workhorse.rb 7.84 KB
Newer Older
1 2
require 'base64'
require 'json'
3
require 'securerandom'
4
require 'uri'
5 6 7

module Gitlab
  class Workhorse
Douwe Maan's avatar
Douwe Maan committed
8 9 10 11
    SEND_DATA_HEADER = 'Gitlab-Workhorse-Send-Data'.freeze
    VERSION_FILE = 'GITLAB_WORKHORSE_VERSION'.freeze
    INTERNAL_API_CONTENT_TYPE = 'application/vnd.gitlab-workhorse+json'.freeze
    INTERNAL_API_REQUEST_HEADER = 'Gitlab-Workhorse-Api-Request'.freeze
12
    NOTIFICATION_CHANNEL = 'workhorse:notifications'.freeze
Kim "BKC" Carlbäcker's avatar
Kim "BKC" Carlbäcker committed
13
    ALLOWED_GIT_HTTP_ACTIONS = %w[git_receive_pack git_upload_pack info_refs].freeze
14 15 16 17

    # Supposedly the effective key size for HMAC-SHA256 is 256 bits, i.e. 32
    # bytes https://tools.ietf.org/html/rfc4868#section-2.6
    SECRET_LENGTH = 32
18

Jacob Vosmaer's avatar
Jacob Vosmaer committed
19
    class << self
20
      def git_http_ok(repository, is_wiki, user, action, show_all_refs: false)
Kim "BKC" Carlbäcker's avatar
Kim "BKC" Carlbäcker committed
21
        raise "Unsupported action: #{action}" unless ALLOWED_GIT_HTTP_ACTIONS.include?(action.to_s)
22

23
        project = repository.project
24
        params = {
25
          GL_ID: Gitlab::GlId.gl_id(user),
26
          GL_REPOSITORY: Gitlab::GlRepository.gl_repository(project, is_wiki),
27
          GL_USERNAME: user&.username,
28
          ShowAllRefs: show_all_refs
29
        }
30 31 32 33 34
        server = {
          address: Gitlab::GitalyClient.address(project.repository_storage),
          token: Gitlab::GitalyClient.token(project.repository_storage)
        }
        params[:Repository] = repository.gitaly_repository.to_h
35
        params[:GitalyServer] = server
36 37

        params
38 39
      end

40
      def artifact_upload_ok
41
        { TempPath: JobArtifactUploader.workhorse_upload_path }
42 43
      end

44
      def send_git_blob(repository, blob)
45
        params = if Gitlab::GitalyClient.feature_enabled?(:workhorse_raw_show, status: Gitlab::GitalyClient::MigrationStatus::OPT_OUT)
46 47 48 49 50 51 52 53 54 55 56 57 58 59
                   {
                     'GitalyServer' => gitaly_server_hash(repository),
                     'GetBlobRequest' => {
                       repository: repository.gitaly_repository.to_h,
                       oid: blob.id,
                       limit: -1
                     }
                   }
                 else
                   {
                     'RepoPath' => repository.path_to_repo,
                     'BlobId' => blob.id
                   }
                 end
60 61

        [
62
          SEND_DATA_HEADER,
Douwe Maan's avatar
Douwe Maan committed
63
          "git-blob:#{encode(params)}"
64 65
        ]
      end
66

67
      def send_git_archive(repository, ref:, format:)
68 69
        format ||= 'tar.gz'
        format.downcase!
70
        params = repository.archive_metadata(ref, Gitlab.config.gitlab.repository_downloads_path, format)
71 72
        raise "Repository or ref not found" if params.empty?

73
        if Gitlab::GitalyClient.feature_enabled?(:workhorse_archive, status: Gitlab::GitalyClient::MigrationStatus::OPT_OUT)
74 75 76 77 78 79
          params.merge!(
            'GitalyServer' => gitaly_server_hash(repository),
            'GitalyRepository' => repository.gitaly_repository.to_h
          )
        end

80 81 82
        # If present DisableCache must be a Boolean. Otherwise workhorse ignores it.
        params['DisableCache'] = true if git_archive_cache_disabled?

83 84
        [
          SEND_DATA_HEADER,
Douwe Maan's avatar
Douwe Maan committed
85
          "git-archive:#{encode(params)}"
86 87
        ]
      end
88

Douwe Maan's avatar
Douwe Maan committed
89
      def send_git_diff(repository, diff_refs)
90
        params = if Gitlab::GitalyClient.feature_enabled?(:workhorse_send_git_diff, status: Gitlab::GitalyClient::MigrationStatus::OPT_OUT)
91 92 93 94 95 96 97 98 99
                   {
                     'GitalyServer' => gitaly_server_hash(repository),
                     'RawDiffRequest' => Gitaly::RawDiffRequest.new(
                       gitaly_diff_or_patch_hash(repository, diff_refs)
                     ).to_json
                   }
                 else
                   workhorse_diff_or_patch_hash(repository, diff_refs)
                 end
100 101 102 103

        [
          SEND_DATA_HEADER,
          "git-diff:#{encode(params)}"
104 105
        ]
      end
106

Douwe Maan's avatar
Douwe Maan committed
107
      def send_git_patch(repository, diff_refs)
108
        params = if Gitlab::GitalyClient.feature_enabled?(:workhorse_send_git_patch, status: Gitlab::GitalyClient::MigrationStatus::OPT_OUT)
109 110 111 112 113 114 115 116 117
                   {
                     'GitalyServer' => gitaly_server_hash(repository),
                     'RawPatchRequest' => Gitaly::RawPatchRequest.new(
                       gitaly_diff_or_patch_hash(repository, diff_refs)
                     ).to_json
                   }
                 else
                   workhorse_diff_or_patch_hash(repository, diff_refs)
                 end
118 119

        [
Z.J. van de Weg's avatar
Z.J. van de Weg committed
120
          SEND_DATA_HEADER,
121 122 123 124
          "git-format-patch:#{encode(params)}"
        ]
      end

125
      def send_artifacts_entry(build, entry)
126 127 128
        file = build.artifacts_file
        archive = file.file_storage? ? file.path : file.url

129
        params = {
130
          'Archive' => archive,
131
          'Entry' => Base64.encode64(entry.to_s)
132 133 134 135 136 137 138 139
        }

        [
          SEND_DATA_HEADER,
          "artifacts-entry:#{encode(params)}"
        ]
      end

140 141 142 143 144 145 146 147 148 149 150 151
      def send_url(url, allow_redirects: false)
        params = {
          'URL' => url,
          'AllowRedirects' => allow_redirects
        }

        [
          SEND_DATA_HEADER,
          "send-url:#{encode(params)}"
        ]
      end

152 153 154 155 156
      def terminal_websocket(terminal)
        details = {
          'Terminal' => {
            'Subprotocols' => terminal[:subprotocols],
            'Url' => terminal[:url],
157
            'Header' => terminal[:headers],
158
            'MaxSessionTime' => terminal[:max_session_time]
159 160
          }
        }
161
        details['Terminal']['CAPem'] = terminal[:ca_pem] if terminal.key?(:ca_pem)
162 163 164 165

        details
      end

166
      def version
167 168
        path = Rails.root.join(VERSION_FILE)
        path.readable? ? path.read.chomp : 'unknown'
169 170
      end

171 172
      def secret
        @secret ||= begin
173
          bytes = Base64.strict_decode64(File.read(secret_path).chomp)
174
          raise "#{secret_path} does not contain #{SECRET_LENGTH} bytes" if bytes.length != SECRET_LENGTH
175

176 177 178
          bytes
        end
      end
179

180 181
      def write_secret
        bytes = SecureRandom.random_bytes(SECRET_LENGTH)
182
        File.open(secret_path, 'w:BINARY', 0600) do |f|
Jacob Vosmaer's avatar
Jacob Vosmaer committed
183
          f.chmod(0600) # If the file already existed, the '0600' passed to 'open' above was a no-op.
184 185 186
          f.write(Base64.strict_encode64(bytes))
        end
      end
187

188
      def verify_api_request!(request_headers)
189 190 191 192
        decode_jwt(request_headers[INTERNAL_API_REQUEST_HEADER])
      end

      def decode_jwt(encoded_message)
193
        JWT.decode(
194
          encoded_message,
195 196
          secret,
          true,
197
          { iss: 'gitlab-workhorse', verify_iss: true, algorithm: 'HS256' }
198 199 200 201
        )
      end

      def secret_path
202
        Gitlab.config.workhorse.secret_file
203
      end
204

Kamil Trzcinski's avatar
Kamil Trzcinski committed
205
      def set_key_and_notify(key, value, expire: nil, overwrite: true)
206
        Gitlab::Redis::Queues.with do |redis|
207 208
          result = redis.set(key, value, ex: expire, nx: !overwrite)
          if result
Kamil Trzcinski's avatar
Kamil Trzcinski committed
209
            redis.publish(NOTIFICATION_CHANNEL, "#{key}=#{value}")
210 211 212 213 214 215 216
            value
          else
            redis.get(key)
          end
        end
      end

217
      protected
218

219 220 221
      def encode(hash)
        Base64.urlsafe_encode64(JSON.dump(hash))
      end
222 223 224 225 226 227 228

      def gitaly_server_hash(repository)
        {
          address: Gitlab::GitalyClient.address(repository.project.repository_storage),
          token: Gitlab::GitalyClient.token(repository.project.repository_storage)
        }
      end
229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244

      def workhorse_diff_or_patch_hash(repository, diff_refs)
        {
          'RepoPath'  => repository.path_to_repo,
          'ShaFrom'   => diff_refs.base_sha,
          'ShaTo'     => diff_refs.head_sha
        }
      end

      def gitaly_diff_or_patch_hash(repository, diff_refs)
        {
          repository: repository.gitaly_repository,
          left_commit_id: diff_refs.base_sha,
          right_commit_id: diff_refs.head_sha
        }
      end
245 246 247 248

      def git_archive_cache_disabled?
        ENV['WORKHORSE_ARCHIVE_CACHE_DISABLED'].present? || Feature.enabled?(:workhorse_archive_cache_disabled)
      end
249 250
    end
  end
Jacob Vosmaer's avatar
Jacob Vosmaer committed
251
end