ describe Project do ...@@ -2943,7 +2943,7 @@ describe Project do
project.rename_repo project.rename_repo
expect(project.repository.rugged.config['gitlab.fullpath']).to eq(project.full_path) expect(rugged_config['gitlab.fullpath']).to eq(project.full_path)
end end
end end
...@@ -3104,7 +3104,7 @@ describe Project do ...@@ -3104,7 +3104,7 @@ describe Project do
it 'updates project full path in .git/config' do it 'updates project full path in .git/config' do
project.rename_repo project.rename_repo
expect(project.repository.rugged.config['gitlab.fullpath']).to eq(project.full_path) expect(rugged_config['gitlab.fullpath']).to eq(project.full_path)
end end
end end
...@@ -3525,13 +3525,13 @@ describe Project do ...@@ -3525,13 +3525,13 @@ describe Project do
it 'writes full path in .git/config when key is missing' do it 'writes full path in .git/config when key is missing' do
project.write_repository_config project.write_repository_config
expect(project.repository.rugged.config['gitlab.fullpath']).to eq project.full_path expect(rugged_config['gitlab.fullpath']).to eq project.full_path
end end
it 'updates full path in .git/config when key is present' do it 'updates full path in .git/config when key is present' do
project.write_repository_config(gl_full_path: 'old/path') project.write_repository_config(gl_full_path: 'old/path')
expect { project.write_repository_config }.to change { project.repository.rugged.config['gitlab.fullpath'] }.from('old/path').to(project.full_path) expect { project.write_repository_config }.to change { rugged_config['gitlab.fullpath'] }.from('old/path').to(project.full_path)
end end
it 'does not raise an error with an empty repository' do it 'does not raise an error with an empty repository' do
...@@ -3817,4 +3817,10 @@ describe Project do ...@@ -3817,4 +3817,10 @@ describe Project do
let(:uploader_class) { AttachmentUploader } let(:uploader_class) { AttachmentUploader }
end end
end end
def rugged_config
Gitlab::GitalyClient::StorageSettings.allow_disk_access do
project.repository.rugged.config
end
end
end end
...@@ -188,7 +188,11 @@ describe ProjectWiki do ...@@ -188,7 +188,11 @@ describe ProjectWiki do
before do before do
subject.wiki # Make sure the wiki repo exists subject.wiki # Make sure the wiki repo exists
BareRepoOperations.new(subject.repository.path_to_repo).commit_file(image, 'image.png') repo_path = Gitlab::GitalyClient::StorageSettings.allow_disk_access do
subject.repository.path_to_repo
end
BareRepoOperations.new(repo_path).commit_file(image, 'image.png')
end end
it 'returns the latest version of the file if it exists' do it 'returns the latest version of the file if it exists' do
......
...@@ -74,7 +74,9 @@ describe RemoteMirror do ...@@ -74,7 +74,9 @@ describe RemoteMirror do
mirror.update_attribute(:url, 'http://foo:baz@test.com') mirror.update_attribute(:url, 'http://foo:baz@test.com')
config = repo.raw_repository.rugged.config config = Gitlab::GitalyClient::StorageSettings.allow_disk_access do
repo.raw_repository.rugged.config
end
expect(config["remote.#{mirror.remote_name}.url"]).to eq('http://foo:baz@test.com') expect(config["remote.#{mirror.remote_name}.url"]).to eq('http://foo:baz@test.com')
end end
......
...@@ -522,7 +522,6 @@ describe API::Internal do ...@@ -522,7 +522,6 @@ describe API::Internal do
context 'the project path was changed' do context 'the project path was changed' do
let(:project) { create(:project, :repository, :legacy_storage) } let(:project) { create(:project, :repository, :legacy_storage) }
let!(:old_path_to_repo) { project.repository.path_to_repo }
let!(:repository) { project.repository } let!(:repository) { project.repository }
before do before do
......
...@@ -272,8 +272,11 @@ describe Projects::CreateService, '#execute' do ...@@ -272,8 +272,11 @@ describe Projects::CreateService, '#execute' do
it 'writes project full path to .git/config' do it 'writes project full path to .git/config' do
project = create_project(user, opts) project = create_project(user, opts)
rugged = Gitlab::GitalyClient::StorageSettings.allow_disk_access do
project.repository.rugged
end
expect(project.repository.rugged.config['gitlab.fullpath']).to eq project.full_path expect(rugged.config['gitlab.fullpath']).to eq project.full_path
end end
def create_project(user, opts) def create_project(user, opts)
......
...@@ -9,7 +9,7 @@ RSpec.configure do |config| ...@@ -9,7 +9,7 @@ RSpec.configure do |config|
# Use 'and_wrap_original' to make sure the arguments are valid # Use 'and_wrap_original' to make sure the arguments are valid
allow(Gitlab::GitalyClient).to receive(:feature_enabled?).and_wrap_original do |m, *args| allow(Gitlab::GitalyClient).to receive(:feature_enabled?).and_wrap_original do |m, *args|
m.call(*args) m.call(*args)
!Gitlab::GitalyClient::EXPLICIT_OPT_IN_REQUIRED.include?(args.first) !Gitlab::GitalyClient.explicit_opt_in_required.include?(args.first)
end end
end end
end end
......
...@@ -44,7 +44,9 @@ describe RepositoryRemoveRemoteWorker do ...@@ -44,7 +44,9 @@ describe RepositoryRemoveRemoteWorker do
end end
def create_remote_branch(remote_name, branch_name, target) def create_remote_branch(remote_name, branch_name, target)
rugged = project.repository.rugged rugged = Gitlab::GitalyClient::StorageSettings.allow_disk_access do
project.repository.rugged
end
rugged.references.create("refs/remotes/#{remote_name}/#{branch_name}", target.id) rugged.references.create("refs/remotes/#{remote_name}/#{branch_name}", target.id)
end end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment