Commit 44e7804d authored by Patricio Cano's avatar Patricio Cano

Allow GitLab Shell to check for allowed access based on the used Git protocol.

parent 5afdd3f1
...@@ -5,12 +5,15 @@ ...@@ -5,12 +5,15 @@
refs = $stdin.read refs = $stdin.read
key_id = ENV['GL_ID'] key_id = ENV['GL_ID']
protocol = ENV['PROTOCOL']
repo_path = Dir.pwd repo_path = Dir.pwd
require_relative '../lib/gitlab_custom_hook' require_relative '../lib/gitlab_custom_hook'
require_relative '../lib/gitlab_access' require_relative '../lib/gitlab_access'
if GitlabAccess.new(repo_path, key_id, refs).exec && protocol ||= 'http'
if GitlabAccess.new(repo_path, key_id, refs, protocol).exec &&
GitlabCustomHook.new.pre_receive(refs, repo_path) GitlabCustomHook.new.pre_receive(refs, repo_path)
exit 0 exit 0
else else
......
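Review bot: The `protocol ||= 'http'` fallback makes a missing `PROTOCOL` environment variable indistinguishable from a real HTTP push, so any SSH code path that does not export the variable would be authorised under the HTTP rules. Nothing visible in this commit sets `PROTOCOL` for the hook (the GitlabShell hunk only passes `'ssh'` to its own `check_access` call), so it is worth confirming where it is exported and recording that above the fallback, e.g. `# gitlab-shell exports PROTOCOL for SSH pushes; unset means the push came in over HTTP`. The value is also forwarded to the access check unvalidated; restricting it to the known set, e.g. `abort 'unsupported protocol' unless %w(ssh http).include?(protocol)`, keeps an unexpected value from reaching the API. The `if`/`else` continues outside the hunk.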
...@@ -9,18 +9,19 @@ class GitlabAccess ...@@ -9,18 +9,19 @@ class GitlabAccess
include NamesHelper include NamesHelper
attr_reader :config, :repo_path, :repo_name, :changes attr_reader :config, :repo_path, :repo_name, :changes, :protocol
def initialize(repo_path, actor, changes) def initialize(repo_path, actor, changes, protocol = nil)
@config = GitlabConfig.new @config = GitlabConfig.new
@repo_path = repo_path.strip @repo_path = repo_path.strip
@actor = actor @actor = actor
@repo_name = extract_repo_name(@repo_path.dup) @repo_name = extract_repo_name(@repo_path.dup)
@changes = changes.lines @changes = changes.lines
@protocol = protocol
end end
def exec def exec
status = api.check_access('git-receive-pack', @repo_name, @actor, @changes) status = api.check_access('git-receive-pack', @repo_name, @actor, @changes, @protocol)
raise AccessDeniedError, status.message unless status.allowed? raise AccessDeniedError, status.message unless status.allowed?
......
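Review bot: The `protocol = nil` default on `initialize` lets a caller omit the protocol silently, and `exec` then forwards `nil` to `check_access`; the same optional default is added to `GitlabNet#check_access`, which puts `protocol: nil` into the request params. How the API treats a missing protocol is not visible here, so a protocol restriction could presumably be skipped by any call site that was not updated. Since both callers shown in this commit already pass a value, consider making the argument required in both signatures, or document the nil case with a comment such as `# protocol: 'ssh' or 'http'; nil leaves the decision to the API`. The class body and `exec` continue outside the hunk.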
...@@ -14,7 +14,7 @@ class GitlabNet ...@@ -14,7 +14,7 @@ class GitlabNet
CHECK_TIMEOUT = 5 CHECK_TIMEOUT = 5
READ_TIMEOUT = 300 READ_TIMEOUT = 300
def check_access(cmd, repo, actor, changes) def check_access(cmd, repo, actor, changes, protocol = nil)
project_name = repo.gsub("'", "") project_name = repo.gsub("'", "")
project_name = project_name.gsub(/\.git\Z/, "") project_name = project_name.gsub(/\.git\Z/, "")
project_name = project_name.gsub(/\A\//, "") project_name = project_name.gsub(/\A\//, "")
...@@ -24,6 +24,7 @@ class GitlabNet ...@@ -24,6 +24,7 @@ class GitlabNet
action: cmd, action: cmd,
changes: changes, changes: changes,
project: project_name, project: project_name,
protocol: protocol
} }
if actor =~ /\Akey\-\d+\Z/ if actor =~ /\Akey\-\d+\Z/
......
...@@ -85,7 +85,7 @@ class GitlabShell ...@@ -85,7 +85,7 @@ class GitlabShell
end end
def verify_access def verify_access
status = api.check_access(@git_access, @repo_name, @key_id, '_any') status = api.check_access(@git_access, @repo_name, @key_id, '_any', 'ssh')
raise AccessDeniedError, status.message unless status.allowed? raise AccessDeniedError, status.message unless status.allowed?
......