Commit
cb85cf1f
authored
Aug 29, 2016
by
Patricio Cano
Refactor LFS token logic to use a Redis key instead of a DB field, making it a one-time-use token.
parent
372be2d2
Showing
15 changed files
with
93 additions
and
79 deletions
+93
-79
app/controllers/projects/git_http_client_controller.rb
app/controllers/projects/git_http_client_controller.rb
+1
-2
app/helpers/lfs_helper.rb
app/helpers/lfs_helper.rb
+5
-1
app/models/deploy_key.rb
app/models/deploy_key.rb
+0
-5
app/models/user.rb
app/models/user.rb
+1
-2
db/migrate/20160825173042_add_lfs_token_to_users.rb
db/migrate/20160825173042_add_lfs_token_to_users.rb
+0
-16
db/migrate/20160825182924_add_lfs_token_to_keys.rb
db/migrate/20160825182924_add_lfs_token_to_keys.rb
+0
-16
lib/api/entities.rb
lib/api/entities.rb
+1
-1
lib/api/internal.rb
lib/api/internal.rb
+5
-4
lib/gitlab/auth.rb
lib/gitlab/auth.rb
+7
-5
lib/gitlab/lfs_token.rb
lib/gitlab/lfs_token.rb
+29
-0
spec/lib/gitlab/auth_spec.rb
spec/lib/gitlab/auth_spec.rb
+5
-3
spec/lib/gitlab/lfs_token_spec.rb
spec/lib/gitlab/lfs_token_spec.rb
+35
-0
spec/models/concerns/token_authenticatable_spec.rb
spec/models/concerns/token_authenticatable_spec.rb
+0
-20
spec/requests/api/internal_spec.rb
spec/requests/api/internal_spec.rb
+3
-3
spec/requests/lfs_http_spec.rb
spec/requests/lfs_http_spec.rb
+1
-1
app/controllers/projects/git_http_client_controller.rb
...
@@ -132,8 +132,7 @@ class Projects::GitHttpClientController < Projects::ApplicationController
...
@@ -132,8 +132,7 @@ class Projects::GitHttpClientController < Projects::ApplicationController
end
end
def
lfs_deploy_key?
def
lfs_deploy_key?
key
=
user
@lfs_deploy_key
.
present?
&&
(
user
&&
user
.
projects
.
include?
(
project
))
@lfs_deploy_key
.
present?
&&
(
key
&&
key
.
projects
.
include?
(
project
))
end
end
def
verify_workhorse_api!
def
verify_workhorse_api!
...
...
app/helpers/lfs_helper.rb
...
@@ -25,7 +25,11 @@ module LfsHelper
...
@@ -25,7 +25,11 @@ module LfsHelper
def
lfs_download_access?
def
lfs_download_access?
return
false
unless
project
.
lfs_enabled?
return
false
unless
project
.
lfs_enabled?
project
.
public?
||
ci?
||
lfs_deploy_key?
||
(
user
&&
user
.
can?
(
:download_code
,
project
))
return
true
if
project
.
public?
return
true
if
ci?
return
true
if
lfs_deploy_key?
(
user
&&
user
.
can?
(
:download_code
,
project
))
end
end
def
lfs_upload_access?
def
lfs_upload_access?
...
...
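Review bot: The rewritten `lfs_download_access?` ends with `(user && user.can?(:download_code, project))`, so for an anonymous caller on a private, non-CI, non-deploy-key request the predicate returns nil rather than false; the surrounding parentheses are also a leftover of the removed one-line expression. Guard clauses read more consistently if the tail matches them: `return false unless user` followed by `user.can?(:download_code, project)`. The `LfsHelper` module continues outside the hunk.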
app/models/deploy_key.rb
class
DeployKey
<
Key
class
DeployKey
<
Key
include
TokenAuthenticatable
add_authentication_token_field
:lfs_token
has_many
:deploy_keys_projects
,
dependent: :destroy
has_many
:deploy_keys_projects
,
dependent: :destroy
has_many
:projects
,
through: :deploy_keys_projects
has_many
:projects
,
through: :deploy_keys_projects
before_save
:ensure_lfs_token
scope
:in_projects
,
->
(
projects
)
{
joins
(
:deploy_keys_projects
).
where
(
'deploy_keys_projects.project_id in (?)'
,
projects
)
}
scope
:in_projects
,
->
(
projects
)
{
joins
(
:deploy_keys_projects
).
where
(
'deploy_keys_projects.project_id in (?)'
,
projects
)
}
scope
:are_public
,
->
{
where
(
public:
true
)
}
scope
:are_public
,
->
{
where
(
public:
true
)
}
...
...
app/models/user.rb
...
@@ -13,7 +13,6 @@ class User < ActiveRecord::Base
...
@@ -13,7 +13,6 @@ class User < ActiveRecord::Base
DEFAULT_NOTIFICATION_LEVEL
=
:participating
DEFAULT_NOTIFICATION_LEVEL
=
:participating
add_authentication_token_field
:authentication_token
add_authentication_token_field
:authentication_token
add_authentication_token_field
:lfs_token
default_value_for
:admin
,
false
default_value_for
:admin
,
false
default_value_for
(
:external
)
{
current_application_settings
.
user_default_external
}
default_value_for
(
:external
)
{
current_application_settings
.
user_default_external
}
...
@@ -118,7 +117,7 @@ class User < ActiveRecord::Base
...
@@ -118,7 +117,7 @@ class User < ActiveRecord::Base
before_validation
:set_public_email
,
if:
->
(
user
)
{
user
.
public_email_changed?
}
before_validation
:set_public_email
,
if:
->
(
user
)
{
user
.
public_email_changed?
}
after_update
:update_emails_with_primary_email
,
if:
->
(
user
)
{
user
.
email_changed?
}
after_update
:update_emails_with_primary_email
,
if:
->
(
user
)
{
user
.
email_changed?
}
before_save
:ensure_authentication_token
,
:ensure_lfs_token
before_save
:ensure_authentication_token
before_save
:ensure_external_user_rights
before_save
:ensure_external_user_rights
after_save
:ensure_namespace_correct
after_save
:ensure_namespace_correct
after_initialize
:set_projects_limit
after_initialize
:set_projects_limit
...
...
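--- a/db/migrate/20160825173042_add_lfs_token_to_users.rb
+++ b/db/migrate/20160825173042_add_lfs_token_to_users.rb
@@ -1,16 +0,0 @@
-# See http://doc.gitlab.com/ce/development/migration_style_guide.html
-# for more information on how to write migrations for GitLab.
-
-class AddLfsTokenToUsers < ActiveRecord::Migration
-  include Gitlab::Database::MigrationHelpers
-
-  # Set this constant to true if this migration requires downtime.
-  DOWNTIME = false
-
-  disable_ddl_transaction!
-
-  def change
-    add_column :users, :lfs_token, :string
-    add_concurrent_index :users, :lfs_token
-  end
-end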
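--- a/db/migrate/20160825182924_add_lfs_token_to_keys.rb
+++ b/db/migrate/20160825182924_add_lfs_token_to_keys.rb
@@ -1,16 +0,0 @@
-# See http://doc.gitlab.com/ce/development/migration_style_guide.html
-# for more information on how to write migrations for GitLab.
-
-class AddLfsTokenToKeys < ActiveRecord::Migration
-  include Gitlab::Database::MigrationHelpers
-
-  # Set this constant to true if this migration requires downtime.
-  DOWNTIME = false
-
-  disable_ddl_transaction!
-
-  def change
-    add_column :keys, :lfs_token, :string
-    add_concurrent_index :keys, :lfs_token
-  end
-end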
lib/api/entities.rb
module
API
module
API
module
Entities
module
Entities
class
UserSafe
<
Grape
::
Entity
class
UserSafe
<
Grape
::
Entity
expose
:name
,
:username
,
:lfs_token
expose
:name
,
:username
end
end
class
UserBasic
<
UserSafe
class
UserBasic
<
UserSafe
...
...
lib/api/internal.rb
...
@@ -88,12 +88,13 @@ module API
...
@@ -88,12 +88,13 @@ module API
get
"/discover"
do
get
"/discover"
do
key
=
Key
.
find
(
params
[
:key_id
])
key
=
Key
.
find
(
params
[
:key_id
])
user
=
key
.
user
user
=
key
.
user
if
user
if
user
user
.
ensure_lfs_token!
token
=
Gitlab
::
LfsToken
.
new
(
user
).
set_token
present
user
,
with:
Entities
::
UserSafe
{
name:
user
.
name
,
username:
user
.
username
,
lfs_token:
token
}
else
else
key
.
ensure_lfs_token!
token
=
Gitlab
::
LfsToken
.
new
(
key
).
set_token
{
username:
'lfs-deploy-key'
,
lfs_token:
key
.
lfs_
token
}
{
username:
"lfs-deploy-key-
#{
key
.
id
}
"
,
lfs_token:
token
}
end
end
end
end
...
...
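Review bot: The `else` branch of `/discover` mints a token for whatever `Key.find` returned, but the matching lookup in `lfs_token_check` is done with `DeployKey.find`, and `redis_key` is derived from `actor.class.name.underscore`, so a plain `Key` whose `user` is nil would presumably get a `key_<id>` Redis entry that no login can ever match (the removed `key.ensure_lfs_token!` would have failed loudly for such a key, since only `DeployKey` had the field). Make the assumption explicit, `elsif key.is_a?(DeployKey)`, and return an error for anything else. It is also worth a comment on the endpoint that every call replaces the actor's current token, so two concurrent git-lfs sessions for the same user or deploy key invalidate each other; e.g. `# Each call rotates the actor's LFS token; any token issued earlier stops working.`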
lib/gitlab/auth.rb
...
@@ -117,12 +117,14 @@ module Gitlab
...
@@ -117,12 +117,14 @@ module Gitlab
end
end
def
lfs_token_check
(
login
,
password
)
def
lfs_token_check
(
login
,
password
)
if
login
==
'lfs-deploy-key'
if
login
.
include?
(
'lfs-deploy-key'
)
key
=
DeployKey
.
find_by_lfs_token
(
password
)
key
=
DeployKey
.
find
(
login
.
gsub
(
'lfs-deploy-key-'
,
''
))
Result
.
new
(
key
,
:lfs_deploy_token
)
if
key
token
=
Gitlab
::
LfsToken
.
new
(
key
).
get_value
Result
.
new
(
key
,
:lfs_deploy_token
)
if
key
&&
token
==
password
else
else
user
=
User
.
find_by_lfs_token
(
password
)
user
=
User
.
by_login
(
login
)
Result
.
new
(
user
,
:lfs_token
)
if
user
&&
user
.
username
==
login
token
=
Gitlab
::
LfsToken
.
new
(
user
).
get_value
Result
.
new
(
user
,
:lfs_token
)
if
user
&&
token
==
password
end
end
end
end
end
end
...
...
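Review bot: In `lfs_token_check` the deploy-key branch resolves the actor with `DeployKey.find`, which raises `ActiveRecord::RecordNotFound` instead of returning nil when the id after `lfs-deploy-key-` does not exist or is not numeric, so the `if key && ...` guard never sees the nil it is written for and an unknown or malformed login becomes an error response rather than a failed authentication; `find_by(id: ...)` gives the nil the guard expects. `login.include?('lfs-deploy-key')` also routes any username containing that substring into the deploy-key branch, while `/discover` only ever produces logins of the form `lfs-deploy-key-<id>`, so `start_with?('lfs-deploy-key-')` is the precise test. The token is a bearer secret, so compare it with `Devise.secure_compare` (Devise already generates it in `Gitlab::LfsToken`), which is constant-time and rejects a blank value; and only read Redis once the actor is known, because `redis_key` returns nil for a nil actor. The rewritten body below keeps the return values callers already rely on.
```ruby
def lfs_token_check(login, password)
  if login.start_with?('lfs-deploy-key-')
    key = DeployKey.find_by(id: login.sub('lfs-deploy-key-', ''))
    return unless key

    token = Gitlab::LfsToken.new(key).get_value
    Result.new(key, :lfs_deploy_token) if token.present? && Devise.secure_compare(token, password)
  else
    user = User.by_login(login)
    return unless user

    token = Gitlab::LfsToken.new(user).get_value
    Result.new(user, :lfs_token) if token.present? && Devise.secure_compare(token, password)
  end
end
```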
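--- a/lib/gitlab/lfs_token.rb
+++ b/lib/gitlab/lfs_token.rb
@@ -0,0 +1,29 @@
+module Gitlab
+  class LfsToken
+    attr_accessor :actor
+
+    def initialize(actor)
+      @actor = actor
+    end
+
+    def set_token
+      token = Devise.friendly_token(50)
+      Gitlab::Redis.with do |redis|
+        redis.set(redis_key, token, ex: 3600)
+      end
+      token
+    end
+
+    def get_value
+      Gitlab::Redis.with do |redis|
+        redis.get(redis_key)
+      end
+    end
+
+    private
+
+    def redis_key
+      "gitlab:lfs_token:#{actor.class.name.underscore}_#{actor.id}" if actor
+    end
+  end
+end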
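Review bot: The commit message describes a one-use token, but `get_value` only reads the Redis entry and `set_token` stores it with `ex: 3600`, so the same value authenticates any number of times for an hour; if single use is really the intent, `get_value` has to consume the entry (a `multi` block doing `get` then `del`, or equivalent), though git-lfs clients presumably reuse the credential across the batch call and the object transfers, so whichever lifetime is chosen should be stated in a class comment such as `# Short-lived bearer token for git-lfs, stored in Redis for one hour and replaced on every set_token call.` `redis_key` returns nil for a nil actor and both public methods pass that straight to `redis.set`/`redis.get`; rejecting a nil actor in `initialize` with `raise ArgumentError, 'actor is required'` fails earlier and more clearly. Two smaller points: `attr_accessor :actor` exposes a writer nothing here uses, so `attr_reader :actor` is enough, and the bare `3600` and `50` deserve named constants (`EXPIRY_SECONDS = 3600`, `TOKEN_LENGTH = 50`) so the auth spec can reference the same values.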
spec/lib/gitlab/auth_spec.rb
...
@@ -26,17 +26,19 @@ describe Gitlab::Auth, lib: true do
...
@@ -26,17 +26,19 @@ describe Gitlab::Auth, lib: true do
it
'recognizes user lfs tokens'
do
it
'recognizes user lfs tokens'
do
user
=
create
(
:user
)
user
=
create
(
:user
)
ip
=
'ip'
ip
=
'ip'
token
=
Gitlab
::
LfsToken
.
new
(
user
).
set_token
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
ip
,
success:
true
,
login:
user
.
username
)
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
ip
,
success:
true
,
login:
user
.
username
)
expect
(
gl_auth
.
find_for_git_client
(
user
.
username
,
user
.
lfs_
token
,
project:
nil
,
ip:
ip
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
user
,
:lfs_token
))
expect
(
gl_auth
.
find_for_git_client
(
user
.
username
,
token
,
project:
nil
,
ip:
ip
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
user
,
:lfs_token
))
end
end
it
'recognizes deploy key lfs tokens'
do
it
'recognizes deploy key lfs tokens'
do
key
=
create
(
:deploy_key
)
key
=
create
(
:deploy_key
)
ip
=
'ip'
ip
=
'ip'
token
=
Gitlab
::
LfsToken
.
new
(
key
).
set_token
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
ip
,
success:
true
,
login:
'lfs-deploy-key'
)
expect
(
gl_auth
).
to
receive
(
:rate_limit!
).
with
(
ip
,
success:
true
,
login:
"lfs-deploy-key-
#{
key
.
id
}
"
)
expect
(
gl_auth
.
find_for_git_client
(
'lfs-deploy-key'
,
key
.
lfs_
token
,
project:
nil
,
ip:
ip
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
key
,
:lfs_deploy_token
))
expect
(
gl_auth
.
find_for_git_client
(
"lfs-deploy-key-
#{
key
.
id
}
"
,
token
,
project:
nil
,
ip:
ip
)).
to
eq
(
Gitlab
::
Auth
::
Result
.
new
(
key
,
:lfs_deploy_token
))
end
end
it
'recognizes OAuth tokens'
do
it
'recognizes OAuth tokens'
do
...
...
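Review bot: Both updated examples exercise only the success path; nothing covers a deploy-key login whose id does not exist, a login with the prefix but no numeric id, or a wrong or missing Redis value, which is exactly where the new `DeployKey.find` plus `==` path differs from the removed `find_by_lfs_token` lookup. Add at least one negative example per branch along the lines of `expect(gl_auth.find_for_git_client("lfs-deploy-key-#{key.id}", 'wrong', project: nil, ip: ip)).not_to eq(Gitlab::Auth::Result.new(key, :lfs_deploy_token))` and one for a non-existent id such as `'lfs-deploy-key-0'` (constructed value).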
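--- a/spec/lib/gitlab/lfs_token_spec.rb
+++ b/spec/lib/gitlab/lfs_token_spec.rb
@@ -0,0 +1,35 @@
+require 'spec_helper'
+
+describe Gitlab::LfsToken, lib: true do
+  describe '#set_token and #get_value' do
+    shared_examples 'an LFS token generator' do
+      it 'returns a randomly generated token' do
+        token = handler.set_token
+
+        expect(token).not_to be_nil
+        expect(token).to be_a String
+        expect(token.length).to eq 50
+      end
+
+      it 'returns the correct token based on the key' do
+        token = handler.set_token
+
+        expect(handler.get_value).to eq(token)
+      end
+    end
+
+    context 'when the actor is a user' do
+      let(:actor) { create(:user) }
+      let(:handler) { described_class.new(actor) }
+
+      it_behaves_like 'an LFS token generator'
+    end
+
+    context 'when the actor is a deploy key' do
+      let(:actor) { create(:deploy_key) }
+      let(:handler) { described_class.new(actor) }
+
+      it_behaves_like 'an LFS token generator'
+    end
+  end
+end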
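Review bot: The shared examples only check that `set_token` returns a 50-character string and that `get_value` reads it back; nothing pins the two properties the auth path depends on, namely that the stored entry expires and that a second `set_token` call replaces the first value. The example titled 'returns a randomly generated token' does not test randomness either. Add `expect(handler.set_token).not_to eq(handler.set_token)` to that example, an example asserting `expect { handler.set_token }.to change { handler.get_value }`, and one that reads the key's TTL from Redis and checks it is positive and at most 3600.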
spec/models/concerns/token_authenticatable_spec.rb
...
@@ -18,26 +18,6 @@ describe User, 'TokenAuthenticatable' do
...
@@ -18,26 +18,6 @@ describe User, 'TokenAuthenticatable' do
subject
{
create
(
:user
).
send
(
token_field
)
}
subject
{
create
(
:user
).
send
(
token_field
)
}
it
{
is_expected
.
to
be_a
String
}
it
{
is_expected
.
to
be_a
String
}
end
end
describe
'lfs token'
do
let
(
:token_field
)
{
:lfs_token
}
it_behaves_like
'TokenAuthenticatable'
describe
'ensure it'
do
subject
{
create
(
:user
).
send
(
token_field
)
}
it
{
is_expected
.
to
be_a
String
}
end
end
end
describe
DeployKey
,
'TokenAuthenticatable'
do
let
(
:token_field
)
{
:lfs_token
}
it_behaves_like
'TokenAuthenticatable'
describe
'ensures authentication token'
do
subject
{
create
(
:deploy_key
).
send
(
token_field
)
}
it
{
is_expected
.
to
be_a
String
}
end
end
end
describe
ApplicationSetting
,
'TokenAuthenticatable'
do
describe
ApplicationSetting
,
'TokenAuthenticatable'
do
...
...
spec/requests/api/internal_spec.rb
...
@@ -108,7 +108,7 @@ describe API::API, api: true do
...
@@ -108,7 +108,7 @@ describe API::API, api: true do
expect
(
response
).
to
have_http_status
(
200
)
expect
(
response
).
to
have_http_status
(
200
)
expect
(
json_response
[
'name'
]).
to
eq
(
user
.
name
)
expect
(
json_response
[
'name'
]).
to
eq
(
user
.
name
)
expect
(
json_response
[
'lfs_token'
]).
to
eq
(
user
.
lfs_token
)
expect
(
json_response
[
'lfs_token'
]).
to
eq
(
Gitlab
::
LfsToken
.
new
(
user
).
get_value
)
end
end
end
end
...
@@ -120,8 +120,8 @@ describe API::API, api: true do
...
@@ -120,8 +120,8 @@ describe API::API, api: true do
expect
(
response
).
to
have_http_status
(
200
)
expect
(
response
).
to
have_http_status
(
200
)
expect
(
json_response
[
'username'
]).
to
eq
(
'lfs-deploy-key'
)
expect
(
json_response
[
'username'
]).
to
eq
(
"lfs-deploy-key-
#{
key
.
id
}
"
)
expect
(
json_response
[
'lfs_token'
]).
to
eq
(
key
.
lfs_token
)
expect
(
json_response
[
'lfs_token'
]).
to
eq
(
Gitlab
::
LfsToken
.
new
(
key
).
get_value
)
end
end
end
end
end
end
...
...
spec/requests/lfs_http_spec.rb
...
@@ -917,7 +917,7 @@ describe 'Git LFS API and storage' do
...
@@ -917,7 +917,7 @@ describe 'Git LFS API and storage' do
end
end
def
authorize_deploy_key
def
authorize_deploy_key
ActionController
::
HttpAuthentication
::
Basic
.
encode_credentials
(
'lfs-deploy-key'
,
key
.
lfs
_token
)
ActionController
::
HttpAuthentication
::
Basic
.
encode_credentials
(
"lfs-deploy-key-
#{
key
.
id
}
"
,
Gitlab
::
LfsToken
.
new
(
key
).
set
_token
)
end
end
def
fork_project
(
project
,
user
,
object
=
nil
)
def
fork_project
(
project
,
user
,
object
=
nil
)
...
...