Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-shell
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-shell
Commits
961fe45c
Commit
961fe45c
authored
Nov 24, 2014
by
Valery Sizov
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Revert "Revert "Merge branch 'git_hook_messages'""
This reverts commit
f8453da5
.
parent
f8453da5
Changes
13
Hide whitespace changes
Inline
Side-by-side
Showing
13 changed files
with
62 additions
and
31 deletions
+62
-31
CHANGELOG
CHANGELOG
+3
-0
VERSION
VERSION
+1
-1
lib/gitlab_access.rb
lib/gitlab_access.rb
+6
-4
lib/gitlab_access_status.rb
lib/gitlab_access_status.rb
+20
-0
lib/gitlab_net.rb
lib/gitlab_net.rb
+6
-2
lib/gitlab_shell.rb
lib/gitlab_shell.rb
+1
-1
spec/gitlab_net_spec.rb
spec/gitlab_net_spec.rb
+14
-13
spec/gitlab_shell_spec.rb
spec/gitlab_shell_spec.rb
+6
-5
spec/vcr_cassettes/allowed-pull.yml
spec/vcr_cassettes/allowed-pull.yml
+1
-1
spec/vcr_cassettes/allowed-push.yml
spec/vcr_cassettes/allowed-push.yml
+1
-1
spec/vcr_cassettes/denied-pull.yml
spec/vcr_cassettes/denied-pull.yml
+1
-1
spec/vcr_cassettes/denied-push-with-user.yml
spec/vcr_cassettes/denied-push-with-user.yml
+1
-1
spec/vcr_cassettes/denied-push.yml
spec/vcr_cassettes/denied-push.yml
+1
-1
No files found.
CHANGELOG
View file @
961fe45c
v2.4.0
- Show error message when git access is rejected
v2.2.0
- Support for custom hooks (Drew Blessing and Jose Kahan)
...
...
VERSION
View file @
961fe45c
2.
3.1
2.
4.0
lib/gitlab_access.rb
View file @
961fe45c
require_relative
'gitlab_init'
require_relative
'gitlab_net'
require_relative
'gitlab_access_status'
require_relative
'names_helper'
require
'json'
...
...
@@ -17,13 +18,14 @@ class GitlabAccess
end
def
exec
if
api
.
allowed?
(
'git-receive-pack'
,
@repo_name
,
@actor
,
@changes
)
return
true
status
=
api
.
check_access
(
'git-receive-pack'
,
@repo_name
,
@actor
,
@changes
)
if
status
.
allowed?
true
else
# reset GL_ID env since we stop git push here
ENV
[
'GL_ID'
]
=
nil
puts
"GitLab:
You are not allowed to access some of the refs!
"
return
false
puts
"GitLab:
#{
status
.
message
}
"
false
end
end
...
...
lib/gitlab_access_status.rb
0 → 100644
View file @
961fe45c
require
'json'
class
GitAccessStatus
attr_accessor
:status
,
:message
alias_method
:allowed?
,
:status
def
initialize
(
status
,
message
=
''
)
@status
=
status
@message
=
message
end
def
self
.
create_from_json
(
json
)
values
=
JSON
.
parse
(
json
)
self
.
new
(
values
[
"status"
],
values
[
"message"
])
end
def
to_json
{
status:
@status
,
message:
@message
}.
to_json
end
end
\ No newline at end of file
lib/gitlab_net.rb
View file @
961fe45c
...
...
@@ -6,7 +6,7 @@ require_relative 'gitlab_config'
require_relative
'gitlab_logger'
class
GitlabNet
def
allowed?
(
cmd
,
repo
,
actor
,
changes
)
def
check_access
(
cmd
,
repo
,
actor
,
changes
)
project_name
=
repo
.
gsub
(
"'"
,
""
)
project_name
=
project_name
.
gsub
(
/\.git\Z/
,
""
)
project_name
=
project_name
.
gsub
(
/\A\//
,
""
)
...
...
@@ -26,7 +26,11 @@ class GitlabNet
url
=
"
#{
host
}
/allowed"
resp
=
post
(
url
,
params
)
!!
(
resp
.
code
==
'200'
&&
resp
.
body
==
'true'
)
if
resp
.
code
==
'200'
GitAccessStatus
.
create_from_json
(
resp
.
body
)
else
GitAccessStatus
.
new
(
false
,
"API is not accesible"
)
end
end
def
discover
(
key
)
...
...
lib/gitlab_shell.rb
View file @
961fe45c
...
...
@@ -60,7 +60,7 @@ class GitlabShell
end
def
validate_access
api
.
allowed?
(
@git_cmd
,
@repo_name
,
@key_id
,
'_any'
)
api
.
check_access
(
@git_cmd
,
@repo_name
,
@key_id
,
'_any'
).
allowed?
end
# This method is not covered by Rspec because it ends the current Ruby process.
...
...
spec/gitlab_net_spec.rb
View file @
961fe45c
require_relative
'spec_helper'
require_relative
'../lib/gitlab_net'
require_relative
'../lib/gitlab_access_status'
describe
GitlabNet
,
vcr:
true
do
...
...
@@ -43,26 +44,26 @@ describe GitlabNet, vcr: true do
end
end
describe
:
allowed?
do
describe
:
check_access
do
context
'ssh key with access to project'
do
it
'should allow pull access for dev.gitlab.org'
do
VCR
.
use_cassette
(
"allowed-pull"
)
do
access
=
gitlab_net
.
allowed?
(
'git-receive-pack'
,
'gitlab/gitlabhq.git'
,
'key-126'
,
changes
)
access
.
should
be_true
access
=
gitlab_net
.
check_access
(
'git-receive-pack'
,
'gitlab/gitlabhq.git'
,
'key-126'
,
changes
)
access
.
allowed?
.
should
be_true
end
end
it
'adds the secret_token t
heo
request'
do
it
'adds the secret_token t
o the
request'
do
VCR
.
use_cassette
(
"allowed-pull"
)
do
Net
::
HTTP
::
Post
.
any_instance
.
should_receive
(
:set_form_data
).
with
(
hash_including
(
secret_token:
'a123'
))
gitlab_net
.
allowed?
(
'git-receive-pack'
,
'gitlab/gitlabhq.git'
,
'key-126'
,
changes
)
gitlab_net
.
check_access
(
'git-receive-pack'
,
'gitlab/gitlabhq.git'
,
'key-126'
,
changes
)
end
end
it
'should allow push access for dev.gitlab.org'
do
VCR
.
use_cassette
(
"allowed-push"
)
do
access
=
gitlab_net
.
allowed?
(
'git-upload-pack'
,
'gitlab/gitlabhq.git'
,
'key-126'
,
changes
)
access
.
should
be_true
access
=
gitlab_net
.
check_access
(
'git-upload-pack'
,
'gitlab/gitlabhq.git'
,
'key-126'
,
changes
)
access
.
allowed?
.
should
be_true
end
end
end
...
...
@@ -70,22 +71,22 @@ describe GitlabNet, vcr: true do
context
'ssh key without access to project'
do
it
'should deny pull access for dev.gitlab.org'
do
VCR
.
use_cassette
(
"denied-pull"
)
do
access
=
gitlab_net
.
allowed?
(
'git-receive-pack'
,
'gitlab/gitlabhq.git'
,
'key-2'
,
changes
)
access
.
should
be_false
access
=
gitlab_net
.
check_access
(
'git-receive-pack'
,
'gitlab/gitlabhq.git'
,
'key-2'
,
changes
)
access
.
allowed?
.
should
be_false
end
end
it
'should deny push access for dev.gitlab.org'
do
VCR
.
use_cassette
(
"denied-push"
)
do
access
=
gitlab_net
.
allowed?
(
'git-upload-pack'
,
'gitlab/gitlabhq.git'
,
'key-2'
,
changes
)
access
.
should
be_false
access
=
gitlab_net
.
check_access
(
'git-upload-pack'
,
'gitlab/gitlabhq.git'
,
'key-2'
,
changes
)
access
.
allowed?
.
should
be_false
end
end
it
'should deny push access for dev.gitlab.org (with user)'
do
VCR
.
use_cassette
(
"denied-push-with-user"
)
do
access
=
gitlab_net
.
allowed?
(
'git-upload-pack'
,
'gitlab/gitlabhq.git'
,
'user-1'
,
changes
)
access
.
should
be_false
access
=
gitlab_net
.
check_access
(
'git-upload-pack'
,
'gitlab/gitlabhq.git'
,
'user-1'
,
changes
)
access
.
allowed?
.
should
be_false
end
end
end
...
...
spec/gitlab_shell_spec.rb
View file @
961fe45c
require_relative
'spec_helper'
require_relative
'../lib/gitlab_shell'
require_relative
'../lib/gitlab_access_status'
describe
GitlabShell
do
subject
do
...
...
@@ -12,7 +13,7 @@ describe GitlabShell do
let
(
:api
)
do
double
(
GitlabNet
).
tap
do
|
api
|
api
.
stub
(
discover:
{
'name'
=>
'John Doe'
})
api
.
stub
(
allowed?:
true
)
api
.
stub
(
check_access:
GitAccessStatus
.
new
(
true
)
)
end
end
let
(
:key_id
)
{
"key-
#{
rand
(
100
)
+
100
}
"
}
...
...
@@ -140,13 +141,13 @@ describe GitlabShell do
before
{
ssh_cmd
'git-upload-pack gitlab-ci.git'
}
after
{
subject
.
exec
}
it
"should call api.
allowed?
"
do
api
.
should_receive
(
:
allowed?
).
it
"should call api.
check_access
"
do
api
.
should_receive
(
:
check_access
).
with
(
'git-upload-pack'
,
'gitlab-ci.git'
,
key_id
,
'_any'
)
end
it
"should disallow access and log the attempt if
allowed? returns false
"
do
api
.
stub
(
allowed?:
false
)
it
"should disallow access and log the attempt if
check_access returns false status
"
do
api
.
stub
(
check_access:
GitAccessStatus
.
new
(
false
)
)
message
=
"gitlab-shell: Access denied for git command <git-upload-pack gitlab-ci.git> "
message
<<
"by user with key
#{
key_id
}
."
$logger
.
should_receive
(
:warn
).
with
(
message
)
...
...
spec/vcr_cassettes/allowed-pull.yml
View file @
961fe45c
...
...
@@ -42,7 +42,7 @@ http_interactions:
-
'
0.089741'
body
:
encoding
:
UTF-8
string
:
'
true
'
string
:
'
{"status":
"true"}
'
http_version
:
recorded_at
:
Wed, 03 Sep 2014 11:27:36 GMT
recorded_with
:
VCR 2.4.0
spec/vcr_cassettes/allowed-push.yml
View file @
961fe45c
...
...
@@ -42,7 +42,7 @@ http_interactions:
-
'
0.833195'
body
:
encoding
:
UTF-8
string
:
'
true
'
string
:
'
{"status":
"true"}
'
http_version
:
recorded_at
:
Wed, 03 Sep 2014 11:27:37 GMT
recorded_with
:
VCR 2.4.0
spec/vcr_cassettes/denied-pull.yml
View file @
961fe45c
...
...
@@ -40,7 +40,7 @@ http_interactions:
-
'
0.028027'
body
:
encoding
:
UTF-8
string
:
'
{"message":"404
Not
found"}'
string
:
'
{"
status":
false,
"
message":"404
Not
found"}'
http_version
:
recorded_at
:
Wed, 03 Sep 2014 11:27:38 GMT
recorded_with
:
VCR 2.4.0
spec/vcr_cassettes/denied-push-with-user.yml
View file @
961fe45c
...
...
@@ -42,7 +42,7 @@ http_interactions:
-
'
0.019640'
body
:
encoding
:
UTF-8
string
:
'
false
'
string
:
'
{"status":
false}
'
http_version
:
recorded_at
:
Wed, 03 Sep 2014 11:27:39 GMT
recorded_with
:
VCR 2.4.0
spec/vcr_cassettes/denied-push.yml
View file @
961fe45c
...
...
@@ -40,7 +40,7 @@ http_interactions:
-
'
0.015198'
body
:
encoding
:
UTF-8
string
:
'
{"message":"404
Not
found"}'
string
:
'
{"
status":
false,
"
message":"404
Not
found"}'
http_version
:
recorded_at
:
Wed, 03 Sep 2014 11:27:38 GMT
recorded_with
:
VCR 2.4.0
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment