Commit 2100c3d2 authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Merge branch 'master' into git-annex

Conflicts:
	lib/gitlab_shell.rb
parents 849d8fdc f61186ba
......@@ -8,13 +8,18 @@ require_relative '../lib/gitlab_net'
#
print "Check GitLab API access: "
resp = GitlabNet.new.check
if resp.code == "200"
begin
resp = GitlabNet.new.check
if resp.code == "200"
print 'OK'
else
else
abort "FAILED. code: #{resp.code}"
end
rescue GitlabNet::ApiUnreachableError
abort "FAILED: Failed to connect to internal API"
end
puts "\nCheck directories and files: "
config = GitlabConfig.new
......
......@@ -18,16 +18,21 @@ class GitlabAccess
end
def exec
begin
status = api.check_access('git-receive-pack', @repo_name, @actor, @changes)
if status.allowed?
true
else
return true if status.allowed?
message = status.message
rescue GitlabNet::ApiUnreachableError
message = "Failed to authorize your Git request: internal API unreachable"
end
# reset GL_ID env since we stop git push here
ENV['GL_ID'] = nil
puts "GitLab: #{status.message}"
puts "GitLab: #{message}"
false
end
end
protected
......
......@@ -7,6 +7,8 @@ require_relative 'gitlab_logger'
require_relative 'gitlab_access'
class GitlabNet
class ApiUnreachableError < StandardError; end
def check_access(cmd, repo, actor, changes)
project_name = repo.gsub("'", "")
project_name = project_name.gsub(/\.git\Z/, "")
......@@ -64,63 +66,66 @@ class GitlabNet
"#{config.gitlab_url}/api/v3/internal"
end
def http_client_for(url)
Net::HTTP.new(url.host, url.port).tap do |http|
if URI::HTTPS === url
def http_client_for(uri)
http = Net::HTTP.new(uri.host, uri.port)
if uri.is_a?(URI::HTTPS)
http.use_ssl = true
http.cert_store = cert_store
http.verify_mode = OpenSSL::SSL::VERIFY_NONE if config.http_settings['self_signed_cert']
end
http
end
end
def http_request_for(url, method = :get)
def http_request_for(method, uri, params = {})
request_klass = method == :get ? Net::HTTP::Get : Net::HTTP::Post
request = request_klass.new(uri.request_uri)
user = config.http_settings['user']
password = config.http_settings['password']
request.basic_auth(user, password) if user && password
if method == :get
Net::HTTP::Get.new(url.request_uri).tap { |r| r.basic_auth(user, password) if user && password }
else
Net::HTTP::Post.new(url.request_uri).tap { |r| r.basic_auth(user, password) if user && password }
end
request.set_form_data(params.merge(secret_token: secret_token))
request
end
def get(url)
$logger.debug "Performing GET #{url}"
def request(method, url, params = {})
$logger.debug "Performing #{method.to_s.upcase} #{url}"
uri = URI.parse(url)
url = URI.parse(url)
http = http_client_for url
request = http_request_for url
request.set_form_data(secret_token: secret_token)
http = http_client_for(uri)
request = http_request_for(method, uri, params)
http.start { |http| http.request(request) }.tap do |resp|
if resp.code == "200"
$logger.debug { "Received response #{resp.code} => <#{resp.body}>." }
begin
response = http.start { http.request(request) }
rescue => e
$logger.warn "Failed to connect to internal API <#{method.to_s.upcase} #{url}>: #{e.inspect}"
raise ApiUnreachableError
end
if response.code == "200"
$logger.debug "Received response #{response.code} => <#{response.body}>."
else
$logger.error { "API call <GET #{url}> failed: #{resp.code} => <#{resp.body}>." }
$logger.error "API call <#{method.to_s.upcase} #{url}> failed: #{response.code} => <#{response.body}>."
end
response
end
def get(url)
request(:get, url)
end
def post(url, params)
$logger.debug "Performing POST #{url}"
url = URI.parse(url)
http = http_client_for(url)
request = http_request_for(url, :post)
request.set_form_data(params.merge(secret_token: secret_token))
http.start { |http| http.request(request) }.tap do |resp|
if resp.code == "200"
$logger.debug { "Received response #{resp.code} => <#{resp.body}>." }
else
$logger.error { "API call <POST #{url}> failed: #{resp.code} => <#{resp.body}>." }
end
end
request(:post, url, params)
end
def cert_store
@cert_store ||= OpenSSL::X509::Store.new.tap do |store|
@cert_store ||= begin
store = OpenSSL::X509::Store.new
store.set_default_paths
if ca_file = config.http_settings['ca_file']
......@@ -130,6 +135,8 @@ class GitlabNet
if ca_path = config.http_settings['ca_path']
store.add_path(ca_path)
end
store
end
end
......
......@@ -18,10 +18,14 @@ class GitlabPostReceive
update_redis
if broadcast_message = GitlabNet.new.broadcast_message
begin
broadcast_message = GitlabNet.new.broadcast_message
if broadcast_message
puts
print_broadcast_message(broadcast_message["message"])
end
rescue GitlabNet::ApiUnreachableError
end
end
protected
......
......@@ -21,15 +21,14 @@ class GitlabShell
if git_cmds.include?(@git_cmd)
ENV['GL_ID'] = @key_id
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# TODO: Fix validation for git-annex-shell !!!!
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
if validate_access
access = api.check_access(@git_cmd, @repo_name, @key_id, '_any')
if access.allowed?
process_cmd
else
message = "gitlab-shell: Access denied for git command <#{@origin_cmd}> by #{log_username}."
$logger.warn message
$stderr.puts "Access denied."
puts access.message
end
else
raise DisallowedCommandError
......@@ -37,10 +36,12 @@ class GitlabShell
else
puts "Welcome to GitLab, #{username}!"
end
rescue GitlabNet::ApiUnreachableError => ex
puts "Failed to authorize your Git request: internal API unreachable"
rescue DisallowedCommandError => ex
message = "gitlab-shell: Attempt to execute disallowed command <#{@origin_cmd}> by #{log_username}."
$logger.warn message
puts 'Not allowed command'
puts 'Disallowed command'
end
protected
......@@ -90,10 +91,6 @@ class GitlabShell
end
end
def validate_access
api.check_access(@git_cmd, @repo_name, @key_id, '_any').allowed?
end
# This method is not covered by Rspec because it ends the current Ruby process.
def exec_cmd(*args)
Kernel::exec({'PATH' => ENV['PATH'], 'LD_LIBRARY_PATH' => ENV['LD_LIBRARY_PATH'], 'GL_ID' => ENV['GL_ID']}, *args, unsetenv_others: true)
......@@ -104,11 +101,12 @@ class GitlabShell
end
def user
# Can't use "@user ||=" because that will keep hitting the API when @user is really nil!
if instance_variable_defined?('@user')
@user
else
return @user if defined?(@user)
begin
@user = api.discover(@key_id)
rescue GitlabNet::ApiUnreachableError
@user = nil
end
end
......
......@@ -5,15 +5,56 @@ describe GitlabAccess do
let(:repository_path) { "/home/git/repositories" }
let(:repo_name) { 'dzaporozhets/gitlab-ci' }
let(:repo_path) { File.join(repository_path, repo_name) + ".git" }
let(:gitlab_access) { GitlabAccess.new(repo_path, 'key-123', 'wow') }
let(:api) do
double(GitlabNet).tap do |api|
api.stub(check_access: GitAccessStatus.new(true))
end
end
subject do
GitlabAccess.new(repo_path, 'key-123', 'wow').tap do |access|
access.stub(exec_cmd: :exec_called)
access.stub(api: api)
end
end
before do
GitlabConfig.any_instance.stub(repos_path: repository_path)
end
describe :initialize do
it { gitlab_access.repo_name.should == repo_name }
it { gitlab_access.repo_path.should == repo_path }
it { gitlab_access.changes.should == ['wow'] }
it { subject.repo_name.should == repo_name }
it { subject.repo_path.should == repo_path }
it { subject.changes.should == ['wow'] }
end
describe "#exec" do
context "access is granted" do
it "returns true" do
expect(subject.exec).to be_true
end
end
context "access is denied" do
before do
api.stub(check_access: GitAccessStatus.new(false))
end
it "returns false" do
expect(subject.exec).to be_false
end
end
context "API connection fails" do
before do
api.stub(:check_access).and_raise(GitlabNet::ApiUnreachableError)
end
it "returns false" do
expect(subject.exec).to be_false
end
end
end
end
......@@ -26,6 +26,11 @@ describe GitlabNet, vcr: true do
gitlab_net.check
end
end
it "raises an exception if the connection fails" do
Net::HTTP.any_instance.stub(:request).and_raise(StandardError)
expect { gitlab_net.check }.to raise_error(GitlabNet::ApiUnreachableError)
end
end
describe :discover do
......@@ -42,6 +47,13 @@ describe GitlabNet, vcr: true do
gitlab_net.discover('key-126')
end
end
it "raises an exception if the connection fails" do
VCR.use_cassette("discover-ok") do
Net::HTTP.any_instance.stub(:request).and_raise(StandardError)
expect { gitlab_net.discover('key-126') }.to raise_error(GitlabNet::ApiUnreachableError)
end
end
end
describe :broadcast_message do
......@@ -110,6 +122,13 @@ describe GitlabNet, vcr: true do
end
end
end
it "raises an exception if the connection fails" do
Net::HTTP.any_instance.stub(:request).and_raise(StandardError)
expect {
gitlab_net.check_access('git-upload-pack', 'gitlab/gitlabhq.git', 'user-1', changes)
}.to raise_error(GitlabNet::ApiUnreachableError)
end
end
describe :host do
......@@ -139,12 +158,13 @@ describe GitlabNet, vcr: true do
let(:user) { 'user' }
let(:password) { 'password' }
let(:url) { URI 'http://localhost/' }
subject { gitlab_net.send :http_request_for, url }
subject { gitlab_net.send :http_request_for, :get, url }
before do
gitlab_net.send(:config).http_settings.stub(:[]).with('user') { user }
gitlab_net.send(:config).http_settings.stub(:[]).with('password') { password }
get.should_receive(:basic_auth).with(user, password).once
get.should_receive(:set_form_data).with(hash_including(secret_token: 'a123')).once
end
it { should_not be_nil }
......
......@@ -135,6 +135,22 @@ describe GitlabShell do
api.should_receive(:discover).with(key_id)
end
end
context "failed connection" do
before {
ssh_cmd 'git-upload-pack gitlab-ci.git'
api.stub(:check_access).and_raise(GitlabNet::ApiUnreachableError)
}
after { subject.exec }
it "should not process the command" do
subject.should_not_receive(:process_cmd)
end
it "should not execute the command" do
subject.should_not_receive(:exec_cmd)
end
end
end
describe :validate_access do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment