Skip to content

G
gitlab-ce
Commit 474e170d authored by Lin Jen-Shin's avatar Lin Jen-Shin
Browse files
Options

Resolve conflicts introduced by: 

https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7383
parent 52976bbf
Hide whitespace changes
Inline Side-by-side
Showing with 71 additions and 187 deletions
lib/gitlab/git_access.rb
View file @ 474e170d
......@@ -42,13 +42,9 @@ module Gitlab
when *DOWNLOAD_COMMANDS
check_download_access!
when *PUSH_COMMANDS
<<<<<<< HEAD
push_access_check(changes)
check_push_access!(changes)
when *GIT_ANNEX_COMMANDS
git_annex_access_check(project, changes)
=======
check_push_access!(changes)
>>>>>>> 714f70a38df10e678bffde6e6081a97e31d8317c
end
build_status_object(true)
......@@ -56,37 +52,7 @@ module Gitlab
build_status_object(false, ex.message)
end
<<<<<<< HEAD
def download_access_check
if user
user_download_access_check
elsif deploy_key.nil? && geo_node_key.nil? && !guest_can_downlod_code?
raise UnauthorizedError, ERROR_MESSAGES[:download]
end
end
def push_access_check(changes)
if project.repository_read_only?
raise UnauthorizedError, 'The repository is temporarily read-only. Please try again later.'
end
if Gitlab::Geo.secondary?
raise UnauthorizedError, "You can't push code on a secondary GitLab Geo node."
end
return if git_annex_branch_sync?(changes)
if user
user_push_access_check(changes)
else
raise UnauthorizedError, ERROR_MESSAGES[deploy_key ? :deploy_key : :upload]
end
end
def guest_can_downlod_code?
=======
def guest_can_download_code?
>>>>>>> 714f70a38df10e678bffde6e6081a97e31d8317c
Guest.can?(:download_code, project)
end
......@@ -98,57 +64,6 @@ module Gitlab
authentication_abilities.include?(:build_download_code) && user_access.can_do_action?(:build_download_code)
end
<<<<<<< HEAD
def user_push_access_check(changes)
unless authentication_abilities.include?(:push_code)
raise UnauthorizedError, ERROR_MESSAGES[:upload]
end
if changes.blank?
return # Allow access.
end
unless project.repository.exists?
raise UnauthorizedError, ERROR_MESSAGES[:no_repo]
end
if project.above_size_limit?
raise UnauthorizedError, Gitlab::RepositorySizeError.new(project).push_error
end
if ::License.block_changes?
message = ::LicenseHelper.license_message(signed_in: true, is_admin: (user && user.is_admin?))
raise UnauthorizedError, message
end
changes_list = Gitlab::ChangesList.new(changes)
push_size_in_bytes = 0
# Iterate over all changes to find if user allowed all of them to be applied
changes_list.each do |change|
status = change_access_check(change)
unless status.allowed?
# If user does not have access to make at least one change - cancel all push
raise UnauthorizedError, status.message
end
if project.size_limit_enabled?
push_size_in_bytes += EE::Gitlab::Deltas.delta_size_check(change, project.repository)
end
end
if project.changes_will_exceed_size_limit?(push_size_in_bytes.to_mb)
raise UnauthorizedError, Gitlab::RepositorySizeError.new(project).new_changes_error
end
end
def change_access_check(change)
Checks::ChangeAccess.new(change, user_access: user_access, project: project, env: @env).exec
end
=======
>>>>>>> 714f70a38df10e678bffde6e6081a97e31d8317c
def protocol_allowed?
Gitlab::ProtocolAccess.allowed?(protocol)
end
......@@ -162,7 +77,7 @@ module Gitlab
end
def check_active_user!
return if deploy_key?
return if deploy_key? || geo_node_key?
if user && !user_access.allowed?
raise UnauthorizedError, "Your account has been blocked."
......@@ -181,47 +96,12 @@ module Gitlab
end
end
<<<<<<< HEAD
def check_geo_license!
if Gitlab::Geo.secondary? && !Gitlab::Geo.license_allows?
raise UnauthorizedError, 'Your current license does not have GitLab Geo add-on enabled.'
end
end
def matching_merge_request?(newrev, branch_name)
Checks::MatchingMergeRequest.new(newrev, branch_name, project).match?
end
def protected_branch_action(oldrev, newrev, branch_name)
# we dont allow force push to protected branch
if forced_push?(oldrev, newrev)
:force_push_code_to_protected_branches
elsif Gitlab::Git.blank_ref?(newrev)
# and we dont allow remove of protected branch
:remove_protected_branches
elsif matching_merge_request?(newrev, branch_name) && project.developers_can_merge_to_protected_branch?(branch_name)
:push_code
elsif project.developers_can_push_to_protected_branch?(branch_name)
:push_code
else
:push_code_to_protected_branches
end
end
def protected_tag?(tag_name)
project.repository.tag_exists?(tag_name)
end
def deploy_key
actor if actor.is_a?(DeployKey)
end
def geo_node_key
actor if actor.is_a?(GeoNodeKey)
end
def deploy_key_can_read_project?
=======
def check_repository_existence!
unless project.repository.exists?
raise UnauthorizedError, ERROR_MESSAGES[:no_repo]
......@@ -229,7 +109,7 @@ module Gitlab
end
def check_download_access!
return if deploy_key?
return if deploy_key? || geo_node_key?
passed = user_can_download_code? ||
build_can_download_code? ||
......@@ -240,8 +120,18 @@ module Gitlab
end
end
# TODO: please clean this up
def check_push_access!(changes)
>>>>>>> 714f70a38df10e678bffde6e6081a97e31d8317c
if project.repository_read_only?
raise UnauthorizedError, 'The repository is temporarily read-only. Please try again later.'
end
if Gitlab::Geo.secondary?
raise UnauthorizedError, "You can't push code on a secondary GitLab Geo node."
end
return if git_annex_branch_sync?(changes)
if deploy_key
check_deploy_key_push_access!
elsif user
......@@ -252,24 +142,21 @@ module Gitlab
return if changes.blank? # Allow access.
if project.above_size_limit?
raise UnauthorizedError, Gitlab::RepositorySizeError.new(project).push_error
end
if ::License.block_changes?
message = ::LicenseHelper.license_message(signed_in: true, is_admin: (user && user.is_admin?))
raise UnauthorizedError, message
end
check_change_access!(changes)
end
<<<<<<< HEAD
def can_read_project?
if user
user_access.can_read_project?
elsif deploy_key
deploy_key_can_read_project?
elsif geo_node_key
true
else
Guest.can?(:read_project, project)
=======
def check_user_push_access!
unless authentication_abilities.include?(:push_code)
raise UnauthorizedError, ERROR_MESSAGES[:upload]
>>>>>>> 714f70a38df10e678bffde6e6081a97e31d8317c
end
end
......@@ -282,13 +169,24 @@ module Gitlab
def check_change_access!(changes)
changes_list = Gitlab::ChangesList.new(changes)
push_size_in_bytes = 0
# Iterate over all changes to find if user allowed all of them to be applied
changes_list.each do |change|
status = check_single_change_access(change)
unless status.allowed?
# If user does not have access to make at least one change - cancel all push
raise UnauthorizedError, status.message
end
if project.size_limit_enabled?
push_size_in_bytes += EE::Gitlab::Deltas.delta_size_check(change, project.repository)
end
end
if project.changes_will_exceed_size_limit?(push_size_in_bytes.to_mb)
raise UnauthorizedError, Gitlab::RepositorySizeError.new(project).new_changes_error
end
end
......@@ -301,10 +199,6 @@ module Gitlab
skip_authorization: deploy_key?).exec
end
def matching_merge_request?(newrev, branch_name)
Checks::MatchingMergeRequest.new(newrev, branch_name, project).match?
end
def deploy_key
actor if deploy_key?
end
......@@ -313,9 +207,19 @@ module Gitlab
actor.is_a?(DeployKey)
end
def geo_node_key
actor if geo_node_key?
end
def geo_node_key?
actor.is_a?(GeoNodeKey)
end
def can_read_project?
if deploy_key
if deploy_key?
deploy_key.has_access_to?(project)
elsif geo_node_key?
true
elsif user
user.can?(:read_project, project)
end || Guest.can?(:read_project, project)
......@@ -350,10 +254,6 @@ module Gitlab
raise UnauthorizedError, "You don't have access"
end
unless project.repository.exists?
raise UnauthorizedError, "Repository does not exist"
end
if Gitlab::Geo.enabled? && Gitlab::Geo.secondary?
raise UnauthorizedError, "You can't use git-annex with a secondary GitLab Geo node."
end
......@@ -380,16 +280,5 @@ module Gitlab
true
end
def commit_from_annex_sync?(commit_message)
return false unless Gitlab.config.gitlab_shell.git_annex_enabled
# Commit message starting with <git-annex in > so avoid push rules on this
commit_message.start_with?('git-annex in')
end
def old_commit?(commit)
commit.refs(project.repository).any?
end
end
end
spec/lib/gitlab/git_access_spec.rb
View file @ 474e170d
......@@ -154,7 +154,7 @@ describe Gitlab::GitAccess, lib: true do
let(:actor) { key }
context 'pull code' do
subject { access.download_access_check }
subject { access.send(:check_download_access!) }
it { expect { subject }.not_to raise_error }
end
......@@ -247,8 +247,7 @@ describe Gitlab::GitAccess, lib: true do
permissions_matrix[role].each do |action, allowed|
context action do
<<<<<<< HEAD
subject { access.push_access_check(changes[action]) }
subject { access.send(:check_push_access!, changes[action]) }
it do
if allowed
......@@ -276,7 +275,7 @@ describe Gitlab::GitAccess, lib: true do
permissions_matrix[role].each do |action, allowed|
context action do
subject { access.push_access_check(changes[action]) }
subject { access.send(:check_push_access!, changes[action]) }
it do
if allowed
......@@ -284,10 +283,6 @@ describe Gitlab::GitAccess, lib: true do
else
expect { subject }.to raise_error(Gitlab::GitAccess::UnauthorizedError)
end
=======
subject { access.send(:check_push_access!, changes[action]) }
it { expect(subject.allowed?).to allowed ? be_truthy : be_falsey }
>>>>>>> 714f70a38df10e678bffde6e6081a97e31d8317c
end
end
end
......@@ -543,20 +538,20 @@ describe Gitlab::GitAccess, lib: true do
allow(Gitlab::Geo).to receive(:secondary?) { true }
end
it { expect { access.push_access_check(git_annex_changes) }.to raise_error(described_class::UnauthorizedError) }
it { expect { access.send(:check_push_access!, git_annex_changes) }.to raise_error(described_class::UnauthorizedError) }
end
describe 'and git hooks unset' do
describe 'git annex enabled' do
before { allow(Gitlab.config.gitlab_shell).to receive(:git_annex_enabled).and_return(true) }
it { expect { access.push_access_check(git_annex_changes) }.not_to raise_error }
it { expect { access.send(:check_push_access!, git_annex_changes) }.not_to raise_error }
end
describe 'git annex disabled' do
before { allow(Gitlab.config.gitlab_shell).to receive(:git_annex_enabled).and_return(false) }
it { expect { access.push_access_check(git_annex_changes) }.not_to raise_error }
it { expect { access.send(:check_push_access!, git_annex_changes) }.not_to raise_error }
end
end
......@@ -571,7 +566,7 @@ describe Gitlab::GitAccess, lib: true do
describe 'git annex enabled' do
before { allow(Gitlab.config.gitlab_shell).to receive(:git_annex_enabled).and_return(true) }
it { expect { access.push_access_check(git_annex_changes) }.not_to raise_error }
it { expect { access.send(:check_push_access!, git_annex_changes) }.not_to raise_error }
end
describe 'git annex enabled, push to master branch' do
......@@ -580,7 +575,7 @@ describe Gitlab::GitAccess, lib: true do
allow_any_instance_of(Commit).to receive(:safe_message) { 'git-annex in me@host:~/repo' }
end
it { expect { access.push_access_check(git_annex_master_changes) }.not_to raise_error }
it { expect { access.send(:check_push_access!, git_annex_master_changes) }.not_to raise_error }
end
describe 'git annex disabled' do
......@@ -588,7 +583,7 @@ describe Gitlab::GitAccess, lib: true do
allow(Gitlab.config.gitlab_shell).to receive(:git_annex_enabled).and_return(false)
end
it { expect { access.push_access_check(git_annex_changes) }.to raise_error(described_class::UnauthorizedError) }
it { expect { access.send(:check_push_access!, git_annex_changes) }.to raise_error(described_class::UnauthorizedError) }
end
end
......@@ -602,7 +597,7 @@ describe Gitlab::GitAccess, lib: true do
before { allow(Gitlab.config.gitlab_shell).to receive(:git_annex_enabled).and_return(true) }
it { expect(access.check('git-annex-shell', git_annex_changes).allowed?).to be_truthy }
it { expect { access.push_access_check(git_annex_changes) }.not_to raise_error }
it { expect { access.send(:check_push_access!, git_annex_changes) }.not_to raise_error }
end
describe 'git annex disabled' do
......@@ -611,7 +606,7 @@ describe Gitlab::GitAccess, lib: true do
end
it { expect(access.check('git-annex-shell', git_annex_changes).allowed?).to be_falsey }
it { expect { access.push_access_check(git_annex_changes) }.to raise_error(described_class::UnauthorizedError) }
it { expect { access.send(:check_push_access!, git_annex_changes) }.to raise_error(described_class::UnauthorizedError) }
end
end
end
......@@ -628,21 +623,21 @@ describe Gitlab::GitAccess, lib: true do
describe "author email check" do
it 'returns true' do
expect { access.push_access_check('6f6d7e7ed97bb5f0054f2b1df789b39ca89b6ff9 570e7b2abdd848b95f2f578043fc23bd6f6fd24d refs/heads/master') }.not_to raise_error
expect { access.send(:check_push_access!, '6f6d7e7ed97bb5f0054f2b1df789b39ca89b6ff9 570e7b2abdd848b95f2f578043fc23bd6f6fd24d refs/heads/master') }.not_to raise_error
end
it 'returns false' do
project.create_push_rule
project.push_rule.update(commit_message_regex: "@only.com")
expect { access.push_access_check('6f6d7e7ed97bb5f0054f2b1df789b39ca89b6ff9 570e7b2abdd848b95f2f578043fc23bd6f6fd24d refs/heads/master') }.to raise_error(described_class::UnauthorizedError)
expect { access.send(:check_push_access!, '6f6d7e7ed97bb5f0054f2b1df789b39ca89b6ff9 570e7b2abdd848b95f2f578043fc23bd6f6fd24d refs/heads/master') }.to raise_error(described_class::UnauthorizedError)
end
it 'returns true for tags' do
project.create_push_rule
project.push_rule.update(commit_message_regex: "@only.com")
expect { access.push_access_check('6f6d7e7ed97bb5f0054f2b1df789b39ca89b6ff9 570e7b2abdd848b95f2f578043fc23bd6f6fd24d refs/tags/v1') }.not_to raise_error
expect { access.send(:check_push_access!, '6f6d7e7ed97bb5f0054f2b1df789b39ca89b6ff9 570e7b2abdd848b95f2f578043fc23bd6f6fd24d refs/tags/v1') }.not_to raise_error
end
it 'allows githook for new branch with an old bad commit' do
......@@ -655,7 +650,7 @@ describe Gitlab::GitAccess, lib: true do
project.push_rule.update(commit_message_regex: "Change some files")
# push to new branch, so use a blank old rev and new ref
expect { access.push_access_check("#{Gitlab::Git::BLANK_SHA} 570e7b2abdd848b95f2f578043fc23bd6f6fd24d refs/heads/new-branch") }.not_to raise_error
expect { access.send(:check_push_access!, "#{Gitlab::Git::BLANK_SHA} 570e7b2abdd848b95f2f578043fc23bd6f6fd24d refs/heads/new-branch") }.not_to raise_error
end
it 'allows githook for any change with an old bad commit' do
......@@ -668,7 +663,7 @@ describe Gitlab::GitAccess, lib: true do
project.push_rule.update(commit_message_regex: "Change some files")
# push to new branch, so use a blank old rev and new ref
expect { access.push_access_check('6f6d7e7ed97bb5f0054f2b1df789b39ca89b6ff9 570e7b2abdd848b95f2f578043fc23bd6f6fd24d refs/heads/master') }.not_to raise_error
expect { access.send(:check_push_access!, '6f6d7e7ed97bb5f0054f2b1df789b39ca89b6ff9 570e7b2abdd848b95f2f578043fc23bd6f6fd24d refs/heads/master') }.not_to raise_error
end
it 'does not allow any change from Web UI with bad commit' do
......@@ -683,7 +678,7 @@ describe Gitlab::GitAccess, lib: true do
project.push_rule.update(commit_message_regex: "Change some files")
# push to new branch, so use a blank old rev and new ref
expect { access.push_access_check('6f6d7e7ed97bb5f0054f2b1df789b39ca89b6ff9 570e7b2abdd848b95f2f578043fc23bd6f6fd24d refs/heads/master') }.to raise_error(described_class::UnauthorizedError)
expect { access.send(:check_push_access!, '6f6d7e7ed97bb5f0054f2b1df789b39ca89b6ff9 570e7b2abdd848b95f2f578043fc23bd6f6fd24d refs/heads/master') }.to raise_error(described_class::UnauthorizedError)
end
end
......@@ -694,13 +689,13 @@ describe Gitlab::GitAccess, lib: true do
end
it 'returns false for non-member user' do
expect { access.push_access_check('6f6d7e7ed97bb5f0054f2b1df789b39ca89b6ff9 570e7b2abdd848b95f2f578043fc23bd6f6fd24d refs/heads/master') }.to raise_error(described_class::UnauthorizedError)
expect { access.send(:check_push_access!, '6f6d7e7ed97bb5f0054f2b1df789b39ca89b6ff9 570e7b2abdd848b95f2f578043fc23bd6f6fd24d refs/heads/master') }.to raise_error(described_class::UnauthorizedError)
end
it 'returns true if committer is a gitlab member' do
create(:user, email: 'dmitriy.zaporozhets@gmail.com')
expect { access.push_access_check('6f6d7e7ed97bb5f0054f2b1df789b39ca89b6ff9 570e7b2abdd848b95f2f578043fc23bd6f6fd24d refs/heads/master') }.not_to raise_error
expect { access.send(:check_push_access!, '6f6d7e7ed97bb5f0054f2b1df789b39ca89b6ff9 570e7b2abdd848b95f2f578043fc23bd6f6fd24d refs/heads/master') }.not_to raise_error
end
end
......@@ -715,14 +710,14 @@ describe Gitlab::GitAccess, lib: true do
project.create_push_rule
project.push_rule.update(file_name_regex: "jpg$")
expect { access.push_access_check('913c66a37b4a45b9769037c55c2d238bd0942d2e 33f3729a45c02fc67d00adb1b8bca394b0e761d9 refs/heads/master') }.to raise_error(described_class::UnauthorizedError)
expect { access.send(:check_push_access!, '913c66a37b4a45b9769037c55c2d238bd0942d2e 33f3729a45c02fc67d00adb1b8bca394b0e761d9 refs/heads/master') }.to raise_error(described_class::UnauthorizedError)
end
it 'returns true if file name is allowed' do
project.create_push_rule
project.push_rule.update(file_name_regex: "exe$")
expect { access.push_access_check('913c66a37b4a45b9769037c55c2d238bd0942d2e 33f3729a45c02fc67d00adb1b8bca394b0e761d9 refs/heads/master') }.not_to raise_error
expect { access.send(:check_push_access!, '913c66a37b4a45b9769037c55c2d238bd0942d2e 33f3729a45c02fc67d00adb1b8bca394b0e761d9 refs/heads/master') }.not_to raise_error
end
end
......@@ -735,14 +730,14 @@ describe Gitlab::GitAccess, lib: true do
project.create_push_rule
project.push_rule.update(max_file_size: 1)
expect { access.push_access_check('cfe32cf61b73a0d5e9f13e774abde7ff789b1660 913c66a37b4a45b9769037c55c2d238bd0942d2e refs/heads/master') }.to raise_error(described_class::UnauthorizedError)
expect { access.send(:check_push_access!, 'cfe32cf61b73a0d5e9f13e774abde7ff789b1660 913c66a37b4a45b9769037c55c2d238bd0942d2e refs/heads/master') }.to raise_error(described_class::UnauthorizedError)
end
it "returns true when size is allowed" do
project.create_push_rule
project.push_rule.update(max_file_size: 2)
expect { access.push_access_check('cfe32cf61b73a0d5e9f13e774abde7ff789b1660 913c66a37b4a45b9769037c55c2d238bd0942d2e refs/heads/master') }.not_to raise_error
expect { access.send(:check_push_access!, 'cfe32cf61b73a0d5e9f13e774abde7ff789b1660 913c66a37b4a45b9769037c55c2d238bd0942d2e refs/heads/master') }.not_to raise_error
end
it "returns true when size is nil" do
......@@ -750,7 +745,7 @@ describe Gitlab::GitAccess, lib: true do
project.create_push_rule
project.push_rule.update(max_file_size: 2)
expect { access.push_access_check('cfe32cf61b73a0d5e9f13e774abde7ff789b1660 913c66a37b4a45b9769037c55c2d238bd0942d2e refs/heads/master') }.not_to raise_error
expect { access.send(:check_push_access!, 'cfe32cf61b73a0d5e9f13e774abde7ff789b1660 913c66a37b4a45b9769037c55c2d238bd0942d2e refs/heads/master') }.not_to raise_error
end
end
......@@ -762,13 +757,13 @@ describe Gitlab::GitAccess, lib: true do
it 'returns false when blob is too big' do
allow_any_instance_of(Gitlab::Git::Blob).to receive(:size).and_return(100.megabytes.to_i)
expect { access.push_access_check('cfe32cf61b73a0d5e9f13e774abde7ff789b1660 913c66a37b4a45b9769037c55c2d238bd0942d2e refs/heads/master') }.to raise_error(described_class::UnauthorizedError)
expect { access.send(:check_push_access!, 'cfe32cf61b73a0d5e9f13e774abde7ff789b1660 913c66a37b4a45b9769037c55c2d238bd0942d2e refs/heads/master') }.to raise_error(described_class::UnauthorizedError)
end
it 'returns true when blob is just right' do
allow_any_instance_of(Gitlab::Git::Blob).to receive(:size).and_return(2.megabytes.to_i)
expect { access.push_access_check('cfe32cf61b73a0d5e9f13e774abde7ff789b1660 913c66a37b4a45b9769037c55c2d238bd0942d2e refs/heads/master') }.not_to raise_error
expect { access.send(:check_push_access!, 'cfe32cf61b73a0d5e9f13e774abde7ff789b1660 913c66a37b4a45b9769037c55c2d238bd0942d2e refs/heads/master') }.not_to raise_error
end
end
end
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7