BigW Consortium Gitlab

git_http_controller.rb 4.68 KB
Newer Older
1 2
# This file should be identical in GitLab Community Edition and Enterprise Edition

3
class Projects::GitHttpController < Projects::ApplicationController
4 5 6
  include ActionController::HttpAuthentication::Basic
  include KerberosSpnegoHelper

7 8
  attr_reader :user

9 10
  # Git clients will not know what authenticity token to send along
  skip_before_action :verify_authenticity_token
11 12
  skip_before_action :repository
  before_action :authenticate_user
13
  before_action :ensure_project_found!
14 15 16 17

  # GET /foo/bar.git/info/refs?service=git-upload-pack (git pull)
  # GET /foo/bar.git/info/refs?service=git-receive-pack (git push)
  def info_refs
18
    if upload_pack? && upload_pack_allowed?
Jacob Vosmaer committed
19 20 21
      render_ok
    elsif receive_pack? && receive_pack_allowed?
      render_ok
22
    elsif http_blocked?
23
      render_not_allowed
Jacob Vosmaer committed
24 25
    else
      render_not_found
26 27
    end
  end
Jacob Vosmaer committed
28

29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44
  # POST /foo/bar.git/git-upload-pack (git pull)
  def git_upload_pack
    if upload_pack? && upload_pack_allowed?
      render_ok
    else
      render_not_found
    end
  end

  # POST /foo/bar.git/git-receive-pack" (git push)
  def git_receive_pack
    if receive_pack? && receive_pack_allowed?
      render_ok
    else
      render_not_found
    end
45 46 47 48 49
  end

  private

  def authenticate_user
50 51 52
    if project && project.public? && upload_pack?
      return # Allow access
    end
53

54 55
    if allow_basic_auth? && basic_auth_provided?
      login, password = user_name_and_password(request)
56
      auth_result = Gitlab::Auth.find_for_git_client(login, password, project: project, ip: request.ip)
57

58
      if auth_result.type == :ci && upload_pack?
59
        @ci = true
60 61
      elsif auth_result.type == :oauth && !upload_pack?
        # Not allowed
62
      else
63
        @user = auth_result.user
64
      end
65

66 67 68 69 70 71 72 73 74 75
      if ci? || user
        return # Allow access
      end
    elsif allow_kerberos_spnego_auth? && spnego_provided?
      @user = find_kerberos_user

      if user
        send_final_spnego_response
        return # Allow access
      end
76
    end
77 78 79 80 81 82 83 84 85 86 87 88 89 90

    send_challenges
    render plain: "HTTP Basic: Access denied\n", status: 401
  end

  def basic_auth_provided?
    has_basic_credentials?(request)
  end

  def send_challenges
    challenges = []
    challenges << 'Basic realm="GitLab"' if allow_basic_auth?
    challenges << spnego_challenge if allow_kerberos_spnego_auth?
    headers['Www-Authenticate'] = challenges.join("\n") if challenges.any?
91 92
  end

93
  def ensure_project_found!
Jacob Vosmaer committed
94
    render_not_found if project.blank?
95 96 97 98
  end

  def project
    return @project if defined?(@project)
99 100 101 102 103 104 105

    project_id, _ = project_id_with_suffix
    if project_id.blank?
      @project = nil
    else
      @project = Project.find_with_namespace("#{params[:namespace_id]}/#{project_id}")
    end
106 107
  end

108 109 110 111
  # This method returns two values so that we can parse
  # params[:project_id] (untrusted input!) in exactly one place.
  def project_id_with_suffix
    id = params[:project_id] || ''
Jacob Vosmaer committed
112

113
    %w[.wiki.git .git].each do |suffix|
114 115 116 117 118 119
      if id.end_with?(suffix)
        # Be careful to only remove the suffix from the end of 'id'.
        # Accidentally removing it from the middle is how security
        # vulnerabilities happen!
        return [id.slice(0, id.length - suffix.length), suffix]
      end
120
    end
Jacob Vosmaer committed
121

122 123
    # Something is wrong with params[:project_id]; do not pass it on.
    [nil, nil]
124 125 126
  end

  def upload_pack?
127
    git_command == 'git-upload-pack'
Jacob Vosmaer committed
128 129 130
  end

  def receive_pack?
131
    git_command == 'git-receive-pack'
Jacob Vosmaer committed
132 133
  end

134
  def git_command
135
    if action_name == 'info_refs'
Jacob Vosmaer committed
136
      params[:service]
137
    else
138
      action_name.dasherize
139 140
    end
  end
Jacob Vosmaer committed
141

142
  def render_ok
143
    render json: Gitlab::Workhorse.git_http_ok(repository, user)
144
  end
Jacob Vosmaer committed
145

146 147 148 149 150 151 152 153 154
  def repository
    _, suffix = project_id_with_suffix
    if suffix == '.wiki.git'
      project.wiki.repository
    else
      project.repository
    end
  end

155
  def render_not_found
156
    render plain: 'Not Found', status: :not_found
157 158
  end

159
  def render_not_allowed
160
    render plain: download_access.message, status: :forbidden
161 162
  end

163
  def ci?
Jacob Vosmaer committed
164
    @ci.present?
165
  end
Jacob Vosmaer committed
166

167
  def upload_pack_allowed?
168 169 170
    return false unless Gitlab.config.gitlab_shell.upload_pack

    if user
171
      download_access.allowed?
172
    else
173
      ci? || project.public?
174 175
    end
  end
Jacob Vosmaer committed
176

177 178 179 180 181 182
  def access
    return @access if defined?(@access)

    @access = Gitlab::GitAccess.new(user, project, 'http')
  end

183 184
  def download_access
    return @download_access if defined?(@download_access)
Patricio Cano committed
185

186
    @download_access = access.check('git-upload-pack')
Patricio Cano committed
187 188
  end

189
  def http_blocked?
190
    !access.protocol_allowed?
191 192
  end

Jacob Vosmaer committed
193
  def receive_pack_allowed?
194 195 196 197 198
    return false unless Gitlab.config.gitlab_shell.receive_pack

    # Skip user authorization on upload request.
    # It will be done by the pre-receive hook in the repository.
    user.present?
Jacob Vosmaer committed
199
  end
200
end