Commit 1c42cc35 authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Merge branch 'fix-grack-auth' into 'master'

Fix http clone for public project
parents 8ae59330 7dd18a3e
...@@ -22,14 +22,16 @@ module Grack ...@@ -22,14 +22,16 @@ module Grack
@env['SCRIPT_NAME'] = "" @env['SCRIPT_NAME'] = ""
if project
auth! auth!
else
render_not_found
end
end end
private private
def auth! def auth!
return render_not_found unless project
if @auth.provided? if @auth.provided?
return bad_request unless @auth.basic? return bad_request unless @auth.basic?
...@@ -38,36 +40,35 @@ module Grack ...@@ -38,36 +40,35 @@ module Grack
# Allow authentication for GitLab CI service # Allow authentication for GitLab CI service
# if valid token passed # if valid token passed
if login == "gitlab-ci-token" && project.gitlab_ci? if gitlab_ci_request?(login, password)
token = project.gitlab_ci_service.token
if token.present? && token == password && service_name == 'git-upload-pack'
return @app.call(env) return @app.call(env)
end end
end
@user = authenticate_user(login, password) @user = authenticate_user(login, password)
if @user if @user
Gitlab::ShellEnv.set_env(@user) Gitlab::ShellEnv.set_env(@user)
@env['REMOTE_USER'] = @auth.username @env['REMOTE_USER'] = @auth.username
else
return unauthorized
end end
else
return unauthorized unless project.public?
end end
if authorized_git_request? if authorized_request?
@app.call(env) @app.call(env)
else else
unauthorized unauthorized
end end
end end
def authorized_git_request? def gitlab_ci_request?(login, password)
authorize_request(service_name) if login == "gitlab-ci-token" && project.gitlab_ci?
token = project.gitlab_ci_service.token
if token.present? && token == password && git_cmd == 'git-upload-pack'
true
end
end
false
end end
def authenticate_user(login, password) def authenticate_user(login, password)
...@@ -75,20 +76,31 @@ module Grack ...@@ -75,20 +76,31 @@ module Grack
auth.find(login, password) auth.find(login, password)
end end
def authorize_request(service) def authorized_request?
case service case git_cmd
when *Gitlab::GitAccess::DOWNLOAD_COMMANDS when *Gitlab::GitAccess::DOWNLOAD_COMMANDS
# Serve only upload request. if user
# Authorization on push will be serverd by update hook in repository
Gitlab::GitAccess.new.download_allowed?(user, project) Gitlab::GitAccess.new.download_allowed?(user, project)
elsif project.public?
# Allow clone/fetch for public projects
true
else
false
end
when *Gitlab::GitAccess::PUSH_COMMANDS when *Gitlab::GitAccess::PUSH_COMMANDS
if user
# Skip user authorization on upload request.
# It will be serverd by update hook in repository
true true
else else
false false
end end
else
false
end
end end
def service_name def git_cmd
if @request.get? if @request.get?
@request.params['service'] @request.params['service']
elsif @request.post? elsif @request.post?
......
...@@ -34,7 +34,7 @@ module Gitlab ...@@ -34,7 +34,7 @@ module Gitlab
end end
def download_allowed?(user, project) def download_allowed?(user, project)
if user_allowed?(user) if user && user_allowed?(user)
user.can?(:download_code, project) user.can?(:download_code, project)
else else
false false
...@@ -42,7 +42,7 @@ module Gitlab ...@@ -42,7 +42,7 @@ module Gitlab
end end
def push_allowed?(user, project, ref, oldrev, newrev) def push_allowed?(user, project, ref, oldrev, newrev)
if user_allowed?(user) if user && user_allowed?(user)
action = if project.protected_branch?(ref) action = if project.protected_branch?(ref)
:push_code_to_protected_branches :push_code_to_protected_branches
else else
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment