Commit 1c42cc35a187504ec38d4fe5eb4113d80c23614c
Exists in
spb-stable
and in
3 other branches
Merge branch 'fix-grack-auth' into 'master'
Fix http clone for public project
Showing
2 changed files
with
38 additions
and
26 deletions
Show diff stats
lib/gitlab/backend/grack_auth.rb
| @@ -22,14 +22,16 @@ module Grack | @@ -22,14 +22,16 @@ module Grack | ||
| 22 | 22 | ||
| 23 | @env['SCRIPT_NAME'] = "" | 23 | @env['SCRIPT_NAME'] = "" |
| 24 | 24 | ||
| 25 | - auth! | 25 | + if project |
| 26 | + auth! | ||
| 27 | + else | ||
| 28 | + render_not_found | ||
| 29 | + end | ||
| 26 | end | 30 | end |
| 27 | 31 | ||
| 28 | private | 32 | private |
| 29 | 33 | ||
| 30 | def auth! | 34 | def auth! |
| 31 | - return render_not_found unless project | ||
| 32 | - | ||
| 33 | if @auth.provided? | 35 | if @auth.provided? |
| 34 | return bad_request unless @auth.basic? | 36 | return bad_request unless @auth.basic? |
| 35 | 37 | ||
| @@ -38,12 +40,8 @@ module Grack | @@ -38,12 +40,8 @@ module Grack | ||
| 38 | 40 | ||
| 39 | # Allow authentication for GitLab CI service | 41 | # Allow authentication for GitLab CI service |
| 40 | # if valid token passed | 42 | # if valid token passed |
| 41 | - if login == "gitlab-ci-token" && project.gitlab_ci? | ||
| 42 | - token = project.gitlab_ci_service.token | ||
| 43 | - | ||
| 44 | - if token.present? && token == password && service_name == 'git-upload-pack' | ||
| 45 | - return @app.call(env) | ||
| 46 | - end | 43 | + if gitlab_ci_request?(login, password) |
| 44 | + return @app.call(env) | ||
| 47 | end | 45 | end |
| 48 | 46 | ||
| 49 | @user = authenticate_user(login, password) | 47 | @user = authenticate_user(login, password) |
| @@ -51,23 +49,26 @@ module Grack | @@ -51,23 +49,26 @@ module Grack | ||
| 51 | if @user | 49 | if @user |
| 52 | Gitlab::ShellEnv.set_env(@user) | 50 | Gitlab::ShellEnv.set_env(@user) |
| 53 | @env['REMOTE_USER'] = @auth.username | 51 | @env['REMOTE_USER'] = @auth.username |
| 54 | - else | ||
| 55 | - return unauthorized | ||
| 56 | end | 52 | end |
| 57 | - | ||
| 58 | - else | ||
| 59 | - return unauthorized unless project.public? | ||
| 60 | end | 53 | end |
| 61 | 54 | ||
| 62 | - if authorized_git_request? | 55 | + if authorized_request? |
| 63 | @app.call(env) | 56 | @app.call(env) |
| 64 | else | 57 | else |
| 65 | unauthorized | 58 | unauthorized |
| 66 | end | 59 | end |
| 67 | end | 60 | end |
| 68 | 61 | ||
| 69 | - def authorized_git_request? | ||
| 70 | - authorize_request(service_name) | 62 | + def gitlab_ci_request?(login, password) |
| 63 | + if login == "gitlab-ci-token" && project.gitlab_ci? | ||
| 64 | + token = project.gitlab_ci_service.token | ||
| 65 | + | ||
| 66 | + if token.present? && token == password && git_cmd == 'git-upload-pack' | ||
| 67 | + true | ||
| 68 | + end | ||
| 69 | + end | ||
| 70 | + | ||
| 71 | + false | ||
| 71 | end | 72 | end |
| 72 | 73 | ||
| 73 | def authenticate_user(login, password) | 74 | def authenticate_user(login, password) |
| @@ -75,20 +76,31 @@ module Grack | @@ -75,20 +76,31 @@ module Grack | ||
| 75 | auth.find(login, password) | 76 | auth.find(login, password) |
| 76 | end | 77 | end |
| 77 | 78 | ||
| 78 | - def authorize_request(service) | ||
| 79 | - case service | 79 | + def authorized_request? |
| 80 | + case git_cmd | ||
| 80 | when *Gitlab::GitAccess::DOWNLOAD_COMMANDS | 81 | when *Gitlab::GitAccess::DOWNLOAD_COMMANDS |
| 81 | - # Serve only upload request. | ||
| 82 | - # Authorization on push will be serverd by update hook in repository | ||
| 83 | - Gitlab::GitAccess.new.download_allowed?(user, project) | 82 | + if user |
| 83 | + Gitlab::GitAccess.new.download_allowed?(user, project) | ||
| 84 | + elsif project.public? | ||
| 85 | + # Allow clone/fetch for public projects | ||
| 86 | + true | ||
| 87 | + else | ||
| 88 | + false | ||
| 89 | + end | ||
| 84 | when *Gitlab::GitAccess::PUSH_COMMANDS | 90 | when *Gitlab::GitAccess::PUSH_COMMANDS |
| 85 | - true | 91 | + if user |
| 92 | + # Skip user authorization on upload request. | ||
| 93 | + # It will be serverd by update hook in repository | ||
| 94 | + true | ||
| 95 | + else | ||
| 96 | + false | ||
| 97 | + end | ||
| 86 | else | 98 | else |
| 87 | false | 99 | false |
| 88 | end | 100 | end |
| 89 | end | 101 | end |
| 90 | 102 | ||
| 91 | - def service_name | 103 | + def git_cmd |
| 92 | if @request.get? | 104 | if @request.get? |
| 93 | @request.params['service'] | 105 | @request.params['service'] |
| 94 | elsif @request.post? | 106 | elsif @request.post? |
lib/gitlab/git_access.rb
| @@ -34,7 +34,7 @@ module Gitlab | @@ -34,7 +34,7 @@ module Gitlab | ||
| 34 | end | 34 | end |
| 35 | 35 | ||
| 36 | def download_allowed?(user, project) | 36 | def download_allowed?(user, project) |
| 37 | - if user_allowed?(user) | 37 | + if user && user_allowed?(user) |
| 38 | user.can?(:download_code, project) | 38 | user.can?(:download_code, project) |
| 39 | else | 39 | else |
| 40 | false | 40 | false |
| @@ -42,7 +42,7 @@ module Gitlab | @@ -42,7 +42,7 @@ module Gitlab | ||
| 42 | end | 42 | end |
| 43 | 43 | ||
| 44 | def push_allowed?(user, project, ref, oldrev, newrev) | 44 | def push_allowed?(user, project, ref, oldrev, newrev) |
| 45 | - if user_allowed?(user) | 45 | + if user && user_allowed?(user) |
| 46 | action = if project.protected_branch?(ref) | 46 | action = if project.protected_branch?(ref) |
| 47 | :push_code_to_protected_branches | 47 | :push_code_to_protected_branches |
| 48 | else | 48 | else |