BigW Consortium Gitlab

workhorse.rb 3.5 KB
Newer Older
1 2
require 'base64'
require 'json'
3
require 'securerandom'
4 5 6

module Gitlab
  class Workhorse
Jacob Vosmaer committed
7
    SEND_DATA_HEADER = 'Gitlab-Workhorse-Send-Data'
8
    VERSION_FILE = 'GITLAB_WORKHORSE_VERSION'
9 10 11 12 13 14
    INTERNAL_API_CONTENT_TYPE = 'application/vnd.gitlab-workhorse+json'
    INTERNAL_API_REQUEST_HEADER = 'Gitlab-Workhorse-Api-Request'

    # Supposedly the effective key size for HMAC-SHA256 is 256 bits, i.e. 32
    # bytes https://tools.ietf.org/html/rfc4868#section-2.6
    SECRET_LENGTH = 32
15

Jacob Vosmaer committed
16
    class << self
17 18
      def git_http_ok(repository, user)
        {
19 20
          GL_ID: Gitlab::GlId.gl_id(user),
          RepoPath: repository.path_to_repo,
21 22 23
        }
      end

24 25 26 27 28 29 30 31 32 33 34 35
      def lfs_upload_ok(oid, size)
        {
          StoreLFSPath: "#{Gitlab.config.lfs.storage_path}/tmp/upload",
          LfsOid: oid,
          LfsSize: size,
        }
      end

      def artifact_upload_ok
        { TempPath: ArtifactUploader.artifacts_upload_path }
      end

36
      def send_git_blob(repository, blob)
37
        params = {
38 39 40 41 42
          'RepoPath' => repository.path_to_repo,
          'BlobId' => blob.id,
        }

        [
43
          SEND_DATA_HEADER,
Douwe Maan committed
44
          "git-blob:#{encode(params)}"
45 46
        ]
      end
47

48
      def send_git_archive(repository, ref:, format:)
49 50
        format ||= 'tar.gz'
        format.downcase!
51
        params = repository.archive_metadata(ref, Gitlab.config.gitlab.repository_downloads_path, format)
52 53 54 55
        raise "Repository or ref not found" if params.empty?

        [
          SEND_DATA_HEADER,
Douwe Maan committed
56
          "git-archive:#{encode(params)}"
57 58
        ]
      end
59

Douwe Maan committed
60
      def send_git_diff(repository, diff_refs)
61
        params = {
Douwe Maan committed
62
          'RepoPath'  => repository.path_to_repo,
63 64
          'ShaFrom'   => diff_refs.start_sha,
          'ShaTo'     => diff_refs.head_sha
65 66 67 68 69
        }

        [
          SEND_DATA_HEADER,
          "git-diff:#{encode(params)}"
70 71
        ]
      end
72

Douwe Maan committed
73
      def send_git_patch(repository, diff_refs)
74
        params = {
75
          'RepoPath'  => repository.path_to_repo,
Douwe Maan committed
76 77
          'ShaFrom'   => diff_refs.start_sha,
          'ShaTo'     => diff_refs.head_sha
78 79 80
        }

        [
81
          SEND_DATA_HEADER,
82 83 84 85
          "git-format-patch:#{encode(params)}"
        ]
      end

86 87 88 89 90 91 92 93 94 95 96 97
      def send_artifacts_entry(build, entry)
        params = {
          'Archive' => build.artifacts_file.path,
          'Entry' => Base64.encode64(entry.path)
        }

        [
          SEND_DATA_HEADER,
          "artifacts-entry:#{encode(params)}"
        ]
      end

98
      def version
99 100
        path = Rails.root.join(VERSION_FILE)
        path.readable? ? path.read.chomp : 'unknown'
101 102
      end

103 104
      def secret
        @secret ||= begin
105
          bytes = Base64.strict_decode64(File.read(secret_path).chomp)
106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131
          raise "#{secret_path} does not contain #{SECRET_LENGTH} bytes" if bytes.length != SECRET_LENGTH
          bytes
        end
      end
      
      def write_secret
        bytes = SecureRandom.random_bytes(SECRET_LENGTH)
        File.open(secret_path, 'w:BINARY', 0600) do |f| 
          f.chmod(0600)
          f.write(Base64.strict_encode64(bytes))
        end
      end
      
      def verify_api_request!(request_headers)
        JWT.decode(
          request_headers[INTERNAL_API_REQUEST_HEADER],
          secret,
          true,
          { iss: 'gitlab-workhorse', verify_iss: true, algorithm: 'HS256' },
        )
      end

      def secret_path
        Rails.root.join('.gitlab_workhorse_secret')
      end
      
132
      protected
133

134 135 136
      def encode(hash)
        Base64.urlsafe_encode64(JSON.dump(hash))
      end
137 138
    end
  end
Jacob Vosmaer committed
139
end