Merge branch '3232-lfs-files-pull-from-secondary' into 'master'

Geo - Whitelist LFS requests to download objects on a secondary node Closes #3232 See merge request !2758

Merge branch '3232-lfs-files-pull-from-secondary' into 'master'
Geo - Whitelist LFS requests to download objects on a secondary node Closes #3232 See merge request !2758
04ac1711 · Robert Speicher · 0ae313c4 · 8a0724ce · 04ac1711 · 04ac1711
Commit 04ac1711 authored Sep 05, 2017 by Robert Speicher
5 changed files
--- a/app/controllers/projects/lfs_api_controller.rb
+++ b/app/controllers/projects/lfs_api_controller.rb
 class Projects::LfsApiController < Projects::GitHttpClientController
+  include ApplicationSettingsHelper
+  include ApplicationHelper
+  include GitlabRoutingHelper
  include LfsRequest
  skip_before_action :lfs_check_access!, only: [:deprecated]
+  before_action :lfs_check_batch_operation!, only: [:batch]
  def batch
    unless objects.present?
@@ -90,4 +94,16 @@ class Projects::LfsApiController < Projects::GitHttpClientController
      }
    }
  end
+  def lfs_check_batch_operation!
+    if upload_request? && Gitlab::Geo.secondary?
+      render(
+        json: {
+          message: "You cannot write to a secondary GitLab Geo instance. Please use #{geo_primary_default_url_to_repo(project)} instead."
+        },
+        content_type: "application/vnd.git-lfs+json",
+        status: 403
+      )
+    end
+  end
 end
--- a/changelogs/unreleased-ee/3232-lfs-files-pull-from-secondary.yml
+++ b/changelogs/unreleased-ee/3232-lfs-files-pull-from-secondary.yml
+---
+title: Geo - Whitelist LFS requests to download objects on a secondary node
+merge_request: 2758
+author:
+type: fixed
--- a/lib/gitlab/middleware/readonly_geo.rb
+++ b/lib/gitlab/middleware/readonly_geo.rb
@@ -65,7 +65,7 @@ module Gitlab
      end
      def whitelisted_routes
-        logout_route || grack_route || @whitelisted.any? { |path| request.path.include?(path) } || sidekiq_route
+        logout_route || grack_route || @whitelisted.any? { |path| request.path.include?(path) } || lfs_route || sidekiq_route
      end
      def logout_route
@@ -79,6 +79,10 @@ module Gitlab
      def grack_route
        request.path.end_with?('.git/git-upload-pack')
      end
+      def lfs_route
+        request.path.end_with?('/info/lfs/objects/batch')
+      end
    end
  end
 end
--- a/spec/lib/gitlab/middleware/readonly_geo_spec.rb
+++ b/spec/lib/gitlab/middleware/readonly_geo_spec.rb
@@ -35,6 +35,7 @@ describe Gitlab::Middleware::ReadonlyGeo do
  end
  subject { described_class.new(fake_app) }
  let(:request) { Rack::MockRequest.new(rack_stack) }
  context 'normal requests to a secondary Gitlab Geo' do
@@ -103,6 +104,13 @@ describe Gitlab::Middleware::ReadonlyGeo do
        expect(response).not_to be_a_redirect
        expect(subject).not_to disallow_request
      end
+      it 'expects a POST LFS request to batch URL to be allowed' do
+        response = request.post('/root/rouge.git/info/lfs/objects/batch')
+        expect(response).not_to be_a_redirect
+        expect(subject).not_to disallow_request
+      end
    end
  end

--- a/spec/requests/lfs_http_spec.rb
+++ b/spec/requests/lfs_http_spec.rb