Commit 1c42cc35a187504ec38d4fe5eb4113d80c23614c

Authored by Dmitriy Zaporozhets
2 parents 8ae59330 7dd18a3e

Merge branch 'fix-grack-auth' into 'master'

Fix http clone for public project
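--- a/lib/gitlab/backend/grack_auth.rb
+++ b/lib/gitlab/backend/grack_auth.rb
@@ -22,14 +22,16 @@ module Grack
 
 @env['SCRIPT_NAME'] = ""
 
-auth!
+if project
+auth!
+else
+render_not_found
+end
 end
 
 private
 
 def auth!
-return render_not_found unless project
-
 if @auth.provided?
 return bad_request unless @auth.basic?
 
@@ -38,12 +40,8 @@ module Grack
 
 # Allow authentication for GitLab CI service
 # if valid token passed
-if login == "gitlab-ci-token" && project.gitlab_ci?
-token = project.gitlab_ci_service.token
-
-if token.present? && token == password && service_name == 'git-upload-pack'
-return @app.call(env)
-end
+if gitlab_ci_request?(login, password)
+return @app.call(env)
 end
 
 @user = authenticate_user(login, password)
@@ -51,23 +49,26 @@ module Grack
 if @user
 Gitlab::ShellEnv.set_env(@user)
 @env['REMOTE_USER'] = @auth.username
-else
-return unauthorized
 end
-
-else
-return unauthorized unless project.public?
 end
 
-if authorized_git_request?
+if authorized_request?
 @app.call(env)
 else
 unauthorized
 end
 end
 
-def authorized_git_request?
-authorize_request(service_name)
+def gitlab_ci_request?(login, password)
+if login == "gitlab-ci-token" && project.gitlab_ci?
+token = project.gitlab_ci_service.token
+
+if token.present? && token == password && git_cmd == 'git-upload-pack'
+true
+end
+end
+
+false
 end
 
 def authenticate_user(login, password)
@@ -75,20 +76,31 @@ module Grack
 auth.find(login, password)
 end
 
-def authorize_request(service)
-case service
+def authorized_request?
+case git_cmd
 when *Gitlab::GitAccess::DOWNLOAD_COMMANDS
-# Serve only upload request.
-# Authorization on push will be serverd by update hook in repository
-Gitlab::GitAccess.new.download_allowed?(user, project)
+if user
+Gitlab::GitAccess.new.download_allowed?(user, project)
+elsif project.public?
+# Allow clone/fetch for public projects
+true
+else
+false
+end
 when *Gitlab::GitAccess::PUSH_COMMANDS
-true
+if user
+# Skip user authorization on upload request.
+# It will be serverd by update hook in repository
+true
+else
+false
+end
 else
 false
 end
 end
 
-def service_name
+def git_cmd
 if @request.get?
 @request.params['service']
 elsif @request.post?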
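Review bot: `gitlab_ci_request?` in the third hunk always returns false, because the inner `true` is only the value of the nested `if` expression and the method then falls through to the trailing `false`; as a result the CI-token branch in `auth!` never serves the request, the token login is handed to `authenticate_user`, and with no `@user` the download branch of `authorized_request?` only succeeds for public projects, so a CI clone of a private project would be refused. The smallest fix is `return true` in place of the bare `true`; a clearer shape is a guard clause, `return false unless login == "gitlab-ci-token" && project.gitlab_ci?`, then `token = project.gitlab_ci_service.token`, with `token.present? && token == password && git_cmd == 'git-upload-pack'` as the method's final expression. While touching this, `token == password` compares a secret with plain string equality, which stops at the first differing byte; if `Rack::Utils.secure_compare` is available to this middleware it is the better choice for the token check. The `git_cmd` method at the end of the last hunk continues outside it.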
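--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -34,7 +34,7 @@ module Gitlab
 end
 
 def download_allowed?(user, project)
-if user_allowed?(user)
+if user && user_allowed?(user)
 user.can?(:download_code, project)
 else
 false
@@ -42,7 +42,7 @@ module Gitlab
 end
 
 def push_allowed?(user, project, ref, oldrev, newrev)
-if user_allowed?(user)
+if user && user_allowed?(user)
 action = if project.protected_branch?(ref)
 :push_code_to_protected_branches
 else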
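Review bot: `download_allowed?` in the first hunk now returns false for a nil user without saying that this is deliberate, and the caller in grack_auth.rb appears to rely on it to fall through to its own public-project check rather than expecting anonymous reads to be decided here; a one-line comment would pin that contract: `# A nil (anonymous) user is never authorized here; public-project reads are granted by the caller.` The same guard is added to `push_allowed?` in the second hunk and would take the same comment. Both method bodies continue outside their hunks.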