Commit a1f76904 authored by Stan Hu's avatar Stan Hu

Merge branch '3891-remove-geo-ssh-repo-sync' into 'master'

Remove SSH repository sync support from Geo

Closes #3891

See merge request gitlab-org/gitlab-ee!3553
parents 0fb58cf6 d2d54197
......@@ -5,28 +5,20 @@ import {
import '../flash';
import Api from '../api';
const onPrimaryCheckboxChange = function onPrimaryCheckboxChange(e, $namespaces, $key, $useSSH) {
const onPrimaryCheckboxChange = function onPrimaryCheckboxChange(e, $namespaces) {
const $namespacesSelect = $('.select2', $namespaces);
$namespacesSelect.select2('data', null);
$namespaces.toggleClass('hidden', e.currentTarget.checked);
$key.toggleClass('hidden', e.currentTarget.checked || !$useSSH.is(':checked'));
};
export default function geoNodeForm($container) {
const $namespaces = $('.js-hide-if-geo-primary', $container);
const $primaryCheckbox = $('input[type="checkbox"]', $container);
const $select2Dropdown = $('.js-geo-node-namespaces', $container);
const $useHTTP = $('.js-use-http', $container);
const $useSSH = $('.js-use-ssh', $container);
const $sshKey = $('.js-ssh-key', $container);
$primaryCheckbox.on('change', e =>
onPrimaryCheckboxChange(e, $namespaces, $sshKey, $useSSH));
$useHTTP.on('click', () => $sshKey.toggleClass('hidden', true));
$useSSH.on('click', () => $sshKey.toggleClass('hidden', false));
onPrimaryCheckboxChange(e, $namespaces));
$select2Dropdown.select2({
placeholder: s__('Geo|Select groups to replicate.'),
......
class GeoNode < ActiveRecord::Base
include IgnorableColumn
include Presentable
belongs_to :geo_node_key, inverse_of: :geo_node, dependent: :destroy # rubocop: disable Cop/ActiveRecordDependent
ignore_column :clone_protocol
ignore_column :geo_node_key_id
belongs_to :oauth_application, class_name: 'Doorkeeper::Application', dependent: :destroy # rubocop: disable Cop/ActiveRecordDependent
has_many :geo_node_namespace_links
......@@ -9,10 +12,7 @@ class GeoNode < ActiveRecord::Base
has_one :status, class_name: 'GeoNodeStatus'
default_values url: ->(record) { record.class.current_node_url },
primary: false,
clone_protocol: 'http'
accepts_nested_attributes_for :geo_node_key
primary: false
validates :url, presence: true, uniqueness: { case_sensitive: false }
validate :check_url_is_valid
......@@ -21,12 +21,9 @@ class GeoNode < ActiveRecord::Base
validates :access_key, presence: true
validates :encrypted_secret_access_key, presence: true
validates :clone_protocol, presence: true, inclusion: %w(ssh http)
validates :geo_node_key, presence: true, if: :uses_ssh_key?
validate :check_not_adding_primary_as_secondary, if: :secondary?
after_initialize :build_dependents
after_save :expire_cache!
after_destroy :expire_cache!
before_validation :update_dependents_attributes
......@@ -246,19 +243,7 @@ class GeoNode < ActiveRecord::Base
{ protocol: uri.scheme, host: uri.host, port: uri.port, script_name: uri.path }
end
def build_dependents
build_geo_node_key if new_record? && secondary? && geo_node_key.nil?
end
def update_dependents_attributes
if primary?
self.geo_node_key = nil
elsif uses_ssh_key?
self.geo_node_key&.title = "Geo node: #{self.url}"
end
self.geo_node_key = nil unless uses_ssh_key? || geo_node_key&.persisted?
if self.primary?
self.oauth_application = nil
update_clone_url
......
class GeoNodeKey < Key
has_one :geo_node, inverse_of: :geo_node_key
def orphaned?
self.geo_nodes.length == 0
end
def almost_orphaned?
self.geo_nodes.length == 1
end
def destroyed_when_orphaned?
true
end
# Geo secondary nodes use these keys to get read access to all projects.
# If the secondary is promoted to a primary, its key is no longer valid.
#
# This is necessary because keys are placed in the `~git/.ssh` directory;
# repository mirroring and other actions that shell out to SSH make use of
# the same directory. A Geo secondary does not perform any of these actions,
# but if it is made a primary and the keys are not removed, every user on the
# GitLab instance will be able to access every project using this key.
def active?
geo_node&.uses_ssh_key?
end
end
require 'securerandom'
module Geo
# The clone_url_prefix is used to build URLs for the Geo synchronization
# If this is missing from the primary node we raise this exception
EmptyCloneUrlPrefixError = Class.new(StandardError)
class BaseSyncService
include ExclusiveLeaseGuard
include ::Gitlab::Geo::ProjectLogHelpers
......@@ -53,16 +49,6 @@ module Geo
LEASE_TIMEOUT
end
def primary_ssh_path_prefix
@primary_ssh_path_prefix ||= Gitlab::Geo.primary_node.clone_url_prefix.tap do |prefix|
raise EmptyCloneUrlPrefixError, 'Missing clone_url_prefix in the primary node' unless prefix.present?
end
end
def primary_http_path_prefix
@primary_http_path_prefix ||= Gitlab::Geo.primary_node.url
end
private
def retry_count
......@@ -90,25 +76,7 @@ module Geo
end
def fetch_geo_mirror(repository)
case current_node&.clone_protocol
when 'http'
fetch_http_geo_mirror(repository)
when 'ssh'
fetch_ssh_geo_mirror(repository)
else
raise "Unknown clone protocol: #{current_node&.clone_protocol}"
end
end
def build_repository_url(prefix, repository)
url = prefix
url += '/' unless url.end_with?('/')
url + repository.full_path + '.git'
end
def fetch_http_geo_mirror(repository)
url = build_repository_url(primary_http_path_prefix, repository)
url = Gitlab::Geo.primary_node.url + repository.full_path + '.git'
# Fetch the repository, using a JWT header for authentication
authorization = ::Gitlab::Geo::BaseRequest.new.authorization
......@@ -117,12 +85,6 @@ module Geo
repository.with_config(header) { repository.fetch_as_mirror(url, forced: true) }
end
def fetch_ssh_geo_mirror(repository)
url = build_repository_url(primary_ssh_path_prefix, repository)
repository.fetch_as_mirror(url, forced: true)
end
def registry
@registry ||= Geo::ProjectRegistry.find_or_initialize_by(project_id: project.id)
end
......
......@@ -6,7 +6,6 @@ module Geo
@geo_node = geo_node
@old_namespace_ids = geo_node.namespace_ids
@params = params.dup
@params.delete(:geo_node_key_attributes)
@params[:namespace_ids] = @params[:namespace_ids].to_s.split(',')
end
......
......@@ -27,8 +27,7 @@ module Geo
update_delay_s: update_delay_in_seconds,
download_time_s: download_time_in_seconds)
rescue Gitlab::Shell::Error,
Gitlab::Git::RepositoryMirroring::RemoteError,
Geo::EmptyCloneUrlPrefixError => e
Gitlab::Git::RepositoryMirroring::RemoteError => e
fail_registry!('Error syncing repository', e)
rescue Gitlab::Git::Repository::NoRepository => e
log_info('Setting force_to_redownload flag')
......
......@@ -28,8 +28,7 @@ module Geo
download_time_s: download_time_in_seconds)
rescue Gitlab::Git::RepositoryMirroring::RemoteError,
Gitlab::Shell::Error,
ProjectWiki::CouldNotCreateWikiError,
Geo::EmptyCloneUrlPrefixError => e
ProjectWiki::CouldNotCreateWikiError => e
fail_registry!('Error syncing wiki repository', e)
rescue Gitlab::Git::Repository::NoRepository => e
log_info('Setting force_to_redownload flag')
......
- disable_key_edit = local_assigns.fetch(:disable_key_edit, false)
= form_errors(geo_node)
.form-group
= form.label :url, 'URL', class: 'control-label'
......@@ -13,33 +11,6 @@
= form.check_box :primary
%strong This is a primary node
.form-group.js-hide-if-geo-primary{ class: ('hidden' unless geo_node.secondary?) }
= form.label :clone_protocol, s_('Geo|Repository cloning'), class: 'control-label'
.col-sm-10
.radio
= form.label :clone_protocol_http do
= form.radio_button :clone_protocol, :http, class: 'js-use-http'
.option-title
HTTP/HTTPS
.option-description= _('Clone repositories and wikis from the primary using HTTP/HTTPS.')
.radio
= form.label :clone_protocol_ssh do
= form.radio_button :clone_protocol, :ssh, class: 'js-use-ssh'
.option-title
SSH (deprecated)
.option-description= _('Authentication must be manually configured. Deprecated since GitLab 10.2.')
= form.fields_for :geo_node_key, geo_node.geo_node_key, include_id: !disable_key_edit do |fg|
.form-group.js-ssh-key{ class: ('hidden' unless geo_node.secondary? && geo_node.clone_protocol == 'ssh') }
= fg.label :key, 'Public Key', class: 'control-label'
.col-sm-10
= fg.text_area :key, class: 'form-control thin_area', rows: 5, disabled: disable_key_edit
- unless disable_key_edit
%p.help-block
For SSH authentication, paste the public key used by the node you are adding. Read more about it
= link_to 'here', help_page_path('gitlab-geo/configuration.html', anchor: 'step-5-enabling-the-secondary-gitlab-node')
.form-group.js-hide-if-geo-primary{ class: ('hidden' unless geo_node.secondary?) }
= form.label :namespace_ids, s_('Geo|Groups to replicate'), class: 'control-label'
.col-sm-10
......
......@@ -3,7 +3,7 @@
Edit Geo Node
= form_for [:admin, @node], html: { class: 'form-horizontal js-geo-node-form' } do |f|
= render partial: 'form', locals: { form: f, geo_node: @node, disable_key_edit: true }
= render partial: 'form', locals: { form: f, geo_node: @node }
.form-actions
= f.submit 'Save changes', class: 'btn btn-create'
= link_to 'Cancel', admin_geo_nodes_path, class: 'btn btn-cancel'
......
---
title: Remove Geo SSH repo sync support
merge_request: 3553
author:
type: removed
class RemoveGeoSshRepoSync < ActiveRecord::Migration
include Gitlab::Database::MigrationHelpers
DOWNTIME = false
GeoNode = Class.new(ActiveRecord::Base)
Key = Class.new(ActiveRecord::Base)
disable_ddl_transaction!
def up
Key.where(id: GeoNode.all.select(:geo_node_key_id)).delete_all
remove_column :geo_nodes, :clone_protocol
remove_column :geo_nodes, :geo_node_key_id
end
def down
add_column :geo_nodes, :geo_node_key_id, :integer
add_column_with_default :geo_nodes, :clone_protocol, :string, default: 'http', allow_null: false
end
end
......@@ -11,7 +11,7 @@
#
# It's strongly recommended that you check this file into your version control system.
ActiveRecord::Schema.define(version: 20171124165823) do
ActiveRecord::Schema.define(version: 20171124182517) do
# These are extensions that must be enabled in order to support this database
enable_extension "plpgsql"
......@@ -977,7 +977,6 @@ ActiveRecord::Schema.define(version: 20171124165823) do
create_table "geo_nodes", force: :cascade do |t|
t.boolean "primary"
t.integer "geo_node_key_id"
t.integer "oauth_application_id"
t.boolean "enabled", default: true, null: false
t.string "access_key"
......@@ -986,7 +985,6 @@ ActiveRecord::Schema.define(version: 20171124165823) do
t.string "clone_url_prefix"
t.integer "files_max_capacity", default: 10, null: false
t.integer "repos_max_capacity", default: 25, null: false
t.string "clone_protocol", default: "http", null: false
t.string "url", null: false
end
......
......@@ -24,7 +24,7 @@ Example response:
"enabled": true,
"files_max_capacity": 10,
"repos_max_capacity": 25,
"clone_protocol": "ssh"
"clone_protocol": "http"
},
{
"id": 2,
......@@ -58,7 +58,7 @@ Example response:
"enabled": true,
"files_max_capacity": 10,
"repos_max_capacity": 25,
"clone_protocol": "ssh"
"clone_protocol": "http"
}
```
......
......@@ -38,9 +38,8 @@ and the replicated read-only ones as **secondaries**.
Keep in mind that:
- Secondaries talk to primary to get user data for logins (API), to
clone/pull from repositories (SSH) and to retrieve LFS Objects and Attachments
(HTTPS + JWT).
- Secondaries talk to the primary to get user data for logins (API) and to
replicate repositories, LFS Objects and Attachments (HTTPS + JWT).
- Since GitLab Enterprise Edition Premium 10.0, the primary no longer talks to
secondaries to notify for changes (API).
......@@ -62,7 +61,7 @@ The following diagram illustrates the underlying architecture of GitLab Geo:
[Source diagram](https://docs.google.com/drawings/d/1Abw0P_H0Ew1-2Lj_xPDRWP87clGIke-1fil7_KQqrtE/edit)
In this diagram, there is one Geo primary node and one secondary. The
secondary clones repositories via git over SSH. Attachments, LFS objects, and
secondary clones repositories via git over HTTPS. Attachments, LFS objects, and
other files are downloaded via HTTPS using the GitLab API to authenticate,
with a special endpoint protected by JWT.
......
......@@ -113,7 +113,14 @@ certificate from the primary and follow
[these instructions](https://docs.gitlab.com/omnibus/settings/ssl.html)
on the secondary.
### Step 4. Managing the secondary GitLab node
### Step 4. Enable Git access over HTTP/HTTPS
GitLab Geo synchronizes repositories over HTTP/HTTPS, and so requires this clone
method to be enabled. Navigate to **Admin Area ➔ Settings**
(`/admin/application_settings`) on the primary node, and set
`Enabled Git access protocols` to `Both SSH and HTTP(S)` or `Only HTTP(S)`.
### Step 5. Managing the secondary GitLab node
You can monitor the status of the syncing process on a secondary node
by visiting the primary node's **Admin Area ➔ Geo Nodes** (`/admin/geo_nodes`)
......@@ -170,42 +177,6 @@ secondary nodes, but repositories that have not been selected will be empty.
1. Secondary nodes won't pull repositories that do not belong to the selected
groups to be replicated.
## Replicating wikis and repositories over SSH
>**Warning:**
In GitLab 10.2, replicating repositories and wikis over SSH was deprecated.
Support for SSH replication will be removed in 10.3. These instructions should
only be used if you need to add a new secondary in the short term.
1. SSH into the **secondary** node and login as root:
```bash
sudo -i
```
1. Add the primary's SSH key fingerprint to the `known_hosts` file.
```bash
sudo -u git -H ssh git@<primary-node-url>
```
Replace `<primary-node-url>` with the FQDN of the primary node. You should
manually check the displayed fingerprint against a trusted record of the
expected value before accepting it!
1. Generate a *passphraseless* SSH keypair for the `git` user, and capture the
public component:
```bash
test -e ~git/.ssh/id_rsa || sudo -u git -H ssh-keygen -q -t rsa -b 4096 -f ~git/.ssh/id_rsa
cat ~git/.ssh/id_rsa.pub
```
Follow the steps above to set up the new Geo node. When you reach
[Step 4: Enabling the secondary GitLab node](#step-4-managing-the-secondary-gitlab-node)
select "SSH (deprecated)" instead of "HTTP/HTTPS", and populate the "Public Key"
with the output of the previous command (beginning `ssh-rsa AAAA...`).
### Upgrading Geo
See the [updating the Geo nodes document](updating_the_geo_nodes.md).
......
......@@ -123,7 +123,15 @@ cp primary.geo.example.com.crt /usr/local/share/ca-certificates
update-ca-certificates
```
### Step 4. Managing the secondary GitLab node
### Step 4. Enable Git access over HTTP/HTTPS
GitLab Geo synchronizes repositories over HTTP/HTTPS, and so requires this clone
method to be enabled. Navigate to **Admin Area ➔ Settings**
(`/admin/application_settings`) on the primary node, and set
`Enabled Git access protocols` to `Both SSH and HTTP(S)` or `Only HTTP(S)`.
### Step 5. Managing the secondary GitLab node
You can monitor the status of the syncing process on a secondary node
by visiting the primary node's **Admin Area ➔ Geo Nodes** (`/admin/geo_nodes`)
......@@ -173,10 +181,6 @@ Point your users to the ["Using a Geo Server" guide](using_a_geo_server.md).
Read [Selective replication](configuration.md#selective-replication).
## Replicating wikis and repositories over SSH
Read [Replicating wikis and repositories over SSH](configuration.md#replicating-wikis-and-repositories-over-ssh).
## Troubleshooting
Read the [troubleshooting document](troubleshooting.md).
......
......@@ -44,8 +44,8 @@ The following guide assumes that:
make sure the GitLab version is the same on all nodes.
- The IP of the primary server for our examples will be `1.2.3.4`, whereas the
secondary's IP will be `5.6.7.8`. Note that the primary and secondary servers
**must** be able to communicate over these addresses (using HTTPS & SSH).
These IP addresses can either be public or private.
**must** be able to communicate over these addresses. These IP addresses can
either be public or private.
If your GitLab installation is using external PostgreSQL, the Omnibus roles
will not be able to perform all necessary configuration steps. Refer to
......
......@@ -25,11 +25,6 @@ You must make the changes in the exact specific order:
1. Promote the Postgres in your secondary node as primary
1. Modify the `gitlab.rb` for both nodes to reflect their new statuses
1. Log-in to your secondary node with a user with `sudo` permission
1. **Remove** the Geo SSH client keys (this is very important!):
```bash
sudo rm ~git/.ssh/id_rsa ~git/.ssh/id_rsa.pub
```
1. Run `sudo gitlab-rake geo:set_secondary_as_primary`
1. Rsync everything in `/var/opt/gitlab/gitlab-rails/uploads` and
`/var/opt/gitlab/gitlab-rails/shared` from your old node to the new one.
......
......@@ -53,29 +53,6 @@ and expect something like:
By running the command above, `primary` should be `true` when executed in
the primary node, and `false` on any secondary.
#### Did I define the correct SSH Key for the node?
You must create an SSH Key for `git` user.
This key is the one you have to inform at `Admin > Geo`.
#### Can I SSH from secondary to primary node using `git` user account?
This is the most obvious cause of problems with repository replication issues.
If you haven't added the primary node's key to `known_hosts`, you will end up with
a lot of failed sidekiq jobs with an error similar to:
```
Gitlab::Shell::Error: Host key verification failed. fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists.
```
An easy way to fix this is by logging in as the `git` user in the secondary node and run:
```bash
# remove old entries to your primary gitlab in known_hosts
ssh-keyscan -R your-primary-gitlab.example.com
```
#### How do I fix the message, "ERROR: replication slots can only be used if max_replication_slots > 0"?
This means that the `max_replication_slots` PostgreSQL variable needs to
......
......@@ -14,6 +14,20 @@ all you need to do is update GitLab itself:
the tracking database is enabled.
1. [Test](#check-status-after-updating) primary and secondary nodes, and check version in each.
## Upgrading to GitLab 10.3
### Support for SSH repository synchronization removed
In GitLab 10.2, synchronizing secondaries over SSH was deprecated. In 10.3,
support is removed entirely. All installations will switch to the HTTP/HTTPS
cloning method instead. Before upgrading, ensure that all your Geo nodes are
configured to use this method and that it works for your installation. In
particular, ensure that [Git access over HTTP/HTTPS is enabled](configuration.md#step-4-enable-git-access-over-http-https).
Synchronizing repositories over the public Internet using HTTP is insecure, so
you should ensure that you have HTTPS configured before upgrading. Note that
file synchronization is **also** insecure in these cases!
## Upgrading to GitLab 10.2
### Secure PostgreSQL replication
......
......@@ -86,9 +86,7 @@ class Admin::GeoNodesController < Admin::ApplicationController
:primary,
:namespace_ids,
:repos_max_capacity,
:files_max_capacity,
:clone_protocol,
geo_node_key_attributes: [:key]
:files_max_capacity
)
end
......
......@@ -12,8 +12,7 @@ module EE
def can_read_project?
raise NotImplementedError.new unless defined?(super)
return geo_node_key.active? if geo_node_key?
return true if actor == :geo
return true if geo?
super
end
......@@ -52,16 +51,8 @@ module EE
end
end
def geo_node_key
actor if geo_node_key?
end
def geo_node_key?
actor.is_a?(::GeoNodeKey)
end
def geo?
geo_node_key? || actor == :geo
actor == :geo
end
end
end
......
module SystemCheck
module Geo
class HTTPCloneEnabledCheck < ::SystemCheck::BaseCheck
set_name 'HTTP/HTTPS repository cloning is enabled'
def check?
enabled_git_access_protocol.blank? || enabled_git_access_protocol == 'http'
end
def show_error
try_fixing_it(
'Enable HTTP/HTTPS repository cloning for Geo repository synchronization'
)
for_more_information('doc/gitlab-geo/README.md')
end
private
def enabled_git_access_protocol
Gitlab::CurrentSettings.current_application_settings.enabled_git_access_protocol
end
end
end
end
......@@ -1092,7 +1092,11 @@ module API
expose :enabled
expose :files_max_capacity
expose :repos_max_capacity
expose :clone_protocol
# Retained for backwards compatibility. Remove in API v5
expose :clone_protocol do |_record, _options|
'http'
end
end
class PersonalAccessToken < Grape::Entity
......
......@@ -57,8 +57,7 @@ module API
gl_repository: gl_repository,
gl_username: user&.username,
repository_path: repository_path,
gitaly: gitaly_payload(params[:action]),
geo_node: actor.is_a?(GeoNodeKey)
gitaly: gitaly_payload(params[:action])
}
end
......
......@@ -11,10 +11,10 @@ module SystemCheck
].freeze
set_name 'Git user has default SSH configuration?'
set_skip_reason 'skipped (Geo uses SSH key, or git user is not present / configured)'
set_skip_reason 'skipped (git user is not present / configured)'
def skip?
::Gitlab::Geo.current_node&.uses_ssh_key? || !home_dir || !File.directory?(home_dir)
!home_dir || !File.directory?(home_dir)
end
def check?
......
......@@ -462,6 +462,7 @@ namespace :gitlab do
SystemCheck::Geo::GeoDatabaseConfiguredCheck,
SystemCheck::Geo::DatabaseReplicationCheck,
SystemCheck::Geo::HttpConnectionCheck,
SystemCheck::Geo::HTTPCloneEnabledCheck,
SystemCheck::Geo::ClocksSynchronizationCheck,
SystemCheck::App::GitUserDefaultSSHConfigCheck
]
......
......@@ -110,7 +110,7 @@ describe Admin::GeoNodesController, :postgresql do
end
describe '#create' do
let(:geo_node_attributes) { { url: 'http://example.com', geo_node_key_attributes: { key: SSHKeygen.generate } } }
let(:geo_node_attributes) { { url: 'http://example.com' } }
def go
post :create, geo_node: geo_node_attributes
......@@ -139,16 +139,9 @@ describe Admin::GeoNodesController, :postgresql do
end
describe '#update' do
let(:geo_node_attributes) do
{
url: 'http://example.com',
clone_protocol: 'ssh',
geo_node_key_attributes: attributes_for(:key)
}
end
let(:geo_node_attributes) { { url: 'http://example.com' } }
let(:geo_node) { create(:geo_node, :ssh) }
let!(:original_fingerprint) { geo_node.geo_node_key.fingerprint }
let(:geo_node) { create(:geo_node) }
def go
post :update, id: geo_node, geo_node: geo_node_attributes
......@@ -168,25 +161,11 @@ describe Admin::GeoNodesController, :postgresql do
allow(Gitlab::Geo).to receive(:license_allows?).and_return(true)
end
it 'updates the node without changing the key' do
it 'updates the node' do
go
geo_node.reload
expect(geo_node.url.chomp('/')).to eq(geo_node_attributes[:url])
expect(geo_node.geo_node_key.fingerprint).to eq(original_fingerprint)
end
context 'changing clone protocol' do
let(:geo_node_attributes) { { clone_protocol: 'http' } }
it 'changes the protocol without removing the key' do
go
geo_node.reload
expect(geo_node.clone_protocol).to eq('http')
expect(geo_node.geo_node_key.fingerprint).to eq(original_fingerprint)
end
end
it 'delegates the update of the Geo node to Geo::NodeUpdateService' do
......
require 'spec_helper'
describe SystemCheck::Geo::HTTPCloneEnabledCheck do
describe '#check?' do
subject { described_class.new.check? }
where(:enabled_protocol, :result) do
[
['unknown', false],
['ssh', false],
['http', true],
['', true],
[nil, true]
]
end
with_them do
before do
stub_application_setting(enabled_git_access_protocol: enabled_protocol)
end
it { is_expected.to eq(result) }
end
end
end
require 'spec_helper'
describe API::Internal do
let(:project) { create(:project, :repository) }
let(:secret_token) { Gitlab::Shell.secret_token }
describe "POST /internal/allowed", :clean_gitlab_redis_shared_state do
context 'Geo Node' do
let(:geo_node) { create(:geo_node, :ssh) }
it 'recognizes the Geo Node' do
post(
api("/internal/allowed"),
key_id: geo_node.geo_node_key.id,
project: project.repository.path_to_repo,
action: 'git-upload-pack',
secret_token: secret_token,
protocol: 'ssh')
expect(response.status).to eq(200)
expect(json_response['geo_node']).to be(true)
end
end
context 'user' do
let(:user) { create(:user) }
let(:key) { create(:key, user: user) }
before do
project.team << [user, :developer]
end
it 'does not recognize key as a Geo Node' do
post(
api("/internal/allowed"),
key_id: key.id,
project: project.repository.path_to_repo,
action: 'git-upload-pack',
secret_token: secret_token,
protocol: 'ssh')
expect(response.status).to eq(200)
expect(json_response['geo_node']).to be(false)
end
end
end
end
FactoryGirl.define do
factory :geo_node_key, class: 'GeoNodeKey' do
title
key do
SSHKeygen.generate
end
end
end
......@@ -8,11 +8,6 @@ FactoryGirl.define do
uri.to_s
end
trait :ssh do
clone_protocol 'ssh'
association :geo_node_key
end
trait :primary do
primary true
url do
......
......@@ -351,32 +351,6 @@ describe Gitlab::GitAccess do
end
end
describe 'geo node key permissions' do
let(:key) { build(:geo_node_key, geo_node: geo_node) }
let(:actor) { key }
context 'assigned to ssh primary geo node' do
let(:geo_node) { build(:geo_node, :ssh, primary: true) }
it { expect { pull_access_check }.to raise_not_found }
it { expect { push_access_check }.to raise_not_found }
end
context 'assigned to ssh secondary geo node' do
let(:geo_node) { build(:geo_node, :ssh, primary: false) }
it { expect { pull_access_check }.not_to raise_error }
it { expect { push_access_check }.to raise_unauthorized(described_class::ERROR_MESSAGES[:upload]) }
end
context 'assigned to http secondary geo node' do
let(:geo_node) { build(:geo_node, primary: false) }
it { expect { pull_access_check }.to raise_not_found }
it { expect { push_access_check }.to raise_not_found }
end
end
describe 'build authentication_abilities permissions' do
let(:authentication_abilities) { build_authentication_abilities }
......@@ -1036,6 +1010,13 @@ describe Gitlab::GitAccess do
end
end
describe 'Geo system permissions' do
let(:actor) { :geo }
it { expect { pull_access_check }.not_to raise_error }
it { expect { push_access_check }.to raise_unauthorized(Gitlab::GitAccess::ERROR_MESSAGES[:upload]) }
end
private
def raise_unauthorized(message)
......
......@@ -41,16 +41,6 @@ describe SystemCheck::App::GitUserDefaultSSHConfigCheck do
it { is_expected.to eq(expected_result) }
end
it 'skips Geo secondaries with SSH' do
stub_user
stub_home_dir
node = create(:geo_node, :ssh)
stub_current_geo_node(node)
is_expected.to be_truthy
end
end
describe '#check?' do
......
require 'spec_helper'
describe GeoNodeKey do
describe 'Associations' do
it { is_expected.to have_one(:geo_node) }
end
describe '#active?' do
let(:geo_node) { create(:geo_node, :ssh) }
let(:geo_node_key) { geo_node.geo_node_key }
subject { geo_node_key.active? }
it 'returns true for a secondary SSH Geo node' do
is_expected.to be_truthy
end
it 'returns false for a primary SSH Geo node' do
geo_node.primary = true
is_expected.to be_falsy
end
it 'returns false for a secondary HTTP Geo node' do
geo_node.clone_protocol = 'http'
is_expected.to be_falsy
end
end
end
......@@ -15,30 +15,18 @@ describe GeoNode, type: :model do
let(:api_version) { API::API.version }
context 'associations' do
it { is_expected.to belong_to(:geo_node_key).dependent(:destroy) }
it { is_expected.to belong_to(:oauth_application).dependent(:destroy) }
it { is_expected.to have_many(:geo_node_namespace_links) }
it { is_expected.to have_many(:namespaces).through(:geo_node_namespace_links) }
end
context 'validations' do
let(:ssh_node) { build(:geo_node, :ssh) }
it { expect(ssh_node).to validate_presence_of(:geo_node_key) }
it { expect(new_node).not_to validate_presence_of(:geo_node_key) }
it { expect(new_primary_node).not_to validate_presence_of(:geo_node_key) }
end
context 'default values' do
let(:gitlab_host) { 'gitlabhost' }
where(:attribute, :value) do
:url | Gitlab::Routing.url_helpers.root_url
:primary | false
:repos_max_capacity | 25
:files_max_capacity | 10
:clone_protocol | 'http'
end
with_them do
......@@ -57,33 +45,7 @@ describe GeoNode, type: :model do
end
context 'dependent models and attributes for GeoNode' do
let(:geo_node_key_attributes) { FactoryGirl.build(:geo_node_key).attributes }
context 'on initialize' do
it 'initializes a corresponding key' do
expect(empty_node.geo_node_key).to be_present
end
it 'is valid when required attributes are present' do
new_node.clone_protocol = 'ssh'
new_node.geo_node_key_attributes = geo_node_key_attributes
expect(new_node).to be_valid
end
end
context 'on create' do
context 'SSH node' do
let(:ssh_node) { create(:geo_node, :ssh) }
it 'saves a corresponding key' do
expect(ssh_node.geo_node_key).to be_persisted
end
end
it 'does not save a key' do
expect(node.geo_node_key).to be_nil
end
it 'saves a corresponding oauth application if it is a secondary node' do
expect(node.oauth_application).to be_persisted
end
......@@ -94,7 +56,7 @@ describe GeoNode, type: :model do
end
it 'persists current clone_url_prefix' do
expect(primary_node.clone_url_prefix).to be_present
expect(primary_node.clone_url_prefix).to eq(Gitlab.config.gitlab_shell.ssh_path_prefix)
end
end
end
......@@ -144,10 +106,6 @@ describe GeoNode, type: :model do
end
context 'when required fields are not filled' do
it 'returns an initialized Geo node key' do
expect(empty_node.geo_node_key).not_to be_nil
end
it 'returns an URI object' do
expect(empty_node.uri).to be_a URI
end
......@@ -404,43 +362,4 @@ describe GeoNode, type: :model do
end
end
end
describe '#geo_node_key' do
context 'primary node' do
it 'cannot be set' do
node = new_primary_node
expect(node.geo_node_key).to be_nil
node.geo_node_key = build(:geo_node_key)
expect(node).to be_valid
node.save!
expect(node.geo_node_key(true)).to be_nil
end
end
context 'secondary node' do
it 'is not set for HTTP' do
node = build(:geo_node, url: 'http://example.com/')
expect(node.geo_node_key).to be_present
node.save!
expect(node.geo_node_key).to be_nil
end
it 'is automatically set for SSH' do
node = build(:geo_node, :ssh, url: 'http://example.com/')
expect(node.geo_node_key).to be_present
node.save!
expect(node.geo_node_key.title).to eq('Geo node: http://example.com/')
end
end
end
end
......@@ -15,18 +15,4 @@ describe Geo::BaseSyncService do
expect(subject.lease_key).to eq('geo_sync_service:wiki:999')
end
end
describe '#primary_ssh_path_prefix' do
let!(:primary_node) { create(:geo_node, :primary) }
it 'raises exception when clone_url_prefix is nil' do
allow_any_instance_of(GeoNode).to receive(:clone_url_prefix) { nil }
expect { subject.primary_ssh_path_prefix }.to raise_error Geo::EmptyCloneUrlPrefixError
end
it 'returns the prefix defined in the primary node' do
expect(subject.primary_ssh_path_prefix).to eq('git@localhost:')
end
end
end
......@@ -7,17 +7,14 @@ describe Geo::NodeUpdateService do
let(:geo_node_with_restrictions) { create(:geo_node, namespace_ids: [groups.first.id]) }
describe '#execute' do
it 'updates the node without changing the key' do
ssh_node = create(:geo_node, :ssh)
original_fingerprint = ssh_node.geo_node_key.fingerprint
params = { url: 'http://example.com', geo_node_key_attributes: attributes_for(:key) }
service = described_class.new(ssh_node, params)
it 'updates the node' do
params = { url: 'http://example.com' }
service = described_class.new(geo_node, params)
service.execute
ssh_node.reload
expect(ssh_node.url.chomp('/')).to eq(params[:url])
expect(ssh_node.geo_node_key.fingerprint).to eq(original_fingerprint)
geo_node.reload
expect(geo_node.url.chomp('/')).to eq(params[:url])
end
it 'returns true when update succeeds' do
......
......@@ -235,21 +235,5 @@ describe Geo::RepositorySyncService do
expect(registry.repository_retry_at).to be_nil
end
end
context 'secondary replicates over SSH' do
set(:ssh_secondary) { create(:geo_node, :ssh) }
let(:url_to_repo) { "#{primary.clone_url_prefix}/#{project.full_path}.git" }
before do
stub_current_geo_node(ssh_secondary)
end
it 'fetches wiki repository over SSH' do
expect(repository).to receive(:fetch_as_mirror).with(url_to_repo, forced: true).once
subject.execute
end
end
end
end
......@@ -141,21 +141,5 @@ RSpec.describe Geo::WikiSyncService do
end
end
end
context 'secondary replicates over SSH' do
set(:ssh_secondary) { create(:geo_node, :ssh) }
let(:url_to_repo) { "#{primary.clone_url_prefix}/#{project.full_path}.wiki.git" }
before do
stub_current_geo_node(ssh_secondary)
end
it 'fetches wiki repository over SSH' do
expect(repository).to receive(:fetch_as_mirror).with(url_to_repo, forced: true).once
subject.execute
end
end
end
end
......@@ -22,7 +22,6 @@ describe 'geo rake tasks' do
expect(node.uri.scheme).to eq('https')
expect(node.primary).to be_truthy
expect(node.geo_node_key).to be_nil
end
end
......
......@@ -6,8 +6,7 @@ RSpec.describe Geo::MetricsUpdateWorker, :geo do
subject { described_class.new }
describe '#perform' do
let(:geo_node_key) { create(:geo_node_key) }
let(:secondary) { create(:geo_node, geo_node_key: geo_node_key) }
let(:secondary) { create(:geo_node) }
before do
stub_current_geo_node(secondary)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment