Commit 64996dbb authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Merge pull request #230 from bozaro/git-lfs-authenticate

Add git-lfs-authenticate to command white list
parents 4d30c0c5 0bd76995
...@@ -139,3 +139,32 @@ List all keys: ...@@ -139,3 +139,32 @@ List all keys:
Remove all keys from authorized_keys file: Remove all keys from authorized_keys file:
./bin/gitlab-keys clear ./bin/gitlab-keys clear
## Git LFS remark
If you want to play with git-lfs (https://git-lfs.github.com/) on GitLab, you should do the following:
* Install LFS-server (no production-ready implementation yet, but you can use https://github.com/github/lfs-test-server) on any host;
* Add some user on LFS-server (for example: user ```foo``` with password ```bar```);
* Add ```git-lfs-authenticate``` script in any PATH-available directory on GIT-server like this:
```
#!/bin/sh
echo "{
\"href\": \"http://lfs.test.local:9999/test/test\",
\"header\": {
\"Authorization\": \"Basic `echo -n foo:bar | base64`\"
}
}"
```
After that you can play with git-lfs (git-lfs feature will be available via ssh protocol).
This design will work without a script git-lfs-authenticate, but with the following limitations:
* You will need to manually configure lfs-server URL for every user working copy;
* SSO don't work and you need to manually add lfs-server credentials for every user working copy (otherwise, git-lfs will ask for the password for each file).
Usefull links:
* https://github.com/github/git-lfs/tree/master/docs/api - Git LFS API, also contains more information about ```git-lfs-authenticate```;
* https://github.com/github/git-lfs/wiki/Implementations - Git LFS-server implementations.
...@@ -7,7 +7,7 @@ class GitlabShell ...@@ -7,7 +7,7 @@ class GitlabShell
class DisallowedCommandError < StandardError; end class DisallowedCommandError < StandardError; end
class InvalidRepositoryPathError < StandardError; end class InvalidRepositoryPathError < StandardError; end
GIT_COMMANDS = %w(git-upload-pack git-receive-pack git-upload-archive git-annex-shell).freeze GIT_COMMANDS = %w(git-upload-pack git-receive-pack git-upload-archive git-annex-shell git-lfs-authenticate).freeze
attr_accessor :key_id, :repo_name, :git_cmd, :repos_path, :repo_name attr_accessor :key_id, :repo_name, :git_cmd, :repos_path, :repo_name
...@@ -56,16 +56,29 @@ class GitlabShell ...@@ -56,16 +56,29 @@ class GitlabShell
def parse_cmd def parse_cmd
args = Shellwords.shellwords(@origin_cmd) args = Shellwords.shellwords(@origin_cmd)
@git_cmd = args.first @git_cmd = args.first
@git_access = @git_cmd
raise DisallowedCommandError unless GIT_COMMANDS.include?(@git_cmd) raise DisallowedCommandError unless GIT_COMMANDS.include?(@git_cmd)
if @git_cmd == 'git-annex-shell' case @git_cmd
when 'git-annex-shell'
raise DisallowedCommandError unless @config.git_annex_enabled? raise DisallowedCommandError unless @config.git_annex_enabled?
@repo_name = escape_path(args[2].sub(/\A\/~\//, '')) @repo_name = escape_path(args[2].sub(/\A\/~\//, ''))
# Make sure repository has git-annex enabled # Make sure repository has git-annex enabled
init_git_annex(@repo_name) init_git_annex(@repo_name)
when 'git-lfs-authenticate'
raise DisallowedCommandError unless args.count >= 2
@repo_name = escape_path(args[1])
case args[2]
when 'download'
@git_access = 'git-upload-pack'
when 'upload'
@git_access = 'git-receive-pack'
else
raise DisallowedCommandError
end
else else
raise DisallowedCommandError unless args.count == 2 raise DisallowedCommandError unless args.count == 2
@repo_name = escape_path(args.last) @repo_name = escape_path(args.last)
...@@ -73,7 +86,7 @@ class GitlabShell ...@@ -73,7 +86,7 @@ class GitlabShell
end end
def verify_access def verify_access
status = api.check_access(@git_cmd, @repo_name, @key_id, '_any') status = api.check_access(@git_access, @repo_name, @key_id, '_any')
raise AccessDeniedError, status.message unless status.allowed? raise AccessDeniedError, status.message unless status.allowed?
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment