Merge branch 'git-annex' into 'master'

Git annex support - [x] Add authorization for git-annex commands - [x] Test it manually - [x] Add CHANGELOG-EE entry - [x] Add documentation __Git annex commands allowed only for users who have push access to repository__. We might want to change it in future allowing `git annex get .` for `Reporter` role. It requires understanding which git-annex commands are read-only. cc @marin @sytse See merge request !312

Merge branch 'git-annex' into 'master'
Git annex support - [x] Add authorization for git-annex commands - [x] Test it manually - [x] Add CHANGELOG-EE entry - [x] Add documentation __Git annex commands allowed only for users who have push access to repository__. We might want to change it in future allowing `git annex get .` for `Reporter` role. It requires understanding which git-annex commands are read-only. cc @marin @sytse See merge request !312
07a0e729 · Dmitriy Zaporozhets · 6ae4003b · 50ed6168 · 07a0e729 · 07a0e729
Commit 07a0e729 authored Feb 17, 2015 by Dmitriy Zaporozhets
5 changed files
--- a/CHANGELOG-EE
+++ b/CHANGELOG-EE
@@ -6,6 +6,7 @@ v 7.8.0
  - Added Github Enterprise importer
  - When project has MR rebase enabled, MR will have rebase checkbox selected by default
  - Minor UI fixes for sidebar navigation
+  - Manage large binaries with git annex

 v 7.7.0
  - Added custom header logo support (Drew Blessing)

--- a/GITLAB_SHELL_VERSION
+++ b/GITLAB_SHELL_VERSION
-2.4.3
+2.5.0
--- a/doc/workflow/README.md
+++ b/doc/workflow/README.md
@@ -13,3 +13,4 @@
 - [Project importing from GitLab.com to your private GitLab instance](import_projects_from_gitlab_com.md)
 - [Protected branches](protected_branches.md)
 - [Web Editor](web_editor.md)
+- [Manage large binaries with git annex](git_annex.md)
--- a/doc/workflow/git_annex.md
+++ b/doc/workflow/git_annex.md
+# Git annex
+
+The biggest limitation of git compared to some older centralized version control systems has been the maximum size of the repositories.
+The general recommendation is to not have git repositories larger than 1GB to preserve performance.
+Although GitLab has no limit (some repositories in GitLab are over 50GB!) we subscribe to the advise to keep repositories as small as you can.
+
+Not being able to version control large binaries is a big problem for many larger organizations.
+Video, photo's, audio, compiled binaries and many other types of files are too large.
+As a workaround, people keep artwork-in-progress in a Dropbox folder and only check in the final result.
+This results in using outdated files, not having a complete history and the risk of losing work.
+
+This problem is solved by integrating the awesome [git-annex](https://git-annex.branchable.com/).
+Git-annex allows managing large binaries with git, without checking the contents into git.
+You check in only a symlink that contains the SHA-1 of the large binary.
+If you need the large binary you can sync it from the GitLab server over rsync, a very fast file copying tool.
+
+<!-- more -->
+
+## Using GitLab Annex
+
+For example, if you want to upload a very large file and check it into your Git repository:
+
+```bash
+git clone git@gitlab.example.com:group/project.git
+git annex init 'My Laptop'            # initialize the annex project
+cp ~/tmp/debian.iso ./                # copy a large file into the current directory
+git annex add .                       # add the large file to git annex
+git commit -am"Added Debian iso"      # commit the file meta data
+git annex sync --content              # sync the git repo and large file to the GitLab server
+```
+
+Downloading a single large file is also very simple:
+
+```bash
+git clone git@gitlab.example.com:group/project.git
+git annex sync                        # sync git branches but not the large file
+git annex get debian.iso              # download the large file
+```
+
+To download all files:
+
+```bash
+git clone git@gitlab.example.com:group/project.git
+git annex sync --content              # sync git branches and download all the large files
+```
+
+You don't have to setup git-annex on a separate server or add annex remotes to the repository.
+Git-annex without GitLab gives everyone that can access the server access to the files of all projects.
+GitLab annex ensures you can only acces files of projects you work on (developer, master or owner role).
+
+## How it works
+
+Internally GitLab uses [GitLab Shell](https://gitlab.com/gitlab-org/gitlab-shell) to handle ssh access and this was a great integration point for git-annex.
+We've added a setting to GitLab Shell so you can disable GitLab Annex support if you don't want it.
+
+You'll have to use ssh style links for to git remote to your GitLab server instead of https style links.
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -2,6 +2,7 @@ module Gitlab
  class GitAccess
    DOWNLOAD_COMMANDS = %w{ git-upload-pack git-upload-archive }
    PUSH_COMMANDS = %w{ git-receive-pack }
+    GIT_ANNEX_COMMANDS = %w{ git-annex-shell }

    attr_reader :params, :project, :git_cmd, :user

@@ -28,6 +29,10 @@ module Gitlab
        else
          raise 'Wrong actor'
        end
+      when *GIT_ANNEX_COMMANDS
+        if actor.is_a? Key
+          git_annex_access_check(actor.user, project, changes)
+        end
      else
        return build_status_object(false, "Wrong command")
      end
@@ -221,5 +226,21 @@ module Gitlab
    def build_status_object(status, message = '')
      GitAccessStatus.new(status, message)
    end
+
+    def git_annex_access_check(user, project, changes)
+      unless user && user_allowed?(user)
+        return build_status_object(false, "You don't have access")
+      end
+
+      unless project.repository.exists?
+        return build_status_object(false, "Repository does not exist")
+      end
+
+      if user.can?(:push_code, project)
+        build_status_object(true)
+      else
+        build_status_object(false, "You don't have permission")
+      end
+    end
  end
 end